containers
diff --git a/‎internal/test/mock_server.go‎
Lines changed: 10 additions & 1 deletion b/‎internal/test/mock_server.go‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎pkg/helm/helm.go‎
Lines changed: 4 additions & 3 deletions b/‎pkg/helm/helm.go‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎pkg/kubernetes/accesscontrol_restclient.go‎
Lines changed: 0 additions & 61 deletions b/‎pkg/kubernetes/accesscontrol_restclient.go‎
Lines changed: 0 additions & 61 deletions
diff --git a/‎pkg/kubernetes/accesscontrol_restmapper.go‎
Lines changed: 0 additions & 80 deletions b/‎pkg/kubernetes/accesscontrol_restmapper.go‎
Lines changed: 0 additions & 80 deletions
diff --git a/‎pkg/kubernetes/accesscontrol_round_tripper.go‎
Lines changed: 70 additions & 0 deletions b/‎pkg/kubernetes/accesscontrol_round_tripper.go‎
Lines changed: 70 additions & 0 deletions
@@ -200,7 +200,9 @@ func (h *DiscoveryClientHandler) ServeHTTP(w http.ResponseWriter, req *http.Requ
 	// Request Performed by DiscoveryClient to Kube API (Get API Groups)
 	if req.URL.Path == "/apis" {
 		w.Header().Set("Content-Type", "application/json")
-		_, _ = w.Write([]byte(`{"kind":"APIGroupList","apiVersion":"v1","groups":[]}`))
+		_, _ = w.Write([]byte(`{"kind":"APIGroupList","apiVersion":"v1","groups":[
+			{"name":"apps","versions":[{"groupVersion":"apps/v1","version":"v1"}],"preferredVersion":{"groupVersion":"apps/v1","version":"v1"}}
+		]}`))
 		return
 	}
 	// Request Performed by DiscoveryClient to Kube API (Get API Resources)
@@ -211,6 +213,13 @@ func (h *DiscoveryClientHandler) ServeHTTP(w http.ResponseWriter, req *http.Requ
 		]}`))
 		return
 	}
+	if req.URL.Path == "/apis/apps/v1" {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{"kind":"APIResourceList","apiVersion":"v1","groupVersion":"apps/v1","resources":[
+			{"name":"deployments","singularName":"","namespaced":true,"kind":"Deployment","verbs":["get","list","watch","create","update","patch","delete"]}
+		]}`))
+		return
+	}
 }
 
 type InOpenShiftHandler struct {
 
@@ -3,15 +3,16 @@ package helm
 import (
 	"context"
 	"fmt"
+	"time"
+
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/cli"
 	"helm.sh/helm/v3/pkg/registry"
 	"helm.sh/helm/v3/pkg/release"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"log"
+	"k8s.io/klog/v2"
 	"sigs.k8s.io/yaml"
-	"time"
 )
 
 type Kubernetes interface {
@@ -115,7 +116,7 @@ func (h *Helm) newAction(namespace string, allNamespaces bool) (*action.Configur
 		return nil, err
 	}
 	cfg.RegistryClient = registryClient
-	return cfg, cfg.Init(h.kubernetes, applicableNamespace, "", log.Printf)
+	return cfg, cfg.Init(h.kubernetes, applicableNamespace, "", klog.V(5).Infof)
 }
 
 func simplify(release ...*release.Release) []map[string]interface{} {
 
@@ -0,0 +1,70 @@
+package kubernetes
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/containers/kubernetes-mcp-server/pkg/config"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type AccessControlRoundTripper struct {
+	delegate     http.RoundTripper
+	staticConfig *config.StaticConfig
+	restMapper   meta.RESTMapper
+}
+
+func (rt *AccessControlRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	gvr, ok := parseURLToGVR(req.URL.Path)
+	// Not an API resource request, just pass through
+	if !ok {
+		return rt.delegate.RoundTrip(req)
+	}
+
+	gvk, err := rt.restMapper.KindFor(gvr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: AccessControlRoundTripper failed to get kind for gvr %v: %w", gvr, err)
+	}
+	if !isAllowed(rt.staticConfig, &gvk) {
+		return nil, isNotAllowedError(&gvk)
+	}
+
+	return rt.delegate.RoundTrip(req)
+}
+
+func parseURLToGVR(path string) (gvr schema.GroupVersionResource, ok bool) {
+	parts := strings.Split(strings.Trim(path, "/"), "/")
+
+	gvr = schema.GroupVersionResource{}
+	switch parts[0] {
+	case "api":
+		// /api or /api/v1 are discovery endpoints
+		if len(parts) < 3 {
+			return
+		}
+		gvr.Group = ""
+		gvr.Version = parts[1]
+		if parts[2] == "namespaces" && len(parts) > 4 {
+			gvr.Resource = parts[4]
+		} else {
+			gvr.Resource = parts[2]
+		}
+	case "apis":
+		// /apis, /apis/apps, or /apis/apps/v1 are discovery endpoints
+		if len(parts) < 4 {
+			return
+		}
+		gvr.Group = parts[1]
+		gvr.Version = parts[2]
+		if parts[3] == "namespaces" && len(parts) > 5 {
+			gvr.Resource = parts[5]
+		} else {
+			gvr.Resource = parts[3]
+		}
+	default:
+		return
+	}
+	return gvr, true
+}