From 6ffecd507ed3125ddfb2fe1d7016660cb5344de6 Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Wed, 1 Apr 2026 21:41:44 +0200
Subject: [PATCH 1/3] Changing the runtime ACS policies scope from global to targeted.

---
 .../prevent-runtime-privilege-escalation.yaml | 33 ++-----------------
 .../templates/stop-suspicious-exec.yaml | 4 +++
 2 files changed, 7 insertions(+), 30 deletions(-)

diff --git a/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml b/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
index 09a8bc89..1eb22148 100644
--- a/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
+++ b/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
@@ -31,36 +31,9 @@ spec:
 enforcementActions:
 - "KILL_POD_ENFORCEMENT"
 
- # Exclude system components that legitimately need privilege
- exclusions:
- - name: "OpenShift System Namespaces"
- image: {}
- deployment:
- scope:
- label: {}
- namespace: "openshift-.*"
-
- - name: "Kubernetes System Namespaces"
- image: {}
- deployment:
- scope:
- label: {}
- namespace: "kube-system|kube-public|kube-node-lease"
-
- - name: "ACS/RHACS"
- image: {}
- deployment:
- scope:
- label: {}
- namespace: "stackrox|rhacs-operator"
-
- - name: "Default Namespace"
- image: {}
- deployment:
- scope:
- label: {}
- namespace: "default"
-
+ scope:
+ - label: {}
+ namespace: "qtodo"
 
 policySections:
 - sectionName: "Privilege Escalation Binary Execution"
diff --git a/charts/acs-policies/templates/stop-suspicious-exec.yaml b/charts/acs-policies/templates/stop-suspicious-exec.yaml
index d11322fd..e7f71e0f 100644
--- a/charts/acs-policies/templates/stop-suspicious-exec.yaml
+++ b/charts/acs-policies/templates/stop-suspicious-exec.yaml
@@ -19,6 +19,10 @@ spec:
 enforcementActions:
 - "KILL_POD_ENFORCEMENT"
 
+ scope:
+ - label: {}
+ namespace: "qtodo"
+
 policySections:
 - sectionName: "Suspicious Command Execution"
 policyGroups:
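Review bot: The scope namespace `"qtodo"` is hard-coded in the template, whereas the other tunable in these files, the `disabled` flag, is read from `.Values`; reusing the chart for another namespace now means editing the template. The exclusions this hunk removes used regex patterns in the same scope field (`openshift-.*`, `kube-system|kube-public|kube-node-lease`), so a bare `qtodo` is presumably an unanchored regex that would also match a `qtodo-dev` or `myqtodo` namespace — if an exact match is intended, anchor it. Suggest `namespace: {{ .Values.policies.preventRuntimePrivilegeEscalation.scopeNamespace | default "^qtodo$" | quote }}` backed by a new values key, and the same treatment for the stop-suspicious-exec hunk below, which hard-codes the same value. With the system-namespace exclusions gone, this scope is the only thing keeping `KILL_POD_ENFORCEMENT` away from openshift-* and kube-system workloads, so a value-driven regex should say so in values.yaml.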
From 59aad3cc844fdf404609cf654b8c7a730830f89e Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Wed, 1 Apr 2026 22:25:07 +0200
Subject: [PATCH 2/3] ACS Central normalizes SecurityPolicy resources after ArgoCD creates them. It strips all zero-value booleans from the spec which can lead to OutOfSync status in ArgoCD.

---
 ...hould-have-at-least-one-egress-network-policy-as-code.yaml | 4 +++-
 ...ould-have-at-least-one-ingress-network-policy-as-code.yaml | 4 +++-
 .../templates/prevent-runtime-privilege-escalation.yaml | 4 +++-
 charts/acs-policies/templates/stop-suspicious-exec.yaml | 4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/charts/acs-policies/templates/deployments-should-have-at-least-one-egress-network-policy-as-code.yaml b/charts/acs-policies/templates/deployments-should-have-at-least-one-egress-network-policy-as-code.yaml
index 4d5ef762..8e89c630 100644
--- a/charts/acs-policies/templates/deployments-should-have-at-least-one-egress-network-policy-as-code.yaml
+++ b/charts/acs-policies/templates/deployments-should-have-at-least-one-egress-network-policy-as-code.yaml
@@ -7,7 +7,9 @@ spec:
 description: Alerts if deployments are missing an egress Network Policy
 rationale: Pods that lack engress Network Policies have unrestricted reachability on the network and may leveraged for a data exfiltration attack or as a jumpoing board to move laterally across the namespace or cluster.
 remediation: "Create and apply an appropriate Network Policy of type engress to all Deployments. \nAs a best practice, all namespaces should have a default deny-all rule, that way individual deployments do not need a network policy unless the deployment has egress communication requirements \nSee https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details"
- disabled: {{ .Values.policies.deploymentsShouldHaveAtLeastOneEgressNetworkPolicyAsCode.disabled | default false }}
+ {{- if .Values.policies.deploymentsShouldHaveAtLeastOneEgressNetworkPolicyAsCode.disabled }}
+ disabled: true
+ {{- end }}
 categories:
 - Security Best Practices
 - Zero Trust
diff --git a/charts/acs-policies/templates/deployments-should-have-at-least-one-ingress-network-policy-as-code.yaml b/charts/acs-policies/templates/deployments-should-have-at-least-one-ingress-network-policy-as-code.yaml
index 9494d97e..17b003b1 100644
--- a/charts/acs-policies/templates/deployments-should-have-at-least-one-ingress-network-policy-as-code.yaml
+++ b/charts/acs-policies/templates/deployments-should-have-at-least-one-ingress-network-policy-as-code.yaml
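Review bot: The new `{{- if .Values.policies.deploymentsShouldHaveAtLeastOneEgressNetworkPolicyAsCode.disabled }}` is a Go-template truthiness test, so a quoted `disabled: "false"` in values.yaml is a non-empty string and renders `disabled: true`, silently turning the policy off; the `| default false` form it replaces would have rendered that string as-is, which the CRD schema is likely to reject loudly rather than disable anything. Compare against the boolean explicitly, e.g. `{{- if eq (toString .Values.policies.deploymentsShouldHaveAtLeastOneEgressNetworkPolicyAsCode.disabled) "true" }}`. The same construct appears in the ingress-network-policy hunk, the prevent-runtime-privilege-escalation hunk and the stop-suspicious-exec hunk of this patch. A template comment above the block, `{{/* ACS Central strips zero-value booleans, so 'disabled: false' is never rendered, to keep ArgoCD in sync */}}`, would keep the commit message's reasoning next to the code.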
@@ -7,7 +7,9 @@ spec:
 description: Alerts if deployments are missing an ingress Network Policy
 rationale: Pods that lack ingress Network Policies have unrestricted reachability on the network and may be exposed to attacks
 remediation: "Create and apply an appropriate Network Policy of type ingress to all Deployments. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details"
- disabled: {{ .Values.policies.deploymentsShouldHaveAtLeastOneIngressNetworkPolicyAsCode.disabled | default false }}
+ {{- if .Values.policies.deploymentsShouldHaveAtLeastOneIngressNetworkPolicyAsCode.disabled }}
+ disabled: true
+ {{- end }}
 categories:
 - Security Best Practices
 - Zero Trust
diff --git a/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml b/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
index 1eb22148..31bddc8d 100644
--- a/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
+++ b/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
@@ -20,7 +20,9 @@ spec:
 2. Remove privileged binaries from container image
 3. Use proper RBAC and service accounts instead of privilege escalation
 4. Investigate if this indicates a security incident
- disabled: {{ .Values.policies.preventRuntimePrivilegeEscalation.disabled | default false }}
+ {{- if .Values.policies.preventRuntimePrivilegeEscalation.disabled }}
+ disabled: true
+ {{- end }}
 categories:
 - "Security Best Practices"
 - "Zero Trust"
diff --git a/charts/acs-policies/templates/stop-suspicious-exec.yaml b/charts/acs-policies/templates/stop-suspicious-exec.yaml
index e7f71e0f..4ed812e0 100644
--- a/charts/acs-policies/templates/stop-suspicious-exec.yaml
+++ b/charts/acs-policies/templates/stop-suspicious-exec.yaml
@@ -8,7 +8,9 @@ spec:
 policyName: "Stop Suspicious Exec"
 description: "Stops a pod if a suspicious command is executed"
 remediation: "Review the pod's security context and command execution history."
- disabled: {{ .Values.policies.stopSuspiciousExec.disabled | default false }}
+ {{- if .Values.policies.stopSuspiciousExec.disabled }}
+ disabled: true
+ {{- end }}
 categories:
 - "Security Best Practices"
 - "Zero Trust"

From 68e934deadb5ec8ad2cb8e840afaad25851395a9 Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Wed, 1 Apr 2026 23:37:20 +0200
Subject: [PATCH 3/3] Removing wget and curl from runtime ACS custom policy, because it's used too broadly in many system components or init scripts

---
 charts/acs-policies/templates/stop-suspicious-exec.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/charts/acs-policies/templates/stop-suspicious-exec.yaml b/charts/acs-policies/templates/stop-suspicious-exec.yaml
index 4ed812e0..a8882619 100644
--- a/charts/acs-policies/templates/stop-suspicious-exec.yaml
+++ b/charts/acs-policies/templates/stop-suspicious-exec.yaml
@@ -33,5 +33,10 @@ spec:
 values:
 - value: "ncat"
 - value: "nmap"
- - value: "curl"
- - value: "wget"
\ No newline at end of file
+ - value: "nc"
+ - value: "netcat"
+ # curl and wget removed -- too broadly used by system components
+ # (router, keepalived, prometheus, build tasks) to be kill triggers.
+ # Re-enable only with tight namespace scoping and specific image exclusions.
+ # - value: "curl"
+ # - value: "wget"
\ No newline at end of file
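Review bot: Removing `curl` and `wget` from the kill list is justified in the added comment by system components (router, keepalived, prometheus), but after the first patch in this series the policy is scoped to the `qtodo` namespace, so those components are no longer in scope and only build tasks that run inside `qtodo` can still trip it. If those tasks are the real false-positive source, an exclusion for that deployment or image would keep the two most common download utilities covered in the application namespace instead of dropping them for the whole scope. The added `#` lines are YAML comments and are emitted verbatim in the rendered template output; `{{/* ... */}}` template comments keep the rendered SecurityPolicy clean. The file also still ends without a trailing newline, as both `\ No newline at end of file` markers show.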