The Kyverno MCP Server exposes Kyverno policy management through the MCP (Model Context Protocol) interface, enabling AI assistants and automation tools to manage Kyverno policies on Kubernetes clusters in a standardized way. It translates MCP requests into Kyverno policy operations such as creating, updating, or deleting policies, as well as querying existing policies and monitoring policy status. Typical workflows involve connecting an MCP client to the server, subscribing to Kyverno policy resources, and issuing MCP-like commands to manage policy lifecycle across clusters.

To use the server, start it with the provided container image (or your preferred deployment method) and point your MCP client at the server endpoint. Once connected, you can perform operations like listing policies, applying new policy definitions, updating existing policies, and removing policies, with Kyverno enforcing the results on the Kubernetes cluster. The server bridges MCP operations to Kyverno’s policy engine, enabling automation agents to reason about policy states and enforce compliance across environments.

Prerequisites:

• A Kubernetes cluster with kubectl configured
• Docker installed (for the recommended container deployment)
• Optional: access to the container registry hosting the Kyverno MCP image

Installation steps (containerized):

1. Pull or run the Kyverno MCP image: docker pull nirmata/kyverno-mcp

   or run directly

   docker run -d --name kyverno-mcp -i nirmata/kyverno-mcp

2. Verify the container is running and reachable from your MCP client. If you need to expose it, you can run with port mappings or rely on in-cluster service discovery depending on your deployment environment.

3. Ensure access to your Kubernetes cluster and Kyverno is installed in that cluster. The MCP server will orchestrate Kyverno policies against the cluster as requested by clients.

4. Configure your MCP client to point to the Kyverno MCP server endpoint (e.g., the Docker container URL or the in-cluster service URL).

Note: If you prefer a non-container deployment, you would build the Go binary from source (if provided) and run it directly with the appropriate environment (KUBECONFIG, cluster credentials, etc.).

Tips and common issues:

• Ensure Kyverno is installed and configured in the target Kubernetes cluster before issuing policy operations through MCP.
• If running behind a firewall or in a restricted network, expose the MCP server via a service or ingress appropriate to your environment.
• Set KUBECONFIG or mount your kubeconfig into the container if you are running outside the cluster.
• When debugging, check Kyverno policy status and event logs in the cluster to correlate with MCP operations.
• If you encounter permission errors, verify that the MCP server has sufficient RBAC access to read/write Kyverno policies and related resources in the target namespace.
• Environment variable hints:
  • KUBECONFIG: path to kubeconfig if not running inside the cluster
  • Optional: KYVERNO_NAMESPACE or similar, if the Kyverno resources are namespace-scoped in your setup
• Review the official Kyverno MCP documentation for supported MCP operations and response formats to ensure your client handles responses correctly.