Description
Summary
When using the Kubernetes MCP server via Docker MCP Gateway on Windows, the server fails with "Permission denied" when trying to read the kubeconfig file. The issue is that the gateway mounts the kubeconfig to /root/.kube/config, but the mcp/kubernetes container runs as appuser (uid 1001), not root.
Environment
- Windows 11
- Docker Desktop 29.1.2
- Docker MCP v0.28.0
- K3S cluster (5 nodes, works fine with local kubectl)
Steps to Reproduce
- Enable the kubernetes server in Docker MCP:
  docker mcp server enable kubernetes
  docker mcp config set kubernetes.config_path "C:\Users\harry\.kube\config"
- Connect to VS Code:
  docker mcp client connect vscode
- Try to use any kubernetes tool - it fails silently or returns no data
Root Cause Analysis
The mcp/kubernetes container runs as appuser, not root:
$ docker run --rm mcp/kubernetes id
uid=1001(appuser) gid=1001(appuser) groups=1001(appuser)
Mounting to /root/.kube/config fails because appuser cannot access /root:
$ docker run --rm -v "$HOME/.kube/config:/root/.kube/config" mcp/kubernetes cat /root/.kube/config
cat: /root/.kube/config: Permission denied
But mounting to /home/appuser/.kube/config works perfectly:
$ docker run --rm -v "$HOME/.kube/config:/home/appuser/.kube/config" mcp/kubernetes kubectl get nodes
NAME STATUS ROLES AGE VERSION
k3s-01 Ready control-plane,etcd,master 9d v1.26.10+k3s2
k3s-02 Ready none 9d v1.26.10+k3s2
k3s-03 Ready none 9d v1.26.10+k3s2
k3s-04 Ready none 9d v1.26.10+k3s2
k3s-05 Ready none 9d v1.26.10+k3s2
Expected Behavior
The Docker MCP Gateway should mount the kubeconfig to /home/appuser/.kube/config (or the appropriate home directory based on the container's user) instead of /root/.kube/config.
Note
The mcp-server-kubernetes documentation (ADVANCED_README.md) already correctly documents that the mount path should be /home/appuser/.kube/config. The issue is that the Docker MCP Gateway is using the wrong path when mounting the config file.
Workaround
None currently - the gateway handles the container startup and mount paths internally.
Related
I initially filed this against Flux159/mcp-server-kubernetes but closed it after discovering the issue is in the gateway's mount path logic, not the kubernetes server image itself. See: Flux159/mcp-server-kubernetes#243
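An added example, not part of the original issue and not the gateway's own code: one way to derive the kubeconfig mount target from the user an image runs as, instead of hardcoding /root. The function names are hypothetical, and the passwd content is a constructed sample matching the `id` output above; in practice the inputs would be the image's configured user and its /etc/passwd.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample of an image's /etc/passwd, matching the `id` output above.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
appuser:x:1001:1001::/home/appuser:/bin/sh
`

// homeForUser returns the home directory of the user an image runs as.
// userSpec is the image's user: "", "name", "uid", "name:group" or "uid:gid".
func homeForUser(userSpec, passwd string) (string, error) {
	user, _, _ := strings.Cut(userSpec, ":") // drop the optional group part
	if user == "" {
		user = "0" // no configured user means the container runs as root
	}
	for _, line := range strings.Split(passwd, "\n") {
		// Fields: name:password:uid:gid:gecos:home:shell
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) == 7 && (f[0] == user || f[2] == user) {
			return f[5], nil
		}
	}
	return "", fmt.Errorf("no passwd entry for user %q", user)
}

// kubeconfigTarget is the in-container path the kubeconfig should be mounted at.
func kubeconfigTarget(userSpec, passwd string) (string, error) {
	home, err := homeForUser(userSpec, passwd)
	if err != nil {
		return "", err // refuse to guess: a wrong guess is the bug in this issue
	}
	if !path.IsAbs(home) {
		return "", fmt.Errorf("home %q is not an absolute path", home)
	}
	return path.Join(home, ".kube", "config"), nil
}

func main() {
	for _, spec := range []string{"", "appuser", "1001:1001", "4242"} {
		target, err := kubeconfigTarget(spec, samplePasswd)
		fmt.Printf("user=%q target=%q err=%v\n", spec, target, err)
	}
}
```

Returning an error for an unknown user makes the failure visible at startup rather than as a silent "Permission denied" inside the container.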