All posts
June 18, 20264 min read

Audit logging for MCP servers on Kubernetes

A frequent misconception is that audit logs for MCP servers can be collected directly from the Kubernetes node without any intermediary. In reality, the MCP runtime writes to standard output, and the only logs you see are those the pod or container chooses to emit. That approach leaves you without a reliable record of who issued which command, what data was returned, or whether a response contained sensitive fields. Audit logging matters because MCP servers often process proprietary code, confi

Free White Paper

K8s Audit Logging + Kubernetes Audit Logs: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A frequent misconception is that audit logs for MCP servers can be collected directly from the Kubernetes node without any intermediary. In reality, the MCP runtime writes to standard output, and the only logs you see are those the pod or container chooses to emit. That approach leaves you without a reliable record of who issued which command, what data was returned, or whether a response contained sensitive fields.

Audit logging matters because MCP servers often process proprietary code, confidential prompts, or regulated data. When a developer or an automated agent talks to an MCP endpoint, the conversation can include API keys, customer PII, or intellectual property. If an incident occurs, teams need a complete replay of the session to understand the scope, prove compliance, and remediate safely. Without a central, protocol‑aware recorder, you end up stitching together container logs, side‑car traces, and ad‑hoc script outputs, none of which guarantee completeness or integrity.

Most organizations today deploy MCP servers inside a Kubernetes cluster and rely on the cluster’s built‑in RBAC to limit who can exec into a pod. The typical workflow looks like this: a user authenticates to the identity provider, receives a JWT, and then uses kubectl exec to open a shell or run a one‑off command inside the MCP container. The Kubernetes API server checks the user’s group membership, grants a bearer token for the pod, and the request is forwarded directly to the container’s process. The pod’s process sees the command, executes it, and streams the response back. No component in that chain inspects the payload, masks secrets, or writes a definitive audit record. The result is a "standing access" model where the user’s token can be reused for the duration of the session, and the only evidence of what happened lives in the pod’s stdout or a transient log file.

This model fixes authentication and basic authorization, but it leaves three critical gaps:

  • The request travels straight from the user to the MCP process, so there is no place to enforce inline masking of secrets that might appear in responses.
  • There is no mandatory approval step for risky commands; a privileged user can run destructive operations without oversight.
  • Audit logging is optional and scattered; if the pod crashes or the node is compromised, the logs disappear.

To close those gaps, the enforcement point must sit on the data path, the exact moment traffic crosses the network boundary between the identity‑aware client and the MCP server. By inserting a Layer 7 gateway that understands the MCP protocol, you gain a single control surface that can:

  • Record every request and response, preserving a replayable session for forensic analysis.
  • Apply real‑time masking rules to redact secrets before they reach the client.
  • Require a just‑in‑time approval workflow for commands that match a high‑risk policy.

That is precisely what hoop.dev provides. hoop.dev deploys a gateway container alongside your Kubernetes cluster. An agent runs inside the same network segment as the MCP service, and the gateway proxies all client connections. When a user presents an OIDC token, hoop.dev validates the token, extracts group membership, and then forwards the request to the MCP server only after applying the configured guardrails. Because the gateway sits in the data path, every enforcement outcome, especially audit logging, originates from hoop.dev.

Continue reading? Get the full guide.

K8s Audit Logging + Kubernetes Audit Logs: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How hoop.dev delivers audit logging for MCP servers on Kubernetes

When a request reaches the gateway, hoop.dev captures the full request payload, the timestamp, and the identity of the caller. It then forwards the request to the MCP container over the same protocol (typically HTTP or gRPC). The response follows the reverse path, where hoop.dev records the response body, status, and any masking actions applied. The entire exchange is stored in a secure session store that retains the recorded data for replay on demand. Because the gateway never exposes the underlying credentials, the agent that runs the MCP process never sees the user’s secret, and the audit trail remains independent of the pod’s lifecycle.

From an operational standpoint, you register the MCP service as a connection in hoop.dev’s configuration. The connection definition includes the service URL, the credential hoop.dev should use to authenticate to the MCP endpoint, and any masking policies (for example, redacting strings that match a regex for API keys). Once the connection is active, any client that authenticates via your corporate OIDC provider can access the MCP server only through the gateway. The gateway enforces just‑in‑time access, meaning the user’s token is valid for the duration of the session and cannot be reused after the session ends.

Getting started with audit logging on Kubernetes

The quickest way to see the control in action is to follow the getting started guide. It walks you through deploying the hoop.dev gateway with Docker Compose or Kubernetes, registering a Kubernetes connection, and enabling the audit logging guardrail for MCP traffic. The guide also shows how to explore recorded sessions in the web UI, filter by user, and replay a session to see exactly what was sent and received.

For deeper insight into the guardrail capabilities, masking, approval workflows, and session replay, visit the learn section. The documentation explains how to craft masking rules, set risk thresholds for command approval, and integrate with existing ticketing systems for just‑in‑time approvals.

The entire solution is open source. The codebase, including the gateway, the agent, and the UI, lives on GitHub. You can clone the repository, customize the policies to match your organization’s compliance requirements, and contribute improvements back to the community.

FAQ

Does hoop.dev replace Kubernetes RBAC?

No. hoop.dev works alongside Kubernetes RBAC. It validates the user’s identity, then adds an extra layer of audit logging and inline masking on the data path.

Can I use hoop.dev with existing MCP deployments?

Yes. You register the existing service as a connection, and the gateway proxies traffic without requiring changes to the MCP server code.

What happens to audit logs after a session ends?

hoop.dev stores the session record in a durable store that can be queried for compliance reporting, replay, or forensic analysis. Retention policies are configurable in the gateway settings.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot