URL: https://apify.com/unbearable_dev/k8s-manifest-audit

Kubernetes Manifest Audit (kube-linter) · Apify

Pricing

from $20.00 / 1,000 kubernetes manifest audit calls

Static audit of Kubernetes manifests via MCP. Powered by kube-linter - 63 checks across security, resources, availability, and config. Pay-per-event. Call from Claude Desktop, Cursor, n8n, or any MCP client. Built by Unbearable Labs.

Developer

Noel Himer

Maintained by Community

Kubernetes Manifest Audit

Static audit of Kubernetes manifests via MCP. Powered by kube-linter. 63 checks across 7 categories.

Built by Unbearable Labs. Free to use — bring your own Apify token.

Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Kubernetes manifest or directory of manifests, get back a structured report:

  • Severity — high / medium / low / info
  • Check ID — kube-linter check name (e.g. privileged-container, unset-cpu-requirements)
  • Category — security / resources / availability / network / rbac / images / config
  • Message — what kube-linter found and where
  • Remediation hint — what to do about it
  • Object location — kind, name, namespace of the offending resource

63 checks total. Covers Deployment, Service, Ingress, ConfigMap, Secret, StatefulSet, DaemonSet, Job, CronJob, NetworkPolicy, RBAC, HPA, PDB, and more.

Tools

| Tool | Purpose |
| --- | --- |
| audit_manifest(yaml_content) | Audit a single YAML string (may contain multi-doc ---) |
| audit_directory(files) | Audit multiple files — cross-file checks work correctly |
| list_checks(enabled_only=False) | Browse the full 63-check catalog with severity + category |
| explain_check(check_id) | Get description + remediation for one specific check |

Example

Input:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  template:
    spec:
      containers:
        - name: api
          image: myapp:latest
          securityContext:
            allowPrivilegeEscalation: true
          resources: {}

Output:

[
  {
    "check_id": "privilege-escalation-container",
    "severity": "high",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "'allowPrivilegeEscalation: true' permits gaining more privileges than the parent process",
    "remediation": "Set 'allowPrivilegeEscalation: false' in securityContext"
  },
  {
    "check_id": "unset-memory-requirements",
    "severity": "medium",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "No memory requests/limits — pod can consume unbounded memory",
    "remediation": "Add resources.requests and resources.limits for memory to the container spec"
  },
  {
    "check_id": "latest-tag",
    "severity": "medium",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "Image uses ':latest' tag — non-deterministic across node restarts",
    "remediation": "Pin to a specific version tag or SHA digest"
  }
]
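
A CI gate over a report in the shape shown above, as an added example that is not part of the original page or the actor's own code. The `gate` function, the waiver tuple format, and the `constructed-check` entry are assumptions made for illustration; unknown severities are treated as high so a schema change cannot silently pass findings.

```python
import json

# The four severity levels the report uses, ranked for comparison.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Report in the shape shown in the Output above (messages omitted for brevity),
# plus one constructed finding with an unexpected severity value.
SAMPLE_REPORT = json.loads("""[
  {"check_id": "privilege-escalation-container", "severity": "high",
   "kind": "Deployment", "name": "api-server", "container": "api"},
  {"check_id": "unset-memory-requirements", "severity": "medium",
   "kind": "Deployment", "name": "api-server", "container": "api"},
  {"check_id": "latest-tag", "severity": "medium",
   "kind": "Deployment", "name": "api-server", "container": "api"},
  {"check_id": "constructed-check", "severity": "critical",
   "kind": "Deployment", "name": "api-server", "container": "api"}
]""")


def rank(finding):
    # Fail closed: a missing or unrecognised severity counts as "high".
    return RANK.get(str(finding.get("severity", "")).lower(), RANK["high"])


def gate(findings, fail_at="high", waivers=frozenset()):
    """Return (blocking, allowed) lists for a CI gate.

    waivers: set of (kind, name, check_id) tuples for accepted risks,
    a hypothetical convention for this example.
    """
    threshold = RANK[fail_at]
    blocking, allowed = [], []
    for f in findings:
        key = (f.get("kind"), f.get("name"), f.get("check_id"))
        if key not in waivers and rank(f) >= threshold:
            blocking.append(f)
        else:
            allowed.append(f)
    # Most severe first, then by check ID, for stable CI logs.
    blocking.sort(key=lambda f: (-rank(f), f.get("check_id", "")))
    return blocking, allowed


if __name__ == "__main__":
    blocking, _ = gate(SAMPLE_REPORT, fail_at="medium")
    for f in blocking:
        print(f"{f['severity']:<8} {f['kind']}/{f['name']} {f['check_id']}")
    raise SystemExit(1 if blocking else 0)
```

Keying waivers on the object as well as the check ID keeps an accepted risk on one workload from suppressing the same finding on every other workload.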

Check catalog (sample — 63 checks total)

| Check ID | Category | Severity (mapped) |
| --- | --- | --- |
| privileged-container | security | high |
| privilege-escalation-container | security | high |
| run-as-non-root | security | high |
| env-var-secret | security | high |
| host-pid / host-ipc / host-network | security | high |
| wildcard-in-rules | rbac | high |
| cluster-admin-role-binding | rbac | high |
| unset-cpu-requirements | resources | medium |
| unset-memory-requirements | resources | medium |
| no-liveness-probe / no-readiness-probe | availability | medium |
| latest-tag | images | medium |
| minimum-three-replicas | availability | medium |
| no-rolling-update-strategy | availability | medium |
| dangling-service / dangling-ingress | config | low |
| use-namespace | config | low |

Use list_checks to get the full, up-to-date catalog.

Pricing

Free to use — hosted on Apify, bring your own Apify token.

Quick start

{
  "mcpServers": {
    "k8s-manifest-audit": {
      "url": "https://unbearable-dev--k8s-manifest-audit.apify.actor/mcp",
      "headers": {"Authorization": "Bearer <YOUR_APIFY_TOKEN>"}
    }
  }
}

Powered by kube-linter (MIT, StackRox/Red Hat).

Sibling MCPs from Unbearable Labs


Built by Noel @ Unbearable Labs — more like this in the weekly newsletter: https://unbearabletechtips.beehiiv.com
