Kubernetes Manifest Audit

Static audit of Kubernetes manifests via MCP. Powered by kube-linter. 63 checks across 7 categories.

Built by Unbearable Labs. Free to use — bring your own Apify token.

---

Available on

• Apify Actor Store — primary
• Smithery

Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Kubernetes manifest or directory of manifests, get back a structured report:

• Severity — high / medium / low / info
• Check ID — kube-linter check name (e.g. privileged-container, unset-cpu-requirements)
• Category — security / resources / availability / network / rbac / images / config
• Message — what kube-linter found and where
• Remediation hint — what to do about it
• Object location — kind, name, namespace of the offending resource

63 checks total. Covers Deployment, Service, Ingress, ConfigMap, Secret, StatefulSet, DaemonSet, Job, CronJob, NetworkPolicy, RBAC, HPA, PDB, and more.

Tools

Tool	Purpose
audit_manifest(yaml_content)	Audit a single YAML string (may contain multi-doc ---)
audit_directory(files)	Audit multiple files — cross-file checks work correctly
list_checks(enabled_only=False)	Browse the full 63-check catalog with severity + category
explain_check(check_id)	Get description + remediation for one specific check

Example

Input:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  template:
    spec:
      containers:
        - name: api
          image: myapp:latest
          securityContext:
            allowPrivilegeEscalation: true
          resources: {}

Output:

[
  {
    "check_id": "privilege-escalation-container",
    "severity": "high",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "'allowPrivilegeEscalation: true' permits gaining more privileges than the parent process",
    "remediation": "Set 'allowPrivilegeEscalation: false' in securityContext"
  },
  {
    "check_id": "unset-memory-requirements",
    "severity": "medium",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "No memory requests/limits — pod can consume unbounded memory",
    "remediation": "Add resources.requests and resources.limits for memory to the container spec"
  },
  {
    "check_id": "latest-tag",
    "severity": "medium",
    "kind": "Deployment",
    "name": "api-server",
    "container": "api",
    "message": "Image uses ':latest' tag — non-deterministic across node restarts",
    "remediation": "Pin to a specific version tag or SHA digest"
  }
]

Check catalog (sample — 63 checks total)

Check ID	Category	Severity (mapped)
privileged-container	security	high
privilege-escalation-container	security	high
run-as-non-root	security	high
env-var-secret	security	high
host-pid / host-ipc / host-network	security	high
wildcard-in-rules	rbac	high
cluster-admin-role-binding	rbac	high
unset-cpu-requirements	resources	medium
unset-memory-requirements	resources	medium
no-liveness-probe / no-readiness-probe	availability	medium
latest-tag	images	medium
minimum-three-replicas	availability	medium
no-rolling-update-strategy	availability	medium
dangling-service / dangling-ingress	config	low
use-namespace	config	low

Use list_checks to get the full, up-to-date catalog.

Pricing

Free to use — hosted on Apify, bring your own Apify token.

Quick start

{
  "mcpServers": {
    "k8s-manifest-audit": {
      "url": "https://unbearable-dev--k8s-manifest-audit.apify.actor/mcp",
      "headers": { "Authorization": "Bearer <YOUR_APIFY_TOKEN>" }
    }
  }
}

Powered by kube-linter (MIT, StackRox/Red Hat).

Sibling MCPs from Unbearable Labs

• docker-compose-audit — docker-compose.yml security audit
• dockerfile-audit — Dockerfile security & quality
• github-actions-audit — GitHub Actions workflow audit
• hu-postcode-validator — Hungarian postcode lookup

---

Built by Noel @ Unbearable Labs — more like this in the weekly newsletter: https://unbearabletechtips.beehiiv.com