Hello — in this lesson we install and verify two AWS MCP (Managed Chat/Compute Provider) servers using KAgent: one via the KAgent UI and one via a manifest (YAML). We’ll:
  • Install a minimal KAgent deployment (with a provided 01-values-min).
  • Expose the KAgent UI.
  • Create an AWS Pricing MCP Server via the UI.
  • Create an AWS Well-Architected Security MCP Server via a manifest.
  • Verify the MCP servers and view their exposed tools.
Prerequisites: the CRD and model config for KAgent are already installed and the 01-values-min file has been provided.
The values file used below enables only the minimal components required to run KAgent and disables optional agents. This reduces resource usage while you work through the lab.

Minimal values file (01-values-min)

Use the following values to install KAgent with minimal components enabled:
cilium-debug-agent:
  enabled: false
cilium-manager-agent:
  enabled: false
cilium-policy-agent:
  enabled: false
helm-agent:
  enabled: false
istio-agent:
  enabled: false
k8s-agent:
  enabled: false
kgateway-agent:
  enabled: false
observability-agent:
  enabled: false
promql-agent:
  enabled: false

kmcp:
  enabled: true

kagent-tools:
  enabled: false

tools:
  grafana-mcp:
    enabled: false
  querydoc:
    enabled: false

ui:
  service:
    type: NodePort
    ports:
      port: 8080
      targetPort: 8080
Install KAgent using the provided values (installation command is assumed to be performed in the lab environment). After applying the chart/manifest, monitor the controller logs if you need to troubleshoot:
# Controller logs
kubectl -n kagent logs -l app.kubernetes.io/component=controller -f

Inspect KAgent pods and services

Confirm pods and services in the kagent namespace:
kubectl get pod -n kagent
Example output:
NAME                                              READY   STATUS              RESTARTS   AGE
kagent-controller-6886fc4f5c-4t7gd                0/1     ContainerCreating   0          16s
kagent-kmcp-controller-manager-76645f577f-fbqqs   1/1     Running             0          16s
kagent-ui-59d5bbd564-lssv4                        0/1     Running             0          16s
kubectl get svc -n kagent
Example output:
NAME                                                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
kagent-controller                                   ClusterIP   172.20.160.95   <none>        8083/TCP                     30s
kagent-kmcp-controller-manager-metrics-service      ClusterIP   172.20.74.151   <none>        8443/TCP                     30s
kagent-ui                                           NodePort    172.20.42.19    <none>        8080:32165/TCP               30s
If you want to access the UI on a specific NodePort (for example 30080), patch the kagent-ui service:
kubectl patch svc kagent-ui -n kagent \
  -p '{"spec":{"type":"NodePort","ports":[{"name":"ui","port":8080,"targetPort":8080,"nodePort":30080}]}}'
After image pulls and initialization complete, pods should reach Running:
kubectl get pod -n kagent
Example final output:
NAME                                              READY   STATUS    RESTARTS   AGE
kagent-controller-6886fc4f5c-4t7gd                1/1     Running   0          63s
kagent-kmcp-controller-manager-76645f577f-fbqqs   1/1     Running   0          63s
kagent-ui-59d5bbd564-lssv4                        1/1     Running   0          63s

AWS credentials used by MCP servers

MCP servers require AWS credentials (or other supported credential delivery methods). In this lab environment, credentials are stored at /root/.aws/credentials:
cat /root/.aws/credentials
Example output:
[default]
aws_access_key_id = AKIAWFKYLURA4GFSSD70
aws_secret_access_key = 5JG8kqNhMMSZMDbLjNJMYKqKS5rFxRPREqysVRPF
Region used in this lesson: us-east-1.
MCP servers support multiple credential delivery methods (plain keys, IAM roles, etc.). Follow security best practices for credential handling and avoid checking credentials into source control.

Install AWS Pricing MCP Server via the KAgent UI

  1. Ensure the KAgent UI is accessible (port-forward or use the NodePort you set, e.g., 30080).
  2. Open the KAgent UI in your browser (use the lab environment link or Node IP + NodePort).
  3. In the UI:
    • Click Create → New MCPServer.
    • Click Add MCP Server.
    • Enter the server name exactly: AWS Pricing MCP Server.
    • Namespace: kagent (default).
    • Choose the “Command” option (not URL).
    • Command executor: select uvx (Python-based executor).
    • Package name: awslabs.aws-pricing-mcp-server@latest.
    • Provide environment variables copied from /root/.aws/credentials using these exact keys:
      • AWS_ACCESS_KEY_ID
      • AWS_SECRET_ACCESS_KEY
      • AWS_REGION (for example, us-east-1)
Example command used by the package:
uvx awslabs.aws-pricing-mcp-server@latest
After adding the server, KAgent creates a pod for the MCP Server. Monitor resources:
kubectl get pod -n kagent -w
kubectl get mcpserver -n kagent
You may first see the MCPServer with False readiness while images are pulling:
NAME                      READY   AGE
aws-pricing-mcp-server    False   51s
Wait until the MCPServer is True and the pod is Running:
kubectl get mcpserver -n kagent
kubectl get pod -n kagent
Example final output:
# kubectl get mcpserver -n kagent
# kubectl get pod -n kagent
# aws-pricing-mcp-server-6f59fd7dd8-5j7wh             1/1     Running   0          2m40s
If readiness stays False, inspect events, pod describe, and pod logs:
kubectl describe mcpserver aws-pricing-mcp-server -n kagent
kubectl describe pod <pod-name> -n kagent
kubectl logs <pod-name> -n kagent

Install AWS Well-Architected Security MCP Server via manifest

Create a file named mcp-server.yaml with the following MCPServer manifest. Populate AWS credentials in the env section before applying:
apiVersion: kagent.dev/v1alpha1
kind: MCPServer
metadata:
  name: awslabs-well-architected-security-mcp-server
  namespace: kagent
spec:
  deployment:
    args:
    - awslabs.well-architected-security-mcp-server
    cmd: uvx
    env:
      AWS_ACCESS_KEY_ID:
      AWS_REGION: us-east-1
      AWS_SECRET_ACCESS_KEY:
    image: ghcr.io/astral-sh/uv:debian
    port: 3000
  stdioTransport: {}
  transportType: stdio
Important: do not change the port (must remain 3000) or the transportType (stdio) — these are required by the package.
Steps:
  1. Edit mcp-server.yaml and set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with values from /root/.aws/credentials.
  2. Apply the manifest:
kubectl apply -f mcp-server.yaml
Example output:
mcpserver.kagent.dev/awslabs-well-architected-security-mcp-server created
Check status and pods:
kubectl get mcpserver -n kagent
kubectl get pod -n kagent
Example output:
# kubectl get mcpserver -n kagent
# NAME                                             READY   AGE
# aws-pricing-mcp-server                           True    6m31s
# kubectl get pod -n kagent
# NAME                                                            READY   STATUS    RESTARTS   AGE
# aws-pricing-mcp-server-6f59fd7dd8-5j7wh                         1/1     Running   0          6m44s
# awslabs-well-architected-security-mcp-server-8b68c79f9-v6x7v    1/1     Running   0          26s
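Step 1 above leaves live AWS keys in mcp-server.yaml, so the populated file has to stay out of source control. The check below is an added example, not part of the original lesson or the KAgent project: scan_manifest is a hypothetical helper name, and the sample manifest is constructed with the placeholder key pair published in AWS documentation.

```sh
#!/bin/sh
# Added example (not from the lesson): flag an MCPServer manifest whose env
# block carries inline AWS credentials. scan_manifest is a hypothetical helper.

# Prints one finding per offending line; returns 0 when clean, 1 otherwise.
scan_manifest() {
  file=$1 n=0 hits=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    trimmed=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
    case $trimmed in
      AWS_ACCESS_KEY_ID:*|AWS_SECRET_ACCESS_KEY:*|AWS_SESSION_TOKEN:*)
        key=${trimmed%%:*}
        val=${trimmed#*:}
        val=${val%%#*}                               # drop a trailing YAML comment
        val=$(printf '%s' "$val" | tr -d "\"' \t")   # drop quotes and whitespace
        if [ -n "$val" ]; then
          echo "$file:$n: $key has an inline value"
          hits=$((hits + 1))
        fi ;;
      *)
        # Access key IDs pasted anywhere else (args, annotations, comments).
        if printf '%s\n' "$line" | grep -Eq '(AKIA|ASIA)[A-Z0-9]{16}'; then
          echo "$file:$n: string shaped like an AWS access key ID"
          hits=$((hits + 1))
        fi ;;
    esac
  done < "$file"
  [ "$hits" -eq 0 ]
}

# Constructed sample: the env block of the lesson's manifest after step 1,
# filled with the AWS documentation placeholder key pair (not real keys).
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  deployment:
    env:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_REGION: us-east-1
      AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EOF
scan_manifest "$sample" || echo "inline credentials found: keep this file out of git"
rm -f "$sample"
```

Called from a pre-commit hook, a non-zero return blocks the commit; the lesson's template with empty credential fields passes the check.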

Viewing tools exposed by an MCP Server in the UI

In the KAgent UI:
  • Click the MCPServer entry, then click View → Tools.
  • Each MCP Server lists how many tools it exposes. Example:
    • AWS Well-Architected Security MCP Server — may show 6 tools.
    • AWS Pricing MCP Server — may show 9 tools.
  • Click the number to inspect individual tools exposed by the MCP Server.

Notes and troubleshooting tips

  • Environment variables must use the exact key names required by the package: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION.
  • uvx runs Python-based packages. Some packages may use npx (npm). Choose the executor that matches the package.
  • Image pulls and container initialization can take time. Use kubectl logs, kubectl describe, and kubectl get -w to monitor readiness.
  • For persistent issues, inspect controller logs:
kubectl -n kagent logs -l app.kubernetes.io/component=controller -f
That’s it — you installed one MCP Server via the UI and one via a manifest, verified both, and viewed the tools each server exposes. See you in the next lab.
