
How to add Radar to Windsurf
Built-in MCP server for the open-source Kubernetes UI — lets AI assistants query and operate your cluster. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 2.4k★ · http · no auth · official
Windsurf config for Radar
    curl -fsSL https://get.radarhq.io | sh

    {
      "mcpServers": {
        "radar": {
          "serverUrl": "http://localhost:9280/mcp"
        }
      }
    }

Remote server — no local install needed. Restart the client after saving the config.
Setup steps
1. Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
2. Paste the Radar config below.
3. Fill in placeholder secrets, then save.
4. Click Refresh in the MCP panel.
5. Radar's tools become available to Cascade.
Before you start
- A running Radar instance (radar or kubectl radar) — the MCP server is enabled by default on http://localhost:9280/mcp
- Access to a Kubernetes cluster via kubeconfig (GKE, EKS, AKS, minikube, kind, k3s, or any conformant cluster)
- An MCP-compatible AI client (Claude Code, Claude Desktop, Cursor, Windsurf, VS Code Copilot, Cline, JetBrains AI, OpenAI Codex, or Gemini CLI)
What Radar can do in Windsurf
- issues: Ranked, curated stream of live operational failures (failing workloads/pods, dangling references, pod-startup blockers, False CRD conditions). Each row carries a source label sliceable via filter.
- diagnose: Root-cause one workload or GitOps reconciler in a single call — minified resource + resourceContext + current and previous container logs + filtered events + startupBlockers (workloads), or reconciler status + parsed issues (Application/Kustomization/HelmRelease).
- get_dashboard: Cluster/namespace health overview — resource counts, failing pods, unhealthy workloads, warning events, Helm status. Inventory-style triage before drilling in.
- top_resources: Live metrics ranked like `kubectl top | sort`, joined with K8s context (status, restarts, owner, requests/limits). For CPU/memory/OOM/load symptoms.
- list_resources: List resources of a kind with minified summaries plus per-row summaryContext (managedBy / health / issueCount).
- search: Find resources by content/term match (config keys, env refs, images, label values, CRD fields, status messages). Supports kind:/ns:/label:/image: modifiers and CEL filter; secret values never indexed.
- get_resource: Detailed view of a single resource — minified spec + status + metadata + default-on resourceContext, with optional supplemental events/metrics.
- get_topology: Whole-namespace/cluster topology graph (nodes + edges). Supports a summary format for LLM-friendly text chains.
Security
Read tools are strictly read-only (readOnlyHint); write tools are RBAC-enforced and annotated destructiveHint. Some are genuinely destructive — apply_resource force=true can take field ownership from Helm/Flux, manage_node drain evicts pods, and rollback/terminate overwrite or abort desired state. RBAC-aware: the local binary uses your kubeconfig identity, so MCP can only see what kubectl can see for that user. Secret .data/.stringData are never exposed (key names only); env var values and pod logs are scrubbed for known secret patterns. With in-cluster no-auth deployment every MCP caller shares the pod ServiceAccount's view — only deploy this way behind a trusted boundary.
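The readOnlyHint/destructiveHint annotations described above can drive a per-tool approval policy on the client side. The following Python is an added example, not code from Radar or from this page: the tools/list payload is constructed, the annotation values shown for each tool are assumed, the two hypothetical_* tools are invented to exercise the MCP defaults, and the policy names (allow, confirm, confirm_each_call) are illustrative.

```python
import json

# Constructed sample shaped like an MCP tools/list result. Tool names other
# than the hypothetical_* ones come from the page; the annotation values on
# each tool are assumed for illustration.
SAMPLE_TOOLS_LIST = json.loads("""
{"tools": [
  {"name": "issues",         "annotations": {"readOnlyHint": true}},
  {"name": "get_resource",   "annotations": {"readOnlyHint": true}},
  {"name": "apply_resource", "annotations": {"readOnlyHint": false, "destructiveHint": true}},
  {"name": "manage_node",    "annotations": {"destructiveHint": true}},
  {"name": "hypothetical_additive_tool", "annotations": {"destructiveHint": false}},
  {"name": "hypothetical_unannotated_tool"}
]}
""")

# Illustrative policy names: what the client should do before running a tool.
ACTION = {"read_only": "allow", "write": "confirm", "destructive": "confirm_each_call"}


def classify(tool):
    """Return 'read_only', 'write' or 'destructive' for one tool entry.

    MCP defaults: an absent readOnlyHint means false and an absent
    destructiveHint means true, so a tool with no annotations is treated
    as destructive. Only a literal JSON true counts as read-only.
    """
    ann = tool.get("annotations") or {}
    if ann.get("readOnlyHint", False) is True:
        return "read_only"
    if ann.get("destructiveHint", True) is False:
        return "write"
    return "destructive"


def build_policy(tools_list_result):
    """Map each tool name to the approval step required before a call."""
    return {t["name"]: ACTION[classify(t)]
            for t in tools_list_result.get("tools", [])}


if __name__ == "__main__":
    for name, decision in build_policy(SAMPLE_TOOLS_LIST).items():
        print(f"{name:32} {decision}")
```

Annotations are hints supplied by the server, so this policy is a client-side guard that sits on top of Kubernetes RBAC for the kubeconfig identity and does not replace it.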
Radar + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the Radar config there under the "mcpServers" key and restart the client.
Is Radar safe to use with Windsurf?
Read tools are strictly read-only (readOnlyHint); write tools are RBAC-enforced and annotated destructiveHint. Some are genuinely destructive — apply_resource force=true can take field ownership from Helm/Flux, manage_node drain evicts pods, and rollback/terminate overwrite or abort desired state. RBAC-aware: the local binary uses your kubeconfig identity, so MCP can only see what kubectl can see for that user. Secret .data/.stringData are never exposed (key names only); env var values and pod logs are scrubbed for known secret patterns. With in-cluster no-auth deployment every MCP caller shares the pod ServiceAccount's view — only deploy this way behind a trusted boundary.
What transport and endpoint does the MCP server use?
HTTP transport with JSON-RPC at http://localhost:9280/mcp. The port matches Radar's --port flag (default 9280). Clients configure it as an http/streamableHttp server pointing at that URL.
Do I need an API key or other auth?
No. For local use there is no auth — the MCP server uses your kubeconfig identity, so it can only see what kubectl can see for that user. Shared in-cluster deployments can add proxy or OIDC auth with per-user Kubernetes RBAC.
How do I connect Claude Code?
With Radar running, run: claude mcp add radar --transport http http://localhost:9280/mcp