validatedpatterns · minmzzhang · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/...olicies/templates/deployments-should-have-at-least-one-egress-network-policy-as-code.yaml b/...olicies/templates/deployments-should-have-at-least-one-egress-network-policy-as-code.yaml
@@ -7,7 +7,9 @@ spec:
   description: Alerts if deployments are missing an egress Network Policy
   rationale: Pods that lack engress Network Policies have unrestricted reachability on the network and may leveraged for a data exfiltration attack or as a jumpoing board to move laterally across the namespace or cluster.
   remediation: "Create and apply an appropriate Network Policy of type engress to all Deployments. \nAs a best practice, all namespaces should have a default deny-all rule, that way individual deployments do not need a network policy unless the deployment has egress  communication requirements \nSee https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details"
-  disabled: {{ .Values.policies.deploymentsShouldHaveAtLeastOneEgressNetworkPolicyAsCode.disabled | default false }}
+  {{- if .Values.policies.deploymentsShouldHaveAtLeastOneEgressNetworkPolicyAsCode.disabled }}
+  disabled: true
+  {{- end }}
   categories:
     - Security Best Practices
     - Zero Trust

diff --git a/...licies/templates/deployments-should-have-at-least-one-ingress-network-policy-as-code.yaml b/...licies/templates/deployments-should-have-at-least-one-ingress-network-policy-as-code.yaml
@@ -7,7 +7,9 @@ spec:
   description: Alerts if deployments are missing an ingress Network Policy
   rationale: Pods that lack ingress Network Policies have unrestricted reachability on the network and may be exposed to attacks
   remediation: "Create and apply an appropriate Network Policy of type ingress to all Deployments. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details"
-  disabled: {{ .Values.policies.deploymentsShouldHaveAtLeastOneIngressNetworkPolicyAsCode.disabled | default false }}
+  {{- if .Values.policies.deploymentsShouldHaveAtLeastOneIngressNetworkPolicyAsCode.disabled }}
+  disabled: true
+  {{- end }}
   categories:
     - Security Best Practices
     - Zero Trust

diff --git a/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml b/charts/acs-policies/templates/prevent-runtime-privilege-escalation.yaml
@@ -20,7 +20,9 @@ spec:
     2. Remove privileged binaries from container image
     3. Use proper RBAC and service accounts instead of privilege escalation
     4. Investigate if this indicates a security incident
-  disabled: {{ .Values.policies.preventRuntimePrivilegeEscalation.disabled | default false }}
+  {{- if .Values.policies.preventRuntimePrivilegeEscalation.disabled }}
+  disabled: true
+  {{- end }}
   categories:
     - "Security Best Practices"
     - "Zero Trust"
@@ -31,36 +33,9 @@ spec:
   enforcementActions:
     - "KILL_POD_ENFORCEMENT"
 
-  # Exclude system components that legitimately need privilege
-  exclusions:
-    - name: "OpenShift System Namespaces"
-      image: {}
-      deployment:
-        scope:
-          label: {}
-          namespace: "openshift-.*"
-
-    - name: "Kubernetes System Namespaces"
-      image: {}
-      deployment:
-        scope:
-          label: {}
-          namespace: "kube-system|kube-public|kube-node-lease"
-
-    - name: "ACS/RHACS"
-      image: {}
-      deployment:
-        scope:
-          label: {}
-          namespace: "stackrox|rhacs-operator"
-
-    - name: "Default Namespace"
-      image: {}
-      deployment:
-        scope:
-          label: {}
-          namespace: "default"
-
+  scope:
+    - label: {}
+      namespace: "qtodo"
 
   policySections:
     - sectionName: "Privilege Escalation Binary Execution"

diff --git a/charts/acs-policies/templates/stop-suspicious-exec.yaml b/charts/acs-policies/templates/stop-suspicious-exec.yaml
@@ -8,7 +8,9 @@ spec:
   policyName: "Stop Suspicious Exec"
   description: "Stops a pod if a suspicious command is executed"
   remediation: "Review the pod's security context and command execution history."
-  disabled: {{ .Values.policies.stopSuspiciousExec.disabled | default false }}
+  {{- if .Values.policies.stopSuspiciousExec.disabled }}
+  disabled: true
+  {{- end }}
   categories:
     - "Security Best Practices"
     - "Zero Trust"
@@ -19,6 +21,10 @@ spec:
   enforcementActions:
     - "KILL_POD_ENFORCEMENT"
 
+  scope:
+    - label: {}
+      namespace: "qtodo"
+
   policySections:
     - sectionName: "Suspicious Command Execution"
       policyGroups:
@@ -27,5 +33,10 @@ spec:
           values:
             - value: "ncat"
             - value: "nmap"
-            - value: "curl"
-            - value: "wget"
+            - value: "nc"
+            - value: "netcat"
+            # curl and wget removed -- too broadly used by system components
+            # (router, keepalived, prometheus, build tasks) to be kill triggers.
+            # Re-enable only with tight namespace scoping and specific image exclusions.
+            # - value: "curl"
+            # - value: "wget"