diff --git a/README.md b/README.md
index 7d421e4..b710f4a 100644
--- a/README.md
+++ b/README.md
@@ -110,82 +110,82 @@ The server dynamically filters the available tools based on the permissions asso - **`kubernetes_list_clusters`** - **Description**: Lists the cluster information for all clusters or just the cluster specified. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "List all kubernetes clusters" or "Show me info for cluster 'production-gke'" - **`kubernetes_list_nodes`** - **Description**: Lists the node information for all nodes, all nodes from a cluster or just the node specified. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "List all kubernetes nodes in the cluster 'production-gke'" or "Show me info for node 'node-123'" - **`kubernetes_list_workloads`** - **Description**: Lists all the workloads that are in a particular state, desired, ready, running or unavailable. The LLM can filter by cluster, namespace, workload name or type. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "List all desired workloads in the cluster 'production-gke' and namespace 'default'" - **`kubernetes_list_pod_containers`** - **Description**: Retrieves information from a particular pod and container. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show me info for pod 'my-pod' in cluster 'production-gke'" - **`kubernetes_list_cronjobs`** - **Description**: Retrieves information from the cronjobs in the cluster. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "List all cronjobs in cluster 'prod' and namespace 'default'" - **`troubleshoot_kubernetes_list_top_unavailable_pods`** - **Description**: Shows the top N pods with the highest number of unavailable or unready replicas in a Kubernetes cluster, ordered from highest to lowest. 
- - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 20 unavailable pods in cluster 'production'" - **`troubleshoot_kubernetes_list_top_restarted_pods`** - **Description**: Lists the pods with the highest number of container restarts in the specified scope (cluster, namespace, workload, or individual pod). By default, it returns the top 10. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 pods with the most container restarts in cluster 'production'" - **`troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods`** - **Description**: Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval, allowing filtering by cluster, namespace, workload type, and workload name. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 20 pods with the most HTTP errors in cluster 'production'" - **`troubleshoot_kubernetes_list_top_network_errors_in_pods`** - **Description**: Shows the top network errors by pod over a given interval, aggregated by cluster, namespace, workload type, and workload name. The result is an average rate of network errors per second. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 pods with the most network errors in cluster 'production'" - **`troubleshoot_kubernetes_list_count_pods_per_cluster`** - **Description**: List the count of running Kubernetes Pods grouped by cluster and namespace. 
- - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "List the count of running Kubernetes Pods in cluster 'production'" - **`troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota`** - **Description**: List Kubernetes pods with CPU usage below 25% of the quota limit. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 underutilized pods by CPU quota in cluster 'production'" - **`troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota`** - **Description**: List Kubernetes pods with memory usage below 25% of the limit. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 underutilized pods by memory quota in cluster 'production'" - **`troubleshoot_kubernetes_list_top_cpu_consumed_by_workload`** - **Description**: Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores). - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 workloads consuming the most CPU in cluster 'production'" - **`troubleshoot_kubernetes_list_top_cpu_consumed_by_container`** - **Description**: Identifies the Kubernetes containers consuming the most CPU (in cores). - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 containers consuming the most CPU in cluster 'production'" - **`troubleshoot_kubernetes_list_top_memory_consumed_by_workload`** - **Description**: Lists memory-intensive workloads (all containers). 
- - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 workloads consuming the most memory in cluster 'production'" - **`troubleshoot_kubernetes_list_top_memory_consumed_by_container`** - **Description**: Lists memory-intensive containers. - - **Required Permission**: `promql.exec` + - **Required Permission**: `metrics-data.read` - **Sample Prompt**: "Show the top 10 containers consuming the most memory in cluster 'production'" ## Requirements @@ -244,11 +244,12 @@ To use the MCP server tools, your API token needs specific permissions in Sysdig **Permissions Mapping:** -| Permission | Sysdig UI Permission Name | -|------------|---------------------------| -| `policy-events.read` | Threats: "Policy Events" (Read) | -| `sage.exec` | SysQL: "AI Query Generation" (EXEC) | -| `risks.read` | Risks: "Access to risk feature" (Read) | +| Permission | Sysdig UI Permission Name | +|----------------------|---------------------------------------------| +| `metrics-data.read` | Data Access Settings: "Metrics Data" (Read) | +| `policy-events.read` | Threats: "Policy Events" (Read) | +| `risks.read` | Risks: "Access to risk feature" (Read) | +| `sage.exec` | SysQL: "AI Query Generation" (Exec) | **Additional Permissions:** diff --git a/internal/infra/mcp/tools/README.md b/internal/infra/mcp/tools/README.md index ec77ca8..61d8879 100644 --- a/internal/infra/mcp/tools/README.md +++ b/internal/infra/mcp/tools/README.md 
@@ -2,29 +2,29 @@ The handler filters tools dynamically based on the Sysdig user's permissions. Each tool declares mandatory permissions via `WithRequiredPermissions`. -| Tool | File | Capability | Required Permissions | Useful Prompts | -| --- | --- | --- | --- | --- | -| `list_runtime_events` | `tool_list_runtime_events.go` | Query runtime events with filters, cursor, scope. | `policy-events.read` | “Show high severity runtime events from last 2h.” | -| `get_event_info` | `tool_get_event_info.go` | Pull full payload for a single policy event. | `policy-events.read` | “Fetch event `abc123` details.” | -| `get_event_process_tree` | `tool_get_event_process_tree.go` | Retrieve the process tree for an event when available. | `policy-events.read` | “Show the process tree behind event `abc123`.” | -| `run_sysql` | `tool_run_sysql.go` | Execute caller-supplied Sysdig SysQL queries safely. | `sage.exec`, `risks.read` | “Run the following SysQL…”. | -| `generate_sysql` | `tool_generate_sysql.go` | Convert natural language to SysQL via Sysdig Sage. | `sage.exec` (does not work with Service Accounts) | “Create a SysQL to list S3 buckets.” | -| `kubernetes_list_clusters` | `tool_kubernetes_list_clusters.go` | Lists Kubernetes cluster information. | `promql.exec` | "List all Kubernetes clusters" | -| `kubernetes_list_nodes` | `tool_kubernetes_list_nodes.go` | Lists Kubernetes node information. | `promql.exec` | "List all Kubernetes nodes in the cluster 'production-gke'" | -| `kubernetes_list_workloads` | `tool_kubernetes_list_workloads.go` | Lists Kubernetes workload information. | `promql.exec` | "List all desired workloads in the cluster 'production-gke' and namespace 'default'" | -| `kubernetes_list_pod_containers` | `tool_kubernetes_list_pod_containers.go` | Retrieves information from a particular pod and container. 
| `promql.exec` | "Show me info for pod 'my-pod' in cluster 'production-gke'" | -| `kubernetes_list_cronjobs` | `tool_kubernetes_list_cronjobs.go` | Retrieves information from the cronjobs in the cluster. | `promql.exec` | "List all cronjobs in cluster 'prod' and namespace 'default'" | -| `troubleshoot_kubernetes_list_top_unavailable_pods` | `tool_troubleshoot_kubernetes_list_top_unavailable_pods.go` | Shows the top N pods with the highest number of unavailable or unready replicas. | `promql.exec` | "Show the top 20 unavailable pods in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_restarted_pods` | `tool_troubleshoot_kubernetes_list_top_restarted_pods.go` | Lists the pods with the highest number of container restarts. | `promql.exec` | "Show the top 10 pods with the most container restarts in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go` | Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval. | `promql.exec` | "Show the top 20 pods with the most HTTP errors in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_network_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go` | Shows the top network errors by pod over a given interval. | `promql.exec` | "Show the top 10 pods with the most network errors in cluster 'production'" | -| `troubleshoot_kubernetes_list_count_pods_per_cluster` | `tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go` | List the count of running Kubernetes Pods grouped by cluster and namespace. | `promql.exec` | "List the count of running Kubernetes Pods in cluster 'production'" | -| `troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. 
| `promql.exec` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" | -| `troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `promql.exec` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_cpu_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go` | Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores). | `promql.exec` | "Show the top 10 workloads consuming the most CPU in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_cpu_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go` | Identifies the Kubernetes containers consuming the most CPU (in cores). | `promql.exec` | "Show the top 10 containers consuming the most CPU in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_memory_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go` | Lists memory-intensive workloads (all containers). | `promql.exec` | "Show the top 10 workloads consuming the most memory in cluster 'production'" | -| `troubleshoot_kubernetes_list_top_memory_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go` | Lists memory-intensive containers. 
| `promql.exec` | "Show the top 10 containers consuming the most memory in cluster 'production'" | +| Tool | File | Capability | Required Permissions | Useful Prompts | +|-------------------------------------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|---------------------------------------------------|--------------------------------------------------------------------------------------| +| `generate_sysql` | `tool_generate_sysql.go` | Convert natural language to SysQL via Sysdig Sage. | `sage.exec` (does not work with Service Accounts) | “Create a SysQL to list S3 buckets.” | +| `get_event_info` | `tool_get_event_info.go` | Pull full payload for a single policy event. | `policy-events.read` | “Fetch event `abc123` details.” | +| `get_event_process_tree` | `tool_get_event_process_tree.go` | Retrieve the process tree for an event when available. | `policy-events.read` | “Show the process tree behind event `abc123`.” | +| `kubernetes_list_clusters` | `tool_kubernetes_list_clusters.go` | Lists Kubernetes cluster information. | `metrics-data.read` | "List all Kubernetes clusters" | +| `kubernetes_list_cronjobs` | `tool_kubernetes_list_cronjobs.go` | Retrieves information from the cronjobs in the cluster. | `metrics-data.read` | "List all cronjobs in cluster 'prod' and namespace 'default'" | +| `kubernetes_list_nodes` | `tool_kubernetes_list_nodes.go` | Lists Kubernetes node information. | `metrics-data.read` | "List all Kubernetes nodes in the cluster 'production-gke'" | +| `kubernetes_list_pod_containers` | `tool_kubernetes_list_pod_containers.go` | Retrieves information from a particular pod and container. | `metrics-data.read` | "Show me info for pod 'my-pod' in cluster 'production-gke'" | +| `kubernetes_list_workloads` | `tool_kubernetes_list_workloads.go` | Lists Kubernetes workload information. 
| `metrics-data.read` | "List all desired workloads in the cluster 'production-gke' and namespace 'default'" | +| `list_runtime_events` | `tool_list_runtime_events.go` | Query runtime events with filters, cursor, scope. | `policy-events.read` | “Show high severity runtime events from last 2h.” | +| `run_sysql` | `tool_run_sysql.go` | Execute caller-supplied Sysdig SysQL queries safely. | `sage.exec`, `risks.read` | “Run the following SysQL…”. | +| `troubleshoot_kubernetes_list_count_pods_per_cluster` | `tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go` | List the count of running Kubernetes Pods grouped by cluster and namespace. | `metrics-data.read` | "List the count of running Kubernetes Pods in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go` | Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval. | `metrics-data.read` | "Show the top 20 pods with the most HTTP errors in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_cpu_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go` | Identifies the Kubernetes containers consuming the most CPU (in cores). | `metrics-data.read` | "Show the top 10 containers consuming the most CPU in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_cpu_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go` | Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores). | `metrics-data.read` | "Show the top 10 workloads consuming the most CPU in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_memory_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go` | Lists memory-intensive containers. 
| `metrics-data.read` | "Show the top 10 containers consuming the most memory in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_memory_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go` | Lists memory-intensive workloads (all containers). | `metrics-data.read` | "Show the top 10 workloads consuming the most memory in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_network_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go` | Shows the top network errors by pod over a given interval. | `metrics-data.read` | "Show the top 10 pods with the most network errors in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_restarted_pods` | `tool_troubleshoot_kubernetes_list_top_restarted_pods.go` | Lists the pods with the highest number of container restarts. | `metrics-data.read` | "Show the top 10 pods with the most container restarts in cluster 'production'" | +| `troubleshoot_kubernetes_list_top_unavailable_pods` | `tool_troubleshoot_kubernetes_list_top_unavailable_pods.go` | Shows the top N pods with the highest number of unavailable or unready replicas. | `metrics-data.read` | "Show the top 20 unavailable pods in cluster 'production'" | +| `troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. | `metrics-data.read` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" | +| `troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `metrics-data.read` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" | # Adding a New Tool 
diff --git a/internal/infra/mcp/tools/tool_kubernetes_list_clusters.go b/internal/infra/mcp/tools/tool_kubernetes_list_clusters.go
index 8ff2c76..f314dad 100644
--- a/internal/infra/mcp/tools/tool_kubernetes_list_clusters.go
+++ b/internal/infra/mcp/tools/tool_kubernetes_list_clusters.go
@@ -32,7 +32,7 @@ func (t *KubernetesListClusters) RegisterInServer(s *server.MCPServer) {
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_kubernetes_list_cronjobs.go b/internal/infra/mcp/tools/tool_kubernetes_list_cronjobs.go
index 01df001..80574b0 100644
--- a/internal/infra/mcp/tools/tool_kubernetes_list_cronjobs.go
+++ b/internal/infra/mcp/tools/tool_kubernetes_list_cronjobs.go
@@ -35,7 +35,7 @@ func (t *KubernetesListCronjobs) RegisterInServer(s *server.MCPServer) {
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_kubernetes_list_nodes.go b/internal/infra/mcp/tools/tool_kubernetes_list_nodes.go
index 44dd750..20af225 100644
--- a/internal/infra/mcp/tools/tool_kubernetes_list_nodes.go
+++ b/internal/infra/mcp/tools/tool_kubernetes_list_nodes.go
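Review bot: The permission name `"metrics-data.read"` is a bare string literal in the `WithRequiredPermissions` call in `tool_kubernetes_list_clusters.go`, and the same literal is repeated in the other fifteen tool files this commit touches (cronjobs, nodes, pod containers, workloads and the eleven `troubleshoot_kubernetes_*` tools), so a misspelling in any one file would change which tokens are offered that tool with no compile-time signal. A package-level constant, for example `const permMetricsDataRead = "metrics-data.read"`, passed as `WithRequiredPermissions(permMetricsDataRead),` would keep the sixteen registrations in step. The removed FIXME recorded that the token does not carry `promql.exec` even when it can run queries; a one-line comment on the constant, such as `// PromQL-backed tools are gated on metrics-data.read; tokens that can run queries do not carry promql.exec.`, would keep that reasoning next to the authorization decision. `RegisterInServer` begins above the hunk, and nothing visible here shows whether the permission is applied only when tools are listed or also when a tool is called, so that is worth confirming against the filtering code.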
@@ -34,7 +34,7 @@ func (t *KubernetesListNodes) RegisterInServer(s *server.MCPServer) {
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_kubernetes_list_pod_containers.go b/internal/infra/mcp/tools/tool_kubernetes_list_pod_containers.go
index 7534d58..da192c8 100644
--- a/internal/infra/mcp/tools/tool_kubernetes_list_pod_containers.go
+++ b/internal/infra/mcp/tools/tool_kubernetes_list_pod_containers.go
@@ -40,7 +40,7 @@ func (t *KubernetesListPodContainers) RegisterInServer(s *server.MCPServer) {
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_kubernetes_list_workloads.go b/internal/infra/mcp/tools/tool_kubernetes_list_workloads.go
index 06b53bb..2f9d2be 100644
--- a/internal/infra/mcp/tools/tool_kubernetes_list_workloads.go
+++ b/internal/infra/mcp/tools/tool_kubernetes_list_workloads.go
@@ -44,7 +44,7 @@ func (t *KubernetesListWorkloads) RegisterInServer(s *server.MCPServer) {
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go
index 9cae24a..03d254d 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go
@@ -34,7 +34,7 @@ func (t *TroubleshootKubernetesListCountPodsPerCluster) RegisterInServer(s *serv
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go
index 66f5ede..4729e10 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go
@@ -38,7 +38,7 @@ func (t *TroubleshootKubernetesListTop400500HttpErrorsInPods) RegisterInServer(s
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go
index cf3b65a..d27415c 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go
@@ -36,7 +36,7 @@ func (t *TroubleshootKubernetesListTopCPUConsumedByContainer) RegisterInServer(s
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go
index 0a1cec1..5e07810 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go
@@ -36,7 +36,7 @@ func (t *TroubleshootKubernetesListTopCPUConsumedByWorkload) RegisterInServer(s
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go
index 21ed255..f705a61 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go
@@ -36,7 +36,7 @@ func (t *TroubleshootKubernetesListTopMemoryConsumedByContainer) RegisterInServe
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go
index 71a828f..9284b77 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go
@@ -36,7 +36,7 @@ func (t *TroubleshootKubernetesListTopMemoryConsumedByWorkload) RegisterInServer
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go
index 5c62abf..7b6cb54 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go
@@ -38,7 +38,7 @@ func (t *TroubleshootKubernetesListTopNetworkErrorsInPods) RegisterInServer(s *s
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_restarted_pods.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_restarted_pods.go
index 2fd7f68..d25d402 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_restarted_pods.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_restarted_pods.go
@@ -37,7 +37,7 @@ func (t *TroubleshootKubernetesListTopRestartedPods) RegisterInServer(s *server.
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_unavailable_pods.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_unavailable_pods.go
index c8fcf9c..949879b 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_unavailable_pods.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_unavailable_pods.go
@@ -36,7 +36,7 @@ func (t *TroubleshootKubernetesListTopUnavailablePods) RegisterInServer(s *serve
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go
index ec59495..f572f3a 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go
@@ -34,7 +34,7 @@ func (t *TroubleshootKubernetesListUnderutilizedPodsByCPUQuota) RegisterInServer
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go
index 9c3ce2d..7f59ad8 100644
--- a/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go
+++ b/internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go
@@ -34,7 +34,7 @@ func (t *TroubleshootKubernetesListUnderutilizedPodsByMemoryQuota) RegisterInSer
 mcp.WithOutputSchema[map[string]any](),
 mcp.WithReadOnlyHintAnnotation(true),
 mcp.WithDestructiveHintAnnotation(false),
- WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+ WithRequiredPermissions("metrics-data.read"),
 )
 s.AddTool(tool, t.handle)
 }
diff --git a/package.nix b/package.nix
index 8c93355..905ce58 100644
--- a/package.nix
+++ b/package.nix
@@ -1,7 +1,7 @@
 { buildGoModule, versionCheckHook }:
 buildGoModule (finalAttrs: {
 pname = "sysdig-mcp-server";
- version = "0.5.0";
+ version = "0.5.1";
 src = ./.;
 # This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just bump`.
 vendorHash = "sha256-jf/px0p88XbfuSPMry/qZcfR0QPTF9IrPegg2CwAd6M=";