Add MCPRemoteProxy documentation for Kubernetes operator #267
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
This commit adds comprehensive documentation for the MCPRemoteProxy CRD, which enables proxying remote MCP servers in Kubernetes with authentication, authorization, audit logging, and tool filtering capabilities. Key features documented: - Overview and use cases for enterprise SaaS MCP servers - Basic configuration with OIDC authentication - Multiple authentication methods (inline OIDC, ConfigMap, Kubernetes SA) - Authorization policies using Cedar policy language - Tool filtering and renaming with MCPToolConfig - Token exchange for federated authentication - Quick start example for testing - Exposing proxies externally with Ingress - Telemetry and observability (audit logs, Prometheus, OpenTelemetry) - Comprehensive troubleshooting guide The documentation follows the project's style guide and includes: - Realistic enterprise examples (avoiding GitHub since it doesn't support OIDC) - Practical troubleshooting based on real deployment scenarios - Correct Kubernetes label selectors verified against actual cluster resources - Cross-references to related documentation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
| The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds comprehensive documentation for the MCPRemoteProxy CRD, which enables Kubernetes-based proxying of remote MCP servers with enterprise features like authentication, authorization, audit logging, and tool filtering.
Key changes:
- Introduces a new documentation page covering MCPRemoteProxy configuration, use cases, and operational guidance
- Adds the new guide to the Kubernetes Operator section in the documentation sidebar
- Provides practical examples for enterprise deployments with OIDC authentication and Cedar policy-based authorization
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| sidebars.ts | Adds the remote MCP proxy guide to the Kubernetes guides section |
| docs/toolhive/guides-k8s/remote-mcp-proxy.mdx | New comprehensive guide covering MCPRemoteProxy setup, authentication methods, authorization policies, tool filtering, telemetry, and troubleshooting |
jhrozek reviewed Oct 29, 2025
Contributor
jhrozek left a comment
jhrozek left a comment There was a problem hiding this comment.
I read the documentation (human review) and I like how it flows and reads. The review agent found a couple of issues.
Fixes identified by copilot-pull-request-reviewer: 1. Clarified that principal attributes are examples from JWT tokens, with actual attributes depending on IDP configuration 2. Fixed capitalization: "User ID" instead of "user ID" 3. Improved JWT decoding command to handle base64url encoding and missing padding, with explanatory note 4. Fixed Cedar policy action names throughout: - Action::"tools/list" → Action::"list_tools" - Action::"tools/call" → Action::"call_tool" 5. Changed token exchange scope from string to array: - scope: 'analytics:read analytics:write' - scopes: ['analytics:read', 'analytics:write'] 6. Updated Prometheus metric names to match actual implementation: - toolhive_mcp_requests_total - toolhive_mcp_request_duration_seconds - toolhive_mcp_tool_calls_total - toolhive_mcp_active_connections 7. Fixed audit log JSON structure to match actual format: - Moved auditId to metadata.auditId - Moved duration_ms and transport to metadata.extra - Changed target.tool to target.name - Added required fields: loggedAt, source, component 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
jhrozek approved these changes Oct 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds comprehensive documentation for the MCPRemoteProxy CRD, which enables proxying remote MCP servers in Kubernetes with authentication, authorization, audit logging, and tool filtering capabilities.
Changes
docs/toolhive/guides-k8s/remote-mcp-proxy.mdxDocumentation Highlights
Features Covered
Documentation Quality
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com