MCP Tools Reference: container.googleapis.com

Tool: `check_k8s_auth`

Checks whether an action is allowed on a Kubernetes resource. This is similar to running kubectl auth can-i .

The following sample demonstrate how to use curl to invoke the check_k8s_auth MCP tool.

Curl Request
curl --location 'https://container.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "check_k8s_auth", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } '

Curl Request

  
curl  
--location  
 'https://container.googleapis.com/mcp' 
  
 \ 
--header  
 'content-type: application/json' 
  
 \ 
--header  
 'accept: application/json, text/event-stream' 
  
 \ 
--data  
 '{ 
 "method": "tools/call", 
 "params": { 
 "name": "check_k8s_auth", 
 "arguments": { 
 // provide these details according to the tool' 
s  
MCP  
specification  
 } 
  
 } 
,  
 "jsonrpc" 
:  
 "2.0" 
,  
 "id" 
:  
 1 
 } 
 '

Input Schema

Request for checking authorization for a Kubernetes resource.

CheckK8SAuthRequest

JSON representation
{ "parent" : string , "verb" : string , "resourceType" : string , "namespace" : string , "resource" : string }

Fields
`parent`	`string` Required. The cluster to check authorization against. Format: projects/{project}/locations/{location}/clusters/{cluster}
`verb`	`string` Required. The verb to check. e.g. "get", "list", "watch", "create", "update", "patch", "delete".
`resourceType`	`string` Required. The type of resource to check. e.g. "pods", "deployments", "services".
`namespace`	`string` Optional. The namespace of the resource. If not specified, "default" is used for namespace-scoped resources.
`resource`	`string` Optional. The name of the resource to check.

Output Schema

Response for checking authorization for a Kubernetes resource.

CheckK8SAuthResponse

JSON representation
{ "result" : string , "errors" : [ { object ( `Status` ) } ] }

Fields

Fields
`result`	`string` The result of auth can-i check.
`errors[]`	`object ( Status )` Errors encountered during auth check.

result

string

The result of auth can-i check.

errors[]

object ( Status )

Errors encountered during auth check.

Status

JSON representation
{ "code" : integer , "message" : string , "details" : [ { "@type" : string , field1 : ... , ... } ] }

Fields

Fields
`code`	`integer` The status code, which should be an enum value of `google.rpc.Code` .
`message`	`string` A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the `google.rpc.Status.details` field, or localized by the client.
`details[]`	`object` A list of messages that carry the error details. There is a common set of message types for APIs to use. An object containing fields of an arbitrary type. An additional field `"@type"` contains a URI identifying the type. Example: `{ "id": 1234, "@type": "types.example.com/standard/id" }` .

code

integer

The status code, which should be an enum value of google.rpc.Code .

message

string

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.

details[]

object

A list of messages that carry the error details. There is a common set of message types for APIs to use.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" } .

Any

JSON representation
{ "typeUrl" : string , "value" : string }

Fields

Fields
`typeUrl`	`string` Identifies the type of the serialized Protobuf message with a URI reference consisting of a prefix ending in a slash and the fully-qualified type name. Example: type.googleapis.com/google.protobuf.StringValue This string must contain at least one `/` character, and the content after the last `/` must be the fully-qualified name of the type in canonical form, without a leading dot. Do not write a scheme on these URI references so that clients do not attempt to contact them. The prefix is arbitrary and Protobuf implementations are expected to simply strip off everything up to and including the last `/` to identify the type. `type.googleapis.com/` is a common default prefix that some legacy implementations require. This prefix does not indicate the origin of the type, and URIs containing it are not expected to respond to any requests. All type URL strings must be legal URI references with the additional restriction (for the text format) that the content of the reference must consist only of alphanumeric characters, percent-encoded escapes, and characters in the following set (not including the outer backticks): `/-.~_!$&()*+,;=` . Despite our allowing percent encodings, implementations should not unescape them to prevent confusion with existing parsers. For example, `type.googleapis.com%2FFoo` should be rejected. In the original design of `Any` , the possibility of launching a type resolution service at these type URLs was considered but Protobuf never implemented one and considers contacting these URLs to be problematic and a potential security issue. Do not attempt to contact type URLs.
`value`	`string ( bytes format)` Holds a Protobuf serialization of the type described by type_url. A base64-encoded string.

typeUrl

string

Identifies the type of the serialized Protobuf message with a URI reference consisting of a prefix ending in a slash and the fully-qualified type name.

Example: type.googleapis.com/google.protobuf.StringValue

This string must contain at least one / character, and the content after the last / must be the fully-qualified name of the type in canonical form, without a leading dot. Do not write a scheme on these URI references so that clients do not attempt to contact them.

The prefix is arbitrary and Protobuf implementations are expected to simply strip off everything up to and including the last / to identify the type. type.googleapis.com/ is a common default prefix that some legacy implementations require. This prefix does not indicate the origin of the type, and URIs containing it are not expected to respond to any requests.

All type URL strings must be legal URI references with the additional restriction (for the text format) that the content of the reference must consist only of alphanumeric characters, percent-encoded escapes, and characters in the following set (not including the outer backticks): /-.~_!$&()*+,;= . Despite our allowing percent encodings, implementations should not unescape them to prevent confusion with existing parsers. For example, type.googleapis.com%2FFoo should be rejected.

In the original design of Any , the possibility of launching a type resolution service at these type URLs was considered but Protobuf never implemented one and considers contacting these URLs to be problematic and a potential security issue. Do not attempt to contact type URLs.

value

string ( bytes format)

Holds a Protobuf serialization of the type described by type_url.

A base64-encoded string.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌

MCP Tools Reference: container.googleapis.com Stay organized with collections Save and categorize content based on your preferences.

Tool: check_k8s_auth

Input Schema

CheckK8SAuthRequest

Output Schema

CheckK8SAuthResponse

Status

Any

Tool Annotations

MCP Tools Reference: container.googleapis.com

Tool: `check_k8s_auth`