Odel
Kubernetes Manifest Audit

Kubernetes Manifest Audit

@unbearabledevDeveloper ToolsPythonUpdated 3w ago

kube-linter audit for Kubernetes manifests — 63 checks: security, availability, RBAC, network.

View on GitHubSign in to connect
Server endpointStreamable HTTP
https://unbearable-dev--k8s-manifest-audit.apify.actor/mcp

This is the third-party server itself — Odel doesn't run it. Hitting this URL directly talks straight to the upstream server with no auth or proxying. Connect through Odel to front it with managed auth.

k8s-manifest-audit

k8s-manifest-audit — static audit of Kubernetes manifests via MCP. Powered by kube-linter. Part of the Unbearable Labs audit shop.

Built by Unbearable Labs. Pay-per-event pricing — only billed when a tool is actually called.

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Kubernetes manifest or directory of manifests, get back a structured report:

  • Severity — high / medium / low / info
  • Check ID — kube-linter check name (e.g. privileged-container, unset-cpu-requirements)
  • Category — security / resources / availability / network / rbac / images / config
  • Message — what kube-linter found and where
  • Remediation hint — what to do about it
  • Object location — kind, name, namespace of the offending resource

63 checks total (31 enabled by default). Covers Deployment, Service, Ingress, ConfigMap, Secret, StatefulSet, DaemonSet, Job, CronJob, NetworkPolicy, RBAC, HPA, PDB, and more.

Tools

ToolPricingPurpose
audit_manifest(yaml_content)$0.02Audit a single YAML string (may contain multi-doc ---)
audit_directory(files)$0.02Audit multiple files — cross-file checks work correctly
list_checks(enabled_only=False)$0.005Browse the full 63-check catalog with severity + category
explain_check(check_id)$0.005Get description + remediation for one specific check

Quick start

{
  "mcpServers": {
    "k8s-manifest-audit": {
      "url": "https://unbearable-dev--k8s-manifest-audit.apify.actor/mcp",
      "headers": { "Authorization": "Bearer <YOUR_APIFY_TOKEN>" }
    }
  }
}

Check catalog (sample — 63 checks total)

Check IDCategorySeverity (mapped)
privileged-containersecurityhigh
privilege-escalation-containersecurityhigh
run-as-non-rootsecurityhigh
env-var-secretsecurityhigh
host-pid / host-ipc / host-networksecurityhigh
wildcard-in-rulesrbachigh
cluster-admin-role-bindingrbachigh
unset-cpu-requirementsresourcesmedium
unset-memory-requirementsresourcesmedium
no-liveness-probe / no-readiness-probeavailabilitymedium
latest-tagimagesmedium
minimum-three-replicasavailabilitymedium
no-rolling-update-strategyavailabilitymedium
dangling-service / dangling-ingressconfiglow
use-namespaceconfiglow

Use list_checks to get the full, up-to-date catalog.

Pricing

EventUSD
audit_manifest or audit_directory call$0.02
list_checks or explain_check call$0.005

Powered by kube-linter (MIT, StackRox/Red Hat).

Built by Noel @ Unbearable Labs — more like this in the weekly newsletter.