Skip to main content

MCPServer

MCPServer defines a containerized MCP server managed by the ToolHive Kubernetes operator. The operator watches MCPServer resources and reconciles them into a running, proxied MCP server with the configured transport, authentication, telemetry, and tool filtering.

API: toolhive.stacklok.dev/v1beta1 · Scope: Namespaced · Short names: mcpserver, mcpservers

Example

mcpserver.yaml
apiVersion: toolhive.stacklok.dev/v1beta1
kind: MCPServer
metadata:
  name: my-mcpserver
  namespace: default
spec:
  image: <string>

Schema

spec

MCPServerSpec defines the desired state of MCPServer

FieldTypeDescription
argsstring[]

Args are additional arguments to pass to the MCP server

auditobject

Audit defines audit logging configuration for the MCP server

authServerRefobject

AuthServerRef optionally references a resource that configures an embedded OAuth 2.0/OIDC authorization server to authenticate MCP clients. Currently the only supported kind is MCPExternalAuthConfig (type: embeddedAuthServer).

authzConfigobject

AuthzConfig defines authorization policy configuration for the MCP server

backendReplicasinteger

BackendReplicas is the desired number of MCP server backend pod replicas. This controls the backend Deployment (the MCP server container itself), independent of the proxy runner controlled by Replicas. When nil, the operator does not set Deployment.Spec.Replicas, leaving replica management to an HPA or other external controller.


format int32 · min 0
endpointPrefixstring

EndpointPrefix is the path prefix to prepend to SSE endpoint URLs. This is used to handle path-based ingress routing scenarios where the ingress strips a path prefix before forwarding to the backend.

envobject[]

Env are environment variables to set in the MCP server container

externalAuthConfigRefobject

ExternalAuthConfigRef references a MCPExternalAuthConfig resource for external authentication. The referenced MCPExternalAuthConfig must exist in the same namespace as this MCPServer.

groupRefobject

GroupRef references the MCPGroup this server belongs to. The referenced MCPGroup must be in the same namespace.

imagerequiredstring

Image is the container image for the MCP server

mcpPortinteger

MCPPort is the port that MCP server listens to


format int32 · min 1 · max 65535
oidcConfigRefobject

OIDCConfigRef references a shared MCPOIDCConfig resource for OIDC authentication. The referenced MCPOIDCConfig must exist in the same namespace as this MCPServer. Per-server overrides (audience, scopes) are specified here; shared provider config lives in the MCPOIDCConfig resource.

permissionProfileobject

PermissionProfile defines the permission profile to use

podTemplateSpecobject

PodTemplateSpec defines the pod template to use for the MCP server This allows for customizing the pod configuration beyond what is provided by the other fields. Note that to modify the specific container the MCP server runs in, you must specify the `mcp` container name in the PodTemplateSpec. This field accepts a PodTemplateSpec object as JSON/YAML.

proxyModestring

ProxyMode is the proxy mode for stdio transport (sse or streamable-http) This setting is ONLY applicable when Transport is "stdio". For direct transports (sse, streamable-http), this field is ignored. The default value is applied by Kubernetes but will be ignored for non-stdio transports.


default "streamable-http" · enum: sse | streamable-http
proxyPortinteger

ProxyPort is the port to expose the proxy runner on


default 8080 · format int32 · min 1 · max 65535
rateLimitingobject

RateLimiting defines rate limiting configuration for the MCP server. Requires Redis session storage to be configured for distributed rate limiting.

replicasinteger

Replicas is the desired number of proxy runner (thv run) pod replicas. MCPServer creates two separate Deployments: one for the proxy runner and one for the MCP server backend. This field controls the proxy runner Deployment. When nil, the operator does not set Deployment.Spec.Replicas, leaving replica management to an HPA or other external controller.


format int32 · min 0
resourceOverridesobject

ResourceOverrides allows overriding annotations and labels for resources created by the operator

resourcesobject

Resources defines the resource requirements for the MCP server container

secretsobject[]

Secrets are references to secrets to mount in the MCP server container

serviceAccountstring

ServiceAccount is the name of an already existing service account to use by the MCP server. If not specified, a ServiceAccount will be created automatically and used by the MCP server.

sessionAffinitystring

SessionAffinity controls whether the Service routes repeated client connections to the same pod. MCP protocols (SSE, streamable-http) are stateful, so ClientIP is the default. Set to "None" for stateless servers or when using an external load balancer with its own affinity.


default "ClientIP" · enum: ClientIP | None
sessionStorageobject

SessionStorage configures session storage for stateful horizontal scaling. When nil, no session storage is configured.

telemetryConfigRefobject

TelemetryConfigRef references an MCPTelemetryConfig resource for shared telemetry configuration. The referenced MCPTelemetryConfig must exist in the same namespace as this MCPServer. Cross-namespace references are not supported for security and isolation reasons.

toolConfigRefobject

ToolConfigRef references a MCPToolConfig resource for tool filtering and renaming. The referenced MCPToolConfig must exist in the same namespace as this MCPServer. Cross-namespace references are not supported for security and isolation reasons.

transportstring

Transport is the transport method for the MCP server (stdio, streamable-http or sse)


default "stdio" · enum: stdio | streamable-http | sse
trustProxyHeadersboolean

TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies When enabled, the proxy will use X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Prefix headers to construct endpoint URLs


default false
volumesobject[]

Volumes are volumes to mount in the MCP server container

spec.audit

Audit defines audit logging configuration for the MCP server

FieldTypeDescription
enabledboolean

Enabled controls whether audit logging is enabled When true, enables audit logging with default configuration


default false
↑ Back to spec

spec.authServerRef

AuthServerRef optionally references a resource that configures an embedded OAuth 2.0/OIDC authorization server to authenticate MCP clients. Currently the only supported kind is MCPExternalAuthConfig (type: embeddedAuthServer).

FieldTypeDescription
kindrequiredstring

Kind identifies the type of the referenced resource.


default "MCPExternalAuthConfig" · enum: MCPExternalAuthConfig
namerequiredstring

Name is the name of the referenced resource in the same namespace.


minLength 1
↑ Back to spec

spec.authzConfig

AuthzConfig defines authorization policy configuration for the MCP server

FieldTypeDescription
configMapobject

ConfigMap references a ConfigMap containing authorization configuration Only used when Type is "configMap"

inlineobject

Inline contains direct authorization configuration Only used when Type is "inline"

typerequiredstring

Type is the type of authorization configuration


default "configMap" · enum: configMap | inline
↑ Back to spec
spec.authzConfig.configMap

ConfigMap references a ConfigMap containing authorization configuration Only used when Type is "configMap"

FieldTypeDescription
keystring

Key is the key in the ConfigMap that contains the authorization configuration


default "authz.json"
namerequiredstring

Name is the name of the ConfigMap

↑ Back to spec.authzConfig
spec.authzConfig.inline

Inline contains direct authorization configuration Only used when Type is "inline"

FieldTypeDescription
entitiesJsonstring

EntitiesJSON is a JSON string representing Cedar entities


default "[]"
policiesrequiredstring[]

Policies is a list of Cedar policy strings

↑ Back to spec.authzConfig

spec.env[]

Env are environment variables to set in the MCP server container

FieldTypeDescription
namerequiredstring

Name of the environment variable

valuerequiredstring

Value of the environment variable

↑ Back to spec

spec.externalAuthConfigRef

ExternalAuthConfigRef references a MCPExternalAuthConfig resource for external authentication. The referenced MCPExternalAuthConfig must exist in the same namespace as this MCPServer.

FieldTypeDescription
namerequiredstring

Name is the name of the MCPExternalAuthConfig resource

↑ Back to spec

spec.groupRef

GroupRef references the MCPGroup this server belongs to. The referenced MCPGroup must be in the same namespace.

FieldTypeDescription
namerequiredstring

Name is the name of the MCPGroup resource in the same namespace


minLength 1
↑ Back to spec

spec.oidcConfigRef

OIDCConfigRef references a shared MCPOIDCConfig resource for OIDC authentication. The referenced MCPOIDCConfig must exist in the same namespace as this MCPServer. Per-server overrides (audience, scopes) are specified here; shared provider config lives in the MCPOIDCConfig resource.

FieldTypeDescription
audiencerequiredstring

Audience is the expected audience for token validation. This MUST be unique per server to prevent token replay attacks.


minLength 1
namerequiredstring

Name is the name of the MCPOIDCConfig resource


minLength 1
resourceUrlstring

ResourceURL is the public URL for OAuth protected resource metadata (RFC 9728). When the server is exposed via Ingress or gateway, set this to the external URL that MCP clients connect to. If not specified, defaults to the internal Kubernetes service URL.

scopesstring[]

Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728). If empty, defaults to ["openid"].

↑ Back to spec

spec.permissionProfile

PermissionProfile defines the permission profile to use

FieldTypeDescription
keystring

Key is the key in the ConfigMap that contains the permission profile Only used when Type is "configmap"

namerequiredstring

Name is the name of the permission profile If Type is "builtin", Name must be one of: "none", "network" If Type is "configmap", Name is the name of the ConfigMap

typerequiredstring

Type is the type of permission profile reference


default "builtin" · enum: builtin | configmap
↑ Back to spec

spec.rateLimiting

RateLimiting defines rate limiting configuration for the MCP server. Requires Redis session storage to be configured for distributed rate limiting.

FieldTypeDescription
perUserobject

PerUser is a token bucket applied independently to each authenticated user at the server level. Requires authentication to be enabled. Each unique userID creates Redis keys that expire after 2x refillPeriod. Memory formula: unique_users_per_TTL_window * (1 + num_tools_with_per_user_limits) keys.

sharedobject

Shared is a token bucket shared across all users for the entire server.

toolsobject[]

Tools defines per-tool rate limit overrides. Each entry applies additional rate limits to calls targeting a specific tool name. A request must pass both the server-level limit and the per-tool limit.

↑ Back to spec
spec.rateLimiting.perUser

PerUser is a token bucket applied independently to each authenticated user at the server level. Requires authentication to be enabled. Each unique userID creates Redis keys that expire after 2x refillPeriod. Memory formula: unique_users_per_TTL_window * (1 + num_tools_with_per_user_limits) keys.

FieldTypeDescription
maxTokensrequiredinteger

MaxTokens is the maximum number of tokens (bucket capacity). This is also the burst size: the maximum number of requests that can be served instantaneously before the bucket is depleted.


format int32 · min 1
refillPeriodrequiredstring

RefillPeriod is the duration to fully refill the bucket from zero to maxTokens. The effective refill rate is maxTokens / refillPeriod tokens per second. Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").

↑ Back to spec.rateLimiting
spec.rateLimiting.shared

Shared is a token bucket shared across all users for the entire server.

FieldTypeDescription
maxTokensrequiredinteger

MaxTokens is the maximum number of tokens (bucket capacity). This is also the burst size: the maximum number of requests that can be served instantaneously before the bucket is depleted.


format int32 · min 1
refillPeriodrequiredstring

RefillPeriod is the duration to fully refill the bucket from zero to maxTokens. The effective refill rate is maxTokens / refillPeriod tokens per second. Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").

↑ Back to spec.rateLimiting
spec.rateLimiting.tools[]

Tools defines per-tool rate limit overrides. Each entry applies additional rate limits to calls targeting a specific tool name. A request must pass both the server-level limit and the per-tool limit.

FieldTypeDescription
namerequiredstring

Name is the MCP tool name this limit applies to.


minLength 1
perUserobject

PerUser token bucket configuration for this tool.

sharedobject

Shared token bucket for this specific tool.

↑ Back to spec.rateLimiting
spec.rateLimiting.tools.perUser

PerUser token bucket configuration for this tool.

FieldTypeDescription
maxTokensrequiredinteger

MaxTokens is the maximum number of tokens (bucket capacity). This is also the burst size: the maximum number of requests that can be served instantaneously before the bucket is depleted.


format int32 · min 1
refillPeriodrequiredstring

RefillPeriod is the duration to fully refill the bucket from zero to maxTokens. The effective refill rate is maxTokens / refillPeriod tokens per second. Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").

↑ Back to spec.rateLimiting.tools
spec.rateLimiting.tools.shared

Shared token bucket for this specific tool.

FieldTypeDescription
maxTokensrequiredinteger

MaxTokens is the maximum number of tokens (bucket capacity). This is also the burst size: the maximum number of requests that can be served instantaneously before the bucket is depleted.


format int32 · min 1
refillPeriodrequiredstring

RefillPeriod is the duration to fully refill the bucket from zero to maxTokens. The effective refill rate is maxTokens / refillPeriod tokens per second. Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").

↑ Back to spec.rateLimiting.tools

spec.resourceOverrides

ResourceOverrides allows overriding annotations and labels for resources created by the operator

FieldTypeDescription
proxyDeploymentobject

ProxyDeployment defines overrides for the Proxy Deployment resource (toolhive proxy)

proxyServiceobject

ProxyService defines overrides for the Proxy Service resource (points to the proxy deployment)

↑ Back to spec
spec.resourceOverrides.proxyDeployment

ProxyDeployment defines overrides for the Proxy Deployment resource (toolhive proxy)

FieldTypeDescription
annotationsmap<string, string>

Annotations to add or override on the resource

envobject[]

Env are environment variables to set in the proxy container (thv run process) These affect the toolhive proxy itself, not the MCP server it manages Use TOOLHIVE_DEBUG=true to enable debug logging in the proxy

imagePullSecretsobject[]

ImagePullSecrets allows specifying image pull secrets for the proxy runner These are applied to both the Deployment and the ServiceAccount

labelsmap<string, string>

Labels to add or override on the resource

podTemplateMetadataOverridesobject

ResourceMetadataOverrides defines metadata overrides for a resource

↑ Back to spec.resourceOverrides
spec.resourceOverrides.proxyDeployment.env[]

Env are environment variables to set in the proxy container (thv run process) These affect the toolhive proxy itself, not the MCP server it manages Use TOOLHIVE_DEBUG=true to enable debug logging in the proxy

FieldTypeDescription
namerequiredstring

Name of the environment variable

valuerequiredstring

Value of the environment variable

↑ Back to spec.resourceOverrides.proxyDeployment
spec.resourceOverrides.proxyDeployment.imagePullSecrets[]

ImagePullSecrets allows specifying image pull secrets for the proxy runner These are applied to both the Deployment and the ServiceAccount

FieldTypeDescription
namestring

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names


default ""
↑ Back to spec.resourceOverrides.proxyDeployment
spec.resourceOverrides.proxyDeployment.podTemplateMetadataOverrides

ResourceMetadataOverrides defines metadata overrides for a resource

FieldTypeDescription
annotationsmap<string, string>

Annotations to add or override on the resource

labelsmap<string, string>

Labels to add or override on the resource

↑ Back to spec.resourceOverrides.proxyDeployment
spec.resourceOverrides.proxyService

ProxyService defines overrides for the Proxy Service resource (points to the proxy deployment)

FieldTypeDescription
annotationsmap<string, string>

Annotations to add or override on the resource

labelsmap<string, string>

Labels to add or override on the resource

↑ Back to spec.resourceOverrides

spec.resources

Resources defines the resource requirements for the MCP server container

FieldTypeDescription
limitsobject

Limits describes the maximum amount of compute resources allowed

requestsobject

Requests describes the minimum amount of compute resources required

↑ Back to spec
spec.resources.limits

Limits describes the maximum amount of compute resources allowed

FieldTypeDescription
cpustring

CPU is the CPU limit in cores (e.g., "500m" for 0.5 cores)

memorystring

Memory is the memory limit in bytes (e.g., "64Mi" for 64 megabytes)

↑ Back to spec.resources
spec.resources.requests

Requests describes the minimum amount of compute resources required

FieldTypeDescription
cpustring

CPU is the CPU limit in cores (e.g., "500m" for 0.5 cores)

memorystring

Memory is the memory limit in bytes (e.g., "64Mi" for 64 megabytes)

↑ Back to spec.resources

spec.secrets[]

Secrets are references to secrets to mount in the MCP server container

FieldTypeDescription
keyrequiredstring

Key is the key in the secret itself

namerequiredstring

Name is the name of the secret

targetEnvNamestring

TargetEnvName is the environment variable to be used when setting up the secret in the MCP server If left unspecified, it defaults to the key

↑ Back to spec

spec.sessionStorage

SessionStorage configures session storage for stateful horizontal scaling. When nil, no session storage is configured.

FieldTypeDescription
addressstring

Address is the Redis server address (required when provider is redis)


minLength 1
dbinteger

DB is the Redis database number


default 0 · format int32 · min 0
keyPrefixstring

KeyPrefix is an optional prefix for all Redis keys used by ToolHive

passwordRefobject

PasswordRef is a reference to a Secret key containing the Redis password

providerrequiredstring

Provider is the session storage backend type


enum: memory | redis
↑ Back to spec
spec.sessionStorage.passwordRef

PasswordRef is a reference to a Secret key containing the Redis password

FieldTypeDescription
keyrequiredstring

Key is the key within the secret

namerequiredstring

Name is the name of the secret

↑ Back to spec.sessionStorage

spec.telemetryConfigRef

TelemetryConfigRef references an MCPTelemetryConfig resource for shared telemetry configuration. The referenced MCPTelemetryConfig must exist in the same namespace as this MCPServer. Cross-namespace references are not supported for security and isolation reasons.

FieldTypeDescription
namerequiredstring

Name is the name of the MCPTelemetryConfig resource


minLength 1
serviceNamestring

ServiceName overrides the telemetry service name for this specific server. This MUST be unique per server for proper observability (e.g., distinguishing traces and metrics from different servers sharing the same collector). If empty, defaults to the server name with "thv-" prefix at runtime.

↑ Back to spec

spec.toolConfigRef

ToolConfigRef references a MCPToolConfig resource for tool filtering and renaming. The referenced MCPToolConfig must exist in the same namespace as this MCPServer. Cross-namespace references are not supported for security and isolation reasons.

FieldTypeDescription
namerequiredstring

Name is the name of the MCPToolConfig resource in the same namespace

↑ Back to spec

spec.volumes[]

Volumes are volumes to mount in the MCP server container

FieldTypeDescription
hostPathrequiredstring

HostPath is the path on the host to mount

mountPathrequiredstring

MountPath is the path in the container to mount to

namerequiredstring

Name is the name of the volume

readOnlyboolean

ReadOnly specifies whether the volume should be mounted read-only


default false
↑ Back to spec

status

MCPServerStatus defines the observed state of MCPServer

FieldTypeDescription
authServerConfigHashstring

AuthServerConfigHash is the hash of the referenced authServerRef spec, used to detect configuration changes and trigger reconciliation.

conditionsobject[]

Conditions represent the latest available observations of the MCPServer's state

externalAuthConfigHashstring

ExternalAuthConfigHash is the hash of the referenced MCPExternalAuthConfig spec

messagestring

Message provides additional information about the current phase

observedGenerationinteger

ObservedGeneration reflects the generation most recently observed by the controller


format int64
oidcConfigHashstring

OIDCConfigHash is the hash of the referenced MCPOIDCConfig spec for change detection

phasestring

Phase is the current phase of the MCPServer


enum: Pending | Ready | Failed | Terminating | Stopped
readyReplicasinteger

ReadyReplicas is the number of ready proxy replicas


format int32
telemetryConfigHashstring

TelemetryConfigHash is the hash of the referenced MCPTelemetryConfig spec for change detection

toolConfigHashstring

ToolConfigHash stores the hash of the referenced ToolConfig for change detection

urlstring

URL is the URL where the MCP server can be accessed

status.conditions[]

Conditions represent the latest available observations of the MCPServer's state

FieldTypeDescription
lastTransitionTimerequiredstring

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.


format date-time
messagerequiredstring

message is a human readable message indicating details about the transition. This may be an empty string.


maxLength 32768
observedGenerationinteger

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.


format int64 · min 0
reasonrequiredstring

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.


pattern ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ · minLength 1 · maxLength 1024
statusrequiredstring

status of the condition, one of True, False, Unknown.


enum: True | False | Unknown
typerequiredstring

type of condition in CamelCase or in foo.example.com/CamelCase.


pattern ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ · maxLength 316
↑ Back to status

References: