Toolset profiles
The server advertises a different set of tools depending on the toolsets query parameter on the endpoint URL. A smaller set keeps the assistant focused and fits comfortably in its context window; the larger sets unlock specialized resource families.
| Profile | Tools | Endpoint | Includes |
|---|---|---|---|
| core | 58 | https://mcp.cpln.io/mcp | The default. Everyday workflows — workloads, GVCs, secrets, domains, identities, policies, templates, volume sets, observability, and Terraform export. |
| mk8s | 86 | https://mcp.cpln.io/mcp?toolsets=mk8s | Everything in core plus the managed Kubernetes family for provisioning and updating clusters across cloud providers. |
| full | 151 | https://mcp.cpln.io/mcp?toolsets=full | Every tool, including agents, cloud accounts, IP sets, service accounts, audit contexts, external logging, quotas, traces, advanced workload configuration, and volume snapshots. |
Connecting to https://mcp.cpln.io/mcp with no query parameter gives you the core profile. To switch profiles, point your client at the URL with the ?toolsets= parameter — see your tool’s setup page for where the endpoint URL is configured.
Reading the tables
Each tool is listed with its name, its label, and what it does. The Access column flags how the tool behaves:
| Marker | Meaning |
|---|---|
| Read | Read-only. Fetches data without changing anything. |
| Write | Creates or modifies a resource. |
| Destructive | Deletes, removes, or overwrites data. Assistants present the impact and ask for your confirmation before running these. |
mk8s or full next to the access marker; everything else is in core.
Docs & guidance
Read-only tools the assistant uses to ground itself in accurate Control Plane facts, schemas, and documentation before acting. All are in core.
| Name | Label | Description | Access |
|---|---|---|---|
| get_cpln_rules | Get Control Plane Operating Guide | The operating guide — the resource model, production defaults, and how to verify a change landed. | Read |
| get_cpln_skill | Get a Control Plane Skill | The runbook for one task family: how to use a feature correctly, the constraints that are easy to miss, and when it’s the wrong tool. | Read |
| get_resource_schema | Get Resource Schema & API Endpoints | The exact object schema and REST endpoints for a resource kind, for authoring an accurate manifest or calling the API. | Read |
| get_permissions | Get Permissions for a Resource Kind | The grantable permissions for a resource kind, for building policies. | Read |
| search_control_plane | Search Control Plane Docs | Search the documentation knowledge base for guides, examples, and API references. | Read |
| query_docs_filesystem_control_plane | Query Control Plane Docs Filesystem | Run read-only, shell-like queries against an in-memory filesystem of the docs pages and OpenAPI specs. | Read · full |
Generic resource tools
The single read and delete tools that work for every resource kind. Use these to list, inspect, or delete any resource — pass the kind (workload, secret, gvc, and so on). All are in core.
| Name | Label | Description | Access |
|---|---|---|---|
| list_resources | List Resources of a Kind | List resources of one kind as a summary table. | Read |
| get_resource | Get a Resource | Fetch one resource by kind and name, with its full JSON. Secret values are masked. | Read |
| delete_resource | Delete a Resource | Delete one resource by kind and name. The single delete tool for every deletable kind. | Destructive |
GVCs
Create and manage GVCs and the cloud locations they span.
| Name | Label | Description | Access |
|---|---|---|---|
| create_gvc | Create a Control Plane GVC | Create a GVC with one or more cloud locations. | Write |
| update_gvc | Update a Control Plane GVC | Update a GVC’s settings, such as its description, tags, or pull secrets. | Destructive |
| add_gvc_locations | Add locations to a GVC | Add one or more cloud locations to an existing GVC. | Write · full |
| remove_gvc_locations | Remove locations from a GVC | Remove cloud locations from a GVC. | Destructive · full |
Workloads
Create, update, run, and operate workloads. The advanced configure_workload_* tools each manage one specialized block of the spec and live in the full profile.
| Name | Label | Description | Access |
|---|---|---|---|
| create_workload | Create a Workload | Create a serverless, standard, cron, stateful, or VM workload with its containers and exposure. | Write |
| update_workload | Update a Workload | Update an existing workload — image, resources, scaling, environment, and more. | Destructive |
| workload_reveal_secret | Workload — Grant Secret Access | Grant an existing workload access to a secret by wiring its identity and a reveal policy. | Write |
| workload_exec | Workload Exec — Run a Command in a Container | Run a single command in a running container and return its output. Audited. | Destructive |
| workload_start_cron | Workload — Start a Cron Run | Trigger an immediate run of a cron workload. | Write · full |
| configure_workload_load_balancer | Configure Workload Load Balancer | Set or clear the direct per-location load balancer, geo headers, and replica-direct routing. | Destructive · full |
| configure_workload_security | Configure Workload Security Options | Set or clear the pod-level security context (filesystem group, run-as user). | Destructive · full |
| configure_workload_rollout | Configure Workload Rollout Options | Set or clear how updates roll out — surge, unavailability, and scaling policy. | Destructive · full |
| configure_workload_retry | Configure Workload Request Retry Policy | Set or clear the retry behavior for failed requests. | Destructive · full |
| configure_workload_sidecar | Configure Workload Envoy Sidecar | Set or clear the Envoy proxy filter chain. Advanced. | Destructive · full |
| configure_workload_local_options | Configure Workload Per-Location Options | Set or clear per-location overrides of the default options. | Destructive · full |
| configure_workload_extras | Configure Workload BYOK Extras | Set or clear BYOK-only Kubernetes customizations (affinity, tolerations, spread constraints). | Destructive · full |
Secrets
Create and update secrets by type. The core profile covers the most common types; the rest are in mk8s and full. To reveal plaintext, use reveal_secret under Observability.
| Name | Label | Description | Access |
|---|---|---|---|
| create_secret_opaque | Create opaque Secret | Create an opaque secret holding arbitrary key-value data. | Write |
| update_secret_opaque | Update opaque Secret | Update an opaque secret’s data. | Destructive |
| create_secret_dictionary | Create dictionary Secret | Create a dictionary secret of named string values. | Write |
| update_secret_dictionary | Update dictionary Secret | Update a dictionary secret’s entries. | Destructive |
| create_secret_tls | Create TLS Secret | Create a TLS secret from a certificate and private key. | Write |
| update_secret_tls | Update TLS Secret | Update a TLS secret’s certificate or key. | Destructive |
| create_secret_docker | Create Docker registry Secret | Create a Docker registry pull secret. | Write |
| update_secret_docker | Update Docker registry Secret | Update a Docker registry pull secret. | Destructive |
| create_secret_ecr | Create AWS ECR pull Secret | Create an AWS ECR pull secret. | Write |
| update_secret_ecr | Update AWS ECR pull Secret | Update an AWS ECR pull secret. | Destructive |
| create_secret_aws | Create AWS Secret | Create an AWS access-key secret. | Write · full |
| update_secret_aws | Update AWS Secret | Update an AWS access-key secret. | Destructive · full |
| create_secret_userpass | Create username/password Secret | Create a username and password secret. | Write · full |
| update_secret_userpass | Update username/password Secret | Update a username and password secret. | Destructive · full |
| create_secret_azure_connector | Create Azure connector Secret | Create an Azure connector secret. | Write · full |
| update_secret_azure_connector | Update Azure connector Secret | Update an Azure connector secret. | Destructive · full |
| create_secret_nats_account | Create NATS account Secret | Create a NATS account secret. | Write · full |
| update_secret_nats_account | Update NATS account Secret | Update a NATS account secret. | Destructive · full |
| create_secret_gcp | Create GCP service account Secret | Create a GCP service-account-key secret, also usable as a GCR pull secret. | Write · mk8s |
| update_secret_gcp | Update GCP service account Secret | Update a GCP service-account-key secret. | Destructive · mk8s |
| create_secret_azure_sdk | Create Azure SDK Secret | Create an Azure SDK service-principal secret. | Write · mk8s |
| update_secret_azure_sdk | Update Azure SDK Secret | Update an Azure SDK service-principal secret. | Destructive · mk8s |
| create_secret_keypair | Create key pair Secret | Create a keypair secret from a private key and optional public key. | Write · mk8s |
| update_secret_keypair | Update key pair Secret | Update a keypair secret. | Destructive · mk8s |
Custom domains
Configure custom domains, their port listeners, routes, TLS, and CORS. Port, route, TLS, and CORS tools operate on an existing domain.
| Name | Label | Description | Access |
|---|---|---|---|
| create_domain | Create a Domain | Create a custom domain in cname or ns DNS mode. | Write |
| update_domain | Update a Domain | Update a domain’s metadata, host/subdomain acceptance flags, and GVC or workload binding. | Destructive |
| add_domain_port | Add a Domain Port Listener | Add a port listener (for example, 443/http2) to a domain. | Write |
| remove_domain_port | Remove a Domain Port Listener | Remove a port listener from a domain. | Destructive |
| add_domain_route | Add a Route to a Domain Listener | Add a route mapping a path or prefix to a workload. | Write |
| update_domain_route | Update a Route on a Domain Listener | Update an existing route on a domain listener. | Destructive |
| remove_domain_route | Remove a Route from a Domain Listener | Remove a route from a domain listener. | Destructive |
| set_domain_tls | Set TLS on a Domain Listener | Set the TLS configuration on a domain listener. | Destructive |
| clear_domain_tls | Clear TLS on a Domain Listener | Clear the TLS configuration from a domain listener. | Destructive |
| set_domain_cors | Set CORS on a Domain Listener | Set the CORS policy on a domain listener. | Destructive · full |
| clear_domain_cors | Clear CORS on a Domain Listener | Clear the CORS policy from a domain listener. | Destructive · full |
Identity & access
Manage identities, policies, groups, service accounts, and the private-network resources attached to an identity. Groups, service accounts, network resources, and user invitations are in full.
| Name | Label | Description | Access |
|---|---|---|---|
| create_identity | Create an Identity | Create a GVC-scoped identity for workload access to secrets, cloud resources, and private networks. | Write |
| update_identity | Update an Identity | Update an identity’s settings and bound credentials. | Destructive |
| create_policy | Create a Policy | Create a policy that grants permissions on resources to principals. | Write |
| update_policy | Update a Policy | Update a policy’s bindings, targets, or permissions. | Destructive |
| create_group | Create a Group | Create a group of users and service accounts, with optional tag-based membership. | Write · full |
| edit_group | Edit a Group | Update a group’s membership or membership query. | Destructive · full |
| create_service_account | Create a Service Account | Create a service account for programmatic access. | Write · full |
| update_service_account | Update a Service Account | Update a service account’s description or tags, or revoke its keys by name. | Destructive · full |
| add_key_to_service_account | Add Key to Service Account | Create a service account if needed, add a key, and optionally add it to a group. | Write · full |
| invite_user_to_org | Invite User to Organization | Invite a user by email to join the organization. | Write · full |
| add_identity_network_resource | Add Agent-Based Network Resource | Add an agent-based (wormhole) network resource so a workload can reach a private endpoint. | Write · full |
| add_identity_native_network_resource | Add Cloud-Native Network Resource | Add an AWS PrivateLink or GCP Private Service Connect network resource to an identity. | Write · full |
| list_identity_network_resources | List Network Resources on an Identity | List the agent-based and cloud-native network resources attached to an identity. | Read · full |
| remove_identity_network_resource | Remove Network Resource from Identity | Remove a network resource from an identity. | Destructive · full |
Template catalog
Browse and operate the Template Catalog — production-ready stacks you install instead of hand-authoring resources.
| Name | Label | Description | Access |
|---|---|---|---|
| browse_templates | Browse Template Catalog | List the catalog — name, category, latest version, and whether each template creates its own GVC. | Read |
| get_template | Get Template Detail & Example Values | Show a template’s versions, prerequisites, and example values.yaml. | Read |
| preview_template | Preview Template (Dry-Run) | Render the resources an install or upgrade would create, without applying anything. | Read · full |
| install_template | Install Template | Install a catalog template as a new release. | Write |
| upgrade_template | Upgrade Template | Upgrade an installed release to a new version or updated values. | Destructive |
| rollback_template | Rollback a Template Release | Roll a release back to a prior revision. | Destructive · full |
| uninstall_template | Uninstall Template | Uninstall a release and remove the resources it created. | Destructive |
| list_installed_templates | List Installed Templates | List the template releases installed in an org. | Read |
| get_installed_template | Get Installed Template Resources | Show a release’s status, revision, and the resources it created. | Read |
Volume sets & storage
Create volume sets, mount them to workloads, and manage their volumes and snapshots. Snapshot and per-volume operations are in full.
| Name | Label | Description | Access |
|---|---|---|---|
| create_volumeset | Create a Volumeset | Create a volume set for persistent storage. | Write |
| update_volumeset | Update a Volumeset | Update a volume set’s settings. | Destructive |
| mount_volumeset_to_workload | Mount Volumeset to Workload | Mount a volume set to a workload at a path (ext4/xfs require a stateful or VM workload; shared mounts on any type). | Write |
| expand_volumeset | Expand Volumeset Volume | Increase a volume’s capacity with no downtime or data loss. | Write |
| shrink_volumeset | Shrink Volumeset Volume | Shrink a volume to a smaller capacity. Data is migrated, but if used bytes exceed the new size the excess is lost — snapshot first. | Destructive · full |
| create_volumeset_snapshot | Create Volumeset Snapshot | Create a point-in-time snapshot of a volume. | Write · full |
| list_volumeset_snapshots | List Volumeset Snapshots | List the snapshots of a volume set. | Read · full |
| restore_volumeset_snapshot | Restore Volumeset Snapshot | Restore a snapshot, discarding everything written since it was taken. | Destructive · full |
| delete_volumeset_snapshot | Delete Volumeset Snapshot | Delete a volume set snapshot. | Destructive · full |
| delete_volumeset_volume | Delete Volumeset Volume | Delete a single volume from a volume set. | Destructive · full |
Observability
Inspect deployments, logs, events, replicas, metrics, traces, the audit trail, and secret plaintext. Most are in core; traces are in full.
| Name | Label | Description | Access |
|---|---|---|---|
| list_deployments | List Workload Deployments | A workload’s per-location rollout status — the primary readiness check after a deploy. | Read |
| get_workload_logs | Get Workload Logs | Query a workload’s logs by structured parameters or a raw LogQL query. | Read |
| get_workload_events | Get Workload Events | Fetch a workload’s event log to diagnose readiness, liveness, and deploy failures. | Read |
| list_workload_replicas | List Workload Replicas | List the running replicas of a workload in a location. | Read |
| list_metrics | List & Discover Metrics | Discover the metrics and labels you can query, each with a correct PromQL template. | Read |
| query_metrics | Query Workload Metrics (PromQL) | Run a PromQL query against Control Plane metrics. | Read |
| query_audit_events | Query Audit Events | Query the audit trail for mutations on resources of a kind. | Read |
| reveal_secret | Reveal Secret Data | Reveal a secret’s plaintext. Break-glass access; audited. | Read |
| query_traces | Query Distributed Traces | Search distributed traces (TraceQL) for slow or failing requests. | Read · full |
| get_trace | Get Trace | Fetch one trace by ID and summarize its span tree, durations, and errors. | Read · full |
Terraform & IaC
Convert manifests to Terraform and export existing resources as HCL for infrastructure as code. Batch export and kind discovery are in full.
| Name | Label | Description | Access |
|---|---|---|---|
| convert_to_terraform | Convert a manifest to Terraform | Convert a resource manifest to Terraform HCL, dry-run validated against the API first. | Read |
| export_terraform | Export an existing resource to Terraform | Generate Terraform HCL for existing resources from a self link, single or in bulk. | Read |
| export_terraform_batch | Export many resources to Terraform | Generate merged, de-duplicated Terraform for several existing resources in one call. | Read · full |
| list_terraform_kinds | List Terraform-convertible kinds | List the resource kinds the exporter can convert. | Read · full |
Cloud accounts, agents & networking
Onboard cloud accounts, create agents for private connectivity, and reserve IP sets. All are in full.
| Name | Label | Description | Access |
|---|---|---|---|
| how_to_create_aws_cloud_account | How to Create an AWS Cloud Account | The canonical IAM steps to onboard an AWS cloud account, filled in with your values. | Read · full |
| how_to_create_gcp_cloud_account | How to Create a GCP Cloud Account | The steps to onboard a GCP cloud account. | Read · full |
| how_to_create_azure_cloud_account | How to Create an Azure Cloud Account | The steps to onboard an Azure cloud account. | Read · full |
| how_to_create_ngs_cloud_account | How to Create an NGS Cloud Account | The steps to onboard a NATS NGS cloud account. | Read · full |
| create_cloud_account | Create a Cloud Account | Create a cloud account bridging Control Plane to AWS, GCP, Azure, or NGS. | Write · full |
| update_cloud_account | Update a Cloud Account | Update a cloud account’s settings. | Destructive · full |
| create_agent | Create an Agent | Create an agent for secure connectivity to a private network. | Write · full |
| update_agent | Update an Agent | Update an agent’s settings. | Destructive · full |
| get_agent_info | Get Agent Info | Fetch an agent’s real-time status — active state, last heartbeat, peer and service counts. | Read · full |
| get_agent_eventlog | Get Agent Event Log | Fetch an agent’s event log. | Read · full |
| create_ipset | Create an IP Set | Reserve static public IPs per location. | Write · full |
| update_ipset | Update an IP Set | Update an IP set’s settings. | Destructive · full |
| add_ipset_location | Add or update IP set locations | Add locations to an IP set or update their retention policy. | Write · full |
| remove_ipset_location | Remove IP set locations | Remove locations from an IP set. | Destructive · full |
Organization & operations
Manage org settings, quotas, audit contexts, and external logging. All are in full.
| Name | Label | Description | Access |
|---|---|---|---|
| update_org | Update Organization Settings | Update organization-wide settings. | Destructive · full |
| list_quotas | List Organization Quotas | List the org’s resource quotas. | Read · full |
| get_quota | Get Quota Details | Fetch the details and current usage of one quota. | Read · full |
| create_audit_context | Create Audit Context | Create a custom audit context for tamper-proof external events. | Write · full |
| edit_audit_context | Edit an Audit Context | Update an audit context’s description and tags. | Write · full |
| get_external_logging | Get External Logging Configuration | View the org’s primary and extra external logging providers. | Read · full |
| configure_external_logging | Configure External Logging | Configure log shipping to an external provider (S3, Datadog, Coralogix, and more). | Destructive · full |
| remove_external_logging | Remove External Logging Provider | Remove an external logging provider from the org. | Destructive · full |
Managed Kubernetes
Provision and update managed Kubernetes clusters across cloud and bare-metal providers. This family is available in the mk8s and full profiles — connect to https://mcp.cpln.io/mcp?toolsets=mk8s to use it.
| Name | Label | Description | Access |
|---|---|---|---|
| create_mk8s_aws | Create an AWS mk8s cluster | Provision a managed Kubernetes cluster on AWS. | Write · mk8s |
| update_mk8s_aws | Update an AWS mk8s cluster | Update an AWS managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_gcp | Create a GCP mk8s cluster | Provision a managed Kubernetes cluster on GCP. | Write · mk8s |
| update_mk8s_gcp | Update a GCP mk8s cluster | Update a GCP managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_azure | Create an Azure mk8s cluster | Provision a managed Kubernetes cluster on Azure. | Write · mk8s |
| update_mk8s_azure | Update an Azure mk8s cluster | Update an Azure managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_hetzner | Create a Hetzner mk8s cluster | Provision a managed Kubernetes cluster on Hetzner. | Write · mk8s |
| update_mk8s_hetzner | Update a Hetzner mk8s cluster | Update a Hetzner managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_digitalocean | Create a DigitalOcean mk8s cluster | Provision a managed Kubernetes cluster on DigitalOcean. | Write · mk8s |
| update_mk8s_digitalocean | Update a DigitalOcean mk8s cluster | Update a DigitalOcean managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_linode | Create a Linode mk8s cluster | Provision a managed Kubernetes cluster on Linode. | Write · mk8s |
| update_mk8s_linode | Update a Linode mk8s cluster | Update a Linode managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_oblivus | Create an Oblivus mk8s cluster | Provision a managed Kubernetes cluster on Oblivus. | Write · mk8s |
| update_mk8s_oblivus | Update an Oblivus mk8s cluster | Update an Oblivus managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_lambdalabs | Create a Lambda Labs mk8s cluster | Provision a managed Kubernetes cluster on Lambda Labs. | Write · mk8s |
| update_mk8s_lambdalabs | Update a Lambda Labs mk8s cluster | Update a Lambda Labs managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_paperspace | Create a Paperspace mk8s cluster | Provision a managed Kubernetes cluster on Paperspace. | Write · mk8s |
| update_mk8s_paperspace | Update a Paperspace mk8s cluster | Update a Paperspace managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_triton | Create a Triton mk8s cluster | Provision a managed Kubernetes cluster on Triton. | Write · mk8s |
| update_mk8s_triton | Update a Triton mk8s cluster | Update a Triton managed Kubernetes cluster. | Destructive · mk8s |
| create_mk8s_generic | Create a generic mk8s cluster | Provision a managed Kubernetes cluster on generic or self-managed infrastructure. | Write · mk8s |
| update_mk8s_generic | Update a generic mk8s cluster | Update a generic managed Kubernetes cluster. | Destructive · mk8s |