Problem
Claude Code can inspect the repo, but it cannot see the running cluster, failing pods, ingress state, or cloud context without a controlled tool surface.
Example workflow
Use Claude Code MCP with Kubernetes
Use this workflow when a coding agent needs live Kubernetes context instead of guessing from repository files alone.
The agent connects to the local Clanker Cloud runtime, asks grounded questions, and leaves high-impact changes behind explicit approval. The open-source CLI is the MCP launcher that powers the same app workflow.
Answer first: give the agent live cluster context through localhost MCP, not raw credentials or a hosted privileged bridge.
App workflow or query
Copy the app query below, then adjust context names, profiles, namespaces, and provider scopes for your environment.
Safety boundary
MCP runs locally through the same runtime that powers the app. Read-only tools expose version, routing, and provider queries through the Clanker safety model. Apply-style changes still require an explicit approved plan.
Next step
Let the agent draft a patch or plan from the evidence, then review the diff or maker plan before applying anything to the cluster.
Proof artifact
Problem, app query, context, output, and safety
Problem
Claude Code can inspect the repo, but it cannot see the running cluster, failing pods, ingress state, or cloud context without a controlled tool surface.
App workflow/query
Clanker Cloud app:
1. Open the app on the machine with kubeconfig and cloud credentials already configured.
2. Use the app as the trusted local context workspace, then connect Claude Code to the local Clanker MCP runtime.
3. Ask the agent:
Why are prod-api pods CrashLoopBackOff, and what cluster evidence supports the answer?Open-source CLI equivalent
clanker mcp --transport stdio
# Example MCP server config shape:
{
"mcpServers": {
"clanker": {
"command": "clanker",
"args": ["mcp", "--transport", "stdio"]
}
}
}Input context
Clanker Cloud app installed or local Clanker runtime available, kubeconfig already trusted on the machine, cloud provider credentials already configured locally, and an MCP-capable agent that can launch a stdio server.
Output example
Agent answer: prod-api pods are CrashLoopBackOff after commit 4f2c1b because the container expects REDIS_URL but the live secret still exposes REDIS_HOST and REDIS_PORT. No cluster write was run. Suggested next step: update the app config or generate a reviewed secret migration plan.Safety boundary
MCP runs locally through the same runtime that powers the app. Read-only tools expose version, routing, and provider queries through the Clanker safety model. Apply-style changes still require an explicit approved plan.
Supported providers
Next step
Let the agent draft a patch or plan from the evidence, then review the diff or maker plan before applying anything to the cluster.
Related examples
Keep going
Debug Kubernetes 502 responses
Users get HTTP 502 from a Kubernetes app even though DNS and the public load balancer are reachable.
Find an AWS cost spike
AWS spend is up sharply this week and the team needs to know which resources, services, and changes explain it.
Scan Cloudflare and EKS together
The team needs to know which Cloudflare routes reach EKS workloads and whether any public paths skip expected authentication or WAF controls.
FAQ
Common questions
Does this workflow change infrastructure?
MCP runs locally through the same runtime that powers the app. Read-only tools expose version, routing, and provider queries through the Clanker safety model. Apply-style changes still require an explicit approved plan.
Can the same pattern run from the open-source CLI?
Yes. The examples lead with the Clanker Cloud app because that is the product workflow. The public Clanker CLI powers the local runtime and remains the equivalent path for terminals, automation, and MCP clients.
Next step
Want the full example library?
Browse the proof-oriented examples for Kubernetes, cost, Cloudflare, MCP, and review-before-apply workflows.