sysdiglabs · tembleking · Nov 24, 2025 · Nov 24, 2025
@@ -62,6 +62,7 @@ The handler filters tools dynamically based on `GetMyPermissions` from Sysdig Se
 | `troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. | `promql.exec` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" |
 | `troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `promql.exec` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" |
 | `troubleshoot_kubernetes_list_top_cpu_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go` | Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores). | `promql.exec` | "Show the top 10 workloads consuming the most CPU in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_cpu_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go` | Identifies the Kubernetes containers consuming the most CPU (in cores). | `promql.exec` | "Show the top 10 containers consuming the most CPU in cluster 'production'" |
 
 Every tool has a companion `_test.go` file that exercises request validation, permission metadata, and Sysdig client calls through mocks.
 Note: whenever you add a new tool, also update this file so the table above stays in sync.

@@ -173,6 +173,11 @@ The server dynamically filters the available tools based on the permissions asso
     - **Required Permission**: `promql.exec`
     - **Sample Prompt**: "Show the top 10 workloads consuming the most CPU in cluster 'production'"
 
+  - **`troubleshoot_kubernetes_list_top_cpu_consumed_by_container`**
+    - **Description**: Identifies the Kubernetes containers consuming the most CPU (in cores).
+    - **Required Permission**: `promql.exec`
+    - **Sample Prompt**: "Show the top 10 containers consuming the most CPU in cluster 'production'"
+
    ## Requirements
 - [Go](https://go.dev/doc/install) 1.25 or higher (if running without Docker).
 

@@ -107,6 +107,7 @@ func setupHandler(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *mcp
 		tools.NewTroubleshootKubernetesListCountPodsPerCluster(sysdigClient),
 		tools.NewTroubleshootKubernetesListUnderutilizedPodsByCPUQuota(sysdigClient),
 		tools.NewTroubleshootKubernetesListTopCPUConsumedByWorkload(sysdigClient),
+		tools.NewTroubleshootKubernetesListTopCPUConsumedByContainer(sysdigClient),
 		tools.NewTroubleshootKubernetesListUnderutilizedPodsByMemoryQuota(sysdigClient),
 	)
 	return handler

@@ -0,0 +1,94 @@
+package tools
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
+)
+
+// TroubleshootKubernetesListTopCPUConsumedByContainer is the MCP tool that
+// lists the Kubernetes containers consuming the most CPU (in cores).
+type TroubleshootKubernetesListTopCPUConsumedByContainer struct {
+	// SysdigClient is the client the tool's handler uses to run its query.
+	SysdigClient sysdig.ExtendedClientWithResponsesInterface
+}
+
+// NewTroubleshootKubernetesListTopCPUConsumedByContainer returns a tool that
+// issues its queries through sysdigClient.
+func NewTroubleshootKubernetesListTopCPUConsumedByContainer(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *TroubleshootKubernetesListTopCPUConsumedByContainer {
+	tool := new(TroubleshootKubernetesListTopCPUConsumedByContainer)
+	tool.SysdigClient = sysdigClient
+	return tool
+}
+
+// RegisterInServer declares the tool's schema (four optional string filters,
+// a numeric limit defaulting to 20, and the required "promql.exec"
+// permission) and registers it on s with t.handle as its handler.
+func (t *TroubleshootKubernetesListTopCPUConsumedByContainer) RegisterInServer(s *server.MCPServer) {
+	const toolName = "troubleshoot_kubernetes_list_top_cpu_consumed_by_container"
+
+	// Optional filters narrowing which containers are considered.
+	clusterParam := mcp.WithString("cluster_name", mcp.Description("The name of the cluster to filter by."))
+	namespaceParam := mcp.WithString("namespace_name", mcp.Description("The name of the namespace to filter by."))
+	workloadTypeParam := mcp.WithString("workload_type", mcp.Description("The type of the workload to filter by."))
+	workloadNameParam := mcp.WithString("workload_name", mcp.Description("The name of the workload to filter by."))
+
+	// Upper bound on the number of containers returned.
+	limitParam := mcp.WithNumber("limit",
+		mcp.Description("Maximum number of containers to return."),
+		mcp.DefaultNumber(20),
+	)
+
+	s.AddTool(
+		mcp.NewTool(toolName,
+			mcp.WithDescription("Identifies the Kubernetes containers consuming the most CPU (in cores)."),
+			clusterParam,
+			namespaceParam,
+			workloadTypeParam,
+			workloadNameParam,
+			limitParam,
+			mcp.WithOutputSchema[map[string]any](),
+			WithRequiredPermissions("promql.exec"),
+		),
+		t.handle,
+	)
+}
+
+// handle serves a call to the tool: it reads the optional cluster_name,
+// namespace_name, workload_type, workload_name and limit (default 20)
+// arguments, builds the PromQL query, runs it through the Sysdig client and
+// returns the decoded query response as JSON.
+//
+// A failed client call, a non-200 status, or an undecodable body is reported
+// as a tool error result with a nil Go error.
+func (t *TroubleshootKubernetesListTopCPUConsumedByContainer) handle(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+	clusterName := mcp.ParseString(request, "cluster_name", "")
+	namespaceName := mcp.ParseString(request, "namespace_name", "")
+	workloadType := mcp.ParseString(request, "workload_type", "")
+	workloadName := mcp.ParseString(request, "workload_name", "")
+	limit := mcp.ParseInt(request, "limit", 20)
+
+	query := buildTopCPUConsumedByContainerQuery(clusterName, namespaceName, workloadType, workloadName, limit)
+
+	params := &sysdig.GetQueryV1Params{
+		Query: query,
+	}
+
+	httpResp, err := t.SysdigClient.GetQueryV1(ctx, params)
+	if err != nil {
+		return mcp.NewToolResultErrorFromErr("failed to get top cpu consumed by container", err), nil
+	}
+	// Release the response body on every path so the underlying connection
+	// is not leaked; a Close error carries nothing actionable here.
+	defer func() { _ = httpResp.Body.Close() }()
+
+	if httpResp.StatusCode != 200 {
+		// Best effort: the body is only used to enrich the error message, so
+		// a read failure is ignored and whatever was read is still reported.
+		bodyBytes, _ := io.ReadAll(httpResp.Body)
+		return mcp.NewToolResultErrorf("failed to get top cpu consumed by container: status code %d, body: %s", httpResp.StatusCode, string(bodyBytes)), nil
+	}
+
+	var queryResponse sysdig.QueryResponseV1
+	if err := json.NewDecoder(httpResp.Body).Decode(&queryResponse); err != nil {
+		return mcp.NewToolResultErrorFromErr("failed to decode response", err), nil
+	}
+
+	return mcp.NewToolResultJSON(queryResponse)
+}
+
+// buildTopCPUConsumedByContainerQuery returns the PromQL query that selects
+// the top `limit` containers by sysdig_container_cpu_cores_used, summed by
+// cluster, namespace, workload type, workload name and container name.
+//
+// Each non-empty filter argument becomes an equality matcher on the
+// corresponding label; empty arguments are omitted, and when all are empty
+// the metric is queried without a selector. Filter values are quoted and
+// escaped, so a value containing `"` or `\` cannot break out of the string
+// literal and alter the query.
+func buildTopCPUConsumedByContainerQuery(clusterName, namespaceName, workloadType, workloadName string, limit int) string {
+	labelFilters := []struct{ label, value string }{
+		{"kube_cluster_name", clusterName},
+		{"kube_namespace_name", namespaceName},
+		{"kube_workload_type", workloadType},
+		{"kube_workload_name", workloadName},
+	}
+
+	matchers := make([]string, 0, len(labelFilters))
+	for _, f := range labelFilters {
+		if f.value == "" {
+			continue
+		}
+		// %q emits a double-quoted, Go-escaped literal; PromQL string
+		// literals follow the same escaping rules.
+		matchers = append(matchers, fmt.Sprintf("%s=%q", f.label, f.value))
+	}
+
+	selector := ""
+	if len(matchers) > 0 {
+		selector = "{" + strings.Join(matchers, ",") + "}"
+	}
+
+	return fmt.Sprintf("topk(%d, sum by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, container_label_io_kubernetes_container_name)(sysdig_container_cpu_cores_used%s))", limit, selector)
+}
@@ -0,0 +1,84 @@
+package tools_test
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/mcp/tools"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig/mocks"
+	"go.uber.org/mock/gomock"
+)
+
+// Specs for the troubleshoot_kubernetes_list_top_cpu_consumed_by_container
+// tool: registration in the MCP server, and the PromQL query sent to the
+// mocked Sysdig client for requests with and without arguments.
+var _ = Describe("TroubleshootKubernetesListTopCPUConsumedByContainer Tool", func() {
+	var (
+		tool       *tools.TroubleshootKubernetesListTopCPUConsumedByContainer
+		mockSysdig *mocks.MockExtendedClientWithResponsesInterface
+		mcpServer  *server.MCPServer
+		ctrl       *gomock.Controller
+	)
+
+	// Each spec gets a fresh mock client and a fresh server with the tool registered.
+	BeforeEach(func() {
+		ctrl = gomock.NewController(GinkgoT())
+		mockSysdig = mocks.NewMockExtendedClientWithResponsesInterface(ctrl)
+		tool = tools.NewTroubleshootKubernetesListTopCPUConsumedByContainer(mockSysdig)
+		mcpServer = server.NewMCPServer("test", "test")
+		tool.RegisterInServer(mcpServer)
+	})
+
+	It("should register successfully in the server", func() {
+		Expect(mcpServer.GetTool("troubleshoot_kubernetes_list_top_cpu_consumed_by_container")).NotTo(BeNil())
+	})
+
+	When("listing top cpu consumed by container", func() {
+		DescribeTable("it succeeds", func(ctx context.Context, toolName string, request mcp.CallToolRequest, expectedParamsRequested sysdig.GetQueryV1Params) {
+			// The mock only matches when the handler sends exactly the expected query.
+			mockSysdig.EXPECT().GetQueryV1(gomock.Any(), &expectedParamsRequested).Return(&http.Response{
+				StatusCode: http.StatusOK,
+				Body:       io.NopCloser(bytes.NewBufferString(`{"status":"success"}`)),
+			}, nil)
+
+			serverTool := mcpServer.GetTool(toolName)
+			Expect(serverTool).NotTo(BeNil())
+
+			result, err := serverTool.Handler(ctx, request)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Guard before indexing so a missing or error result fails with a
+			// readable assertion instead of a nil dereference or index panic.
+			Expect(result).NotTo(BeNil())
+			Expect(result.IsError).To(BeFalse())
+			Expect(result.Content).NotTo(BeEmpty())
+
+			resultData, ok := result.Content[0].(mcp.TextContent)
+			Expect(ok).To(BeTrue())
+			Expect(resultData.Text).To(ContainSubstring(`"status":"success"`))
+		},
+			Entry("with no params", context.Background(), "troubleshoot_kubernetes_list_top_cpu_consumed_by_container",
+				mcp.CallToolRequest{
+					Params: mcp.CallToolParams{
+						Name:      "troubleshoot_kubernetes_list_top_cpu_consumed_by_container",
+						Arguments: map[string]any{},
+					},
+				},
+				sysdig.GetQueryV1Params{
+					Query: `topk(20, sum by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, container_label_io_kubernetes_container_name)(sysdig_container_cpu_cores_used))`,
+				},
+			),
+			Entry("with all params", context.Background(), "troubleshoot_kubernetes_list_top_cpu_consumed_by_container",
+				mcp.CallToolRequest{
+					Params: mcp.CallToolParams{
+						Name: "troubleshoot_kubernetes_list_top_cpu_consumed_by_container",
+						Arguments: map[string]any{
+							"cluster_name":   "test-cluster",
+							"namespace_name": "test-namespace",
+							"workload_type":  "deployment",
+							"workload_name":  "test-workload",
+							"limit":          10,
+						},
+					},
+				},
+				sysdig.GetQueryV1Params{
+					Query: `topk(10, sum by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, container_label_io_kubernetes_container_name)(sysdig_container_cpu_cores_used{kube_cluster_name="test-cluster",kube_namespace_name="test-namespace",kube_workload_type="deployment",kube_workload_name="test-workload"}))`,
+				},
+			),
+		)
+	})
+})