MCP Installation

Install

brew install kubeshark

Or download from GitHub Releases.


Connect an AI Agent

Claude Code:

claude mcp add kubeshark -- kubeshark mcp

Cursor / VS Code: Add to your MCP configuration:

{
  "mcpServers": {
    "kubeshark": {
      "command": "kubeshark",
      "args": ["mcp"]
    }
  }
}

Without kubectl access (connect directly to an existing deployment):

claude mcp add kubeshark -- kubeshark mcp --url https://kubeshark.example.com

Gated Hub (tap.auth.enabled: true): the MCP surface is gated on the mcp:use capability (granted to kubeshark-admin). In the default proxy mode (with kube access) the CLI mints and auto-renews a short-lived kubeshark-cli ServiceAccount token for you. In --url mode it can’t mint one, so pass a token explicitly:

export KUBESHARK_HUB_TOKEN=$(kubectl create token kubeshark-cli --audience kubeshark-hub)
kubeshark mcp --url https://kubeshark.example.com --token "$KUBESHARK_HUB_TOKEN"

The --url token is short-lived and does not auto-renew — on a 401 the CLI tells you to re-mint and restart. This requires tap.auth.cli.enabled: true and your identity listed under tap.auth.cli.subjects. See Roles & Permissions.


CLI Options

OptionDescription
--urlConnect directly to Kubeshark URL (no kubectl required)
--tokenServiceAccount / bearer token for a gated Hub in --url mode; also read from KUBESHARK_HUB_TOKEN. Mint with kubectl create token kubeshark-cli --audience kubeshark-hub. Ignored without --url (proxy mode mints and auto-renews the token from kube access).
--kubeconfigPath to kubeconfig file
--allow-destructiveEnable start/stop Kubeshark operations
--list-toolsList available MCP tools and exit

What’s Next