From 64aeece6fcb8424d801aede8bfdf688247f8b2d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Magall=C3=B3n?= <alejandro.magallon@sysdig.com>
Date: Thu, 19 Feb 2026 16:17:20 +0100
Subject: [PATCH 1/3] docs: add remote deployment guide and fix URL path

Add Kubernetes deployment section with manifests and mcp-remote client
configuration for Claude Desktop. Fix incorrect /sysdig-mcp-server/mcp
URL to /sysdig-mcp-server. Update Go requirement to 1.26.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 README.md | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 93 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 25d9be0..1137582 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@
   - [Running the Server](#running-the-server)
     - [Docker (Recommended)](#docker-recommended)
     - [Go](#go)
+    - [Kubernetes](#kubernetes)
   - [Client Configuration](#client-configuration)
     - [Authentication](#authentication)
     - [URL](#url)
@@ -195,7 +196,7 @@ The server dynamically filters the available tools based on the permissions asso
   - **Note**: The `generate_sysql` tool currently does not work with Service Account tokens and will return a 500 error. For this tool, use an API token assigned to a regular user account.
 
 ## Requirements
-- [Go](https://go.dev/doc/install) 1.25 or higher (if running without Docker).
+- [Go](https://go.dev/doc/install) 1.26 or higher (if running without Docker).
 
 ## Configuration
 
@@ -309,6 +310,72 @@ By default, the server will run using the `stdio` transport. To use the `streama
 SYSDIG_MCP_TRANSPORT=streamable-http go run github.com/sysdiglabs/sysdig-mcp-server/cmd/server@latest
 ```
 
+### Kubernetes
+
+You can deploy the MCP server to a Kubernetes cluster and connect to it remotely from clients like Claude Desktop.
+
+**1. Create a Secret with your Sysdig credentials:**
+
+```bash
+kubectl create namespace mcp-server
+
+kubectl create secret generic mcp-server-secrets \
+  --namespace mcp-server \
+  --from-literal=SYSDIG_MCP_API_HOST=<your_sysdig_host> \
+  --from-literal=SYSDIG_MCP_API_TOKEN=<your_sysdig_secure_api_token>
+```
+
+**2. Deploy the server:**
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mcp-server
+  namespace: mcp-server
+  labels:
+    app: mcp-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mcp-server
+  template:
+    metadata:
+      labels:
+        app: mcp-server
+    spec:
+      containers:
+      - name: mcp-server
+        image: ghcr.io/sysdiglabs/sysdig-mcp-server:latest
+        ports:
+          - containerPort: 8080
+            protocol: TCP
+        env:
+          - name: SYSDIG_MCP_TRANSPORT
+            value: "streamable-http"
+          - name: SYSDIG_MCP_LISTENING_HOST
+            value: "0.0.0.0"
+        envFrom:
+        - secretRef:
+            name: mcp-server-secrets
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mcp-server
+  namespace: mcp-server
+spec:
+  type: ClusterIP
+  selector:
+    app: mcp-server
+  ports:
+  - port: 8080
+    targetPort: 8080
+```
+
+> **Note:** Expose the Service externally using a `NodePort`, `LoadBalancer`, or `Ingress` depending on your cluster setup. The examples in the [Client Configuration](#client-configuration) section assume the server is reachable at `http://<server-address>:<port>/sysdig-mcp-server`.
+
 ## Local Development
 
 For local development, we provide a `flake.nix` file that sets up a reproducible environment with all necessary dependencies (Go, development tools, linters, etc.).
@@ -346,9 +413,9 @@ X-Sysdig-Host: <your_sysdig_host>
 
 ### URL
 
-If you are running the server with the `sse` or `streamable-http` transport, the URL will be `http://<host>:<port>/sysdig-mcp-server/mcp`.
+If you are running the server with the `sse` or `streamable-http` transport, the URL will be `http://<host>:<port>/sysdig-mcp-server`.
 
-For example, if you are running the server locally on port 8080, the URL will be `http://localhost:8080/sysdig-mcp-server/mcp`.
+For example, if you are running the server locally on port 8080, the URL will be `http://localhost:8080/sysdig-mcp-server`.
 
 ### Claude Desktop App
 
@@ -410,9 +477,32 @@ For the Claude Desktop app, you can manually configure the MCP server by editing
     }
     ```
 
+    **Option C: Connecting to a Remote Server**
+
+    If the MCP server is deployed remotely (e.g., in a [Kubernetes cluster](#kubernetes)), you can connect to it using [`mcp-remote`](https://www.npmjs.com/package/mcp-remote). This requires [Node.js](https://nodejs.org/) (v18+) installed on your machine.
+
+    ```json
+    {
+      "mcpServers": {
+        "sysdig-mcp-server": {
+          "command": "npx",
+          "args": [
+            "-y",
+            "mcp-remote",
+            "http://<server-address>:<port>/sysdig-mcp-server",
+            "--allow-http"
+          ]
+        }
+      }
+    }
+    ```
+
+    > **Note:** The `--allow-http` flag is required when connecting over plain HTTP. If your server is behind HTTPS (e.g., via an Ingress with TLS), you can omit it. No authentication headers or tokens are needed in the client configuration when the server has `SYSDIG_MCP_API_HOST` and `SYSDIG_MCP_API_TOKEN` set as environment variables.
+
 3. **Replace the placeholders**:
     - Replace `<your_sysdig_host>` with your Sysdig Secure host URL.
     - Replace `<your_sysdig_secure_api_token>` with your Sysdig Secure API token.
+    - Replace `<server-address>:<port>` with the address of your remote MCP server (Option C only).
 
 4. **Save the file** and restart the Claude Desktop app for the changes to take effect.
 

From 3456b0b09b87aeefa3f63ef886954657c7706be9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Magall=C3=B3n?= <alejandro.magallon@sysdig.com>
Date: Thu, 19 Feb 2026 16:17:44 +0100
Subject: [PATCH 2/3] chore: update nix flake lock

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 827c2e9..21cf7ce 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771177547,
-        "narHash": "sha256-trTtk3WTOHz7hSw89xIIvahkgoFJYQ0G43IlqprFoMA=",
+        "lastModified": 1771207753,
+        "narHash": "sha256-b9uG8yN50DRQ6A7JdZBfzq718ryYrlmGgqkRm9OOwCE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ac055f38c798b0d87695240c7b761b82fc7e5bc2",
+        "rev": "d1c15b7d5806069da59e819999d70e1cec0760bf",
         "type": "github"
       },
       "original": {

From cb4e229cc36f3022c937fbe58f45357b86bd5ad5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Magall=C3=B3n?= <alejandro.magallon@sysdig.com>
Date: Thu, 19 Feb 2026 16:35:56 +0100
Subject: [PATCH 3/3] docs: clarify URL section references configurable mount
 path

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1137582..e7d3bd9 100644
--- a/README.md
+++ b/README.md
@@ -413,9 +413,9 @@ X-Sysdig-Host: <your_sysdig_host>
 
 ### URL
 
-If you are running the server with the `sse` or `streamable-http` transport, the URL will be `http://<host>:<port>/sysdig-mcp-server`.
+If you are running the server with the `sse` or `streamable-http` transport, the URL will be `http://<host>:<port><mount_path>`, where `<mount_path>` is the value of `SYSDIG_MCP_MOUNT_PATH` (defaults to `/sysdig-mcp-server`). Do not include a trailing `/`.
 
-For example, if you are running the server locally on port 8080, the URL will be `http://localhost:8080/sysdig-mcp-server`.
+For example, if you are running the server locally on port 8080 with the default mount path, the URL will be `http://localhost:8080/sysdig-mcp-server`.
 
 ### Claude Desktop App