From c4d83f762837aae15505b4ec8ceac704528961ff Mon Sep 17 00:00:00 2001
From: Dan Barr <6922515+danbarr@users.noreply.github.com>
Date: Thu, 9 Oct 2025 08:46:36 -0400
Subject: [PATCH] Remove permissionProfile from K8s examples
Signed-off-by: Dan Barr <6922515+danbarr@users.noreply.github.com>
---
docs/toolhive/guides-cli/build-containers.mdx | 3 -
docs/toolhive/guides-k8s/run-mcp-k8s.mdx | 56 +------------------
docs/toolhive/guides-mcp/context7.mdx | 6 --
docs/toolhive/guides-mcp/fetch.mdx | 3 -
docs/toolhive/guides-mcp/filesystem.mdx | 3 -
docs/toolhive/guides-mcp/github.mdx | 3 -
docs/toolhive/guides-mcp/k8s.mdx | 3 -
docs/toolhive/guides-mcp/osv.mdx | 3 -
docs/toolhive/guides-mcp/playwright.mdx | 9 ---
docs/toolhive/tutorials/vault-integration.mdx | 3 -
10 files changed, 1 insertion(+), 91 deletions(-)
diff --git a/docs/toolhive/guides-cli/build-containers.mdx b/docs/toolhive/guides-cli/build-containers.mdx
index a94ba231..84fbed12 100644
--- a/docs/toolhive/guides-cli/build-containers.mdx
+++ b/docs/toolhive/guides-cli/build-containers.mdx
@@ -222,9 +222,6 @@ you want to pre-build containers before deploying them.
spec:
image: ghcr.io/myorg/mcp-git:v1.0.0
transport: stdio
- permissionProfile:
- type: builtin
- name: network
```
### CI/CD integration
diff --git a/docs/toolhive/guides-k8s/run-mcp-k8s.mdx b/docs/toolhive/guides-k8s/run-mcp-k8s.mdx
index 7597fad2..adadec5e 100644
--- a/docs/toolhive/guides-k8s/run-mcp-k8s.mdx
+++ b/docs/toolhive/guides-k8s/run-mcp-k8s.mdx
@@ -120,9 +120,6 @@ spec:
transport: streamable-http
targetPort: 8080
port: 8080
- permissionProfile:
- type: builtin
- name: network
resources:
limits:
cpu: '100m'
@@ -222,9 +219,6 @@ spec:
transport: streamable-http
targetPort: 8080
port: 8080
- permissionProfile:
- type: builtin
- name: network
podTemplateSpec:
spec:
containers:
@@ -285,9 +279,6 @@ spec:
image: ghcr.io/github/github-mcp-server
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: network
secrets:
- name: github-token
key: token
@@ -334,9 +325,6 @@ spec:
image: ghcr.io/github/github-mcp-server
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: network
secrets:
- name: github-token
key: token
@@ -398,9 +386,6 @@ spec:
image: docker.io/mcp/filesystem
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: none
podTemplateSpec:
spec:
volumes:
@@ -449,18 +434,6 @@ to learn how to connect to MCP servers using different clients.
`MCPServer` Custom Resource Definition (CRD)
- [Deploy the operator using Helm](./deploy-operator-helm.md) - Install the
ToolHive operator
-- [Custom permissions](../guides-cli/custom-permissions.mdx) - Configure
- permission profiles
-
-:::info[Important]
-
-Outbound network filtering using permission profiles isn't currently implemented
-in the ToolHive Operator. This is a roadmap feature planned for future releases.
-
-Contributions to help implement this feature are welcome! You can contribute by
-visiting our [GitHub repository](https://github.com/stacklok/toolhive).
-
-:::
## Troubleshooting
@@ -530,7 +503,7 @@ Common causes include:
- **Missing secrets**: Ensure required secrets exist and are properly referenced
- **Resource constraints**: Check if the pod has sufficient CPU and memory
resources
-- **Permission issues**: Verify the security context and permission profile are
+- **Permission issues**: Verify the security context and RBAC permissions are
correctly configured
- **Invalid arguments**: Check if the `args` field contains valid arguments for
the MCP server
@@ -622,33 +595,6 @@ Common causes include:
-
-Permission profile errors
-
-If the MCP server fails due to permission profile issues:
-
-```bash
-# Check if ConfigMap exists (for custom profiles)
-kubectl -n get configmap
-
-# Verify ConfigMap content
-kubectl -n describe configmap
-
-# Check operator logs for permission errors
-kubectl -n toolhive-system logs -l app.kubernetes.io/name=toolhive-operator | grep -i permission
-```
-
-Common causes include:
-
-- **Invalid profile name**: Ensure built-in profile names are correct (`none`,
- `network`)
-- **ConfigMap not found**: Create the ConfigMap with the custom permission
- profile
-- **Invalid JSON**: Verify the permission profile JSON is valid
-- **Missing key**: Ensure the specified key exists in the ConfigMap
-
-
-
Resource limit issues
diff --git a/docs/toolhive/guides-mcp/context7.mdx b/docs/toolhive/guides-mcp/context7.mdx
index f2838681..77870c5b 100644
--- a/docs/toolhive/guides-mcp/context7.mdx
+++ b/docs/toolhive/guides-mcp/context7.mdx
@@ -112,9 +112,6 @@ spec:
image: ghcr.io/stacklok/dockyard/npx/context7:1.0.14
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: network
```
Apply the manifest to your cluster:
@@ -138,9 +135,6 @@ spec:
- 'YOUR_API_KEY'
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: network
```
diff --git a/docs/toolhive/guides-mcp/fetch.mdx b/docs/toolhive/guides-mcp/fetch.mdx
index 8824c544..1f7d16c5 100644
--- a/docs/toolhive/guides-mcp/fetch.mdx
+++ b/docs/toolhive/guides-mcp/fetch.mdx
@@ -84,9 +84,6 @@ spec:
transport: streamable-http
targetPort: 8080
port: 8080
- permissionProfile:
- type: builtin
- name: network
```
Apply the manifest to your Kubernetes cluster:
diff --git a/docs/toolhive/guides-mcp/filesystem.mdx b/docs/toolhive/guides-mcp/filesystem.mdx
index 25b1dce9..3b503e17 100644
--- a/docs/toolhive/guides-mcp/filesystem.mdx
+++ b/docs/toolhive/guides-mcp/filesystem.mdx
@@ -124,9 +124,6 @@ spec:
image: mcp/filesystem:latest
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: none # Note, network isolation in K8s is not implemented yet
args:
- '/projects' # Update if you use a different mountPath below
podTemplateSpec:
diff --git a/docs/toolhive/guides-mcp/github.mdx b/docs/toolhive/guides-mcp/github.mdx
index c27aeb78..6267fabf 100644
--- a/docs/toolhive/guides-mcp/github.mdx
+++ b/docs/toolhive/guides-mcp/github.mdx
@@ -144,9 +144,6 @@ spec:
image: ghcr.io/github/github-mcp-server:v0.13.0
transport: stdio
port: 8080
- permissionProfile:
- type: builtin
- name: network
secrets:
- name: github-token
key: token
diff --git a/docs/toolhive/guides-mcp/k8s.mdx b/docs/toolhive/guides-mcp/k8s.mdx
index 3f3465fc..e3e76b0b 100644
--- a/docs/toolhive/guides-mcp/k8s.mdx
+++ b/docs/toolhive/guides-mcp/k8s.mdx
@@ -137,9 +137,6 @@ spec:
targetPort: 8080
port: 8080
serviceAccount: mkp-sa
- permissionProfile:
- type: builtin
- name: network
---
apiVersion: v1
kind: ServiceAccount
diff --git a/docs/toolhive/guides-mcp/osv.mdx b/docs/toolhive/guides-mcp/osv.mdx
index c5b7dbdc..b9c15b1d 100644
--- a/docs/toolhive/guides-mcp/osv.mdx
+++ b/docs/toolhive/guides-mcp/osv.mdx
@@ -79,9 +79,6 @@ spec:
transport: streamable-http
targetPort: 8080
port: 8080
- permissionProfile:
- type: builtin
- name: network
```
Apply the manifest to your Kubernetes cluster:
diff --git a/docs/toolhive/guides-mcp/playwright.mdx b/docs/toolhive/guides-mcp/playwright.mdx
index 5a66d826..3a615b97 100644
--- a/docs/toolhive/guides-mcp/playwright.mdx
+++ b/docs/toolhive/guides-mcp/playwright.mdx
@@ -156,9 +156,6 @@ spec:
args:
- '--port'
- '8931'
- permissionProfile:
- type: builtin
- name: network
```
Apply the manifest to your Kubernetes cluster:
@@ -185,9 +182,6 @@ spec:
- '8931'
- '--allowed-origins'
- 'example.com;trusted-domain.org'
- permissionProfile:
- type: builtin
- name: network
```
Mount a persistent volume to save browser output files like screenshots and
@@ -211,9 +205,6 @@ spec:
- '/browser-output'
- '--save-trace'
- '--save-session'
- permissionProfile:
- type: builtin
- name: network
podTemplateSpec:
spec:
volumes:
diff --git a/docs/toolhive/tutorials/vault-integration.mdx b/docs/toolhive/tutorials/vault-integration.mdx
index 767a2bf0..8db1603e 100644
--- a/docs/toolhive/tutorials/vault-integration.mdx
+++ b/docs/toolhive/tutorials/vault-integration.mdx
@@ -168,9 +168,6 @@ spec:
image: ghcr.io/github/github-mcp-server:latest
transport: stdio
port: 9095
- permissionProfile:
- type: builtin
- name: network
resources:
limits:
cpu: '100m'