MCP Integration
Available Tools Complete reference of MCP tools available in PodWarden
PodWarden exposes 121 tools through MCP, organized by category. Tools are classified as read-only , mutating (create/update/deploy), or destructive (delete). The MCP Access Level setting (Settings → MCP) controls which tiers are exposed.
Renamed tools: The list_workload_definitions / get_workload_definition / etc. tools have been renamed to list_stacks / get_stack / etc. Similarly, list_workload_assignments / get_workload_assignment / etc. are now list_deployments / get_deployment / etc. The old names still work as backward-compatible aliases.
Infrastructure overview
Tool Type Description get_infrastructure_overviewRead High-level summary: cluster count, host count, GPU totals, workload status, recent deployments find_gpu_capacityRead Find available GPU capacity across all hosts and clusters, grouped by GPU model check_cluster_capacityRead Check available CPU and memory capacity across clusters, compare against deployed workloads troubleshoot_workloadRead Diagnose issues: fetches deployment, stack, cluster status, pod events, and logs
Clusters
Tool Type Description list_clustersRead List all Kubernetes clusters with node counts, network types, and live status get_clusterRead Detailed cluster info including nodes, managers, and live Kubernetes status get_cluster_extendedRead Extended live info: K8s version, namespaces, node details with CPU/memory/GPU, running pods get_cluster_storage_classesRead List StorageClasses available in a cluster get_cluster_affectedRead Get resources that would be affected by deleting a cluster (hosts, deployments, endpoints) create_clusterMutating Create a new cluster — provide kubeconfig directly or fetch via SSH from a control-plane node update_clusterMutating Update cluster settings: name, kubeconfig, namespace, SSH fetch host, protection delete_clusterDestructive Delete a cluster record from PodWarden (does NOT uninstall K8s from hosts) delete_cluster_nodeDestructive Remove a stale node from a Kubernetes cluster (deletes the K8s node object)
Hosts
Tool Type Description list_hostsRead List all managed hosts with hardware info, status, GPU details, cluster membership get_hostRead Full host details including hardware specs, GPU info, cluster assignment update_hostMutating Update host metadata: display name, notes, network types probe_hostMutating SSH into a host to gather hardware info (CPU, RAM, disk, GPU) and detect Kubernetes discover_hostsMutating Trigger Tailscale host discovery — fetches devices and upserts into PodWarden set_gateway_roleMutating Enable or disable the gateway role on a host (ingress entry point) detect_host_public_ipMutating Detect the public IP of a host via SSH (for DNS validation) add_hostMutating Add a host manually by IP or hostname (for non-Tailscale hosts) provision_hostMutating Install K3s agent and join the host to a cluster (runs in background) wipe_hostMutating Remove K3s from a host and reset to discovered state (runs in background) register_cluster_from_hostMutating Register an existing K3s/K8s installation on a host as a PodWarden cluster provision_as_control_planeMutating Install K3s server on a host and create a new cluster (runs in background) detach_host_from_clusterMutating Remove a worker node from its cluster (K8s + PodWarden DB) delete_hostDestructive Delete a manually-added host from PodWarden
Stacks
Templates that define what to deploy (image, resources, GPU requirements).
Tool Type Description list_stacksRead List all stacks with resource summaries get_stackRead Full stack details including env schema, volume mounts, registry credentials create_stackMutating Create a new stack (container template) update_stackMutating Update an existing stack — only provided fields are changed delete_stackDestructive Permanently delete a stack
Deployments
Bindings of stacks to clusters — the actual deployments.
Tool Type Description list_deploymentsRead List deployments with status, cluster, stack, and deploy info get_deploymentRead Full deployment details including env values, resolved volumes, deployment log get_workload_logsRead Get container logs and pod status from a deployed workload check_network_compatibilityRead Pre-flight check: verify workload network requirements match cluster capabilities create_deploymentMutating Bind a stack to a cluster (starts in "pending" status) update_deploymentMutating Update deployment config — changes take effect on next deploy deploy_workloadMutating Deploy a deployment to its target Kubernetes cluster (runs in background) undeploy_workloadMutating Remove a workload from Kubernetes — deletes Deployment and non-retained PVCs update_config_templateMutating Update a single config template in a deployment without resending all config_values run_in_podMutating Execute a command inside a running pod belonging to a managed deployment proxy_to_serviceMutating Send an HTTP request to a deployment's ClusterIP service via in-cluster proxy migrate_workloadMutating Migrate a deployed workload to a different node (pre-flight PV affinity checks) delete_deploymentDestructive Delete a deployment record (does NOT undeploy — undeploy first)
Apps
Tool Type Description list_appsRead List apps with their stacks, deployments, and current status get_appRead Full app details including stack config, deployment status, and history rollback_deploymentMutating Rollback to a previous deployment version — updates the K8s deployment image tag
Ingress rules
Tool Type Description list_ingress_rulesRead List all ingress rules with domain, backend, gateway, and status get_ingress_ruleRead Full ingress rule details including DNS check results and proxy status create_ingress_ruleMutating Create a new ingress rule — supports managed (K8s) and manual (IP:port) backends update_ingress_ruleMutating Update an existing ingress rule — only provided fields are changed check_ingress_dnsMutating Check DNS resolution — resolves domain A record and compares to gateway IP check_ingress_httpMutating HTTP health check — verifies the full chain: DNS → gateway → ingress → backend check_ingress_tlsMutating Check TLS certificate validity: issuer, expiration date, days remaining apply_ingress_ruleMutating Generate and deploy proxy config for a single ingress rule apply_all_ingress_rulesMutating Regenerate and deploy the full proxy config for a gateway host delete_ingress_ruleDestructive Permanently delete an ingress rule and remove its proxy config
DDNS
Tool Type Description list_ddns_configsRead List all DDNS configurations with provider, status, current IP, and last update get_ddns_configRead Full DDNS config details (sensitive fields like API tokens are masked) get_ddns_statusRead Current public IP and status summary of all DDNS configurations create_ddns_configMutating Create a new DDNS config (Cloudflare, DuckDNS, Webhook, or Hub provider) update_ddns_configMutating Update a DDNS config — use "***" for token fields to preserve existing values test_ddns_configMutating Force a DNS record update to verify credentials and provider connectivity delete_ddns_configDestructive Delete a DDNS config (DNS records are NOT removed — clean up at provider)
Hub catalog
Browse and import stack templates from PodWarden Hub.
Tool Type Description test_hub_connectionRead Test connectivity to the configured PodWarden Hub list_hub_categoriesRead List template categories (e.g. "AI & Machine Learning", "Databases") list_hub_templatesRead Browse templates with search and category filtering get_hub_templateRead Full template details: image, resources, env schema, ports, volumes check_hub_updatesRead Check for updates on Hub-imported stacks import_hub_templateMutating Import a Hub template as a local stack
Hub DDNS
Manage DDNS subdomains allocated through PodWarden Hub.
Tool Type Description list_hub_ddns_domainsRead List available DDNS domains from Hub (e.g. vxloc.com) list_hub_ddns_subdomainsRead List allocated subdomains with current IP addresses allocate_hub_ddns_subdomainMutating Allocate a new subdomain (e.g. "myapp.vxloc.com") update_hub_ddns_subdomain_ipMutating Update the IP address for an allocated subdomain delete_hub_ddns_subdomainDestructive Release a Hub DDNS subdomain (stops resolving, cannot be undone)
Storage
Tool Type Description list_storage_connectionsRead List all storage connections (NFS/S3 backends) with config and status get_storage_connectionRead Storage connection details including connectivity test results test_storage_connectionMutating Test connectivity — NFS: TCP/RPC/export/mount+speed test; S3: endpoint/upload/download speed create_storage_connectionMutating Create a new storage connection (NFS or S3) update_storage_connectionMutating Update an existing storage connection — only provided fields are changed create_nfs_storage_classMutating Deploy NFS provisioner to a cluster and create a StorageClass from an NFS storage connection delete_storage_connectionDestructive Delete a storage connection (workloads using it will lose access)
Provisioning jobs
Tool Type Description list_provisioning_jobsRead List provisioning jobs with status, host, playbook, and timing get_provisioning_jobRead Full job details including stdout and stderr output cancel_provisioning_jobMutating Request cancellation of a running provisioning job
Users
Tool Type Description list_usersRead List system users with role, status, and last active time get_userRead Full user details create_userMutating Create a new system user with email and role update_userMutating Update a user's name, email, role, or status set_user_passwordMutating Set or change a user's local password (8-72 characters) delete_userDestructive Remove a system user
Secrets
Tool Type Description list_secretsRead List all secret keys — values are NOT returned, only key names and metadata list_ssh_key_pairsRead List SSH key pair names (each pair is {name}_ssh_private + {name}_ssh_public) get_secretMutating Get a decrypted secret value by key (handle with care) set_secretMutating Create or update a secret — value is encrypted at rest (AES-256-GCM) generate_ssh_key_pairMutating Generate a new SSH key pair and store both halves in secrets delete_secretDestructive Delete a secret by key — cannot delete SSH keys in use by provisioned hosts
Settings
Tool Type Description get_settingsRead Get registry default settings (default registry URL and image tag) get_tailscale_settingsRead Get Tailscale configuration (tailnet, API key status, discovery tags) update_settingsMutating Update registry default settings update_tailscale_settingsMutating Update Tailscale configuration (tailnet, API key, discovery tags)
System configuration
Tool Type Description get_system_configRead Get SMTP, OIDC, and Hub settings (env vars override DB values) update_system_configMutating Update system config — only pass sections to change (SMTP, OIDC, Hub) test_smtpMutating Send a test email using the configured SMTP settings test_oidcMutating Test OIDC discovery — validates issuer URL, fetches provider metadata
Role restrictions
Not all tools are available to all token roles. The token's role is enforced on the internal API calls each tool makes:
Action viewer operator admin Read tools (list, get, logs) Yes Yes Yes Mutating tools (create, update, deploy) No Yes Yes Destructive tools (delete, undeploy) No No Yes Secret values (get_secret) No No Yes System config (update) No No Yes User management (create, update, delete) No No Yes
If a tool is called with insufficient permissions, the internal API returns 403 Forbidden, which the AI assistant sees as a tool error.