1
61%
main: 61%

Ran 30 Jan 2026 06:11AM UTC

Files 487

Run time 9s

Badge

Embed ▾

Committed 30 Jan 2026 06:03AM UTC coverage: 60.492% (+0.007%) from 60.485%

Job # 21506200086.1

Build Type

push

github

Committed by

web-flow

Commit Message

Limit RBAC permissions for inline mode VirtualMCPServers (#3504)

In inline mode, VirtualMCPServer pods receive all backend configuration
through the VirtualMCPServer spec and don't need to discover backends
from Kubernetes resources. However, they were still granted full RBAC
permissions including access to secrets and configmaps.

Since vMCP is exposed to the outside world via HTTP, granting unnecessary
Kubernetes API permissions increases the security risk. This change
implements conditional RBAC based on the outgoing auth source mode:

  - Inline mode: Minimal permissions (read own spec + update status)
  - Discovered mode: Full permissions (read secrets, configmaps, MCP resources)

The implementation creates two separate RBAC rule sets and selects the
appropriate one based on spec.outgoingAuth.source. Existing resources
default to discovered mode for backward compatibility.

Added comprehensive tests to verify correct permissions are granted for
each mode, including validation that inline mode has no secret or
configmap access while still maintaining status update capabilities.

Also removed orphaned comment and nolint directive for deleted
discoverBackends function.

Related-to: #3149

Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Run Details

39377 of 65095 relevant lines covered (60.49%)

76.1 hits per line

stacklok / toolhive / 21506200086 / 1
61%
main: 61%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 21506200086.1

stacklok / toolhive / 21506200086 / 1 61% main: 61%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 21506200086.1

stacklok / toolhive / 21506200086 / 1
61%
main: 61%

README BADGES
x