Update default regex for excluded namespaces in network policies and refine jqfilter in rate limit rule

Change the default value of 'var_network_policies_namespaces_exempt_regex' to match namespaces starting with 'kube-' or 'openshift-'. Additionally, modify the jqfilter in 'rule.yml' to utilize the updated regex for improved namespace exclusion in rate limit checks.

Author: Vincent056

applications/openshift/networking/routes_rate_limit/rule.yml

@@ -19,7 +19,7 @@ references:
   nist: SC-5,SC-5(1),SC-5(2)
   srg: SRG-APP-000246-CTR-000605,SRG-APP-000435-CTR-001070
 
-{{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
+{{% set jqfilter = '[.items[] | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
 
 ocil_clause: 'Rate limit is not enabled for all routes outside the excluded namespaces'
 

applications/openshift/networking/var_routes_excluded_namespaces_regex.var

@@ -15,4 +15,4 @@ operator: equals
 interactive: false
 
 options:
-  default: "None"
+  default: "^kube-.*|openshift-.*"