Skip to content

feat(crd): add security context and resource configuration support#113

Merged
jmhbh merged 1 commit intokagent-dev:mainfrom
skhedim:feat/add-security-and-resource-fields
Jan 27, 2026
Merged

feat(crd): add security context and resource configuration support#113
jmhbh merged 1 commit intokagent-dev:mainfrom
skhedim:feat/add-security-and-resource-fields

Conversation

@skhedim
Copy link
Contributor

@skhedim skhedim commented Jan 13, 2026

Add Security Context and Resource Configuration Support to MCPServer CRD

Summary

This PR adds comprehensive security and resource configuration options to the MCPServer CRD, enabling production-ready deployments that follow Kubernetes security best practices and provide fine-grained control over resource allocation and pod scheduling.

Motivation

Currently, the MCPServer CRD has limited configuration options for production deployments. Organizations deploying MCP servers in production environments need:

  • Security controls: Pod and container security contexts to enforce security policies
  • Resource management: CPU/memory requests and limits to ensure predictable resource usage
  • Pod scheduling: Node selectors, affinity rules, and tolerations for proper workload placement
  • Metadata management: Custom labels and annotations for monitoring, cost allocation, and governance
  • Multi-tenancy: Registry credentials and replica configuration for scalable deployments

Changes Made

New fields added to MCPServerDeployment:

Security & Access Control

  • securityContext – Container-level security context (e.g., runAsNonRoot, capabilities, etc.)
  • podSecurityContext – Pod-level security context (e.g., fsGroup, seccompProfile, etc.)
  • imagePullSecrets – Registry credentials for private container images

Resource Management

  • resources – CPU/memory requests and limits for the main container
  • replicas – Number of pod replicas for horizontal scaling

Pod Scheduling

  • tolerations – Node tolerations for tainted nodes
  • affinity – Pod/node affinity and anti-affinity rules
  • nodeSelector – Node selection constraints

Metadata

  • labels – Custom labels applied to pods
  • annotations – Custom annotations applied to pods

New fields added to InitContainerConfig:

  • resources – CPU/memory requests and limits for init container
  • securityContext – Container-level security context for init container

Design Decisions

  • Backward Compatibility: All new fields are optional to maintain compatibility with existing MCPServer resources
  • Security Context Inheritance: When initContainer.securityContext is not specified, it inherits from the main container's securityContext for consistent security policies
  • Kubernetes Standards: Field names and structures follow standard Kubernetes conventions for consistency with other CRDs

@skhedim skhedim force-pushed the feat/add-security-and-resource-fields branch from e701bd7 to aeea2ed Compare January 13, 2026 10:26
@skhedim skhedim force-pushed the feat/add-security-and-resource-fields branch from aeea2ed to d9b4d32 Compare January 21, 2026 10:23
@skhedim
feat(crd): add security context and resource configuration support
521e30f 
Add comprehensive security and resource configuration options to the
MCPServer CRD to enable production-ready deployments following
Kubernetes security best practices.

Signed-off-by: skhedim <sebastien.khedim@gmail.com>
@skhedim skhedim force-pushed the feat/add-security-and-resource-fields branch from d9b4d32 to 521e30f Compare January 21, 2026 10:29
jmhbh
jmhbh approved these changes Jan 27, 2026
View reviewed changes
Copy link
Collaborator

@jmhbh jmhbh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jmhbh jmhbh merged commit 6bd1712 into kagent-dev:main Jan 27, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmhbh jmhbh jmhbh approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skhedim @jmhbh