Configure filesystem, browser automation, and kubernetes MCP servers in stress test #663

Merged
lpcox merged 2 commits into main from copilot/update-mcp-server-configuration
Feb 4, 2026

Contributor

Copilot AI commented Feb 4, 2026

Nightly stress test detected 4 servers requiring environment configuration beyond authentication: filesystem needs explicit path allowlist, puppeteer/playwright need browser environments, kubernetes needs cluster access.

Changes

Filesystem (mcp/filesystem)

  • Add ALLOWED_PATHS: "/workspace" env var for security-mandated path configuration
  • Works with existing /tmp/mcp-test-fs:/workspace:rw mount

Puppeteer (mcp/puppeteer)

  • Add PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: "false" to enable browser environment

Playwright (mcr.microsoft.com/playwright:v1.49.1-noble)

  • Switch from mcp/playwright to official Microsoft Playwright image
  • Add PLAYWRIGHT_BROWSERS_PATH: "/ms-playwright" for browser engine paths

Kubernetes (mcp/kubernetes)

  • Add KUBECONFIG and KUBERNETES_CLUSTER_URL env vars with secret fallbacks
  • Uses ${{ secrets.KUBECONFIG || '/dev/null' }} pattern matching existing GitHub server config
filesystem:
  type: stdio
  container: "mcp/filesystem"
  env:
    ALLOWED_PATHS: "/workspace"
  mounts:
    - "/tmp/mcp-test-fs:/workspace:rw"

Documentation updated in .github/agentics/nightly-mcp-stress-test.md to reflect configured state.

Original prompt

This section details the original issue you should resolve

<issue_title>[mcp-stress-test] MCP Server Configuration Requirements - Browser, Filesystem, Kubernetes</issue_title>
<issue_description># MCP Server Configuration Issues Detected - 2026-02-04

The nightly stress test detected 4 servers that require additional environment configuration beyond authentication.

Test Summary

  • Test Session: stress-test-20260204-180602
  • Test Date: 2026-02-04T18:06:02Z
  • Total Configuration Issues: 4

Servers Requiring Configuration

1. Filesystem - Path Configuration Required

Container: mcp/filesystem

Issue Type: Configuration Required

Description:
The filesystem MCP server requires explicit path configuration to define which directories can be accessed. This is a security feature to prevent unauthorized file access.

Suggested Configuration:

{
  "filesystem": {
    "type": "stdio",
    "container": "mcp/filesystem",
    "env": {
      "ALLOWED_PATHS": "/tmp,/workspace"
    }
  }
}

Suggested Investigation:

  • Define safe sandbox paths for file operations
  • Document allowed paths in configuration
  • Test filesystem operations with configured paths

2. Puppeteer - Browser Environment Required

Container: mcp/puppeteer

Issue Type: Configuration Required

Description:
The Puppeteer MCP server requires a browser/display environment to run headless Chrome. The current test environment doesn't have the necessary dependencies.

Suggested Configuration:

{
  "puppeteer": {
    "type": "stdio",
    "container": "mcp/puppeteer",
    "env": {
      "PUPPETEER_SKIP_CHROMIUM_DOWNLOAD": "false"
    }
  }
}

Suggested Investigation:

  • Set up headless browser environment
  • Install Chromium dependencies
  • Test browser automation capabilities
  • Consider using official Puppeteer Docker image

3. Playwright - Browser Environment Required

Container: mcp/playwright

Issue Type: Configuration Required

Description:
The Playwright MCP server requires a browser/display environment similar to Puppeteer. Multiple browser engines (Chromium, Firefox, WebKit) may need to be configured.

Suggested Configuration:

{
  "playwright": {
    "type": "stdio",
    "container": "mcp/playwright",
    "env": {
      "PLAYWRIGHT_BROWSERS_PATH": "/ms-playwright"
    }
  }
}

Suggested Investigation:

  • Set up headless browser environment
  • Install browser dependencies
  • Test with Playwright Docker image
  • Configure browser selection preferences

4. Kubernetes - Cluster Configuration Required

Container: mcp/kubernetes

Issue Type: Configuration Required

Description:
The Kubernetes MCP server requires access to a Kubernetes cluster. This includes kubeconfig, cluster credentials, and network access.

Suggested Configuration:

{
  "kubernetes": {
    "type": "stdio",
    "container": "mcp/kubernetes",
    "env": {
      "KUBECONFIG": "${KUBECONFIG}",
      "KUBERNETES_CLUSTER_URL": "${KUBERNETES_CLUSTER_URL}"
    }
  }
}

Suggested Investigation:

  • Set up test Kubernetes cluster (kind, minikube, or k3s)
  • Configure kubeconfig access
  • Test basic kubectl operations
  • Consider cluster isolation for testing

Test Configuration

The test used the following configuration:

  • Startup Timeout: 60s
  • Tool Timeout: 30s
  • Port: 3000

Next Steps

  1. Prioritize configuration of browser environments (Puppeteer/Playwright) as they're commonly used
  2. Set up filesystem with appropriate sandbox paths
  3. Configure Kubernetes access for container orchestration testing
  4. Re-run stress test after configurations are in place

Success Metrics

When properly configured, we expect:

  • Filesystem: Successful file listing and read operations
  • Puppeteer/Playwright: Successful browser navigation and screenshot capture
  • Kubernetes: Successful cluster queries and resource listing

Generated by Nightly MCP Stress Test
Test Session: stress-test-20260204-180602

Full Test Results: See workflow run artifacts for complete test report.

AI generated by Nightly MCP Server Stress Test

<agent_instructions>Fix these configuration errors in the mcp stress test agentic workflow</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
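
The relationship between the filesystem allowlist and the container mount in the change above, as an added example (not code from this repository or from the mcp/filesystem server): a hypothetical pre-merge check that every ALLOWED_PATHS entry lies under a mount's container-side path. The sample combines the issue's suggested value with the PR's mount plus one constructed traversal entry; the function names are assumptions.

```python
import json
import posixpath

# Constructed sample: the issue's "/tmp,/workspace" suggestion, the PR's mount,
# and one constructed traversal entry to exercise the check.
SAMPLE = json.loads("""
{
  "filesystem": {
    "type": "stdio",
    "container": "mcp/filesystem",
    "env": {"ALLOWED_PATHS": "/tmp,/workspace,/workspace/../etc"},
    "mounts": ["/tmp/mcp-test-fs:/workspace:rw"]
  }
}
""")

def mount_targets(mounts):
    """Return normalized container-side paths from 'host:container[:mode]' specs."""
    targets = []
    for spec in mounts:
        parts = spec.split(":")
        if len(parts) < 2:
            raise ValueError(f"malformed mount spec: {spec!r}")
        targets.append(posixpath.normpath(parts[1]))
    return targets

def is_within(path, root):
    """True if path equals root or sits below it, compared component-wise."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit_allowed_paths(server):
    """Split ALLOWED_PATHS entries into (backed_by_mount, findings)."""
    targets = mount_targets(server.get("mounts", []))
    ok, findings = [], []
    for raw in server.get("env", {}).get("ALLOWED_PATHS", "").split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not posixpath.isabs(entry):
            findings.append((entry, "relative path"))
        elif ".." in entry.split("/"):
            findings.append((entry, "contains '..'"))
        elif not any(is_within(entry, t) for t in targets):
            findings.append((entry, "not under any mount target"))
        else:
            ok.append(posixpath.normpath(entry))
    return ok, findings

if __name__ == "__main__":
    print(audit_allowed_paths(SAMPLE["filesystem"]))
```

The comparison is lexical, so it catches configuration drift between the allowlist and the mounts; symlinks inside the mounted directory still have to be resolved by the server at access time.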


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

…and kubernetes

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update MCP server configuration requirements for stress test" to "Configure filesystem, browser automation, and kubernetes MCP servers in stress test" Feb 4, 2026
Copilot AI requested a review from lpcox February 4, 2026 18:23
Collaborator

lpcox commented Feb 4, 2026

@copilot only change the .md files. drop updates to the .lock.yml file since it will be regenerated

Contributor Author

Copilot AI commented Feb 4, 2026

> @copilot only change the .md files. drop updates to the .lock.yml file since it will be regenerated

Confirmed - my changes only modified the 2 .md files:

  • .github/workflows/nightly-mcp-stress-test.md
  • .github/agentics/nightly-mcp-stress-test.md

The .lock.yml file was not touched and will be regenerated automatically by the workflow engine.

@lpcox lpcox marked this pull request as ready for review February 4, 2026 18:57
Copilot AI review requested due to automatic review settings February 4, 2026 18:57
@lpcox lpcox merged commit 35f9c80 into main Feb 4, 2026
1 check passed
@lpcox lpcox deleted the copilot/update-mcp-server-configuration branch February 4, 2026 18:57
Contributor

Copilot AI left a comment

Pull request overview

This pull request addresses MCP server configuration issues detected by the nightly stress test. It adds environment configurations for filesystem, puppeteer, playwright, and kubernetes MCP servers to resolve startup and runtime issues.

Changes:

  • Added ALLOWED_PATHS environment variable for the filesystem server to satisfy security requirements
  • Added PUPPETEER_SKIP_CHROMIUM_DOWNLOAD environment variable for puppeteer server
  • Changed playwright container from mcp/playwright to mcr.microsoft.com/playwright:v1.49.1-noble and added PLAYWRIGHT_BROWSERS_PATH environment variable
  • Added KUBECONFIG and KUBERNETES_CLUSTER_URL environment variables for kubernetes server with secret fallbacks
  • Updated documentation to reflect the configured state of these servers

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| .github/workflows/nightly-mcp-stress-test.md | Adds environment configurations for filesystem, puppeteer, playwright, and kubernetes MCP servers |
| .github/agentics/nightly-mcp-stress-test.md | Updates documentation to describe newly configured servers |

Comments suppressed due to low confidence (1)

.github/workflows/nightly-mcp-stress-test.md:85

  • The environment variable PLAYWRIGHT_BROWSERS_PATH is set to configure browser engine paths, but this variable is typically used with the base Playwright image to specify where browser binaries are located.

When using the mcr.microsoft.com/playwright/mcp image (the correct MCP server image), the browsers are pre-installed and configured. Other workflows in this repository (like smoke-codex.lock.yml and smoke-copilot.lock.yml) use mcr.microsoft.com/playwright/mcp without setting PLAYWRIGHT_BROWSERS_PATH.

If the container is changed to the correct MCP server image as suggested above, this environment variable should likely be removed unless there's a specific need for it that differs from other workflows.

    env:
      PLAYWRIGHT_BROWSERS_PATH: "/ms-playwright"

type: stdio
container: "mcp/kubernetes"
env:
KUBECONFIG: "${{ secrets.KUBECONFIG || '/dev/null' }}"
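
Review bot: KUBECONFIG is read as a file path inside the container, yet the value on the KUBECONFIG line is taken straight from a secret and these lines show no mount that would place a kubeconfig file in the container. If the secret holds the kubeconfig contents rather than a path, the variable will not resolve to a file; write the secret to a file in an earlier step, mount it read-only, and point KUBECONFIG at the in-container path. The credential behind it should be limited to read-only access on a disposable test cluster.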

Copilot AI Feb 4, 2026

The fallback value for KUBECONFIG is set to '/dev/null' when the secret is not available. While /dev/null is a valid Unix file path, it's not a valid Kubernetes config file. This could cause the Kubernetes MCP server to fail or behave unexpectedly when trying to read cluster configuration.

Consider using a more appropriate fallback such as:

  1. An empty string '' to indicate no config is available
  2. A path to a dummy/empty config file if the server requires a file path
  3. Not setting the environment variable at all when the secret is missing

The current approach may result in misleading error messages from the Kubernetes MCP server when it attempts to parse /dev/null as a kubeconfig file.

Suggested change
KUBECONFIG: "${{ secrets.KUBECONFIG || '/dev/null' }}"
KUBECONFIG: "${{ secrets.KUBECONFIG || '' }}"

Copilot uses AI. Check for mistakes.
14. **git** - Git MCP Server (mcp/git)
15. **time** - Time MCP Server (mcp/time)
16. **playwright** - Playwright MCP Server (mcp/playwright)
16. **playwright** - Playwright MCP Server (mcr.microsoft.com/playwright:v1.49.1-noble) - Configured with browser environment

Copilot AI Feb 4, 2026

The documentation references the incorrect Playwright container image mcr.microsoft.com/playwright:v1.49.1-noble. This should be corrected to mcr.microsoft.com/playwright/mcp to match the proper MCP server image used elsewhere in the codebase.

This documentation inconsistency will mislead users about the actual server configuration and should be updated along with the workflow configuration file.

Suggested change
16. **playwright** - Playwright MCP Server (mcr.microsoft.com/playwright:v1.49.1-noble) - Configured with browser environment
16. **playwright** - Playwright MCP Server (mcr.microsoft.com/playwright/mcp) - Configured with browser environment

playwright:
type: stdio
container: "mcp/playwright"
container: "mcr.microsoft.com/playwright:v1.49.1-noble"
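
Review bot: the new container line pins the image only by the mutable tag v1.49.1-noble, and the line it replaces carried no tag at all. For a job that runs unattended every night, reference the image by digest (image@sha256:<digest>) so that what runs is what was reviewed, whichever Playwright image is finally chosen.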

Copilot AI Feb 4, 2026

The container image has been changed from mcp/playwright to mcr.microsoft.com/playwright:v1.49.1-noble, but this appears to be incorrect. The image mcr.microsoft.com/playwright:v1.49.1-noble is the base Playwright browser testing framework image, not a Playwright MCP server.

Other workflows in this repository (such as smoke-codex.lock.yml, smoke-copilot.lock.yml, and daily-multi-device-docs-tester.lock.yml) consistently use mcr.microsoft.com/playwright/mcp, which is the official Playwright MCP Server image. The base Playwright image does not include the MCP protocol implementation needed to communicate with the MCP Gateway.

The container should be changed to mcr.microsoft.com/playwright/mcp to match the pattern used throughout the codebase and ensure the MCP server can properly communicate with the gateway.

Suggested change
container: "mcr.microsoft.com/playwright:v1.49.1-noble"
container: "mcr.microsoft.com/playwright/mcp"

Comment on lines +55 to +56
env:
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: "false"
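
Review bot: PUPPETEER_SKIP_CHROMIUM_DOWNLOAD on the second line is read by Puppeteer's install step, so setting it in the env of an already-built mcp/puppeteer container does not supply a browser. Drop both lines; if the server still cannot launch Chrome, fix that in the image rather than through this variable.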

Copilot AI Feb 4, 2026

Setting PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: "false" instructs Puppeteer to download Chromium at runtime. This is typically the default behavior and is unusual to set explicitly to "false".

If the mcp/puppeteer container already has Chromium pre-installed (which is common for MCP server containers), this environment variable is unnecessary. Additionally, downloading Chromium at runtime may cause delays in server startup and could fail if network access is restricted.

Consider either:

  1. Removing this environment variable if Chromium is already included in the container
  2. Setting it to "true" if the intention is to skip downloading and use a pre-installed browser
  3. Verifying whether the mcp/puppeteer container requires this configuration at all

The lock file (line 504 in nightly-mcp-stress-test.lock.yml) shows puppeteer configured without any environment variables, which suggests this may not be necessary.

Suggested change
env:
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: "false"
# Rely on the mcp/puppeteer container's preinstalled Chromium; no extra env needed

Successfully merging this pull request may close these issues.

[mcp-stress-test] MCP Server Configuration Requirements - Browser, Filesystem, Kubernetes