feat(toolsets): add support for multiple toolsets in configuration

Users can now enable or disable different toolsets either by providing
a command-line flag or by setting the toolsets array field in the TOML
configuration.

Downstream Kubernetes API developers can declare toolsets for their
APIs by creating a new nested package in pkg/toolsets and registering
it in pkg/mcp/modules.go

Signed-off-by: Marc Nuri <[email protected]>

Author: manusa

README.md

@@ -6,7 +6,7 @@
 [![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/containers/kubernetes-mcp-server?sort=semver)](https://github.com/containers/kubernetes-mcp-server/releases/latest)
 [![Build](https://github.com/containers/kubernetes-mcp-server/actions/workflows/build.yaml/badge.svg)](https://github.com/containers/kubernetes-mcp-server/actions/workflows/build.yaml)
 
-[✨ Features](#features) | [🚀 Getting Started](#getting-started) | [🎥 Demos](#demos) | [⚙️ Configuration](#configuration) | [🛠️ Tools](#tools) | [🧑‍💻 Development](#development)
+[✨ Features](#features) | [🚀 Getting Started](#getting-started) | [🎥 Demos](#demos) | [⚙️ Configuration](#configuration) | [🛠️ Tools](#tools-and-functionalities) | [🧑‍💻 Development](#development)
 
 https://github.com/user-attachments/assets/be2b67b3-fc1c-4d11-ae46-93deba8ed98e
 
@@ -183,8 +183,27 @@ uvx kubernetes-mcp-server@latest --help
 | `--list-output`         | Output format for resource list operations (one of: yaml, table) (default "table")                                                                                                                                                                                                            |
 | `--read-only`           | If set, the MCP server will run in read-only mode, meaning it will not allow any write operations (create, update, delete) on the Kubernetes cluster. This is useful for debugging or inspecting the cluster without making changes.                                                          |
 | `--disable-destructive` | If set, the MCP server will disable all destructive operations (delete, update, etc.) on the Kubernetes cluster. This is useful for debugging or inspecting the cluster without accidentally making changes. This option has no effect when `--read-only` is used.                            |
+| `--toolsets`            | Comma-separated list of toolsets to enable. Check the [🛠️ Tools and Functionalities](#tools-and-functionalities) section for more information.                                                                                                                                               |
+
+## 🛠️ Tools and Functionalities <a id="tools-and-functionalities"></a>
+
+The Kubernetes MCP server supports enabling or disabling specific groups of tools and functionalities (tools, resources, prompts, and so on) via the `--toolsets` command-line flag or `toolsets` configuration option.
+This allows you to control which Kubernetes functionalities are available to your AI tools.
+Enabling only the toolsets you need can help reduce the context size and improve the LLM's tool selection accuracy.
+
+### Available Toolsets
+
+The following sets of tools are available (all on by default):
+
+| Toolset  | Description                                                                         |
+|----------|-------------------------------------------------------------------------------------|
+| `core`   | Most common tools for Kubernetes management (Pods, Generic Resources, Events, etc.) |
+| `config` | View and manage the current local Kubernetes configuration (kubeconfig)             |
+| `helm`   | Tools for managing Helm charts and releases                                         |
+
+### Tools
+
 
-## 🛠️ Tools <a id="tools"></a>
 
 ### `configuration_view`
 

internal/test/test.go

@@ -0,0 +1,8 @@
+package test
+
+func Must[T any](v T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return v
+}

pkg/config/config.go

@@ -20,6 +20,7 @@ type StaticConfig struct {
 	ReadOnly bool `toml:"read_only,omitempty"`
 	// When true, disable tools annotated with destructiveHint=true
 	DisableDestructive bool     `toml:"disable_destructive,omitempty"`
+	Toolsets           []string `toml:"toolsets,omitempty"`
 	EnabledTools       []string `toml:"enabled_tools,omitempty"`
 	DisabledTools      []string `toml:"disabled_tools,omitempty"`
 
@@ -50,22 +51,32 @@ type StaticConfig struct {
 	ServerURL            string   `toml:"server_url,omitempty"`
 }
 
+func Default() *StaticConfig {
+	return &StaticConfig{
+		ListOutput: "table",
+		Toolsets:   []string{"core", "config", "helm"},
+	}
+}
+
 type GroupVersionKind struct {
 	Group   string `toml:"group"`
 	Version string `toml:"version"`
 	Kind    string `toml:"kind,omitempty"`
 }
 
-// ReadConfig reads the toml file and returns the StaticConfig.
-func ReadConfig(configPath string) (*StaticConfig, error) {
+// Read reads the toml file and returns the StaticConfig.
+func Read(configPath string) (*StaticConfig, error) {
 	configData, err := os.ReadFile(configPath)
 	if err != nil {
 		return nil, err
 	}
+	return ReadToml(configData)
+}
 
-	var config *StaticConfig
-	err = toml.Unmarshal(configData, &config)
-	if err != nil {
+// ReadToml reads the toml data and returns the StaticConfig.
+func ReadToml(configData []byte) (*StaticConfig, error) {
+	config := Default()
+	if err := toml.Unmarshal(configData, config); err != nil {
 		return nil, err
 	}
 	return config, nil

pkg/config/config_test.go

@@ -1,156 +1,175 @@
 package config
 
 import (
+	"errors"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/suite"
 )
 
-func TestReadConfigMissingFile(t *testing.T) {
-	config, err := ReadConfig("non-existent-config.toml")
-	t.Run("returns error for missing file", func(t *testing.T) {
-		if err == nil {
-			t.Fatal("Expected error for missing file, got nil")
-		}
-		if config != nil {
-			t.Fatalf("Expected nil config for missing file, got %v", config)
-		}
+type ConfigSuite struct {
+	suite.Suite
+}
+
+func (s *ConfigSuite) TestReadConfigMissingFile() {
+	config, err := Read("non-existent-config.toml")
+	s.Run("returns error for missing file", func() {
+		s.Require().NotNil(err, "Expected error for missing file, got nil")
+		s.True(errors.Is(err, fs.ErrNotExist), "Expected ErrNotExist, got %v", err)
+	})
+	s.Run("returns nil config for missing file", func() {
+		s.Nil(config, "Expected nil config for missing file")
 	})
 }
 
-func TestReadConfigInvalid(t *testing.T) {
-	invalidConfigPath := writeConfig(t, `
-[[denied_resources]]
-group = "apps"
-version = "v1"
-kind = "Deployment"
-[[denied_resources]]
-group = "rbac.authorization.k8s.io"
-version = "v1"
-kind = "Role
-`)
+func (s *ConfigSuite) TestReadConfigInvalid() {
+	invalidConfigPath := s.writeConfig(`
+		[[denied_resources]]
+		group = "apps"
+		version = "v1"
+		kind = "Deployment"
+		[[denied_resources]]
+		group = "rbac.authorization.k8s.io"
+		version = "v1"
+		kind = "Role
+	`)
 
-	config, err := ReadConfig(invalidConfigPath)
-	t.Run("returns error for invalid file", func(t *testing.T) {
-		if err == nil {
-			t.Fatal("Expected error for invalid file, got nil")
-		}
-		if config != nil {
-			t.Fatalf("Expected nil config for invalid file, got %v", config)
-		}
+	config, err := Read(invalidConfigPath)
+	s.Run("returns error for invalid file", func() {
+		s.Require().NotNil(err, "Expected error for invalid file, got nil")
 	})
-	t.Run("error message contains toml error with line number", func(t *testing.T) {
+	s.Run("error message contains toml error with line number", func() {
 		expectedError := "toml: line 9"
-		if err != nil && !strings.HasPrefix(err.Error(), expectedError) {
-			t.Fatalf("Expected error message '%s' to contain line number, got %v", expectedError, err)
-		}
+		s.Truef(strings.HasPrefix(err.Error(), expectedError), "Expected error message to contain line number, got %v", err)
+	})
+	s.Run("returns nil config for invalid file", func() {
+		s.Nil(config, "Expected nil config for missing file")
 	})
 }
 
-func TestReadConfigValid(t *testing.T) {
-	validConfigPath := writeConfig(t, `
-log_level = 1
-port = "9999"
-sse_base_url = "https://example.com"
-kubeconfig = "./path/to/config"
-list_output = "yaml"
-read_only = true
-disable_destructive = true
+func (s *ConfigSuite) TestReadConfigValid() {
+	validConfigPath := s.writeConfig(`
+		log_level = 1
+		port = "9999"
+		sse_base_url = "https://example.com"
+		kubeconfig = "./path/to/config"
+		list_output = "yaml"
+		read_only = true
+		disable_destructive = true
 
-denied_resources = [
-    {group = "apps", version = "v1", kind = "Deployment"},
-    {group = "rbac.authorization.k8s.io", version = "v1", kind = "Role"}
-]
+		toolsets = ["core", "config", "helm", "metrics"]
+		
+		enabled_tools = ["configuration_view", "events_list", "namespaces_list", "pods_list", "resources_list", "resources_get", "resources_create_or_update", "resources_delete"]
+		disabled_tools = ["pods_delete", "pods_top", "pods_log", "pods_run", "pods_exec"]
 
-enabled_tools = ["configuration_view", "events_list", "namespaces_list", "pods_list", "resources_list", "resources_get", "resources_create_or_update", "resources_delete"]
-disabled_tools = ["pods_delete", "pods_top", "pods_log", "pods_run", "pods_exec"]
-`)
+		denied_resources = [
+			{group = "apps", version = "v1", kind = "Deployment"},
+			{group = "rbac.authorization.k8s.io", version = "v1", kind = "Role"}
+		]
+		
+	`)
 
-	config, err := ReadConfig(validConfigPath)
-	t.Run("reads and unmarshalls file", func(t *testing.T) {
-		if err != nil {
-			t.Fatalf("ReadConfig returned an error for a valid file: %v", err)
-		}
-		if config == nil {
-			t.Fatal("ReadConfig returned a nil config for a valid file")
-		}
+	config, err := Read(validConfigPath)
+	s.Require().NotNil(config)
+	s.Run("reads and unmarshalls file", func() {
+		s.Nil(err, "Expected nil error for valid file")
+		s.Require().NotNil(config, "Expected non-nil config for valid file")
 	})
-	t.Run("denied resources are parsed correctly", func(t *testing.T) {
-		if len(config.DeniedResources) != 2 {
-			t.Fatalf("Expected 2 denied resources, got %d", len(config.DeniedResources))
-		}
-		if config.DeniedResources[0].Group != "apps" ||
-			config.DeniedResources[0].Version != "v1" ||
-			config.DeniedResources[0].Kind != "Deployment" {
-			t.Errorf("Unexpected denied resources: %v", config.DeniedResources[0])
-		}
+	s.Run("log_level parsed correctly", func() {
+		s.Equalf(1, config.LogLevel, "Expected LogLevel to be 1, got %d", config.LogLevel)
 	})
-	t.Run("log_level parsed correctly", func(t *testing.T) {
-		if config.LogLevel != 1 {
-			t.Fatalf("Unexpected log level: %v", config.LogLevel)
-		}
+	s.Run("port parsed correctly", func() {
+		s.Equalf("9999", config.Port, "Expected Port to be 9999, got %s", config.Port)
 	})
-	t.Run("port parsed correctly", func(t *testing.T) {
-		if config.Port != "9999" {
-			t.Fatalf("Unexpected port value: %v", config.Port)
-		}
+	s.Run("sse_base_url parsed correctly", func() {
+		s.Equalf("https://example.com", config.SSEBaseURL, "Expected SSEBaseURL to be https://example.com, got %s", config.SSEBaseURL)
 	})
-	t.Run("sse_base_url parsed correctly", func(t *testing.T) {
-		if config.SSEBaseURL != "https://example.com" {
-			t.Fatalf("Unexpected sse_base_url value: %v", config.SSEBaseURL)
-		}
+	s.Run("kubeconfig parsed correctly", func() {
+		s.Equalf("./path/to/config", config.KubeConfig, "Expected KubeConfig to be ./path/to/config, got %s", config.KubeConfig)
 	})
-	t.Run("kubeconfig parsed correctly", func(t *testing.T) {
-		if config.KubeConfig != "./path/to/config" {
-			t.Fatalf("Unexpected kubeconfig value: %v", config.KubeConfig)
-		}
+	s.Run("list_output parsed correctly", func() {
+		s.Equalf("yaml", config.ListOutput, "Expected ListOutput to be yaml, got %s", config.ListOutput)
+	})
+	s.Run("read_only parsed correctly", func() {
+		s.Truef(config.ReadOnly, "Expected ReadOnly to be true, got %v", config.ReadOnly)
+	})
+	s.Run("disable_destructive parsed correctly", func() {
+		s.Truef(config.DisableDestructive, "Expected DisableDestructive to be true, got %v", config.DisableDestructive)
 	})
-	t.Run("list_output parsed correctly", func(t *testing.T) {
-		if config.ListOutput != "yaml" {
-			t.Fatalf("Unexpected list_output value: %v", config.ListOutput)
+	s.Run("toolsets", func() {
+		s.Require().Lenf(config.Toolsets, 4, "Expected 4 toolsets, got %d", len(config.Toolsets))
+		for _, toolset := range []string{"core", "config", "helm", "metrics"} {
+			s.Containsf(config.Toolsets, toolset, "Expected toolsets to contain %s", toolset)
 		}
 	})
-	t.Run("read_only parsed correctly", func(t *testing.T) {
-		if !config.ReadOnly {
-			t.Fatalf("Unexpected read-only mode: %v", config.ReadOnly)
+	s.Run("enabled_tools", func() {
+		s.Require().Lenf(config.EnabledTools, 8, "Expected 8 enabled tools, got %d", len(config.EnabledTools))
+		for _, tool := range []string{"configuration_view", "events_list", "namespaces_list", "pods_list", "resources_list", "resources_get", "resources_create_or_update", "resources_delete"} {
+			s.Containsf(config.EnabledTools, tool, "Expected enabled tools to contain %s", tool)
 		}
 	})
-	t.Run("disable_destructive parsed correctly", func(t *testing.T) {
-		if !config.DisableDestructive {
-			t.Fatalf("Unexpected disable destructive: %v", config.DisableDestructive)
+	s.Run("disabled_tools", func() {
+		s.Require().Lenf(config.DisabledTools, 5, "Expected 5 disabled tools, got %d", len(config.DisabledTools))
+		for _, tool := range []string{"pods_delete", "pods_top", "pods_log", "pods_run", "pods_exec"} {
+			s.Containsf(config.DisabledTools, tool, "Expected disabled tools to contain %s", tool)
 		}
 	})
-	t.Run("enabled_tools parsed correctly", func(t *testing.T) {
-		if len(config.EnabledTools) != 8 {
-			t.Fatalf("Unexpected enabled tools: %v", config.EnabledTools)
+	s.Run("denied_resources", func() {
+		s.Require().Lenf(config.DeniedResources, 2, "Expected 2 denied resources, got %d", len(config.DeniedResources))
+		s.Run("contains apps/v1/Deployment", func() {
+			s.Contains(config.DeniedResources, GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
+				"Expected denied resources to contain apps/v1/Deployment")
+		})
+		s.Run("contains rbac.authorization.k8s.io/v1/Role", func() {
+			s.Contains(config.DeniedResources, GroupVersionKind{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "Role"},
+				"Expected denied resources to contain rbac.authorization.k8s.io/v1/Role")
+		})
+	})
+}
 
-		}
-		for i, tool := range []string{"configuration_view", "events_list", "namespaces_list", "pods_list", "resources_list", "resources_get", "resources_create_or_update", "resources_delete"} {
-			if config.EnabledTools[i] != tool {
-				t.Errorf("Expected enabled tool %d to be %s, got %s", i, tool, config.EnabledTools[i])
-			}
-		}
+func (s *ConfigSuite) TestReadConfigValidPreservesDefaultsForMissingFields() {
+	validConfigPath := s.writeConfig(`
+		port = "1337"
+	`)
+
+	config, err := Read(validConfigPath)
+	s.Require().NotNil(config)
+	s.Run("reads and unmarshalls file", func() {
+		s.Nil(err, "Expected nil error for valid file")
+		s.Require().NotNil(config, "Expected non-nil config for valid file")
 	})
-	t.Run("disabled_tools parsed correctly", func(t *testing.T) {
-		if len(config.DisabledTools) != 5 {
-			t.Fatalf("Unexpected disabled tools: %v", config.DisabledTools)
-		}
-		for i, tool := range []string{"pods_delete", "pods_top", "pods_log", "pods_run", "pods_exec"} {
-			if config.DisabledTools[i] != tool {
-				t.Errorf("Expected disabled tool %d to be %s, got %s", i, tool, config.DisabledTools[i])
-			}
+	s.Run("log_level defaulted correctly", func() {
+		s.Equalf(0, config.LogLevel, "Expected LogLevel to be 0, got %d", config.LogLevel)
+	})
+	s.Run("port parsed correctly", func() {
+		s.Equalf("1337", config.Port, "Expected Port to be 9999, got %s", config.Port)
+	})
+	s.Run("list_output defaulted correctly", func() {
+		s.Equalf("table", config.ListOutput, "Expected ListOutput to be table, got %s", config.ListOutput)
+	})
+	s.Run("toolsets defaulted correctly", func() {
+		s.Require().Lenf(config.Toolsets, 3, "Expected 3 toolsets, got %d", len(config.Toolsets))
+		for _, toolset := range []string{"core", "config", "helm"} {
+			s.Containsf(config.Toolsets, toolset, "Expected toolsets to contain %s", toolset)
 		}
 	})
 }
 
-func writeConfig(t *testing.T, content string) string {
-	t.Helper()
-	tempDir := t.TempDir()
+func (s *ConfigSuite) writeConfig(content string) string {
+	s.T().Helper()
+	tempDir := s.T().TempDir()
 	path := filepath.Join(tempDir, "config.toml")
 	err := os.WriteFile(path, []byte(content), 0644)
 	if err != nil {
-		t.Fatalf("Failed to write config file %s: %v", path, err)
+		s.T().Fatalf("Failed to write config file %s: %v", path, err)
 	}
 	return path
 }
+
+func TestConfig(t *testing.T) {
+	suite.Run(t, new(ConfigSuite))
+}