From 0580e28db71f6c2dcfd7595371ebc7983492437c Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Thu, 16 Oct 2025 01:32:22 -0700
Subject: [PATCH 1/3] CMP-3589: Add variable for excluded namespaces in routes rate limit check

Introduce a new variable 'var_routes_excluded_namespaces_regex' to define namespaces that should be excluded from the routes rate limit compliance check.

---
 .../networking/routes_rate_limit/rule.yml | 19 +++++++++++--------
 .../var_routes_excluded_namespaces_regex.var | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+), 8 deletions(-)
 create mode 100644 applications/openshift/networking/var_routes_excluded_namespaces_regex.var

diff --git a/applications/openshift/networking/routes_rate_limit/rule.yml b/applications/openshift/networking/routes_rate_limit/rule.yml
index e7f233819c4..88df537be43 100644
--- a/applications/openshift/networking/routes_rate_limit/rule.yml
+++ b/applications/openshift/networking/routes_rate_limit/rule.yml
@@ -3,10 +3,10 @@ title: Ensure that all Routes has rate limit enabled
 
 description: |-
     OpenShift has an option to set the rate limit for Routes [1] when creating new Routes.
-    All routes outside the openshift namespaces and the kube namespaces should use the
-    rate-limiting annotations.
+    All routes outside the excluded namespaces (as defined by the variable
+    ocp4-var-routes-excluded-namespaces-regex) should use the rate-limiting annotations.
 
-    [1] https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
+    [1] https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
 
 rationale: |-
     The usage of rate limit for Routes provides basic protection against distributed denial-of-service (DDoS) attacks.
@@ -19,14 +19,17 @@ references:
     nist: SC-5,SC-5(1),SC-5(2)
     srg: SRG-APP-000246-CTR-000605,SRG-APP-000435-CTR-001070
 
-{{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
+{{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
 
-ocil_clause: 'Rate limit is not enabled for all routes outside the openshift namespaces'
+ocil_clause: 'Rate limit is not enabled for all routes outside the excluded namespaces'
 
 ocil: |-
-    Run the following command to retrieve a list routes that does not have rate limit enabled:
-    $  oc get routes --all-namespaces -o json | jq '{{{ jqfilter }}}'
-    Make sure that there is output nothing in the result.
+    This rule checks routes that do not have rate limiting enabled and fails if there are
+    routes outside the excluded namespaces (as defined by the variable
+    ocp4-var-routes-excluded-namespaces-regex) without rate limiting annotations.
+    Use following command to list the routes that would fail the test:
+    {{{ ocil_oc_pipe_jq_filter('routes', jqfilter) }}}
+
 
 severity: medium
 
diff --git a/applications/openshift/networking/var_routes_excluded_namespaces_regex.var b/applications/openshift/networking/var_routes_excluded_namespaces_regex.var
new file mode 100644
index 00000000000..d555dc8d034
--- /dev/null
+++ b/applications/openshift/networking/var_routes_excluded_namespaces_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Excluded Namespaces for Routes Rate Limit Check'
+
+description: |-
+    A regular expression that lists all namespaces that should be excluded
+    from the routes rate limit compliance check. This is particularly useful
+    for namespaces managed by operators where direct route modifications
+    are not recommended.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    default: "None"

From 6704fbeb3866964b66d673f55b7fdb1c3a65e72a Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Wed, 22 Oct 2025 22:44:08 -0700
Subject: [PATCH 2/3] Update default regex for excluded namespaces in network policies and refine jqfilter in rate limit rule

Change the default value of 'var_network_policies_namespaces_exempt_regex' to match namespaces starting with 'kube-' or 'openshift-'. Additionally, modify the jqfilter in 'rule.yml' to utilize the updated regex for improved namespace exclusion in rate limit checks.

---
 applications/openshift/networking/routes_rate_limit/rule.yml | 2 +-
 .../networking/var_routes_excluded_namespaces_regex.var | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

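Review bot: The tailorable value is spliced verbatim into the jq program on the added `{{% set jqfilter = ... test("{{.var_routes_excluded_namespaces_regex}}"; "") ... %}}` line, and nothing guards its shape: a value containing `"` or `\` breaks the double-quoted jq string, and an empty value makes `test("")` match every namespace, so every route is excluded and the rule passes vacuously instead of failing loudly. A one-line guard keeps the exclusion off when the variable is empty, `select("{{.var_routes_excluded_namespaces_regex}}" == "" or (.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not))`, and the same spliced expression is kept unchanged by the second patch's rule.yml hunk, so the guard belongs there as well. Whether this jqfilter also drives the automated check or only the OCIL text is not visible in the hunk; if it drives the check, the vacuous-pass case is an audit gap rather than a cosmetic one.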
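Review bot: The new variable's description does not tell an operator how the value is consumed, which is the one thing a tailoring author needs before overriding it: it is a single regular expression evaluated by jq's `test`, i.e. an unanchored search, so a pattern must start with `^` to match a namespace prefix rather than any substring of the name. The description should also state that the value must not contain double quotes (it is embedded in a jq string literal) and that an empty value excludes every namespace and therefore disables the check. I would extend the `description: |-` block with two sentences covering anchoring and the empty/quoted-value constraints rather than leaving those as tribal knowledge.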
diff --git a/applications/openshift/networking/routes_rate_limit/rule.yml b/applications/openshift/networking/routes_rate_limit/rule.yml
index 88df537be43..2d029db0632 100644
--- a/applications/openshift/networking/routes_rate_limit/rule.yml
+++ b/applications/openshift/networking/routes_rate_limit/rule.yml
@@ -19,7 +19,7 @@ references:
     nist: SC-5,SC-5(1),SC-5(2)
     srg: SRG-APP-000246-CTR-000605,SRG-APP-000435-CTR-001070
 
-{{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
+{{% set jqfilter = '[.items[] | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
 
 ocil_clause: 'Rate limit is not enabled for all routes outside the excluded namespaces'
 
diff --git a/applications/openshift/networking/var_routes_excluded_namespaces_regex.var b/applications/openshift/networking/var_routes_excluded_namespaces_regex.var
index d555dc8d034..72a06d44979 100644
--- a/applications/openshift/networking/var_routes_excluded_namespaces_regex.var
+++ b/applications/openshift/networking/var_routes_excluded_namespaces_regex.var
@@ -15,4 +15,4 @@ operator: equals
 interactive: false
 
 options:
-    default: "None"
+    default: "^kube-.*|openshift-.*"

From 14b2786d8bfff3d5e708c4b9b8a09f92f50ce800 Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Fri, 24 Oct 2025 01:55:33 -0700
Subject: [PATCH 3/3] Update jqfilter in routes rate limit rule to include all namespaces

---
 applications/openshift/networking/routes_rate_limit/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

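Review bot: The new default `^kube-.*|openshift-.*` anchors only its first alternative; `openshift-.*` is searched anywhere in the namespace name, so a namespace such as the constructed `team-openshift-demo` is now silently exempt, whereas the `startswith("openshift-")` removed from rule.yml in the same commit was anchored. That widens the exemption relative to the previous behaviour and turns a missing rate-limit annotation in such a namespace into a false pass. Anchoring both branches restores the old scope: `    default: "^(kube-|openshift-)"`. Separately, the commit message names `var_network_policies_namespaces_exempt_regex`, but the file changed here is `var_routes_excluded_namespaces_regex.var`; one of the two looks like a copy-paste slip.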
diff --git a/applications/openshift/networking/routes_rate_limit/rule.yml b/applications/openshift/networking/routes_rate_limit/rule.yml
index 2d029db0632..a4c5a2dd9a1 100644
--- a/applications/openshift/networking/routes_rate_limit/rule.yml
+++ b/applications/openshift/networking/routes_rate_limit/rule.yml
@@ -28,7 +28,7 @@ ocil: |-
     routes outside the excluded namespaces (as defined by the variable
     ocp4-var-routes-excluded-namespaces-regex) without rate limiting annotations.
     Use following command to list the routes that would fail the test:
-    {{{ ocil_oc_pipe_jq_filter('routes', jqfilter) }}}
+    {{{ ocil_oc_pipe_jq_filter('routes --all-namespaces', jqfilter) }}}
 
 severity: medium
 
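Review bot: After this change the OCIL still never states what a passing result looks like; the first patch dropped the old "Make sure that there is output nothing in the result" sentence and the replacement text ending at the `{{{ ocil_oc_pipe_jq_filter('routes --all-namespaces', jqfilter) }}}` line only says how to list offenders. I would append one line after the macro call, `    If the command prints any route name, the rule fails for that route.`, so an assessor reading the rendered guide knows that an empty list is the expected outcome. Passing the flag as part of the resource-name argument presumably works only if the macro splices that argument verbatim into the `oc get` command line; the macro is not in the hunk, so the rendered OCIL text should be checked to confirm the flag does not leak into a sentence.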