feat(validation): add pre-execution validation layer by nader-ziada · Pull Request #764 · containers/kubernetes-mcp-server

nader-ziada · 2026-02-10T21:47:18Z

Add validation middleware that catches errors before they reach the Kubernetes API.

Changes:

Resource validation: catches typos in resource types (GVK)
Schema validation: validates manifests against OpenAPI schema
RBAC validation: pre-checks permissions using SelfSubjectAccessReview
All validators are enabled by default and can be configured via environment variables (MCP_VALIDATION_*) or TOML config.

Closes #775

manusa

Thx for putting this together.
I gave it an initial look and added a few comments.

nader-ziada · 2026-02-12T18:44:31Z

made a refactor of how this works, sorry to the reviewers, to make work from the kubernetes pkg instead of the mcp pkg, now more dynamic and flexible. also disabled by default.

manusa

I think that the decoupling from the mcp layer is going great, thx.
I added some more comments regarding the new approach.

manusa

Sorry for the late review, I wanted to check the changes locally to ensure the tests in pkg/mcp could be reverted to their original state in main (they can).

I added a few more comments for your consideration.

manusa · 2026-02-19T14:27:52Z

 	restMapper := rt.restMapperProvider()
 	if restMapper == nil {
-		return nil, fmt.Errorf("failed to make request: AccessControlRoundTripper restMapper not initialized")
+		return nil, fmt.Errorf("failed to make request: restMapper not initialized")


Since this is AccessControlRoundTripper (again), this change shouldn't be necessary, the original error provides better context for debugging.

nader-ziada · 2026-02-19T15:36:17Z

@manusa thanks for the review, I addressed the comments and mostly applied your suggestions to simplify the code.

Add validation middleware that catches errors before they reach the Kubernetes API. Signed-off-by: Nader Ziada <nziada@redhat.com>

Signed-off-by: Nader Ziada <nziada@redhat.com>

cleanup up unused func and fields Signed-off-by: Nader Ziada <nziada@redhat.com>

manusa

LGTM, thx!

matzew reviewed Feb 11, 2026

View reviewed changes

Comment thread pkg/validation/middleware.go Outdated

matzew reviewed Feb 11, 2026

View reviewed changes

Comment thread pkg/validation/rbac_validator.go Outdated

matzew reviewed Feb 11, 2026

View reviewed changes

Comment thread pkg/validation/middleware.go Outdated

manusa reviewed Feb 11, 2026

View reviewed changes

Comment thread pkg/mcp/mcp.go Outdated

Comment thread pkg/mcp/mcp.go Outdated

manusa mentioned this pull request Feb 12, 2026

refactor(kubernetes): export k.CanIUse func #775

Closed

nader-ziada force-pushed the validation branch 2 times, most recently from 108f733 to b07324e Compare February 12, 2026 18:42

manusa self-requested a review February 16, 2026 13:34

swghosh approved these changes Feb 16, 2026

View reviewed changes

manusa requested changes Feb 16, 2026

View reviewed changes

Comment thread pkg/config/validation_config.go Outdated

Comment thread pkg/config/validation_config.go Outdated

Comment thread pkg/kubernetes/validation_round_tripper.go Outdated

Comment thread pkg/mcp/events_test.go Outdated

Comment thread pkg/mcp/pods_test.go Outdated

Comment thread README.md

nader-ziada requested a review from manusa February 18, 2026 13:44

manusa requested changes Feb 19, 2026

View reviewed changes

manusa mentioned this pull request Feb 19, 2026

Toolsets() returns toolsets in non-deterministic init() order #791

Closed

nader-ziada force-pushed the validation branch from 2c940f4 to ad19b52 Compare February 19, 2026 15:35

nader-ziada force-pushed the validation branch 3 times, most recently from 30eff21 to 83fbd1f Compare February 19, 2026 16:26

nader-ziada added 3 commits February 19, 2026 11:32

feat(validation): add pre-execution validation layer

ff9f2e6

Add validation middleware that catches errors before they reach the Kubernetes API. Signed-off-by: Nader Ziada <nziada@redhat.com>

simplify config and merge into AccessControlRoundTripper

f7aae2f

Signed-off-by: Nader Ziada <nziada@redhat.com>

remove redundant ResourceValidator and simplify validation

b140a12

cleanup up unused func and fields Signed-off-by: Nader Ziada <nziada@redhat.com>

nader-ziada force-pushed the validation branch from 83fbd1f to b140a12 Compare February 19, 2026 16:33

manusa approved these changes Feb 23, 2026

View reviewed changes

manusa added this to the 0.1.0 milestone Feb 23, 2026

manusa merged commit 9a33b10 into containers:main Feb 23, 2026
7 checks passed

swghosh mentioned this pull request Feb 23, 2026

NO-JIRA: Sync downstream openshift/openshift-mcp-server#155

Merged

Conversation

nader-ziada commented Feb 10, 2026 • edited by manusa Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

manusa left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

nader-ziada commented Feb 12, 2026

Uh oh!

manusa left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

manusa left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

manusa Feb 19, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nader-ziada commented Feb 19, 2026

Uh oh!

manusa left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

nader-ziada commented Feb 10, 2026 •

edited by manusa

Loading