feat: discover istio ns + istioctl analyze

Author: krutsko

PROXY_CONFIG.md

@@ -17,10 +17,11 @@ The Istio MCP Server supports these proxy configuration tools:
 - **get-proxy-bootstrap**: Get Envoy bootstrap configuration from a pod
 - **get-proxy-config-dump**: Get full Envoy configuration dump from a pod
 - **get-proxy-status**: Get proxy status information for all pods or a specific pod
+- **get-istio-analyze**: Analyze Istio configuration and report potential issues
 
 ## Implementation Details
 
-- Uses `istioctl proxy-config` commands under the hood
+- Uses `istioctl proxy-config` commands under the hood (and `istioctl analyze` for configuration analysis)
 - Requires `istioctl` to be installed on the system
 - Returns JSON formatted output for easy parsing
 - Includes proper error handling and timeouts
@@ -30,7 +31,7 @@ The Istio MCP Server supports these proxy configuration tools:
 
 Each tool requires:
 - `namespace` (optional, defaults to 'default')
-- `pod` (required for most tools, except `get-proxy-status`)
+- `pod` (required for most tools, except `get-proxy-status` and `get-istio-analyze`)
 
 ### Examples
 
@@ -49,6 +50,12 @@ get-proxy-status --namespace default
 
 # Get proxy status for a specific pod
 get-proxy-status --namespace default --pod my-app-pod
+
+# Analyze Istio configuration for a specific namespace
+get-istio-analyze --namespace default
+
+# Analyze Istio configuration for the entire cluster
+get-istio-analyze
 ```
 
 ## Prerequisites

pkg/istio/istio.go

@@ -3,6 +3,7 @@ package istio
 import (
 	"context"
 	"fmt"
+	"sort"
 
 	"github.com/fsnotify/fsnotify"
 	"istio.io/client-go/pkg/clientset/versioned"
@@ -443,6 +444,83 @@ func (i *Istio) CheckExternalDependencyAvailability(ctx context.Context, service
 	return result, nil
 }
 
+// DiscoverNamespacesWithSidecars finds namespaces that have pods with Istio sidecars
+// and returns them sorted by the number of sidecars (most injected first)
+func (i *Istio) DiscoverNamespacesWithSidecars(ctx context.Context) (string, error) {
+	namespacesWithSidecars := make(map[string]int)
+
+	// Get running pods only (server-side filtering)
+	pods, err := i.kubeClient.CoreV1().Pods("").List(ctx, metav1.ListOptions{
+		FieldSelector: "status.phase=Running",
+	})
+	if err != nil {
+		return "", fmt.Errorf("failed to list running pods for Istio sidecar discovery: %w", err)
+	}
+
+	// Count sidecars per namespace
+	for _, pod := range pods.Items {
+		// Skip pods that are not running or have no containers
+		if pod.Status.Phase != "Running" || len(pod.Spec.Containers) == 0 {
+			continue
+		}
+
+		// Check if pod has istio-proxy sidecar
+		for _, container := range pod.Spec.Containers {
+			if container.Name == "istio-proxy" {
+				namespacesWithSidecars[pod.Namespace]++
+				break
+			}
+		}
+	}
+
+	if len(namespacesWithSidecars) == 0 {
+		return "No namespaces with Istio sidecars found", nil
+	}
+
+	// Create a slice of namespace counts for sorting
+	type namespaceCount struct {
+		namespace string
+		count     int
+	}
+
+	var namespaceCounts []namespaceCount
+	for ns, count := range namespacesWithSidecars {
+		namespaceCounts = append(namespaceCounts, namespaceCount{namespace: ns, count: count})
+	}
+
+	// Sort by count (descending) and then by namespace name (ascending)
+	sort.Slice(namespaceCounts, func(i, j int) bool {
+		if namespaceCounts[i].count != namespaceCounts[j].count {
+			return namespaceCounts[i].count > namespaceCounts[j].count
+		}
+		return namespaceCounts[i].namespace < namespaceCounts[j].namespace
+	})
+
+	// Build result string
+	result := fmt.Sprintf("Found %d namespaces with Istio sidecars:\n\n", len(namespaceCounts))
+	result += "Rank | Namespace | Sidecar Count | Recommendation\n"
+	result += "-----|-----------|---------------|----------------\n"
+
+	for rank, nc := range namespaceCounts {
+		var recommendation string
+		if rank == 0 {
+			recommendation = "BEST - Most Istio-injected workloads"
+		} else if rank < 3 { // 3 is arbitrary, adjust as needed
+			recommendation = "Good - High Istio adoption"
+		} else if rank < 5 {
+			recommendation = "Moderate - Some Istio usage"
+		} else {
+			recommendation = "Low - Minimal Istio usage"
+		}
+
+		result += fmt.Sprintf("%4d | %-9s | %13d | %s\n", rank+1, nc.namespace, nc.count, recommendation)
+	}
+
+	result += "\n💡 **Recommendation**: Start with the top-ranked namespace for Istio operations as it likely contains the most Istio configuration and traffic."
+
+	return result, nil
+}
+
 func (i *Istio) WatchKubeConfig(onKubeConfigChange func() error) {
 	if i.clientCmdConfig == nil {
 		klog.V(1).Info("No client config available for kubeconfig watching")

pkg/istio/proxy_config.go

@@ -3,7 +3,6 @@ package istio
 import (
 	"context"
 	"fmt"
-	"io"
 	"net/http"
 	"os/exec"
 	"strings"
@@ -69,6 +68,14 @@ func (p *ProxyConfigClient) GetProxyStatusForPod(ctx context.Context, namespace,
 	return p.execIstioctl(ctx, "proxy-status", fmt.Sprintf("%s.%s", podName, namespace))
 }
 
+// GetAnalyze performs Istio configuration analysis and reports potential issues
+func (p *ProxyConfigClient) GetAnalyze(ctx context.Context, namespace string) (string, error) {
+	if namespace != "" {
+		return p.execIstioctl(ctx, "analyze", "-n", namespace)
+	}
+	return p.execIstioctl(ctx, "analyze")
+}
+
 // execIstioctl executes istioctl commands with proper error handling and timeout
 func (p *ProxyConfigClient) execIstioctl(ctx context.Context, args ...string) (string, error) {
 	// Create context with timeout
@@ -106,58 +113,6 @@ func NewEnvoyAdminClient() *EnvoyAdminClient {
 	}
 }
 
-// GetConfigDumpDirect retrieves configuration dump directly from Envoy admin API
-func (e *EnvoyAdminClient) GetConfigDumpDirect(ctx context.Context, podIP string) (string, error) {
-	return e.getEnvoyEndpoint(ctx, podIP, "config_dump")
-}
-
-// GetClustersDirect retrieves clusters directly from Envoy admin API
-func (e *EnvoyAdminClient) GetClustersDirect(ctx context.Context, podIP string) (string, error) {
-	return e.getEnvoyEndpoint(ctx, podIP, "clusters")
-}
-
-// GetListenersDirect retrieves listeners directly from Envoy admin API
-func (e *EnvoyAdminClient) GetListenersDirect(ctx context.Context, podIP string) (string, error) {
-	return e.getEnvoyEndpoint(ctx, podIP, "listeners")
-}
-
-// GetStatsDirect retrieves stats directly from Envoy admin API
-func (e *EnvoyAdminClient) GetStatsDirect(ctx context.Context, podIP string) (string, error) {
-	return e.getEnvoyEndpoint(ctx, podIP, "stats")
-}
-
-// GetServerInfoDirect retrieves server info directly from Envoy admin API
-func (e *EnvoyAdminClient) GetServerInfoDirect(ctx context.Context, podIP string) (string, error) {
-	return e.getEnvoyEndpoint(ctx, podIP, "server_info")
-}
-
-// getEnvoyEndpoint makes HTTP request to Envoy admin endpoint
-func (e *EnvoyAdminClient) getEnvoyEndpoint(ctx context.Context, podIP, endpoint string) (string, error) {
-	url := fmt.Sprintf("http://%s:15000/%s", podIP, endpoint)
-
-	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
-	if err != nil {
-		return "", fmt.Errorf("failed to create request: %w", err)
-	}
-
-	resp, err := e.httpClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("failed to make request to %s: %w", url, err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("unexpected status code %d from %s", resp.StatusCode, url)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", fmt.Errorf("failed to read response body: %w", err)
-	}
-
-	return string(body), nil
-}
-
 // ProxyConfigSummary provides a summary of all proxy configurations in a namespace
 func (p *ProxyConfigClient) ProxyConfigSummary(ctx context.Context, namespace string) (string, error) {
 	// Get proxy status first to identify pods

pkg/mcp/profile.go

@@ -144,6 +144,15 @@ func (s *Server) initSecurityTools() []server.ServerTool {
 // initConfigurationTools initializes configuration-related Istio tools
 func (s *Server) initConfigurationTools() []server.ServerTool {
 	return []server.ServerTool{
+		{
+			Tool: mcp.NewTool("discover-istio-namespaces",
+				mcp.WithDescription("Discover namespaces that have pods with Istio sidecars and rank them by injection density. This tool helps identify the most probable best namespace for Istio operations by analyzing which namespaces have the most Istio-injected workloads. Use this to prioritize which namespaces to investigate first for Istio configuration and traffic analysis."),
+				mcp.WithTitleAnnotation("Istio: Namespace Discovery"),
+				mcp.WithReadOnlyHintAnnotation(true),
+				mcp.WithDestructiveHintAnnotation(false),
+			),
+			Handler: s.discoverIstioNamespaces,
+		},
 		{
 			Tool: mcp.NewTool("get-envoy-filters",
 				mcp.WithDescription("Get Istio Envoy Filters from any namespace. Envoy Filters allow custom configuration of Envoy proxy behavior, including custom filters, listeners, and clusters. Use this to inspect advanced Istio service mesh configurations."),
@@ -317,6 +326,18 @@ func (s *Server) initProxyConfigTools() []server.ServerTool {
 			),
 			Handler: s.getProxyStatus,
 		},
+		{
+			Tool: mcp.NewTool("get-istio-analyze",
+				mcp.WithDescription("Analyze Istio configuration and report potential issues, misconfigurations, and best practice violations. This tool runs 'istioctl analyze' to provide comprehensive analysis of your Istio service mesh configuration."),
+				mcp.WithString("namespace",
+					mcp.Description("Namespace to analyze (optional). If specified, analyzes only the specified namespace. If not provided, analyzes the entire cluster."),
+				),
+				mcp.WithTitleAnnotation("Istio: Configuration Analysis"),
+				mcp.WithReadOnlyHintAnnotation(true),
+				mcp.WithDestructiveHintAnnotation(false),
+			),
+			Handler: s.getIstioAnalyze,
+		},
 	}
 }
 
@@ -431,6 +452,12 @@ func (s *Server) checkExternalDependencyAvailability(ctx context.Context, ctr mc
 	return NewTextResult(content, err), nil
 }
 
+// Handler method for Istio namespace discovery
+func (s *Server) discoverIstioNamespaces(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+	content, err := s.i.DiscoverNamespacesWithSidecars(ctx)
+	return NewTextResult(content, err), nil
+}
+
 // Handler methods for proxy configuration tools
 func (s *Server) getProxyClusters(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 	namespace := "default"
@@ -552,6 +579,17 @@ func (s *Server) getProxyStatus(ctx context.Context, ctr mcp.CallToolRequest) (*
 	return NewTextResult(content, err), nil
 }
 
+// getIstioAnalyze performs Istio configuration analysis
+func (s *Server) getIstioAnalyze(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+	namespace := ""
+	if ns := ctr.GetArguments()["namespace"]; ns != nil {
+		namespace = ns.(string)
+	}
+
+	content, err := s.i.ProxyConfig.GetAnalyze(ctx, namespace)
+	return NewTextResult(content, err), nil
+}
+
 func init() {
 	ProfileNames = make([]string, 0)
 	for _, profile := range Profiles {