containers
diff --git a/‎pkg/kubernetes/nodes.go‎
Lines changed: 23 additions & 3 deletions b/‎pkg/kubernetes/nodes.go‎
Lines changed: 23 additions & 3 deletions
diff --git a/‎pkg/mcp/nodes_files_test.go‎
Lines changed: 314 additions & 0 deletions b/‎pkg/mcp/nodes_files_test.go‎
Lines changed: 314 additions & 0 deletions
@@ -12,6 +12,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/httpstream"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/tools/remotecommand"
 	"k8s.io/metrics/pkg/apis/metrics"
@@ -169,7 +170,7 @@ func (k *Kubernetes) NodesFiles(ctx context.Context, opts NodeFilesOptions) (str
 	}
 
 	// Create the pod
-	pods, err := k.manager.accessControlClientSet.Pods(opts.Namespace)
+	pods, err := k.AccessControlClientset().Pods(opts.Namespace)
 	if err != nil {
 		return "", fmt.Errorf("failed to get pods client: %w", err)
 	}
@@ -288,7 +289,26 @@ func (k *Kubernetes) execInPod(ctx context.Context, namespace, podName string, c
 		Stderr:    true,
 	}
 
-	executor, err := k.manager.accessControlClientSet.PodsExec(namespace, podName, podExecOptions)
+	// Compute URL
+	execRequest := k.AccessControlClientset().CoreV1().RESTClient().
+		Post().
+		Resource("pods").
+		Namespace(namespace).
+		Name(podName).
+		SubResource("exec")
+	execRequest.VersionedParams(podExecOptions, ParameterCodec)
+
+	spdyExec, err := remotecommand.NewSPDYExecutor(k.AccessControlClientset().cfg, "POST", execRequest.URL())
+	if err != nil {
+		return "", err
+	}
+	webSocketExec, err := remotecommand.NewWebSocketExecutor(k.AccessControlClientset().cfg, "GET", execRequest.URL().String())
+	if err != nil {
+		return "", err
+	}
+	executor, err := remotecommand.NewFallbackExecutor(webSocketExec, spdyExec, func(err error) bool {
+		return httpstream.IsUpgradeFailure(err) || httpstream.IsHTTPSProxyError(err)
+	})
 	if err != nil {
 		return "", err
 	}
@@ -316,7 +336,7 @@ func (k *Kubernetes) execInPod(ctx context.Context, namespace, podName string, c
 
 // waitForPodReady waits for a pod to be ready
 func (k *Kubernetes) waitForPodReady(ctx context.Context, namespace, podName string, timeout time.Duration) error {
-	pods, err := k.manager.accessControlClientSet.Pods(namespace)
+	pods, err := k.AccessControlClientset().Pods(namespace)
 	if err != nil {
 		return err
 	}
 
@@ -0,0 +1,314 @@
+package mcp
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/BurntSushi/toml"
+	"github.com/containers/kubernetes-mcp-server/internal/test"
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/stretchr/testify/suite"
+)
+
+type NodeFilesSuite struct {
+	BaseMcpSuite
+	mockServer *test.MockServer
+}
+
+func (s *NodeFilesSuite) SetupTest() {
+	s.BaseMcpSuite.SetupTest()
+	s.mockServer = test.NewMockServer()
+	s.Cfg.KubeConfig = s.mockServer.KubeconfigFile(s.T())
+	s.mockServer.Handle(&test.DiscoveryClientHandler{})
+}
+
+func (s *NodeFilesSuite) TearDownTest() {
+	s.BaseMcpSuite.TearDownTest()
+	if s.mockServer != nil {
+		s.mockServer.Close()
+	}
+}
+
+func (s *NodeFilesSuite) TestNodeFiles() {
+	// Setup test files and directories
+	s.T().Run("prepare test environment", func(t *testing.T) {
+		// This ensures we have a node in the cluster for testing
+		s.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			// Get Node response
+			if req.URL.Path == "/api/v1/nodes/test-node" {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				_, _ = w.Write([]byte(`{
+					"apiVersion": "v1",
+					"kind": "Node",
+					"metadata": {
+						"name": "test-node"
+					}
+				}`))
+				return
+			}
+			// Handle pod creation
+			if req.URL.Path == "/api/v1/namespaces/default/pods" && req.Method == "POST" {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusCreated)
+				_, _ = w.Write([]byte(`{
+					"apiVersion": "v1",
+					"kind": "Pod",
+					"metadata": {
+						"name": "node-files-test",
+						"namespace": "default"
+					},
+					"status": {
+						"phase": "Running",
+						"conditions": [{
+							"type": "Ready",
+							"status": "True"
+						}]
+					}
+				}`))
+				return
+			}
+			// Handle pod get (for wait)
+			if req.URL.Path == "/api/v1/namespaces/default/pods/node-files-test" && req.Method == "GET" {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				_, _ = w.Write([]byte(`{
+					"apiVersion": "v1",
+					"kind": "Pod",
+					"metadata": {
+						"name": "node-files-test",
+						"namespace": "default"
+					},
+					"status": {
+						"phase": "Running",
+						"conditions": [{
+							"type": "Ready",
+							"status": "True"
+						}]
+					}
+				}`))
+				return
+			}
+			// Not handled by this handler, let it fall through to discovery handler
+		}))
+	})
+
+	s.InitMcpClient()
+
+	// Test missing node_name parameter
+	s.Run("node_files(node_name=nil)", func() {
+		toolResult, err := s.CallTool("node_files", map[string]interface{}{
+			"operation":   "list",
+			"source_path": "/tmp",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes missing node_name", func() {
+			expectedMessage := "missing required argument: node_name"
+			s.Equalf(expectedMessage, toolResult.Content[0].(mcp.TextContent).Text,
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+
+	// Test missing operation parameter
+	s.Run("node_files(operation=nil)", func() {
+		toolResult, err := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"source_path": "/tmp",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes missing operation", func() {
+			expectedMessage := "missing required argument: operation"
+			s.Equalf(expectedMessage, toolResult.Content[0].(mcp.TextContent).Text,
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+
+	// Test missing source_path parameter
+	s.Run("node_files(source_path=nil)", func() {
+		toolResult, err := s.CallTool("node_files", map[string]interface{}{
+			"node_name": "test-node",
+			"operation": "list",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes missing source_path", func() {
+			expectedMessage := "missing required argument: source_path"
+			s.Equalf(expectedMessage, toolResult.Content[0].(mcp.TextContent).Text,
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+
+	// Test invalid operation
+	s.Run("node_files(operation=invalid)", func() {
+		toolResult, err := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "invalid",
+			"source_path": "/tmp",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes invalid operation", func() {
+			content := toolResult.Content[0].(mcp.TextContent).Text
+			s.Containsf(content, "failed to perform node file operation", "expected error to mention failed operation, got %v", content)
+		})
+	})
+
+	// Test with non-existent node
+	s.Run("node_files(node_name=non-existent-node)", func() {
+		toolResult, err := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "non-existent-node",
+			"operation":   "list",
+			"source_path": "/tmp",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes missing node", func() {
+			content := toolResult.Content[0].(mcp.TextContent).Text
+			s.Containsf(content, "failed to perform node file operation", "expected error to mention failed operation, got %v", content)
+		})
+	})
+
+	// Test with default namespace and image
+	s.Run("node_files with defaults", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "list",
+			"source_path": "/tmp",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// Note: This will fail in the mock environment, but we're testing parameter handling
+		s.Run("attempts operation", func() {
+			// The tool should attempt the operation even if it fails in mock environment
+			s.NotNil(toolResult, "toolResult should not be nil")
+		})
+	})
+
+	// Test with custom namespace
+	s.Run("node_files with custom namespace", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "list",
+			"source_path": "/tmp",
+			"namespace":   "custom-ns",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// The operation will fail in mock environment, but we're verifying parameters are passed
+	})
+
+	// Test with custom image
+	s.Run("node_files with custom image", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "list",
+			"source_path": "/tmp",
+			"image":       "alpine",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// The operation will fail in mock environment, but we're verifying parameters are passed
+		s.NotNil(toolResult)
+	})
+
+	// Test with privileged=false
+	s.Run("node_files with privileged=false", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "list",
+			"source_path": "/tmp",
+			"privileged":  false,
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// The operation will fail in mock environment, but we're verifying parameters are passed
+		s.NotNil(toolResult)
+	})
+
+	// Test list operation
+	s.Run("node_files operation=list", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "list",
+			"source_path": "/proc",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// Will fail in mock environment but tests the operation type
+	})
+
+	// Test get operation
+	s.Run("node_files operation=get", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "get",
+			"source_path": "/proc/cpuinfo",
+			"dest_path":   "/tmp/cpuinfo",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// Will fail in mock environment but tests the operation type
+	})
+
+	// Test get operation without dest_path
+	s.Run("node_files operation=get without dest_path", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "get",
+			"source_path": "/proc/meminfo",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// Will fail in mock environment but tests the operation type
+	})
+
+	// Test put operation
+	s.Run("node_files operation=put", func() {
+		toolResult, _ := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "put",
+			"source_path": "/tmp/local-file",
+			"dest_path":   "/tmp/node-file",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		// Will fail in mock environment but tests the operation type
+	})
+}
+
+func (s *NodeFilesSuite) TestNodeFilesDenied() {
+	s.Require().NoError(toml.Unmarshal([]byte(`
+		denied_resources = [ { version = "v1", kind = "Pod" } ]
+	`), s.Cfg), "Expected to parse denied resources config")
+	s.InitMcpClient()
+	s.Run("node_files (denied)", func() {
+		toolResult, err := s.CallTool("node_files", map[string]interface{}{
+			"node_name":   "test-node",
+			"operation":   "list",
+			"source_path": "/tmp",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			expectedMessage := "failed to perform node file operation: resource not allowed: /v1, Kind=Pod"
+			s.Containsf(toolResult.Content[0].(mcp.TextContent).Text, "resource not allowed",
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+}
+
+func TestNodeFiles(t *testing.T) {
+	suite.Run(t, new(NodeFilesSuite))
+}