A Model Context Protocol (MCP) server that provides AI assistants with access to operational data from Kubernetes, Prometheus, Elasticsearch, and Jaeger.
Ops MCP Server enables AI assistants to query and interact with your observability stack through a unified MCP interface:
- Kubernetes Events: Monitor pods, deployments, and cluster events
- Prometheus Metrics: Query metrics with natural language
- Elasticsearch Logs: Search and analyze logs
- SOPS Operations: Execute standardized operational procedures
- Jaeger Traces: Investigate performance issues
- Modular Design: Enable only the modules you need
- Multiple Protocols: HTTP/SSE and stdio modes
- Production Ready: Built with Go, optimized for performance
- Configurable: YAML configuration with environment variable support
execute-sop-from-ops- Execute operational procedureslist-sops-from-ops- List available proceduresget-sop-parameters-from-ops- Get procedure parameters
get-events-from-ops- Get Kubernetes eventslist-events-from-ops- List event types
list-metrics-from-prometheus- List available metricsquery-metrics-from-prometheus- Execute instant queriesquery-metrics-range-from-prometheus- Execute range queries
search-logs-from-elasticsearch- Full-text search across log messageslist-log-indices-from-elasticsearch- List all available log indicesquery-logs-from-elasticsearch- Query logs using ES|QL (Elasticsearch Query Language)
get-services-from-jaeger- List servicesget-operations-from-jaeger- List operationsget-trace-from-jaeger- Get trace detailsfind-traces-from-jaeger- Search traces
Configure the server using configs/config.yaml:
log:
level: info
server:
host: 0.0.0.0
port: 80
mode: sse
uri: /mcp
token: "" # Optional: Set via SERVER_TOKEN environment variable
# Enable modules
sops:
enabled: false
tools:
prefix: ""
suffix: "-from-ops"
ops:
endpoint: "https://ops-server.your-company.com"
token: ""
events:
enabled: false
tools:
prefix: ""
suffix: "-from-ops"
ops:
endpoint: "https://ops-server.your-company.com"
token: ""
metrics:
enabled: false
tools:
prefix: ""
suffix: "-from-prometheus"
prometheus:
endpoint: "https://prometheus.your-company.com"
# Authentication (priority: token > basic auth > none)
# Set via environment variables: METRICS_PROMETHEUS_USERNAME, METRICS_PROMETHEUS_PASSWORD, METRICS_PROMETHEUS_TOKEN
username: "" # Optional: Basic auth username
password: "" # Optional: Basic auth password
token: "" # Optional: Bearer token
timeout: 30 # Timeout in seconds (default: 30)
logs:
enabled: false
tools:
prefix: ""
suffix: "-from-elasticsearch"
elasticsearch:
endpoint: "https://elasticsearch.your-company.com"
# Authentication (priority: api_key > basic auth > none)
# Set via environment variables: LOGS_ELASTICSEARCH_USERNAME, LOGS_ELASTICSEARCH_PASSWORD, LOGS_ELASTICSEARCH_API_KEY
username: "" # Optional: Basic auth username
password: "" # Optional: Basic auth password
api_key: "" # Optional: Elasticsearch API key
timeout: 120 # Timeout in seconds (default: 120)
traces:
enabled: false
tools:
prefix: ""
suffix: "-from-jaeger"
jaeger:
endpoint: "https://jaeger.your-company.com"
timeout: 120 # Timeout in seconds (default: 120)# Enable modules
export SOPS_ENABLED="true"
export EVENTS_ENABLED="true"
export METRICS_ENABLED="true"
export LOGS_ENABLED="true"
export TRACES_ENABLED="true"
# API endpoints
export SOPS_OPS_ENDPOINT="https://ops-server.your-company.com"
export SOPS_OPS_TOKEN="your-token"
export EVENTS_OPS_ENDPOINT="https://ops-server.your-company.com"
export EVENTS_OPS_TOKEN="your-token"
# Prometheus authentication (optional, priority: token > basic auth)
export METRICS_PROMETHEUS_ENDPOINT="https://prometheus.your-company.com"
export METRICS_PROMETHEUS_USERNAME="your-username" # Optional: Basic auth
export METRICS_PROMETHEUS_PASSWORD="your-password" # Optional: Basic auth
export METRICS_PROMETHEUS_TOKEN="your-token" # Optional: Bearer token
# Elasticsearch authentication (optional, priority: api_key > basic auth)
export LOGS_ELASTICSEARCH_ENDPOINT="https://elasticsearch.your-company.com"
export LOGS_ELASTICSEARCH_USERNAME="elastic" # Optional: Basic auth
export LOGS_ELASTICSEARCH_PASSWORD="your-password" # Optional: Basic auth
export LOGS_ELASTICSEARCH_API_KEY="your-api-key" # Optional: API key
export TRACES_JAEGER_ENDPOINT="https://jaeger.your-company.com"
# export SERVER_TOKEN="your-server-token" # Optional: Uncomment to enable authenticationThe MCP server supports optional token-based authentication. By default, no authentication is required. When a token is configured in the server configuration, protected endpoints will require a valid Authorization header with a Bearer token.
The server supports multiple authentication methods for connecting to backend services:
Supports two authentication methods with the following priority:
- Bearer Token (highest priority) - Set
tokenorMETRICS_PROMETHEUS_TOKEN - Basic Auth - Set both
username/passwordorMETRICS_PROMETHEUS_USERNAME/METRICS_PROMETHEUS_PASSWORD - No Authentication (default) - If none of the above are configured
Supports two authentication methods with the following priority:
- API Key (highest priority) - Set
api_keyorLOGS_ELASTICSEARCH_API_KEY - Basic Auth - Set both
username/passwordorLOGS_ELASTICSEARCH_USERNAME/LOGS_ELASTICSEARCH_PASSWORD - No Authentication (default) - If none of the above are configured
Set the SERVER_TOKEN environment variable or configure it in the YAML file:
server:
token: "" # Set via SERVER_TOKEN environment variableBy default, all endpoints are accessible without authentication:
# All endpoints accessible without authentication
curl http://localhost:80/mcp/healthz
curl http://localhost:80/mcp/docs
curl http://localhost:80/mcp/sse
curl http://localhost:80/mcp/messageWhen SERVER_TOKEN is set, protected endpoints require authentication:
# Protected endpoints (require authentication)
curl -H "Authorization: Bearer your-server-token" http://localhost:80/mcp/sse
curl -H "Authorization: Bearer your-server-token" http://localhost:80/mcp/message
# Public endpoints (always accessible)
curl http://localhost:80/mcp/healthz
curl http://localhost:80/mcp/docs- Default behavior: If no
SERVER_TOKENis set, authentication is disabled and all requests are allowed - When token is configured: The token is validated for MCP endpoints that require authentication:
- SSE endpoint (
/mcp/sse) - Message endpoint (
/mcp/message) - Main MCP handler (
/mcp)
- SSE endpoint (
- Always public endpoints (never require authentication):
- Health check endpoint (
/mcp/healthz) - for monitoring - Documentation endpoint (
/mcp/docs) - for API documentation
- Health check endpoint (
- Use strong, randomly generated tokens in production
docker run -d \
--name ops-mcp-server \
-p 80:80 \
-e SOPS_ENABLED="true" \
-e EVENTS_ENABLED="true" \
-e METRICS_ENABLED="true" \
-e LOGS_ENABLED="true" \
-e TRACES_ENABLED="true" \
shaowenchen/ops-mcp-server:latest \
--mode=sse --enable-sops --enable-events --enable-metrics --enable-logs --enable-tracesmake build
./bin/ops-mcp-server --enable-sops --enable-events --enable-metrics --enable-logs --enable-traces- MCP:
http://localhost:80/mcp - Health:
http://localhost:80/mcp/healthz - Docs:
http://localhost:80/mcp/docs - SSE:
http://localhost:80/mcp/sse - Message:
http://localhost:80/mcp/message
make buildmake testmake run-allMIT License - see LICENSE file for details.