AKS CVE MCP Tools Integration

[bcho]

Hi,

We would like to integrate AKS CVE related data into AKS MCP to provide up-to-date CVE information to the AKS user. We propose to add the following MCP tools:

• az_aks_cve_get_security_bulletins: Get comprehensive AKS security bulletins and CVE advisories
• az_aks_cve_get_active_versions: Get currently supported AKS, VHD, and K8S release versions
• az_aks_get_cve_status_by_component: Get CVE status and impact analysis for specific components across release categories

The data will be retrieved from public data endpoint: https://cve-api.prod-aks.azure.com/ (AKS CVE API, sample data) and https://releases.aks.azure.com/ (release tracker).

We aim to use the above tools allow user to query about live CVEs and mitigation status from their AKS clusters, example scenarios:

• list AKS managed addons impacted by CVE X
• tell me how to mitigate CVE Y in my cluster (using az_aks_get_cve_status_by_component)
• tell me about the impact of nginx ingress CVE CVE-2025-1098 (using az_aks_cve_get_security_bulletins)
• ...

We will also provide sample prompts to help the user troubleshoot / investigate usages around the vulneriabilities in their AKS clusters. @feiskyer / @julia-yin do you have any objections / concerns for us to implement above tools?

cc @riyac12

[feiskyer]

sounds great! @bcho would you like to contribute these tools?

[bcho]

sounds great! @bcho would you like to contribute these tools?

Yes I will! Will send out PR this week

[julia-yin]

Hi @bcho, appreciate the contributions for CVE tools! A few questions:

1. Will customers be able to query the CVEs specific to their cluster environment - e.g. filter for CVEs based on the cluster/nodepool version and all components present?
2. Is there a way to consolidate the tools - e.g. combine first and third and add an additional parameter to specify a component? This is because LLM performance tends to degrade with more tool options.
3. Where are we planning on adding the sample prompts - @feiskyer do we have existing prompts/runbooks resource in place in AKS MCP?

[bcho]

Hi @bcho, appreciate the contributions for CVE tools! A few questions:

1. Will customers be able to query the CVEs specific to their cluster environment - e.g. filter for CVEs based on the cluster/nodepool version and all components present?

Yes as the CVE data is associated with k8s versions / node vhd versions information.

2. Is there a way to consolidate the tools - e.g. combine first and third and add an additional parameter to specify a component? This is because LLM performance tends to degrade with more tool options.

Good point, we can merge them as az_aks_get_cve_status_by_component then attach the related the security bulletins into the result. cc @riyac12 / @stanleyt10