Add node_files tool for privileged node filesystem operations

[ngopalak-redhat]

This PR adds a new node_files MCP tool that enables AI assistants like Claude to perform file operations on Kubernetes node filesystems through temporary privileged pods.

Motivation

AI tools are effective at identifying the specific node files needed for debugging (e.g., kernel configs, system logs, cgroup settings). However, the manual workflow of creating privileged debug pods and copying files is time-consuming and repetitive. While kubectl cp and kubectl debug achieve the same goal, they require constant monitoring and are slower when fetching multiple files (10-15+) for analysis.

Key Features

• Three operations: put (copy to node), get (copy from node), list (directory listing)
• Auto-cleanup: Temporary privileged pod is automatically deleted after operation
• Configurable:
  • namespace: Defaults to default (not all clusters allow privileged pods in all namespaces)
  • image: Defaults to busybox (organizations can specify approved images)
  • privileged: Can be toggled if needed

Use Cases

1. Rapid multi-file debugging: Fetch and analyze 10-15 files together for comprehensive troubleshooting
2. Verification: Quickly verify configuration changes applied to nodes
3. Monitoring: Use list operation to monitor file creation/changes
4. Privileged file access: Access files requiring privileged permissions (note: use nodes_log for standard logging via kubelet proxy)

Note: I didn't add any zipping feature as I observed in most cases the files fetched need to analyzed by other AI tool. Zipping slows it down. It can be considered later.

Performance

Significantly faster than manual debug pod creation - the MCP server handles pod lifecycle automatically, allowing Claude to focus on analysis rather than cluster operations.

Examples

Get node system information:
  Get /proc/cpuinfo and /proc/meminfo from node ip-10-0-119-110.ec2.internal

  Debug cgroup settings:
  Get /sys/fs/cgroup/memory.max from node ip-10-0-50-25.ec2.internal
  Verify memory limits applied at the cgroup level.

  Monitor kubelet configuration changes:
  List /etc/kubernetes/kubelet.conf on all nodes
  Verify if kubelet config updates were rolled out correctly.

[ngopalak-redhat]

/assign @manusa This is similar to the other PRs you have been reviewing in the nodes.

[ngopalak-redhat]

@manusa thank you very much for your reviews on the previous PRs. I've rebased this PR and moved the test to a different file, similar to the earlier PR.

[ngopalak-redhat]

@manusa I still believe this provides value. Would you be open to reconsidering this?

[manusa]

For other operations we're using the k.NamespaceOrDefault method.
I'm not sure if this would apply here too.

[manusa]

Since the purpose of the tool/feature is to perform file operations is there any value in being able to customize the used image?

I understand, that changing the image might also break the implementation. Wouldn't it be better to use a specific image that can be freely pulled and that worked on any cluster?

[manusa]

Note to self: this is a good candidate to try out MCP progress notifications (Not in this PR)

• https://modelcontextprotocol.io/specification/2025-06-18/basic/utilities/progress
• How to handle timeouts #416
• feat(kiali): Consolidate kiali tools from 20 to 6 #496 (comment)

[manusa]

For the copy operations we should probably replicate what kubectl does to ensure the behavior is consistent:

https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/cp/cp.go

Personally, I've had some bad experiences with the implementation of these operations in the Fabric8 Kubernetes Client

[manusa]

@manusa I still believe this provides value. Would you be open to reconsidering this?

Hi, @ngopalak-redhat
Sorry for the lack of replies. The last couple of weeks have been crazy.
I added a few comments to the current implementation. Feature-wise sound like something useful to me, not sure what the rest of the team thinks.

I added a few comments.