The MCP (Model Context Protocol) Client feature enables kubectl-ai to coordinate multiple specialized tools through natural language commands. This integration demonstrates automated security workflows that combine RBAC scanning with email reporting.
Problem: Traditional security audits require manual execution of multiple tools, data correlation, and report distribution—a time-consuming process prone to human error.
Solution: Single command orchestration across multiple MCP servers:
```bash
kubectl-ai --mcp-client --quiet "scan rbac and send urgent report to incident-team@company.com from sender@company.com"
```

Architecture Components:
- kubectl-ai: Central orchestrator interpreting natural language commands
- Permiflow: RBAC security scanning and analysis
- Resend: Automated email delivery service
- Additional servers: Documentation, reasoning, and extensible integrations
```mermaid
sequenceDiagram
    participant User
    participant kubectl-ai as kubectl-ai<br/>(MCP Client)
    participant Permiflow as Permiflow<br/>(MCP Server)
    participant K8s as Kubernetes<br/>Cluster
    participant Resend as Resend<br/>(MCP Server)
    participant Email as Email<br/>Recipient
    User->>kubectl-ai: "scan rbac and send report to admin@company.com"
    kubectl-ai->>Permiflow: scan_rbac()
    Permiflow->>K8s: Query RBAC policies
    K8s-->>Permiflow: Return roles, bindings, permissions
    Permiflow->>Permiflow: Analyze security risks
    Permiflow-->>kubectl-ai: Security findings report
    kubectl-ai->>kubectl-ai: Format report for email
    kubectl-ai->>Resend: send_email(to, from, subject, content)
    Resend->>Email: Deliver formatted security report
    Email-->>User: Email confirmation
    kubectl-ai-->>User: "✅ RBAC scan completed and report sent"
```
The command execution follows this sequence:
- kubectl-ai parses the natural language request
- Permiflow performs comprehensive RBAC analysis across cluster resources
- Resend formats and delivers the security report via email
Extensibility: The architecture supports additional MCP servers for Slack notifications, Jira ticket creation, compliance databases, and custom integrations.
Configure the MCP servers in ~/.config/kubectl-ai/mcp.yaml:
```yaml
servers:
  - name: resend
    command: node
    args:
      - "~/mcp-send-email/build/index.js"
    env:
      RESEND_API_KEY: "api-key-here"
  - name: permiflow
    url: http://localhost:8080/mcp
```

```bash
# 1. Start the Permiflow MCP server
permiflow mcp --transport http --http-port 8080

# 2. Execute kubectl-ai with MCP client enabled
kubectl-ai --mcp-client --quiet "scan rbac and send report to admin@company.com from sec@company.com"
```

Implement automated daily security scans using cron:
```bash
# Daily RBAC audit at 9 AM
0 9 * * * kubectl-ai --mcp-client --quiet "scan rbac and send daily report to admin@company.com from sec@company.com"
```

Execute immediate security assessments during incidents:

```bash
kubectl-ai --mcp-client --quiet "scan rbac for production namespace and send urgent report to incident-team@company.com from sec@company.com"
```

Launch kubectl-ai in interactive mode for exploratory analysis:
```bash
kubectl-ai --mcp-client
>>> "scan rbac and send report to admin@company.com"
>>> "analyze RBAC for kubeflow namespace"
>>> "show me the most dangerous permissions in production"
>>> "which service accounts can access secrets across namespaces?"
```

Execute specific security queries directly:

```bash
kubectl-ai --mcp-client "show wildcard permissions and suggest fixes"
```

Expand the automation capabilities by adding specialized servers:
```yaml
servers:
  - name: slack-notifier
    url: "https://slack-mcp.company.com/mcp"
  - name: jira-tickets
    url: "https://jira-mcp.company.com/mcp"
  - name: trivy-scanner
    command: npx
    args: ["-y", "@aquasecurity/trivy-mcp"]
```

Multi-Channel Incident Response:

```text
"scan rbac, create jira ticket, email security team, post to slack"
```

Compliance Automation:

```text
"scan vulnerabilities, update compliance database, email leadership"
```

- Unified Interface: Single natural language interface for multiple tools
- Automation: Reduces manual security audit processes
- Consistency: Standardized security scanning and reporting
- Extensibility: Modular architecture supports additional integrations
- Efficiency: Rapid security assessment and stakeholder notification
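
A static check for the `mcp.yaml` server definitions shown above, written as an added example and not part of kubectl-ai or Permiflow. The function names and the three rules (inline secrets, plain HTTP to non-loopback hosts, unpinned `npx` packages) are this example's own assumptions, and the config is passed in as an already-parsed mapping.

```python
import os
import re
import stat
from urllib.parse import urlparse

SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_servers(config):
    """Return (server, issue) findings for a parsed mcp.yaml mapping."""
    findings = []
    for srv in config.get("servers", []):
        name = srv.get("name", "<unnamed>")
        # A literal credential is exposed to anyone who can read the file.
        for key, value in (srv.get("env") or {}).items():
            if SECRET_NAME.search(key) and value:
                findings.append((name, f"inline secret in env.{key}"))
        # Scan results travel over this URL; allow plain HTTP on loopback only.
        url = urlparse(srv.get("url") or "")
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append((name, f"cleartext transport to {url.hostname}"))
        # No version pin: the release that runs is not fixed by this file.
        if os.path.basename(srv.get("command") or "") == "npx":
            args = srv.get("args") or []
            pkg = next((a for a in args if not a.startswith("-")), None)
            if pkg and "@" not in pkg[1:]:
                findings.append((name, f"unpinned npx package {pkg}"))
    return findings

def open_beyond_owner(path):
    """True if the config file grants group or other any permission."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample: both server lists from this page as one parsed mapping.
SAMPLE = {"servers": [
    {"name": "resend", "command": "node",
     "args": ["~/mcp-send-email/build/index.js"],
     "env": {"RESEND_API_KEY": "api-key-here"}},
    {"name": "permiflow", "url": "http://localhost:8080/mcp"},
    {"name": "slack-notifier", "url": "https://slack-mcp.company.com/mcp"},
    {"name": "jira-tickets", "url": "https://jira-mcp.company.com/mcp"},
    {"name": "trivy-scanner", "command": "npx",
     "args": ["-y", "@aquasecurity/trivy-mcp"]},
]}

if __name__ == "__main__":
    for server, issue in audit_servers(SAMPLE):
        print(f"{server}: {issue}")
```

To run it against a real file, load `~/.config/kubectl-ai/mcp.yaml` with a YAML parser (for example PyYAML's `yaml.safe_load`) and pass the result to `audit_servers`, then call `open_beyond_owner` on the path.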