Functions as MCP Tools
The Model Context Protocol (MCP) is an open protocol that lets LLM agents discover and call external tools. Starting with Fission v1.26.0 you can advertise a function as an MCP tool: any agent that speaks MCP (for example Claude) can then list it and invoke it over Fission’s existing internal invocation path, with no hand-written adapter code.
Exposing a function as a tool is opt-in per function and additive — functions you don’t mark stay private.
```mermaid
flowchart TB
    agent["LLM Agent"]:::user -->|"<b>1.</b> list / call tool (JWT)"| mcp["MCP Server"]:::fission
    mcp -->|"<b>2.</b> watch Function CRDs"| fns["Tool-exposed Functions"]:::store
    mcp -->|"<b>3.</b> invoke via internal path"| router["Router"]:::fission
    router -->|"<b>4.</b> HTTP request"| pod["Function Pod"]:::pod
    classDef user fill:#ffffff,stroke:#94a3b8,color:#1f2a43
    classDef fission fill:#e8f0fe,stroke:#2d70de,color:#1f2a43
    classDef pod fill:#e6f7f1,stroke:#11a37f,color:#1f2a43,stroke-dasharray:5 3
    classDef store fill:#fff7e0,stroke:#dba514,color:#1f2a43,stroke-dasharray:5 3
```
Enable the MCP server
The MCP server is off by default. Enable it with a Helm value:
```bash
helm upgrade --install fission fission-charts/fission-all \
  --namespace fission \
  --set mcp.enabled=true
```
This deploys a stateless MCP server that watches Function resources and hot-updates its advertised tool list.
It listens on a ClusterIP Service on port 8890 by default (mcp.port).
| Helm value | Default | Meaning |
|---|---|---|
| mcp.enabled | false | Deploy the MCP server. |
| mcp.port | 8890 | Port the MCP server (and its ClusterIP Service) listens on. |
| mcp.allowInsecure | false | Permit unauthenticated access when authentication.enabled is false. Dev/test only — every caller can then list and invoke all tool-exposed functions. |
| mcp.replicas | 1 | Replica count. The server is stateless and runs without leader election; every replica serves the full tool list. |
In production, leave mcp.allowInsecure: false and run with authentication enabled. Agents then authenticate with a signed JWT whose allowed_namespaces claim scopes which functions they may see and call.
Expose a function as a tool
Create (or update) a function with --expose-as-mcp and a required agent-facing description:
```bash
fission fn create --name weather --env nodejs --code weather.js \
  --expose-as-mcp \
  --tool-description "Return the current weather for a city" \
  --tool-input-schema weather-schema.json
```
--tool-input-schema points at a JSON Schema (draft 2020-12) file describing the tool’s arguments; it is advertised verbatim as the MCP tool inputSchema.
When omitted, the tool advertises an open object schema ({"type":"object"}).
| Flag | Meaning |
|---|---|
| --expose-as-mcp | Advertise this function as an MCP tool. |
| --tool-description | Agent-facing tool description (required with --expose-as-mcp). |
| --tool-input-schema | Path to a JSON Schema file describing the tool’s arguments. |
| --tool-name | Override the advertised tool name (defaults to <namespace>-<function name>; must match ^[a-zA-Z0-9_-]{1,64}$). |
List exposed tools
```
$ fission function tools
NAME             FUNCTION  NAMESPACE  DESCRIPTION
default-weather  weather   default    Return the current weather for a city
```
Use -o wide, -o json, or -o yaml for more detail.
Declarative spec
Exposing a function as a tool is controlled by the presence of spec.tool on the Function resource — there is no separate enabled flag:
```yaml
apiVersion: fission.io/v1
kind: Function
metadata:
  name: weather
spec:
  environment:
    name: nodejs
  package:
    packageref:
      name: weather
  tool:
    description: Return the current weather for a city   # required
    # Optional JSON Schema (draft 2020-12) for the tool's arguments.
    inputSchema:
      type: object
      properties:
        city:
          type: string
      required: [city]
    # Optional: override the advertised tool name (defaults to <namespace>-<name>).
    toolName: get-weather
```
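Because exposure hinges only on the presence of spec.tool, it is worth inventorying which functions an agent can reach. The following is an added example, not code from the Fission project: it walks a list of Function objects and reports each advertised tool, applying the default-name rule, the name pattern and the open-schema fallback described on this page. The `audit_tools` helper, the issue labels and the sample objects are assumptions made for illustration, as is the shape of the input (taken to match `kubectl get functions.fission.io -A -o json`).

```python
import json
import re

# Name pattern quoted on this page for advertised tool names.
TOOL_NAME_RE = re.compile(r"[a-zA-Z0-9_-]{1,64}")

def audit_tools(function_list):
    """Return one finding per Function that carries spec.tool."""
    findings = []
    for fn in function_list.get("items", []):
        tool = (fn.get("spec") or {}).get("tool")
        if tool is None:  # no spec.tool, so the function is not advertised
            continue
        meta = fn["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        advertised = tool.get("toolName") or f"{ns}-{name}"  # documented default
        issues = []
        if not TOOL_NAME_RE.fullmatch(advertised):
            issues.append("invalid-tool-name")
        if not tool.get("description"):
            issues.append("missing-description")
        schema = tool.get("inputSchema") or {"type": "object"}
        if isinstance(schema, str):  # assumption: tolerate a JSON-encoded schema
            schema = json.loads(schema)
        if not schema.get("properties"):
            issues.append("open-input-schema")  # arguments are unconstrained
        findings.append({"function": f"{ns}/{name}", "tool": advertised, "issues": issues})
    return findings

# Constructed sample; field layout assumed to match the Function YAML on this page.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "weather"},
     "spec": {"tool": {"description": "Return the current weather for a city",
                       "toolName": "get-weather",
                       "inputSchema": {"type": "object",
                                       "properties": {"city": {"type": "string"}},
                                       "required": ["city"]}}}},
    {"metadata": {"namespace": "default", "name": "billing"}, "spec": {}},
    {"metadata": {"namespace": "ops", "name": "restart"},
     "spec": {"tool": {"description": "Restart a service"}}},
    {"metadata": {"namespace": "ops", "name": "r" * 70},
     "spec": {"tool": {"description": "Long default name"}}},
]}

if __name__ == "__main__":
    for f in audit_tools(SAMPLE):
        print(f"{f['function']:<20} {f['tool']:<20} {', '.join(f['issues']) or 'ok'}")
```

Run against a real cluster export, the findings give a review list of functions that agents can invoke with unconstrained arguments.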
How agents reach the tools
Point an MCP-capable agent at the MCP server’s endpoint (the mcp Service on port 8890, exposed however you route in-cluster traffic — for example through an HTTP trigger or your ingress/gateway).
With authentication enabled, the agent presents a bearer JWT and only sees tools in its allowed_namespaces.
When the agent calls a tool, the MCP server invokes the underlying function through Fission’s internal invocation path and returns the response.
Related
- Create and run functions — the everyday function workflow.
- Internal Service Authentication — the signing used to scope agent access.
- Functions — the Function resource and the tool field.
- Custom Resource Definition Specification — the ToolConfig spec fields.