All posts
June 18, 20264 min read

Session recording for MCP servers on Kubernetes

How can you trust that every command sent to an MCP server on Kubernetes is captured for later review with session recording? Most teams treat an MCP server like any other in‑cluster service: they deploy the container, expose it via a Service, and let developers reach it with kubectl exec or a custom client. The credential set used by the client is often a long‑lived service account token stored in a shared secret or baked into CI pipelines. Because the connection goes straight from the pod or

Free White Paper

SSH Session Recording + Kubernetes API Server Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

How can you trust that every command sent to an MCP server on Kubernetes is captured for later review with session recording?

Most teams treat an MCP server like any other in‑cluster service: they deploy the container, expose it via a Service, and let developers reach it with kubectl exec or a custom client. The credential set used by the client is often a long‑lived service account token stored in a shared secret or baked into CI pipelines. Because the connection goes straight from the pod or developer workstation to the server, there is no independent record of who ran what, when, or what data was returned. If a bug or a malicious command slips through, the only evidence is the server’s own logs, which may be incomplete, rotated, or already tampered with.

This reality creates a blind spot. Even when an organization mandates that every interaction with an MCP server be auditable, the existing setup supplies only the identity check performed by Kubernetes RBAC. The request still travels directly to the server, bypassing any checkpoint that could enforce recording, mask sensitive fields, or require a human approval step. In other words, the “setup” – the OIDC‑backed service account, the RBAC role, the network policy – decides who may start a session, but it does not guarantee that the session is captured.

The missing piece is a data‑path component that sits between the caller and the MCP server and can enforce session recording as a mandatory guardrail. The component must be able to see the full protocol exchange, store a replayable stream, and tie each record to the authenticated identity that originated the request. Only when that component is present can an organization claim that every command is recorded, that the recordings are preserved for later review, and that they can be replayed for forensic analysis.

Why session recording matters for MCP servers

MCP servers often handle code generation, prompt engineering, or model‑in‑the‑loop workflows. A single stray DELETE or a malformed prompt can corrupt downstream data pipelines. Session recording provides three concrete benefits:

  • Forensic traceability: When an incident occurs, the exact sequence of inputs and outputs can be reconstructed, eliminating guesswork.
  • Compliance evidence: Regulations that require proof of who accessed a system and what they did can be satisfied by reliable logs.
  • Operational learning: Teams can replay successful sessions to extract best‑practice patterns or to train new engineers.

These outcomes are only possible if the recording happens outside the MCP server’s own process. If the server itself is compromised, any logs it writes could be altered. The enforcement must therefore live in a separate, hardened gateway.

How hoop.dev captures every interaction

hoop.dev implements a Layer 7 gateway that proxies traffic to the MCP server. The gateway runs an agent inside the same Kubernetes cluster, close to the target pod, so network latency is minimal. When a user authenticates via OIDC or SAML, hoop.dev validates the token, extracts group membership, and creates a short‑lived session token that represents the user’s intent.

Because the gateway is the only point where the protocol passes, hoop.dev can record the full request‑response stream before it reaches the MCP server. Each session is stored as a replayable artifact that includes the authenticated identity, timestamp, and the raw payload. hoop.dev stores the recording so the original data is retained for later review; the gateway only forwards traffic after the recording has started.

Continue reading? Get the full guide.

SSH Session Recording + Kubernetes API Server Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

In practice, the flow looks like this:

  1. A developer initiates a connection to the MCP server using their standard client.
  2. The request is intercepted by hoop.dev, which checks the user’s OIDC token.
  3. hoop.dev starts a recording session, tags it with the user’s identity, and streams the traffic to the MCP server.
  4. When the interaction ends, hoop.dev finalizes the recording and stores it in the configured backend.

Because hoop.dev is the data‑path, it is the sole authority that can guarantee session recording. If hoop.dev were removed, the request would travel directly to the MCP server and no independent record would exist.

Setting up session recording for an MCP server

Begin with the getting‑started guide. Deploy the hoop.dev gateway using the provided Docker Compose file or the Helm chart for Kubernetes. The deployment includes an agent that automatically discovers the MCP service endpoint.

Next, register the MCP server as a connection in hoop.dev’s configuration. Provide the cluster URL and the service’s internal address; hoop.dev will store the service‑account token that the agent uses to authenticate to the server. No credential ever leaves the gateway, so developers never see the token.

Finally, enable the session‑recording feature for that connection in the UI or via the API. The feature is turned on by default in the quick‑start, but you can verify it in the learn section where the documentation explains the retention policy and replay workflow.

When the setup is complete, any attempt to talk to the MCP server must pass through hoop.dev. The gateway will automatically start a recording, associate it with the caller’s identity, and store the artifact for later review. No additional code changes are required in the client or the server.

Frequently asked questions

Do I need to modify my MCP server code to enable recording?

No. hoop.dev operates at the protocol layer, so the server sees the same traffic it would receive without the gateway. The only change is the network route that points client traffic to hoop.dev instead of directly to the service.

Can I limit who can view the recordings?

Yes. Access to the recorded artifacts is governed by the same OIDC‑based identity checks that protect the gateway. Only users with the appropriate role can retrieve or replay a session.

What happens if the gateway crashes during a session?

hoop.dev writes the recording incrementally. If the process terminates unexpectedly, the partial stream is still persisted, providing a forensic snapshot of the activity up to the failure point.

Next steps

Explore the source code and contribute improvements on GitHub. The repository includes the full implementation of the session‑recording pipeline, integration tests, and guidance for extending the gateway to other protocols.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot