add kubernetes nginx rift audit

2026-05-26 10:20:50 +00:00 · 2026-05-18 22:01:55 +03:00 · 2026-05-18 22:01:55 +03:00 · a7e9af4ebf
commit a7e9af4ebf
parent 1a2df3957b
3 changed files with 708 additions and 0 deletions
--- a/kube-audit/README.md
+++ b/kube-audit/README.md
@ -0,0 +1,80 @@
+# Kubernetes NGINX Rift Audit
+
+Read-only Kubernetes scanner for NGINX Rift, CVE-2026-42945. It looks for NGINX
+containers in running pods, reads their effective NGINX configuration, and
+reports `rewrite` directives whose replacement contains a literal `?`.
+
+The scanner uses Python standard library plus the local `kubectl` binary. It
+does not create, update, or delete Kubernetes resources.
+
+## Quick Start
+
+Run against the current kubeconfig context:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
+  | python3 -
+```
+
+Run with an explicit kubeconfig:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
+  | python3 - --kubeconfig /path/to/kubeconfig
+```
+
+Run with an explicit context and JSON output:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
+  | python3 - --context my-context --json
+```
+
+## What It Checks
+
+For each running container, the script tries to find `nginx` or `openresty`.
+For containers with NGINX, it collects:
+
+- `nginx -v` version output
+- effective config via `nginx -T`
+- live `/etc/nginx/nginx.conf` fallback for `ingress-nginx` controllers when `nginx -T` fails
+
+It then parses `rewrite` directives and flags replacements containing a literal
+`?`, for example:
+
+```nginx
+rewrite ^/api/(.*)$ /internal?migrated=true;
+```
+
+This is the key NGINX Rift configuration primitive described in the public PoC.
+The script also reports affected NGINX Open Source versions, but version alone
+does not prove exploitability; the dangerous rewrite pattern must be present in
+the active configuration.
+
+## Exit Codes
+
+- `0`: no rewrite replacement containing literal `?` was found
+- `1`: at least one potential NGINX Rift rewrite trigger was found
+- `2`: scan failed or completed with partial errors
+
+## Options
+
+```text
+--kubeconfig PATH       kubeconfig path
+--context NAME          kubeconfig context
+--namespace NAME        scan one namespace instead of all namespaces
+--timeout SECONDS       per-kubectl-call timeout, default 20
+--workers N             parallel kubectl exec workers, default 8
+--json                  emit JSON report
+--verbose               include per-container details
+--no-ingress-conf       disable /etc/nginx/nginx.conf fallback for ingress-nginx when nginx -T fails
+```
+
+## Required Permissions
+
+The current Kubernetes identity needs permission to:
+
+- list pods
+- exec into pods
+
+No write permissions are required.