Skip to content

feat(cli): add --read-only flag to disable write operations#41

Merged
EItanya merged 2 commits intokagent-dev:mainfrom
MatteoMori8:feature/disable-write-flag
Feb 10, 2026
Merged

feat(cli): add --read-only flag to disable write operations#41
EItanya merged 2 commits intokagent-dev:mainfrom
MatteoMori8:feature/disable-write-flag

Conversation

@MatteoMori8
Copy link
Contributor

@MatteoMori8 MatteoMori8 commented Feb 4, 2026
edited
Loading

Add a new --read-only CLI flag that prevents the MCP server from advertising write-operation tools to the agent. When enabled, tools that perform mutations (delete, patch, scale, create, apply, etc.) and the shell tool are removed from the tool list entirely -- the LLM never sees them.

This enables deploying the MCP server in read-only mode for:

  • Observability-only use cases (monitoring, troubleshooting)
  • Environments with read-only service accounts
  • Compliance requirements separating read/write capabilities

Co-Authored-By: Claude Opus 4.6

@MatteoMori8
feat: add --read-only flag to disable write operations
392d29d 
Add a new `--read-only` CLI flag that disables tools which perform
write operations (delete, patch, scale, create, apply, etc.).

This enables deploying the MCP server in read-only mode for:
- Observability-only use cases (monitoring, troubleshooting)
- Environments with read-only service accounts
- Compliance requirements separating read/write capabilities

Tools are categorized as read-only or write operations:
- K8s: 8 read-only, 14 write tools
- Helm: 3 read-only, 3 write tools
- Istio: 9 read-only, 3 write tools
- Cilium: ~25 read-only, ~15 write tools
- Argo: 4 read-only, 4 write tools
- Prometheus/Kubescape/Utils: all read-only (unchanged)

Co-Authored-By: Claude Opus 4.5
Signed-off-by: Matteo Mori <[email protected]>
@MatteoMori8 MatteoMori8 force-pushed the feature/disable-write-flag branch from 2d81f3a to 392d29d Compare February 4, 2026 10:54
@MatteoMori8 MatteoMori8 changed the title FEAT | add --read-only flag to disable write operations feat: add --read-only flag to disable write operations Feb 5, 2026
@MatteoMori8 MatteoMori8 changed the title feat: add --read-only flag to disable write operations feat(cli): add --read-only flag to disable write operations Feb 5, 2026
EItanya
EItanya reviewed Feb 6, 2026
View reviewed changes
Copy link
Contributor

@EItanya EItanya left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the idea of this overall, but I'm not convinced this really solves the problem, maybe we should also remove all write operations from the ServiceAccount which kmcp uses by default?

Actually, there's also an issue for that already #40

@MatteoMori8
fix: disable shell tool in read-only mode
823bf51 
The utils provider exposes a `shell` tool that executes arbitrary
commands, bypassing read-only restrictions. In read-only mode, this
tool is now disabled.

Also pass readOnly to all providers (kubescape, prometheus, utils)
for consistency with the existing providers.

Signed-off-by: Matteo Mori <[email protected]>
@MatteoMori8
Copy link
Contributor Author

MatteoMori8 commented Feb 9, 2026

Hey @EItanya thanks for the review! 😄
Fully agree that locking down the default ServiceAccount RBAC ( #40 ) is important and complementary ( In fact, I might try to address this problem in a new PR if I have time).

This flag is intentionally solving a different part of the problem: it controls which tools are advertised to agents via MCP, so write-capable tools are removed from the tool list entirely and the LLM never sees them.

That distinction matters because many “write” operations don’t go through the Kubernetes API at all. A lot of the tools we have here ( like helm uninstall, istioctl install, and especially the shell tool) execute via CLI shelling, so ServiceAccount verb restrictions won’t prevent them.

Even within a single category the auth model can be inconsistent. For example, cilium uninstall wraps Helm and goes through the K8s API (so RBAC would catch it), but cilium config set / cilium policy talk directly to the Cilium agent API and bypass K8s RBAC entirely. The most reliable way to prevent these across the board is to not expose them to the agent in the first place.

So I see these as two layers of the same story:

  • This PR (application layer): controls what the agent can see and attempt. It covers all tool categories, including non-K8s CLIs
  • add readonly flag for RBAC -> verbs: ["get", "list", "watch"] #40 (RBAC layer): controls what the ServiceAccount can do at the K8s API level. Which is obviously a valuable safety net for K8s-specific operations 😄

While reviewing this I also noticed a gap in my PR: the shell tool in the utils provider wasn’t gated by --read-only. That’s the highest-risk tool since it can execute anything on PATH ( kubectl delete, helm uninstall, rm -rf /, etc.), bypassing all other filtering. I pushed a fix for that 💪

@EItanya EItanya merged commit 4485bf4 into kagent-dev:main Feb 10, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EItanya EItanya EItanya approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MatteoMori8 @EItanya