Description
When using the official Kagent tools image (ghcr.io/kagent-dev/kagent/tools) in an EKS environment to manage remote or cross-account clusters, authentication fails because the image lacks the necessary binary dependencies.
Most EKS kubeconfig configurations rely on the client.authentication.k8s.io/v1 exec plugin to dynamically fetch authentication tokens using the AWS CLI (e.g., command: aws). Because the current official image is distroless, it does not include the aws binary, preventing the MCP server from authenticating with the target Kubernetes API.
Steps to Reproduce
Deploy an MCPServer using the ghcr.io/kagent-dev/kagent/tools image.
Provide a kubeconfig via a Secret that uses the aws eks get-token exec command for authentication.
Observe the Kagent Dashboard or logs shows 0 tools
Expected Behavior
The MCP server should be able to execute the aws command defined in the kubeconfig to retrieve a valid token and connect to the cluster.
Actual Behavior
The MCP server fails to authenticate because the aws binary is not found in the container's $PATH. As a result, the server reports 0 tools discovered because it cannot reach the Kubernetes API.
Impact
Users are unable to use the native Kagent tools image for managing EKS clusters without building a custom image that includes the AWS CLI and its dependencies.
Suggested Fix/Workaround
Feature Request: Provide a "full" or "cloud" version of the tools image (e.g., tools:0.1.3-full) that includes common cloud CLIs like aws, gcloud, and az.
Current Workaround: Users must manually use a base image like debian or golang, install the AWS CLI at runtime, and download the tools binary.
Technical Summary for Maintainers
Image: ghcr.io/kagent-dev/kagent/tools:0.1.3
Error Context: exec: "aws": executable file not found in $PATH
Environment: EKS Cross-Account / Remote Cluster Management via IRSA.
Description
When using the official Kagent tools image (ghcr.io/kagent-dev/kagent/tools) in an EKS environment to manage remote or cross-account clusters, authentication fails because the image lacks the necessary binary dependencies.
Most EKS kubeconfig configurations rely on the client.authentication.k8s.io/v1 exec plugin to dynamically fetch authentication tokens using the AWS CLI (e.g., command: aws). Because the current official image is distroless, it does not include the aws binary, preventing the MCP server from authenticating with the target Kubernetes API.
Steps to Reproduce
Deploy an MCPServer using the ghcr.io/kagent-dev/kagent/tools image.
Provide a kubeconfig via a Secret that uses the aws eks get-token exec command for authentication.
Observe the Kagent Dashboard or logs shows 0 tools
Expected Behavior
The MCP server should be able to execute the aws command defined in the kubeconfig to retrieve a valid token and connect to the cluster.
Actual Behavior
The MCP server fails to authenticate because the aws binary is not found in the container's $PATH. As a result, the server reports 0 tools discovered because it cannot reach the Kubernetes API.
Impact
Users are unable to use the native Kagent tools image for managing EKS clusters without building a custom image that includes the AWS CLI and its dependencies.
Suggested Fix/Workaround
Feature Request: Provide a "full" or "cloud" version of the tools image (e.g., tools:0.1.3-full) that includes common cloud CLIs like aws, gcloud, and az.
Current Workaround: Users must manually use a base image like debian or golang, install the AWS CLI at runtime, and download the tools binary.
Technical Summary for Maintainers
Image: ghcr.io/kagent-dev/kagent/tools:0.1.3
Error Context: exec: "aws": executable file not found in $PATH
Environment: EKS Cross-Account / Remote Cluster Management via IRSA.