This is the backend for our MCP UI. Its a simple proxy server which sits between the UI frontend and the Kubernetes API server.
We want to call the kubernetes api server directly from the browser, but we have several problems preventing us from calling the api from the browser:
- TLS certificate is not signed from a well-known CA
- CORS is not configured most of the time
The ui-backend server acts like a proxy when talking to the Crate-Cluster or MCPs from the browser.
The browser sends the request to the ui-backend, with authorization data and optionally the project, workspace and controlplane name of the MCP in header data.
- If requesting the Crate: The request will get send to the crate cluster with the authorization data in the headers
- If requesting an MCP: The
ui-backendwill call the Crate to get thekubeconfigof the MCP and then calls the MCP with that kubeconfig
There are only some modifications done when piping the request to the api server, preventing some headers from going through.
You need to have a running mcp landscape. Then reference the KUBECONFIG for the backend using the KUBECONFIG environment variable.
The backend can be started using:
go run cmd/server/main.goYou can reach the backend on port 3000 and the path as you would directly to the api server.
For example: http://localhost:3000/api/v1/namespacesPut the authorization data in the following headers:
X-Client-Certificate-DataX-Client-Key-Data
or (for OIDC):
Authorization: <token>
Also configure the api-server you want to call:
- Crate: Add the header
X-Use-Crate-Cluster: true - MCP: Add the headers
X-Project-Name,X-Workspace-NameandX-Control-Plane-Name
ui-backend support jsonpath (kubectl version) and jq (gojq) to parse json before sending it to the client, reducing the data transfered to the client.
Usage:
- JsonPath: Add a header
X-jsonpathwith the jsonpath query - JQ: Add a header
X-jqwith the jq query
This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.
If you find any bug that may be a security problem, please follow our instructions at in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.
Copyright 2025 SAP SE or an SAP affiliate company and ui-backend contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.