Welcome to Marvin!
Customize checks to enhance the security and reliability of Kubernetes clusters
Common Expression Language (CEL)
Marvin utilizes a powerful set of CEL expressions to perform extensive checks on your cluster resources.
Flexible custom checks
Marvin enables you to create customized checks that are aligned with the standards of your organization, according to your specific needs.
30+ builtin checks
Marvin includes 30+ built-in checks from well-known frameworks, such as PSS, NSA & CISA Kubernetes Hardening Guidance and MITRE's ATT&CK.
Seamless integration with Zora
Marvin seamlessly integrates with Zora, our Kubernetes scanning tool, which employs other plugins to detect issues.
The power of CEL
CEL offers a range of benefits that make it an excellent choice for creating user-friendly checks for Kubernetes cluster security and reliability:
Flexibility
CEL offers a high degree of flexibility, allowing you to adapt checks to the dynamic nature of Kubernetes environments. You can define variables, leverage conditionals, and loops, and also incorporate external data sources into your checks, making it easier to handle diverse scenarios and adapt to changing cluster conditions.
Coverage
CEL provides a rich set of operators and functions, allowing you to cover complex conditions and rules in a concise and readable manner. Its capabilities enables you to define precise checks tailored to your specific requirements, aiding in aligning your Kubernetes clusters with desired security and reliability standards.
Simplicity
CEL features straightforward syntax that is easy to understand, even for users with limited programming experience. Its simplicity enables administrators to quickly grasp the language and write checks without need of extensive training or complex programming knowledge.
Flexible Custom Checks
Marvin allows you to define and execute custom checks tailored to your unique Kubernetes environment.
You can leverage the expressive CEL capabilities to create verifications that are in alignment with your organization's security and reliability standards.
Here are a few examples showcasing the simplicity and power of CEL for defining custom checks with Marvin:
1
2
3
4
5
6
7
8
9
10
# check if all containers don't defines a hostPort (or a known list)
- expression: >
allContainers.all(container,
!has(container.ports) ||
container.ports.all(port,
!has(port.hostPort) ||
port.hostPort == 0 ||
port.hostPort in params.allowedHostPorts
)
)Built-in checks
Marvin offers a robust set of built-in checks to enhance the security and reliability of your Kubernetes clusters.
With over 20 built-in checks sourced from reputable frameworks, including PSS (Pod Security Standards), CIS benchmark, and MITRE's ATT&CK, Marvin provides administrators with an extensive range of comprehensive assessments.
These frameworks have been established as industry standards for assessing Kubernetes cluster security and serve as a solid foundation for Marvin's comprehensive checks.
To explore all the built-in checks available in Marvin, visit our GitHub repository
View built-in checks
Integration with Zora
Marvin seamlessly integrates with Zora, our Kubernetes scanning tool that detects issues, vulnerabilities, and misconfigurations, based on integrated plugins (popeye and Zora - others are coming soon). As a plugin inside Zora, Marvin's custom checks can be visualized within the Zora dashboard, alongside other integrated plugins. This integration provides a centralized view of all checks, including Marvin's customizable checks, allowing you to monitor and manage your cluster's security and reliability via a single interface.
As a plugin within Zora, Marvin's custom checks can be visualized within the Zora dashboard, alongside other integrated plugins. This integration provides a centralized view of all checks, including Marvin's customizable checks, allowing you to monitor and manage your cluster's security and reliability from a single interface.
Start using Zora nowContribute to Marvin
Marvin is an open source project, and we welcome contributions from the community
Visit our Github