MCP Server – Kubernetes Secrets
Securely manage LinearB API tokens in Kubernetes using Secrets. Learn best practices for injecting credentials into MCP servers and sensors without hard-coding sensitive data.
Securely provide tokens and credentials to LinearB components (such as the MCP server and sensors) by storing them in Kubernetes Secrets instead of hard-coding sensitive values in configuration files.
Summary
- Store LinearB API tokens and credentials in Kubernetes Secrets.
- Inject secrets as environment variables (recommended) or mounted files.
- Reduce credential exposure in manifests and version control.
- Leverage Kubernetes RBAC, auditing, and rotation workflows.
Why use Kubernetes Secrets?
- Avoid storing credentials in plain-text YAML or JSON files.
- Centralize and simplify credential rotation.
- Leverage Kubernetes RBAC and audit controls.
Prerequisites
- A Kubernetes cluster with kubectl access.
- A valid LinearB API token (for MCP) or required sensor credentials.
- If using Claude Code with MCP, the claude CLI must be available in the execution environment.
Step 1 – Create a Kubernetes Secret
Create a generic Secret containing your LinearB API token:
kubectl create secret generic linearb-secret \
  --from-literal=LINEARB_API_TOKEN=<your-api-key>
Good practices
- Use environment-specific names (for example, linearb-secret-prod).
- Prefer --from-file when rotating tokens via CI/CD pipelines.
Step 2 – Use the Secret as an environment variable (recommended)
Inject the token into a Pod or Deployment and reference it from your startup command or configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linearb-mcp
spec:
  replicas: 1
  selector:
    matchLabels: { app: linearb-mcp }
  template:
    metadata:
      labels: { app: linearb-mcp }
    spec:
      containers:
        - name: mcp
          image: <your-image>
          env:
            # The value is read from the Secret when the container starts
            - name: LINEARB_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: linearb-secret
                  key: LINEARB_API_TOKEN
          # args replaces only the image CMD; if the image defines an ENTRYPOINT,
          # put "sh" and "-lc" under command: instead
          args:
            - "sh"
            - "-lc"
            - |
              claude mcp add --transport http linearb https://mcp.linearb.io/mcp \
                --header "x-api-key: ${LINEARB_API_TOKEN}" && \
              exec your-app
This approach keeps the token value out of your manifests: the Deployment references the Secret by name and key, and Kubernetes sets the environment variable when the container starts.
Step 3 – Use the Secret as a mounted file (alternative)
Some teams prefer file mounts for compatibility with existing scripts or tooling.
kubectl create secret generic linearb-secret \
  --from-literal=api-token=<your-api-key>

# Container spec: mount the Secret read-only
volumeMounts:
  - name: linearb-secret-vol
    mountPath: /var/run/secrets/linearb
    readOnly: true
# Pod spec: define the volume backed by the Secret
volumes:
  - name: linearb-secret-vol
    secret:
      secretName: linearb-secret
Your container can read the token from the mounted file:
TOKEN=$(cat /var/run/secrets/linearb/api-token)
claude mcp add --transport http linearb https://mcp.linearb.io/mcp \
  --header "x-api-key: ${TOKEN}"
Step 4 – Helm values example (pattern)
When deploying with Helm, expose secret references via values.yaml and template them into your chart.
# values.yaml
image: your-image
secretRef:
  name: linearb-secret
  key: LINEARB_API_TOKEN

# Chart template, container section. Helm renders {{ }} expressions in templates, not in values.yaml.
env:
  - name: LINEARB_API_TOKEN
    valueFrom:
      secretKeyRef:
        name: {{ .Values.secretRef.name }}
        key: {{ .Values.secretRef.key }}
Security notes
- Grant minimal RBAC permissions to workloads that read the linearb-secret.
- Avoid echoing tokens in logs; rely on environment interpolation.
- Use separate Secrets per environment and rotate credentials regularly.
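The following rotation script is an added example, not part of LinearB's documentation or tooling. It applies the Step 1 advice to prefer --from-file in CI/CD and then restarts the Step 2 Deployment, because an environment variable set from a Secret is read only when a container starts. The function name, its arguments and the default namespace are assumptions.

```shell
#!/bin/sh
# Added example (not LinearB code): rotate the Secret from Step 1 without
# putting the token on a command line, then restart the Step 2 Deployment.
# Assumed names: rotate_linearb_secret, its arguments, the "default" namespace.
# Usage: rotate_linearb_secret /path/to/token-file [namespace] [secret] [deployment]

rotate_linearb_secret() {
    token_file=$1
    namespace=${2:-default}
    secret=${3:-linearb-secret}
    deployment=${4:-linearb-mcp}

    # A missing or empty file would overwrite a working token with nothing.
    if [ ! -s "$token_file" ]; then
        echo "token file missing or empty: $token_file" >&2
        return 2
    fi

    # --from-file stores the bytes verbatim. A trailing newline would become
    # part of LINEARB_API_TOKEN and of the x-api-key header value built from it.
    if [ "$(tail -c 1 "$token_file" | wc -l | tr -d ' ')" = "1" ]; then
        echo "token file ends with a newline; write it with printf '%s'" >&2
        return 3
    fi

    # Render the Secret client-side and pipe it to apply: this creates it on
    # the first run and updates it on later runs. Only the file path is in argv.
    kubectl create secret generic "$secret" -n "$namespace" \
        --from-file=LINEARB_API_TOKEN="$token_file" \
        --dry-run=client -o yaml |
        kubectl apply -n "$namespace" -f - || return 4

    # Running pods keep the old value: env vars from secretKeyRef are resolved
    # only at container start, so roll the Deployment and wait for it.
    kubectl rollout restart "deployment/$deployment" -n "$namespace" &&
        kubectl rollout status "deployment/$deployment" -n "$namespace" --timeout=120s
}
```

The file-mount variant in Step 3 does not need the restart for the file content itself, since the kubelet refreshes mounted Secret volumes, but a process that read the file once at startup still has to re-read it.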
Troubleshooting
- 401/403 errors: Verify the token is valid and mapped to the correct environment variable.
- Pod cannot read Secret: Check namespace alignment and RBAC (ServiceAccount, Role, RoleBinding).
- CLI not found: Confirm the claude CLI is installed and on the container’s PATH.