Pricing
from $20.00 / 1,000 kubernetes manifest audit calls
Kubernetes Manifest Audit (kube-linter)
Static audit of Kubernetes manifests via MCP. Powered by kube-linter - 63 checks across security, resources, availability, and config. Pay-per-event. Call from Claude Desktop, Cursor, n8n, or any MCP client. Built by Unbearable Labs.
Last modified: 21 days ago
Kubernetes Manifest Audit
Static audit of Kubernetes manifests via MCP. Powered by kube-linter. 63 checks across 7 categories.
Built by Unbearable Labs. Free to use - bring your own Apify token.
Available on
- Apify Actor Store - primary
- Smithery
Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev
What it does
Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Kubernetes manifest or directory of manifests, get back a structured report:
- Severity - high / medium / low / info
- Check ID - kube-linter check name (e.g. `privileged-container`, `unset-cpu-requirements`)
- Category - security / resources / availability / network / rbac / images / config
- Message - what kube-linter found and where
- Remediation hint - what to do about it
- Object location - kind, name, namespace of the offending resource
63 checks total. Covers Deployment, Service, Ingress, ConfigMap, Secret, StatefulSet, DaemonSet, Job, CronJob, NetworkPolicy, RBAC, HPA, PDB, and more.
Tools
| Tool | Purpose |
|---|---|
| `audit_manifest(yaml_content)` | Audit a single YAML string (may contain multi-doc `---`) |
| `audit_directory(files)` | Audit multiple files - cross-file checks work correctly |
| `list_checks(enabled_only=False)` | Browse the full 63-check catalog with severity + category |
| `explain_check(check_id)` | Get description + remediation for one specific check |
Example
Input:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  template:
    spec:
      containers:
        - name: api
          image: myapp:latest
          securityContext:
            allowPrivilegeEscalation: true
          resources: {}
```
Output:
```json
[
  {
    "check_id": "privilege-escalation-container",
    "severity": "high",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "'allowPrivilegeEscalation: true' permits gaining more privileges than the parent process",
    "remediation": "Set 'allowPrivilegeEscalation: false' in securityContext"
  },
  {
    "check_id": "unset-memory-requirements",
    "severity": "medium",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "No memory requests/limits - pod can consume unbounded memory",
    "remediation": "Add resources.requests and resources.limits for memory to the container spec"
  },
  {
    "check_id": "latest-tag",
    "severity": "medium",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "Image uses ':latest' tag - non-deterministic across node restarts",
    "remediation": "Pin to a specific version tag or SHA digest"
  }
]
```
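A CI gate over the findings list shown in the Output above, as an added example (not code from Unbearable Labs or kube-linter). It assumes the report is a JSON array carrying the `check_id`, `severity`, `kind`, `name`, `container` and `remediation` fields shown on this page; `gate`, `fail_at` and `waived` are hypothetical names.

```python
import json
from collections import Counter

# Severity scale as listed on this page, most to least severe.
SEVERITY_ORDER = ["high", "medium", "low", "info"]

# Constructed sample in the shape of the Output above (messages omitted).
SAMPLE_REPORT = json.dumps([
    {"check_id": "privilege-escalation-container", "severity": "high",
     "kind": "Deployment", "name": "api-server", "container": "api",
     "remediation": "Set 'allowPrivilegeEscalation: false' in securityContext"},
    {"check_id": "unset-memory-requirements", "severity": "medium",
     "kind": "Deployment", "name": "api-server", "container": "api",
     "remediation": "Add resources.requests and resources.limits for memory"},
    {"check_id": "latest-tag", "severity": "medium",
     "kind": "Deployment", "name": "api-server", "container": "api",
     "remediation": "Pin to a specific version tag or SHA digest"},
])


def gate(report_json, fail_at="high", waived=()):
    """Return (exit_code, counts, blocking) for a findings list.

    fail_at: lowest severity that blocks the pipeline.
    waived:  check IDs accepted as known risk (hypothetical waiver list).
    """
    findings = json.loads(report_json)
    threshold = SEVERITY_ORDER.index(fail_at)
    counts, blocking = Counter(), []
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        # Unknown or missing severity is treated as blocking: fail closed.
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        counts[sev or "unknown"] += 1
        if rank <= threshold and f.get("check_id") not in waived:
            blocking.append(f)
    blocking.sort(key=lambda f: (f.get("kind", ""), f.get("name", "")))
    return (1 if blocking else 0), dict(counts), blocking


if __name__ == "__main__":
    code, counts, blocking = gate(SAMPLE_REPORT, fail_at="medium",
                                  waived={"latest-tag"})
    print(counts)
    for f in blocking:
        print(f"{f['kind']}/{f['name']} [{f.get('container', '-')}] "
              f"{f['check_id']}: {f.get('remediation', '')}")
    raise SystemExit(code)
```

Waivers are matched on check ID only, so a waived check is ignored for every object in the report; scope them per object if that is too broad for your pipeline.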
Check catalog (sample - 63 checks total)
| Check ID | Category | Severity (mapped) |
|---|---|---|
| `privileged-container` | security | high |
| `privilege-escalation-container` | security | high |
| `run-as-non-root` | security | high |
| `env-var-secret` | security | high |
| `host-pid` / `host-ipc` / `host-network` | security | high |
| `wildcard-in-rules` | rbac | high |
| `cluster-admin-role-binding` | rbac | high |
| `unset-cpu-requirements` | resources | medium |
| `unset-memory-requirements` | resources | medium |
| `no-liveness-probe` / `no-readiness-probe` | availability | medium |
| `latest-tag` | images | medium |
| `minimum-three-replicas` | availability | medium |
| `no-rolling-update-strategy` | availability | medium |
| `dangling-service` / `dangling-ingress` | config | low |
| `use-namespace` | config | low |
Use `list_checks` to get the full, up-to-date catalog.
Pricing
Free to use - hosted on Apify, bring your own Apify token.
Quick start
```json
{
  "mcpServers": {
    "k8s-manifest-audit": {
      "url": "https://unbearable-dev--k8s-manifest-audit.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer <YOUR_APIFY_TOKEN>"
      }
    }
  }
}
```
Powered by kube-linter (MIT, StackRox/Red Hat).
Sibling MCPs from Unbearable Labs
- `docker-compose-audit` - `docker-compose.yml` security audit
- `dockerfile-audit` - Dockerfile security & quality
- `github-actions-audit` - GitHub Actions workflow audit
- `hu-postcode-validator` - Hungarian postcode lookup

Built by Noel @ Unbearable Labs - more like this in the weekly newsletter: https://unbearabletechtips.beehiiv.com
