diff --git a/examples/ControllerAffinityNode/policy.yaml b/examples/ControllerAffinityNode/policy.yaml
index d7ee503a..2e0c75cc 100644
--- a/examples/ControllerAffinityNode/policy.yaml
+++ b/examples/ControllerAffinityNode/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.affinity-node-simple
diff --git a/examples/ControllerAffinityNodeSelector/policy.yaml b/examples/ControllerAffinityNodeSelector/policy.yaml
index 87756a02..6110f286 100644
--- a/examples/ControllerAffinityNodeSelector/policy.yaml
+++ b/examples/ControllerAffinityNodeSelector/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.affinity-node-selector
diff --git a/examples/ControllerAffinityPods/policy.yaml b/examples/ControllerAffinityPods/policy.yaml
index 95d82135..76e1122d 100644
--- a/examples/ControllerAffinityPods/policy.yaml
+++ b/examples/ControllerAffinityPods/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.affinity-pod-simple
diff --git a/examples/ControllerAntiAffinityPods/policy.yaml b/examples/ControllerAntiAffinityPods/policy.yaml
index 3759e61b..092f89f8 100644
--- a/examples/ControllerAntiAffinityPods/policy.yaml
+++ b/examples/ControllerAntiAffinityPods/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.antiaffinity-pod-simple
diff --git a/examples/ControllerContainerEnforceEnvVar/policy.yaml b/examples/ControllerContainerEnforceEnvVar/policy.yaml
index 223e1a21..1a430a49 100644
--- a/examples/ControllerContainerEnforceEnvVar/policy.yaml
+++ b/examples/ControllerContainerEnforceEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-enforce-environment-variable
diff --git a/examples/ControllerContainerProhibitEnvVar/policy.yaml b/examples/ControllerContainerProhibitEnvVar/policy.yaml
index 1f00899e..3a94a16f 100644
--- a/examples/ControllerContainerProhibitEnvVar/policy.yaml
+++ b/examples/ControllerContainerProhibitEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-prohibit-environment-variable
diff --git a/examples/ControllerImageApprovedRegistry/policy.yaml b/examples/ControllerImageApprovedRegistry/policy.yaml
index c51b2a22..a7d8c46a 100644
--- a/examples/ControllerImageApprovedRegistry/policy.yaml
+++ b/examples/ControllerImageApprovedRegistry/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.approved-registry
diff --git a/examples/ControllerImageName/policy.yaml b/examples/ControllerImageName/policy.yaml
index f756e30c..a9991903 100644
--- a/examples/ControllerImageName/policy.yaml
+++ b/examples/ControllerImageName/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.containers-block-specific-image-names
diff --git a/examples/ControllerMissingLabelValue/policy.yaml b/examples/ControllerMissingLabelValue/policy.yaml
index fd40d6cf..be0236df 100644
--- a/examples/ControllerMissingLabelValue/policy.yaml
+++ b/examples/ControllerMissingLabelValue/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.metadata-missing-label-and-value
diff --git a/examples/ControllerMissingMatchLabelKey/policy.yaml b/examples/ControllerMissingMatchLabelKey/policy.yaml
index e3d37a41..d1849b2b 100644
--- a/examples/ControllerMissingMatchLabelKey/policy.yaml
+++ b/examples/ControllerMissingMatchLabelKey/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.missing-matchlabels-key
diff --git a/examples/ControllerProbesCustom/policy.yaml b/examples/ControllerProbesCustom/policy.yaml
index fafc3c7d..68603cf5 100644
--- a/examples/ControllerProbesCustom/policy.yaml
+++ b/examples/ControllerProbesCustom/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-custom-probe
diff --git a/examples/ControllerProbesNamedPort/policy.yaml b/examples/ControllerProbesNamedPort/policy.yaml
index 6eb691a5..d21e82fc 100644
--- a/examples/ControllerProbesNamedPort/policy.yaml
+++ b/examples/ControllerProbesNamedPort/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-named-port
diff --git a/examples/ControllerResourcesMaxCPULimits/policy.yaml b/examples/ControllerResourcesMaxCPULimits/policy.yaml
index e92c56eb..06a4cd3d 100644
--- a/examples/ControllerResourcesMaxCPULimits/policy.yaml
+++ b/examples/ControllerResourcesMaxCPULimits/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-maximum-cpu-limits
diff --git a/examples/ControllerResourcesMaxCPURequests/policy.yaml b/examples/ControllerResourcesMaxCPURequests/policy.yaml
index 42a24882..b28aa46d 100644
--- a/examples/ControllerResourcesMaxCPURequests/policy.yaml
+++ b/examples/ControllerResourcesMaxCPURequests/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-maximum-cpu-requests
diff --git a/examples/ControllerResourcesMaxMemoryLimits/policy.yaml b/examples/ControllerResourcesMaxMemoryLimits/policy.yaml
index 3b704893..41674ee7 100644
--- a/examples/ControllerResourcesMaxMemoryLimits/policy.yaml
+++ b/examples/ControllerResourcesMaxMemoryLimits/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-maximum-memory-limits
diff --git a/examples/ControllerResourcesMaxMemoryRequests/policy.yaml b/examples/ControllerResourcesMaxMemoryRequests/policy.yaml
index 05a37dc6..16bc7735 100644
--- a/examples/ControllerResourcesMaxMemoryRequests/policy.yaml
+++ b/examples/ControllerResourcesMaxMemoryRequests/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-maximum-memory-requests
diff --git a/examples/ControllerResourcesMinCPULimits/policy.yaml b/examples/ControllerResourcesMinCPULimits/policy.yaml
index d5189952..a9225654 100644
--- a/examples/ControllerResourcesMinCPULimits/policy.yaml
+++ b/examples/ControllerResourcesMinCPULimits/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-minimum-cpu-limits
diff --git a/examples/ControllerResourcesMinCPURequests/policy.yaml b/examples/ControllerResourcesMinCPURequests/policy.yaml
index a276de50..896c3431 100644
--- a/examples/ControllerResourcesMinCPURequests/policy.yaml
+++ b/examples/ControllerResourcesMinCPURequests/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-minimum-cpu-requests
diff --git a/examples/ControllerResourcesMinMemoryLimits/policy.yaml b/examples/ControllerResourcesMinMemoryLimits/policy.yaml
index 93f83968..650e8802 100644
--- a/examples/ControllerResourcesMinMemoryLimits/policy.yaml
+++ b/examples/ControllerResourcesMinMemoryLimits/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-minimum-memory-limits
diff --git a/examples/ControllerResourcesMinMemoryRequests/policy.yaml b/examples/ControllerResourcesMinMemoryRequests/policy.yaml
index 210d7a58..9dfe94e7 100644
--- a/examples/ControllerResourcesMinMemoryRequests/policy.yaml
+++ b/examples/ControllerResourcesMinMemoryRequests/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.container-minimum-memory-requests
diff --git a/examples/ControllerSpecGeneric/policy.yaml b/examples/ControllerSpecGeneric/policy.yaml
index ff31be14..c32ebc09 100644
--- a/examples/ControllerSpecGeneric/policy.yaml
+++ b/examples/ControllerSpecGeneric/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.containers-are-missing-a-controller-spec-key
diff --git a/examples/ControllerSpecTemplateLabels/policy.yaml b/examples/ControllerSpecTemplateLabels/policy.yaml
index 756bd49c..0ea834ab 100644
--- a/examples/ControllerSpecTemplateLabels/policy.yaml
+++ b/examples/ControllerSpecTemplateLabels/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.containers-are-missing-a-spec-template-label
diff --git a/examples/IngressClass/policy.yaml b/examples/IngressClass/policy.yaml
index fd16ece4..6e56e9e7 100644
--- a/examples/IngressClass/policy.yaml
+++ b/examples/IngressClass/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.enforce-specific-ingress-class
diff --git a/examples/IngressHostname/policy.yaml b/examples/IngressHostname/policy.yaml
index de7d970e..82821631 100644
--- a/examples/IngressHostname/policy.yaml
+++ b/examples/IngressHostname/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.ingress-approved-hostnames
diff --git a/examples/IstioGatewayHosts/policy.yaml b/examples/IstioGatewayHosts/policy.yaml
index 04907edb..b274c526 100644
--- a/examples/IstioGatewayHosts/policy.yaml
+++ b/examples/IstioGatewayHosts/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.istio-gateway-approved-hosts
diff --git a/examples/IstioNamespaceLabelInjection/policy.yaml b/examples/IstioNamespaceLabelInjection/policy.yaml
index f9703489..ecd5b9b7 100644
--- a/examples/IstioNamespaceLabelInjection/policy.yaml
+++ b/examples/IstioNamespaceLabelInjection/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.istio-injected-namespaces
diff --git a/examples/KubernetesKubeletVersion/policy.yaml b/examples/KubernetesKubeletVersion/policy.yaml
index 2cb2c290..474d0b86 100644
--- a/examples/KubernetesKubeletVersion/policy.yaml
+++ b/examples/KubernetesKubeletVersion/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.kubernetes-minimum-kubelet-version
diff --git a/examples/KubernetesProhibitKind/policy.yaml b/examples/KubernetesProhibitKind/policy.yaml
index f0aebf1b..00cdf2a5 100644
--- a/examples/KubernetesProhibitKind/policy.yaml
+++ b/examples/KubernetesProhibitKind/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.prohibit-specific-kind-from-being-scheduled
diff --git a/examples/NamespaceLimitRangeMinMax/policy.yaml b/examples/NamespaceLimitRangeMinMax/policy.yaml
index ff2e2d75..71186907 100644
--- a/examples/NamespaceLimitRangeMinMax/policy.yaml
+++ b/examples/NamespaceLimitRangeMinMax/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.namespace-resources-limitrange
diff --git a/examples/NamespacePodQuota/policy.yaml b/examples/NamespacePodQuota/policy.yaml
index 5106d636..183bd0b2 100644
--- a/examples/NamespacePodQuota/policy.yaml
+++ b/examples/NamespacePodQuota/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.namespace-pod-quota
diff --git a/examples/NamespaceResourceQuotas/policy.yaml b/examples/NamespaceResourceQuotas/policy.yaml
index 16df6a05..87340949 100644
--- a/examples/NamespaceResourceQuotas/policy.yaml
+++ b/examples/NamespaceResourceQuotas/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.resource-quota-setting-is-missing
diff --git a/examples/NetworkPolicyAllowEgressAllFromNamespace/policy.yaml b/examples/NetworkPolicyAllowEgressAllFromNamespace/policy.yaml
index 98778251..b8a5060d 100644
--- a/examples/NetworkPolicyAllowEgressAllFromNamespace/policy.yaml
+++ b/examples/NetworkPolicyAllowEgressAllFromNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-all-egress-traffic-from-namespace
diff --git a/examples/NetworkPolicyAllowEgressAllFromNamespaceToCIDR/policy.yaml b/examples/NetworkPolicyAllowEgressAllFromNamespaceToCIDR/policy.yaml
index afaf17b6..97da77b1 100644
--- a/examples/NetworkPolicyAllowEgressAllFromNamespaceToCIDR/policy.yaml
+++ b/examples/NetworkPolicyAllowEgressAllFromNamespaceToCIDR/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-all-egress-traffic-from-namespace-to-cidr-block
diff --git a/examples/NetworkPolicyAllowEgressDNSFromNamespace/policy.yaml b/examples/NetworkPolicyAllowEgressDNSFromNamespace/policy.yaml
index 3420551e..9f458ed0 100644
--- a/examples/NetworkPolicyAllowEgressDNSFromNamespace/policy.yaml
+++ b/examples/NetworkPolicyAllowEgressDNSFromNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-egress-dns-to-coredns
diff --git a/examples/NetworkPolicyAllowEgressFromNamespaceToNamespace/policy.yaml b/examples/NetworkPolicyAllowEgressFromNamespaceToNamespace/policy.yaml
index 315f2b3a..d0ff123f 100644
--- a/examples/NetworkPolicyAllowEgressFromNamespaceToNamespace/policy.yaml
+++ b/examples/NetworkPolicyAllowEgressFromNamespaceToNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-egress-traffic-from-namespace-to-another
diff --git a/examples/NetworkPolicyAllowIngressAllToNamespace/policy.yaml b/examples/NetworkPolicyAllowIngressAllToNamespace/policy.yaml
index 1ba94a8b..446ae03a 100644
--- a/examples/NetworkPolicyAllowIngressAllToNamespace/policy.yaml
+++ b/examples/NetworkPolicyAllowIngressAllToNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-all-ingress-traffic-to-namespace
diff --git a/examples/NetworkPolicyAllowIngressAllToNamespaceFromCIDR/policy.yaml b/examples/NetworkPolicyAllowIngressAllToNamespaceFromCIDR/policy.yaml
index 57463997..d920f32c 100644
--- a/examples/NetworkPolicyAllowIngressAllToNamespaceFromCIDR/policy.yaml
+++ b/examples/NetworkPolicyAllowIngressAllToNamespaceFromCIDR/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-all-ingress-traffic-to-namespace-from-cidr-block
diff --git a/examples/NetworkPolicyAllowIngressFromNamespaceToNamespace/policy.yaml b/examples/NetworkPolicyAllowIngressFromNamespaceToNamespace/policy.yaml
index 55fdcbf5..4c9240fc 100644
--- a/examples/NetworkPolicyAllowIngressFromNamespaceToNamespace/policy.yaml
+++ b/examples/NetworkPolicyAllowIngressFromNamespaceToNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-allow-ingress-traffic-from-namespace-to-another
diff --git a/examples/NetworkPolicyBlockEgressAllFromNamespace/policy.yaml b/examples/NetworkPolicyBlockEgressAllFromNamespace/policy.yaml
index d90edb68..cd097158 100644
--- a/examples/NetworkPolicyBlockEgressAllFromNamespace/policy.yaml
+++ b/examples/NetworkPolicyBlockEgressAllFromNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-block-all-egress-traffic-from-namespace
diff --git a/examples/NetworkPolicyBlockEgressAllFromNamespaceToCIDR/policy.yaml b/examples/NetworkPolicyBlockEgressAllFromNamespaceToCIDR/policy.yaml
index 6fa55d25..959ac251 100644
--- a/examples/NetworkPolicyBlockEgressAllFromNamespaceToCIDR/policy.yaml
+++ b/examples/NetworkPolicyBlockEgressAllFromNamespaceToCIDR/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-block-all-egress-traffic-for-namespace-to-cidr-block
diff --git a/examples/NetworkPolicyBlockIngressAllToNamespace/policy.yaml b/examples/NetworkPolicyBlockIngressAllToNamespace/policy.yaml
index 74e6c06d..b9a2b78f 100644
--- a/examples/NetworkPolicyBlockIngressAllToNamespace/policy.yaml
+++ b/examples/NetworkPolicyBlockIngressAllToNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-block-all-ingress-traffic-to-namespace
diff --git a/examples/NetworkPolicyBlockIngressAllToNamespaceFromCIDR/policy.yaml b/examples/NetworkPolicyBlockIngressAllToNamespaceFromCIDR/policy.yaml
index 67f10253..08646d9c 100644
--- a/examples/NetworkPolicyBlockIngressAllToNamespaceFromCIDR/policy.yaml
+++ b/examples/NetworkPolicyBlockIngressAllToNamespaceFromCIDR/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.network-block-all-ingress-traffic-to-namespace-from-cidr-block
diff --git a/examples/NodeCustomLabel/policy.yaml b/examples/NodeCustomLabel/policy.yaml
index 780110c7..f7fd96b3 100644
--- a/examples/NodeCustomLabel/policy.yaml
+++ b/examples/NodeCustomLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.node-custom-label
diff --git a/examples/NodeKernelVersion/policy.yaml b/examples/NodeKernelVersion/policy.yaml
index 4b68043e..2684b955 100644
--- a/examples/NodeKernelVersion/policy.yaml
+++ b/examples/NodeKernelVersion/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.node-kernel-versions
diff --git a/examples/NodeMissingLabel/policy.yaml b/examples/NodeMissingLabel/policy.yaml
index ace183ca..d811feef 100644
--- a/examples/NodeMissingLabel/policy.yaml
+++ b/examples/NodeMissingLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.node-missing-label
diff --git a/examples/NodeOSVersion/policy.yaml b/examples/NodeOSVersion/policy.yaml
index de66a5cc..9cdc8d1e 100644
--- a/examples/NodeOSVersion/policy.yaml
+++ b/examples/NodeOSVersion/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.node-os-version
diff --git a/examples/PersistentVolumeAccessModes/policy.yaml b/examples/PersistentVolumeAccessModes/policy.yaml
index dd9dc0d6..5125c5f2 100644
--- a/examples/PersistentVolumeAccessModes/policy.yaml
+++ b/examples/PersistentVolumeAccessModes/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.persistent-volume-access-modes
diff --git a/examples/PersistentVolumeClaimMaxSize/policy.yaml b/examples/PersistentVolumeClaimMaxSize/policy.yaml
index 35007586..464db3a3 100644
--- a/examples/PersistentVolumeClaimMaxSize/policy.yaml
+++ b/examples/PersistentVolumeClaimMaxSize/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.persistent-volume-claim-max-size
diff --git a/examples/PersistentVolumeClaimSnapshot/policy.yaml b/examples/PersistentVolumeClaimSnapshot/policy.yaml
index 7c48abeb..4e1679d9 100644
--- a/examples/PersistentVolumeClaimSnapshot/policy.yaml
+++ b/examples/PersistentVolumeClaimSnapshot/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.persistent-volume-claim-snapshot
diff --git a/examples/PersistentVolumeMaxSize/policy.yaml b/examples/PersistentVolumeMaxSize/policy.yaml
index 10a4c21b..4411ee66 100644
--- a/examples/PersistentVolumeMaxSize/policy.yaml
+++ b/examples/PersistentVolumeMaxSize/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.persistent-volume-max-size
diff --git a/examples/PrometheusAnnotationKey/policy.yaml b/examples/PrometheusAnnotationKey/policy.yaml
index ae5cd369..a20d47ce 100644
--- a/examples/PrometheusAnnotationKey/policy.yaml
+++ b/examples/PrometheusAnnotationKey/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.enforce-prometheus-annotation-key
diff --git a/examples/PrometheusAnnotationValue/policy.yaml b/examples/PrometheusAnnotationValue/policy.yaml
index 90c47430..f88758a9 100644
--- a/examples/PrometheusAnnotationValue/policy.yaml
+++ b/examples/PrometheusAnnotationValue/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.enforce-prometheus-annotation-value
diff --git a/examples/PrometheusServiceAnnontationKey/policy.yaml b/examples/PrometheusServiceAnnontationKey/policy.yaml
index baffb064..60a05a03 100644
--- a/examples/PrometheusServiceAnnontationKey/policy.yaml
+++ b/examples/PrometheusServiceAnnontationKey/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.enforce-prometheus-service-annotation-key
diff --git a/examples/RBACProhibitEditingConfigMaps/policy.yaml b/examples/RBACProhibitEditingConfigMaps/policy.yaml
index 94584dd6..44eff0ab 100644
--- a/examples/RBACProhibitEditingConfigMaps/policy.yaml
+++ b/examples/RBACProhibitEditingConfigMaps/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.rbac-prohibit-updating-configmaps
diff --git a/examples/RBACProhibitVerbsOnResources/policy.yaml b/examples/RBACProhibitVerbsOnResources/policy.yaml
index b812a924..58b557de 100644
--- a/examples/RBACProhibitVerbsOnResources/policy.yaml
+++ b/examples/RBACProhibitVerbsOnResources/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.rbac-prohibit-verbs-on-resources
diff --git a/examples/RBACProhibitWildcards/policy.yaml b/examples/RBACProhibitWildcards/policy.yaml
index f6fe2b9e..9f618aee 100644
--- a/examples/RBACProhibitWildcards/policy.yaml
+++ b/examples/RBACProhibitWildcards/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.templates.rbac-prohibit-resources-wildcards
diff --git a/policies/ControllerContainerAllowingPrivilegeEscalation/policy.yaml b/policies/ControllerContainerAllowingPrivilegeEscalation/policy.yaml
index 3bf7b4bc..fdec7f7a 100644
--- a/policies/ControllerContainerAllowingPrivilegeEscalation/policy.yaml
+++ b/policies/ControllerContainerAllowingPrivilegeEscalation/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-running-with-privilege-escalation
diff --git a/policies/ControllerContainerBlockHostPath/policy.yaml b/policies/ControllerContainerBlockHostPath/policy.yaml
index ee7ee270..46ff6817 100644
--- a/policies/ControllerContainerBlockHostPath/policy.yaml
+++ b/policies/ControllerContainerBlockHostPath/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-using-hostpath
diff --git a/policies/ControllerContainerBlockPortsRange/policy.yaml b/policies/ControllerContainerBlockPortsRange/policy.yaml
index e92247b5..3f2dccda 100644
--- a/policies/ControllerContainerBlockPortsRange/policy.yaml
+++ b/policies/ControllerContainerBlockPortsRange/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-block-ports-range
diff --git a/policies/ControllerContainerBlockSSHPort/policy.yaml b/policies/ControllerContainerBlockSSHPort/policy.yaml
index 55375667..0ca28bd3 100644
--- a/policies/ControllerContainerBlockSSHPort/policy.yaml
+++ b/policies/ControllerContainerBlockSSHPort/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-block-ssh-port
diff --git a/policies/ControllerContainerBlockSysctls/policy.yaml b/policies/ControllerContainerBlockSysctls/policy.yaml
index fc1bb5d1..c0e7e374 100644
--- a/policies/ControllerContainerBlockSysctls/policy.yaml
+++ b/policies/ControllerContainerBlockSysctls/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.container-block-sysctl
diff --git a/policies/ControllerContainerBlockSysctls_CVE-2022-0811/policy.yaml b/policies/ControllerContainerBlockSysctls_CVE-2022-0811/policy.yaml
index c2fef506..1cc76c7e 100644
--- a/policies/ControllerContainerBlockSysctls_CVE-2022-0811/policy.yaml
+++ b/policies/ControllerContainerBlockSysctls_CVE-2022-0811/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.container-block-sysctl.cve-2022-0811
diff --git a/policies/ControllerContainerLinuxCapabilities/policy.yaml b/policies/ControllerContainerLinuxCapabilities/policy.yaml
index 31e380cd..f3ad5746 100644
--- a/policies/ControllerContainerLinuxCapabilities/policy.yaml
+++ b/policies/ControllerContainerLinuxCapabilities/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-running-with-unapproved-linux-capabilities
diff --git a/policies/ControllerContainerRunningAsRoot/policy.yaml b/policies/ControllerContainerRunningAsRoot/policy.yaml
index 76f3105e..a786eb4e 100644
--- a/policies/ControllerContainerRunningAsRoot/policy.yaml
+++ b/policies/ControllerContainerRunningAsRoot/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.container-running-as-root
diff --git a/policies/ControllerContainerRunningAsUser/policy.yaml b/policies/ControllerContainerRunningAsUser/policy.yaml
index 7cefbb6d..2290cccd 100644
--- a/policies/ControllerContainerRunningAsUser/policy.yaml
+++ b/policies/ControllerContainerRunningAsUser/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.container-running-as-user
diff --git a/policies/ControllerContainerRunningPrivilegedMode/policy.yaml b/policies/ControllerContainerRunningPrivilegedMode/policy.yaml
index fec231a2..93ad331e 100644
--- a/policies/ControllerContainerRunningPrivilegedMode/policy.yaml
+++ b/policies/ControllerContainerRunningPrivilegedMode/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-running-in-privileged-mode
diff --git a/policies/ControllerContainerServiceAccountTokenAutomount/policy.yaml b/policies/ControllerContainerServiceAccountTokenAutomount/policy.yaml
index f4d8fa1e..fda7a8cd 100644
--- a/policies/ControllerContainerServiceAccountTokenAutomount/policy.yaml
+++ b/policies/ControllerContainerServiceAccountTokenAutomount/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.controller-serviceaccount-tokens-automount
diff --git a/policies/ControllerContainerUsingHostPort/policy.yaml b/policies/ControllerContainerUsingHostPort/policy.yaml
index cc9a2635..8a82248a 100644
--- a/policies/ControllerContainerUsingHostPort/policy.yaml
+++ b/policies/ControllerContainerUsingHostPort/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-using-hostport
diff --git a/policies/ControllerDockerSocketMount/policy.yaml b/policies/ControllerDockerSocketMount/policy.yaml
index 8246edb0..7fcd6ff0 100644
--- a/policies/ControllerDockerSocketMount/policy.yaml
+++ b/policies/ControllerDockerSocketMount/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-mounting-docker-socket
diff --git a/policies/ControllerImagePullPolicy/policy.yaml b/policies/ControllerImagePullPolicy/policy.yaml
index 490dd5e6..4314006f 100644
--- a/policies/ControllerImagePullPolicy/policy.yaml
+++ b/policies/ControllerImagePullPolicy/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.container-image-pull-policy
diff --git a/policies/ControllerImageTag/policy.yaml b/policies/ControllerImageTag/policy.yaml
index 1b5f2e28..e80c413e 100644
--- a/policies/ControllerImageTag/policy.yaml
+++ b/policies/ControllerImageTag/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.container-prohibit-image-tag
diff --git a/policies/ControllerMinimumReplicaCount/policy.yaml b/policies/ControllerMinimumReplicaCount/policy.yaml
index 642ae4e3..f1f172d0 100644
--- a/policies/ControllerMinimumReplicaCount/policy.yaml
+++ b/policies/ControllerMinimumReplicaCount/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-minimum-replica-count
diff --git a/policies/ControllerMissingKubernetesAppComponentLabel/policy.yaml b/policies/ControllerMissingKubernetesAppComponentLabel/policy.yaml
index 1db8332a..9cd9bec1 100644
--- a/policies/ControllerMissingKubernetesAppComponentLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppComponentLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-component-label
diff --git a/policies/ControllerMissingKubernetesAppCreatedByLabel/policy.yaml b/policies/ControllerMissingKubernetesAppCreatedByLabel/policy.yaml
index c515fd19..b1dcba43 100644
--- a/policies/ControllerMissingKubernetesAppCreatedByLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppCreatedByLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-created-by-label
diff --git a/policies/ControllerMissingKubernetesAppInstanceLabel/policy.yaml b/policies/ControllerMissingKubernetesAppInstanceLabel/policy.yaml
index e911e249..68e3554a 100644
--- a/policies/ControllerMissingKubernetesAppInstanceLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppInstanceLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-instance-label
diff --git a/policies/ControllerMissingKubernetesAppLabel/policy.yaml b/policies/ControllerMissingKubernetesAppLabel/policy.yaml
index 483a9d09..93f04254 100644
--- a/policies/ControllerMissingKubernetesAppLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-label
diff --git a/policies/ControllerMissingKubernetesAppManagedByLabel/policy.yaml b/policies/ControllerMissingKubernetesAppManagedByLabel/policy.yaml
index 00288cb3..480be935 100644
--- a/policies/ControllerMissingKubernetesAppManagedByLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppManagedByLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-managed-by-label
diff --git a/policies/ControllerMissingKubernetesAppPartOfLabel/policy.yaml b/policies/ControllerMissingKubernetesAppPartOfLabel/policy.yaml
index 014880da..667091d2 100644
--- a/policies/ControllerMissingKubernetesAppPartOfLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppPartOfLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-part-of-label
diff --git a/policies/ControllerMissingKubernetesAppVersionLabel/policy.yaml b/policies/ControllerMissingKubernetesAppVersionLabel/policy.yaml
index b08fa050..04736f8c 100644
--- a/policies/ControllerMissingKubernetesAppVersionLabel/policy.yaml
+++ b/policies/ControllerMissingKubernetesAppVersionLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-kubernetes-app-version-label
diff --git a/policies/ControllerMissingLivenessProbe/policy.yaml b/policies/ControllerMissingLivenessProbe/policy.yaml
index a625b078..c984b11d 100644
--- a/policies/ControllerMissingLivenessProbe/policy.yaml
+++ b/policies/ControllerMissingLivenessProbe/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-missing-liveness-probe
diff --git a/policies/ControllerMissingNamespace/policy.yaml b/policies/ControllerMissingNamespace/policy.yaml
index b10a10e3..cc5569cd 100644
--- a/policies/ControllerMissingNamespace/policy.yaml
+++ b/policies/ControllerMissingNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.block-workloads-created-without-specifying-namespace
diff --git a/policies/ControllerMissingOwnerLabel/policy.yaml b/policies/ControllerMissingOwnerLabel/policy.yaml
index d4bbe902..4674acb1 100644
--- a/policies/ControllerMissingOwnerLabel/policy.yaml
+++ b/policies/ControllerMissingOwnerLabel/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.missing-owner-label
diff --git a/policies/ControllerMissingReadinessProbe/policy.yaml b/policies/ControllerMissingReadinessProbe/policy.yaml
index 3d17eb7b..0490ee62 100644
--- a/policies/ControllerMissingReadinessProbe/policy.yaml
+++ b/policies/ControllerMissingReadinessProbe/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-missing-readiness-probe
diff --git a/policies/ControllerMissingSecurityContext/policy.yaml b/policies/ControllerMissingSecurityContext/policy.yaml
index 96678911..9613d2b5 100644
--- a/policies/ControllerMissingSecurityContext/policy.yaml
+++ b/policies/ControllerMissingSecurityContext/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-missing-security-context
diff --git a/policies/ControllerMissingStartupProbe/policy.yaml b/policies/ControllerMissingStartupProbe/policy.yaml
index b8697829..19be05b7 100644
--- a/policies/ControllerMissingStartupProbe/policy.yaml
+++ b/policies/ControllerMissingStartupProbe/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-missing-startup-probe
diff --git a/policies/ControllerProhibitNamespace/policy.yaml b/policies/ControllerProhibitNamespace/policy.yaml
index c85cd9d7..5a5860eb 100644
--- a/policies/ControllerProhibitNamespace/policy.yaml
+++ b/policies/ControllerProhibitNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-should-not-run-in-namespace
diff --git a/policies/ControllerReadOnlyFileSystem/policy.yaml b/policies/ControllerReadOnlyFileSystem/policy.yaml
index 84b4c26d..e3d01cf4 100644
--- a/policies/ControllerReadOnlyFileSystem/policy.yaml
+++ b/policies/ControllerReadOnlyFileSystem/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-read-only-root-filesystem
diff --git a/policies/ControllerRestartPolicy/policy.yaml b/policies/ControllerRestartPolicy/policy.yaml
index 9ef9db28..2e36fb30 100644
--- a/policies/ControllerRestartPolicy/policy.yaml
+++ b/policies/ControllerRestartPolicy/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-enforce-restart-policy
diff --git a/policies/ControllerSeccompRuntimeDefault/policy.yaml b/policies/ControllerSeccompRuntimeDefault/policy.yaml
index 2d43d3ab..9cf74718 100644
--- a/policies/ControllerSeccompRuntimeDefault/policy.yaml
+++ b/policies/ControllerSeccompRuntimeDefault/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-not-using-runtime-default-seccomp-profile
diff --git a/policies/ControllerShareHostIPC/policy.yaml b/policies/ControllerShareHostIPC/policy.yaml
index 5df8ae57..bcb4b39f 100644
--- a/policies/ControllerShareHostIPC/policy.yaml
+++ b/policies/ControllerShareHostIPC/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-sharing-host-ipc
diff --git a/policies/ControllerShareHostNetwork/policy.yaml b/policies/ControllerShareHostNetwork/policy.yaml
index 09393577..99d72784 100644
--- a/policies/ControllerShareHostNetwork/policy.yaml
+++ b/policies/ControllerShareHostNetwork/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-sharing-host-network
diff --git a/policies/ControllerShareHostPID/policy.yaml b/policies/ControllerShareHostPID/policy.yaml
index c9111948..f3629ed6 100644
--- a/policies/ControllerShareHostPID/policy.yaml
+++ b/policies/ControllerShareHostPID/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-sharing-host-pid
diff --git a/policies/ControllerShareProcessNamespace/policy.yaml b/policies/ControllerShareProcessNamespace/policy.yaml
index 50f2370b..e37ff624 100644
--- a/policies/ControllerShareProcessNamespace/policy.yaml
+++ b/policies/ControllerShareProcessNamespace/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-sharing-process-namespace
diff --git a/policies/ControllerTolerations/policy.yaml b/policies/ControllerTolerations/policy.yaml
index f4f5d7cf..5b6102f8 100644
--- a/policies/ControllerTolerations/policy.yaml
+++ b/policies/ControllerTolerations/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.containers-should-not-run-on-kubernetes-control-plane-nodes
diff --git a/policies/InfluxDBEnforceAdminTokenEnvVar/policy.yaml b/policies/InfluxDBEnforceAdminTokenEnvVar/policy.yaml
index 825067f9..3de7c39c 100644
--- a/policies/InfluxDBEnforceAdminTokenEnvVar/policy.yaml
+++ b/policies/InfluxDBEnforceAdminTokenEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.influxdb-enforce-admin-token-env-var
diff --git a/policies/InfluxDBEnforceBucketEnvVar/policy.yaml b/policies/InfluxDBEnforceBucketEnvVar/policy.yaml
index a518012b..c2b3033f 100644
--- a/policies/InfluxDBEnforceBucketEnvVar/policy.yaml
+++ b/policies/InfluxDBEnforceBucketEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.influxdb-enforce-bucket-env-var
diff --git a/policies/InfluxDBEnforceOrgEnvVar/policy.yaml b/policies/InfluxDBEnforceOrgEnvVar/policy.yaml
index d9abd765..9c6c62c4 100644
--- a/policies/InfluxDBEnforceOrgEnvVar/policy.yaml
+++ b/policies/InfluxDBEnforceOrgEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.influxdb-enforce-org-env-var
diff --git a/policies/InfluxDBEnforcePasswordEnvVar/policy.yaml b/policies/InfluxDBEnforcePasswordEnvVar/policy.yaml
index 61596f7a..5d2059ac 100644
--- a/policies/InfluxDBEnforcePasswordEnvVar/policy.yaml
+++ b/policies/InfluxDBEnforcePasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.influxdb-enforce-password-env-var
diff --git a/policies/InfluxDBEnforceRetentionEnvVar/policy.yaml b/policies/InfluxDBEnforceRetentionEnvVar/policy.yaml
index a379a377..c0dd9df8 100644
--- a/policies/InfluxDBEnforceRetentionEnvVar/policy.yaml
+++ b/policies/InfluxDBEnforceRetentionEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.influxdb-enforce-retention-env-var
diff --git a/policies/InfluxDBEnforceUsernameEnvVar/policy.yaml b/policies/InfluxDBEnforceUsernameEnvVar/policy.yaml
index d9d09009..90a967d3 100644
--- a/policies/InfluxDBEnforceUsernameEnvVar/policy.yaml
+++ b/policies/InfluxDBEnforceUsernameEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.influxdb-enforce-username-env-var
diff --git a/policies/KubernetesProhibitNakedPods/policy.yaml b/policies/KubernetesProhibitNakedPods/policy.yaml
index f512e0ee..f6abd97e 100644
--- a/policies/KubernetesProhibitNakedPods/policy.yaml
+++ b/policies/KubernetesProhibitNakedPods/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.prohibit-naked-pods-from-being-scheduled
diff --git a/policies/MYSQLEnforceDatabaseEnvVar/policy.yaml b/policies/MYSQLEnforceDatabaseEnvVar/policy.yaml
index c91360f7..5cecca76 100644
--- a/policies/MYSQLEnforceDatabaseEnvVar/policy.yaml
+++ b/policies/MYSQLEnforceDatabaseEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-database-env-var
diff --git a/policies/MYSQLEnforceOnetimePasswordEnvVar/policy.yaml b/policies/MYSQLEnforceOnetimePasswordEnvVar/policy.yaml
index e2c6a870..e454cff0 100644
--- a/policies/MYSQLEnforceOnetimePasswordEnvVar/policy.yaml
+++ b/policies/MYSQLEnforceOnetimePasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-onetime-password-env-var
diff --git a/policies/MYSQLEnforcePasswordEnvVar/policy.yaml b/policies/MYSQLEnforcePasswordEnvVar/policy.yaml
index dc63f6bf..d7bd2759 100644
--- a/policies/MYSQLEnforcePasswordEnvVar/policy.yaml
+++ b/policies/MYSQLEnforcePasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-password-env-var
diff --git a/policies/MYSQLEnforceRandomRootPasswordEnvVar/policy.yaml b/policies/MYSQLEnforceRandomRootPasswordEnvVar/policy.yaml
index ec33c78c..64c9ce11 100644
--- a/policies/MYSQLEnforceRandomRootPasswordEnvVar/policy.yaml
+++ b/policies/MYSQLEnforceRandomRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-random-root-password-env-var
diff --git a/policies/MYSQLEnforceRootPasswordEnvVar/policy.yaml b/policies/MYSQLEnforceRootPasswordEnvVar/policy.yaml
index 468d93c5..6a2a1a55 100644
--- a/policies/MYSQLEnforceRootPasswordEnvVar/policy.yaml
+++ b/policies/MYSQLEnforceRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-root-password-env-var
diff --git a/policies/MYSQLEnforceSkipTzinfoEnvVar/policy.yaml b/policies/MYSQLEnforceSkipTzinfoEnvVar/policy.yaml
index a27ed409..f70d7c45 100644
--- a/policies/MYSQLEnforceSkipTzinfoEnvVar/policy.yaml
+++ b/policies/MYSQLEnforceSkipTzinfoEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-skip-tzinfo-env-var
diff --git a/policies/MYSQLEnforceUserEnvVar/policy.yaml b/policies/MYSQLEnforceUserEnvVar/policy.yaml
index 9ca06102..7d353c85 100644
--- a/policies/MYSQLEnforceUserEnvVar/policy.yaml
+++ b/policies/MYSQLEnforceUserEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-enforce-user-env-var
diff --git a/policies/MYSQLProhibitEmptyPasswordEnvVar/policy.yaml b/policies/MYSQLProhibitEmptyPasswordEnvVar/policy.yaml
index dee72518..b93de86f 100644
--- a/policies/MYSQLProhibitEmptyPasswordEnvVar/policy.yaml
+++ b/policies/MYSQLProhibitEmptyPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mysql-prohibit-empty-password-env-var
diff --git a/policies/MariaDBEnforceDatabaseEnvVar/policy.yaml b/policies/MariaDBEnforceDatabaseEnvVar/policy.yaml
index ceac324c..2f44da3c 100644
--- a/policies/MariaDBEnforceDatabaseEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceDatabaseEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-database-env-var
diff --git a/policies/MariaDBEnforceMysqlDatabaseEnvVar/policy.yaml b/policies/MariaDBEnforceMysqlDatabaseEnvVar/policy.yaml
index d13a878d..0e9543eb 100644
--- a/policies/MariaDBEnforceMysqlDatabaseEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceMysqlDatabaseEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-mysql-database-env-var
diff --git a/policies/MariaDBEnforceMysqlPasswordEnvVar/policy.yaml b/policies/MariaDBEnforceMysqlPasswordEnvVar/policy.yaml
index 815078b8..706f3d1a 100644
--- a/policies/MariaDBEnforceMysqlPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceMysqlPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-mysql-password-env-var
diff --git a/policies/MariaDBEnforceMysqlRandomRootPasswordEnvVar/policy.yaml b/policies/MariaDBEnforceMysqlRandomRootPasswordEnvVar/policy.yaml
index 5e80b2a2..e47dd7c6 100644
--- a/policies/MariaDBEnforceMysqlRandomRootPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceMysqlRandomRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-mysql-random-root-password-env-var
diff --git a/policies/MariaDBEnforceMysqlRootPasswordEnvVar/policy.yaml b/policies/MariaDBEnforceMysqlRootPasswordEnvVar/policy.yaml
index 184cedd8..6db4d842 100644
--- a/policies/MariaDBEnforceMysqlRootPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceMysqlRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-mysql-root-password-env-var
diff --git a/policies/MariaDBEnforceMysqlSkipTzinfoEnvVar/policy.yaml b/policies/MariaDBEnforceMysqlSkipTzinfoEnvVar/policy.yaml
index fb8194cd..64f7804a 100644
--- a/policies/MariaDBEnforceMysqlSkipTzinfoEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceMysqlSkipTzinfoEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-mysql-initdb-skip-tzinfo-env-var
diff --git a/policies/MariaDBEnforceMysqlUserEnvVar/policy.yaml b/policies/MariaDBEnforceMysqlUserEnvVar/policy.yaml
index 83083361..1811a24d 100644
--- a/policies/MariaDBEnforceMysqlUserEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceMysqlUserEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-mysql-user-env-var
diff --git a/policies/MariaDBEnforcePasswordEnvVar/policy.yaml b/policies/MariaDBEnforcePasswordEnvVar/policy.yaml
index 8a536c2b..05178f9f 100644
--- a/policies/MariaDBEnforcePasswordEnvVar/policy.yaml
+++ b/policies/MariaDBEnforcePasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-password-env-var
diff --git a/policies/MariaDBEnforceRandomRootPasswordEnvVar/policy.yaml b/policies/MariaDBEnforceRandomRootPasswordEnvVar/policy.yaml
index 55a7812b..6ca9ae38 100644
--- a/policies/MariaDBEnforceRandomRootPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceRandomRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-random-root-password-env-var
diff --git a/policies/MariaDBEnforceRootPasswordEnvVar/policy.yaml b/policies/MariaDBEnforceRootPasswordEnvVar/policy.yaml
index 4b74c45f..c35ddc9b 100644
--- a/policies/MariaDBEnforceRootPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-root-password-env-var
diff --git a/policies/MariaDBEnforceSkipTzinfoEnvVar/policy.yaml b/policies/MariaDBEnforceSkipTzinfoEnvVar/policy.yaml
index 92f0b512..c1d242d0 100644
--- a/policies/MariaDBEnforceSkipTzinfoEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceSkipTzinfoEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-initdb-skip-tzinfo-env-var
diff --git a/policies/MariaDBEnforceUserEnvVar/policy.yaml b/policies/MariaDBEnforceUserEnvVar/policy.yaml
index 1eb6b450..a5490b38 100644
--- a/policies/MariaDBEnforceUserEnvVar/policy.yaml
+++ b/policies/MariaDBEnforceUserEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-enforce-user-env-var
diff --git a/policies/MariaDBProhibitEmptyPasswordEnvVar/policy.yaml b/policies/MariaDBProhibitEmptyPasswordEnvVar/policy.yaml
index d32704dc..c0f2e291 100644
--- a/policies/MariaDBProhibitEmptyPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBProhibitEmptyPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-prohibit-empty-password-env-var
diff --git a/policies/MariaDBProhibitMysqlEmptyPasswordEnvVar/policy.yaml b/policies/MariaDBProhibitMysqlEmptyPasswordEnvVar/policy.yaml
index 4ad211ce..0f27461a 100644
--- a/policies/MariaDBProhibitMysqlEmptyPasswordEnvVar/policy.yaml
+++ b/policies/MariaDBProhibitMysqlEmptyPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mariadb-prohibit-mysql-empty-password-env-var
diff --git a/policies/MongoDBEnforceDatabaseEnvVar/policy.yaml b/policies/MongoDBEnforceDatabaseEnvVar/policy.yaml
index 216cf561..00852817 100644
--- a/policies/MongoDBEnforceDatabaseEnvVar/policy.yaml
+++ b/policies/MongoDBEnforceDatabaseEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongodb-enforce-database-env-var
diff --git a/policies/MongoDBEnforceRootPasswordEnvVar/policy.yaml b/policies/MongoDBEnforceRootPasswordEnvVar/policy.yaml
index 5bb87e47..d77eed95 100644
--- a/policies/MongoDBEnforceRootPasswordEnvVar/policy.yaml
+++ b/policies/MongoDBEnforceRootPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongodb-enforce-root-password-env-var
diff --git a/policies/MongoDBEnforceRootPasswordFileEnvVar/policy.yaml b/policies/MongoDBEnforceRootPasswordFileEnvVar/policy.yaml
index 38aa0efc..9faee67d 100644
--- a/policies/MongoDBEnforceRootPasswordFileEnvVar/policy.yaml
+++ b/policies/MongoDBEnforceRootPasswordFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongodb-enforce-root-password-file-env-var
diff --git a/policies/MongoDBEnforceRootUsernameEnvVar/policy.yaml b/policies/MongoDBEnforceRootUsernameEnvVar/policy.yaml
index fec7ad3c..5478675b 100644
--- a/policies/MongoDBEnforceRootUsernameEnvVar/policy.yaml
+++ b/policies/MongoDBEnforceRootUsernameEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongodb-enforce-root-username-env-var
diff --git a/policies/MongoDBEnforceRootUsernameFileEnvVar/policy.yaml b/policies/MongoDBEnforceRootUsernameFileEnvVar/policy.yaml
index 1748d4d9..35a5c9ad 100644
--- a/policies/MongoDBEnforceRootUsernameFileEnvVar/policy.yaml
+++ b/policies/MongoDBEnforceRootUsernameFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongodb-enforce-root-username-file-env-var
diff --git a/policies/MongoExpressEnforceAdminPasswordEnvVar/policy.yaml b/policies/MongoExpressEnforceAdminPasswordEnvVar/policy.yaml
index 8546cfd8..d707e363 100644
--- a/policies/MongoExpressEnforceAdminPasswordEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceAdminPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-admin-password-env-var
diff --git a/policies/MongoExpressEnforceAdminUsernameEnvVar/policy.yaml b/policies/MongoExpressEnforceAdminUsernameEnvVar/policy.yaml
index c557129f..ceed2536 100644
--- a/policies/MongoExpressEnforceAdminUsernameEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceAdminUsernameEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-admin-username-env-var
diff --git a/policies/MongoExpressEnforceAuthPasswordEnvVar/policy.yaml b/policies/MongoExpressEnforceAuthPasswordEnvVar/policy.yaml
index 44a88a18..eeb04c04 100644
--- a/policies/MongoExpressEnforceAuthPasswordEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceAuthPasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-auth-password-env-var
diff --git a/policies/MongoExpressEnforceAuthUsernameEnvVar/policy.yaml b/policies/MongoExpressEnforceAuthUsernameEnvVar/policy.yaml
index 4fb2c87f..88de0296 100644
--- a/policies/MongoExpressEnforceAuthUsernameEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceAuthUsernameEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-auth-username-env-var
diff --git a/policies/MongoExpressEnforceBaseURLEnvVar/policy.yaml b/policies/MongoExpressEnforceBaseURLEnvVar/policy.yaml
index 2b381f14..fe923093 100644
--- a/policies/MongoExpressEnforceBaseURLEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceBaseURLEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-base-url-env-var
diff --git a/policies/MongoExpressEnforceCookieSecretEnvVar/policy.yaml b/policies/MongoExpressEnforceCookieSecretEnvVar/policy.yaml
index 80d554e1..ab6f0ba7 100644
--- a/policies/MongoExpressEnforceCookieSecretEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceCookieSecretEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-cookie-secret-env-var
diff --git a/policies/MongoExpressEnforceEditorThemeEnvVar/policy.yaml b/policies/MongoExpressEnforceEditorThemeEnvVar/policy.yaml
index 2f649bcb..05561cb9 100644
--- a/policies/MongoExpressEnforceEditorThemeEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceEditorThemeEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-editor-theme-env-var
diff --git a/policies/MongoExpressEnforceEnableAdminEnvVar/policy.yaml b/policies/MongoExpressEnforceEnableAdminEnvVar/policy.yaml
index 6e719ddb..d9e38f55 100644
--- a/policies/MongoExpressEnforceEnableAdminEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceEnableAdminEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-enable-admin-env-var
diff --git a/policies/MongoExpressEnforceMongoPortEnvVar/policy.yaml b/policies/MongoExpressEnforceMongoPortEnvVar/policy.yaml
index 08b14e05..5fa8bff8 100644
--- a/policies/MongoExpressEnforceMongoPortEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceMongoPortEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-mongodb-port-env-var
diff --git a/policies/MongoExpressEnforceMongoServerEnvVar/policy.yaml b/policies/MongoExpressEnforceMongoServerEnvVar/policy.yaml
index ace7fd8e..7cae0230 100644
--- a/policies/MongoExpressEnforceMongoServerEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceMongoServerEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-mongodb-server-env-var
diff --git a/policies/MongoExpressEnforceRequestSizeEnvVar/policy.yaml b/policies/MongoExpressEnforceRequestSizeEnvVar/policy.yaml
index 256333ca..78c9be6a 100644
--- a/policies/MongoExpressEnforceRequestSizeEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceRequestSizeEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-request-size-env-var
diff --git a/policies/MongoExpressEnforceSSLCrtPathEnvVar/policy.yaml b/policies/MongoExpressEnforceSSLCrtPathEnvVar/policy.yaml
index f71d947c..8b6a0c6c 100644
--- a/policies/MongoExpressEnforceSSLCrtPathEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceSSLCrtPathEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-ssl-crt-path-env-var
diff --git a/policies/MongoExpressEnforceSSLEnabledEnvVar/policy.yaml b/policies/MongoExpressEnforceSSLEnabledEnvVar/policy.yaml
index ce6a6036..093f6c26 100644
--- a/policies/MongoExpressEnforceSSLEnabledEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceSSLEnabledEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-ssl-enabled-env-var
diff --git a/policies/MongoExpressEnforceSSLKeyPathEnvVar/policy.yaml b/policies/MongoExpressEnforceSSLKeyPathEnvVar/policy.yaml
index c3323929..77c9ebbc 100644
--- a/policies/MongoExpressEnforceSSLKeyPathEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceSSLKeyPathEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-ssl-key-path-env-var
diff --git a/policies/MongoExpressEnforceSessionSecretEnvVar/policy.yaml b/policies/MongoExpressEnforceSessionSecretEnvVar/policy.yaml
index 3ff4199c..b342847d 100644
--- a/policies/MongoExpressEnforceSessionSecretEnvVar/policy.yaml
+++ b/policies/MongoExpressEnforceSessionSecretEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.mongo-express-enforce-session-secret-env-var
diff --git a/policies/NamespaceProhibitName/policy.yaml b/policies/NamespaceProhibitName/policy.yaml
index 73e751b4..8b4d9df2 100644
--- a/policies/NamespaceProhibitName/policy.yaml
+++ b/policies/NamespaceProhibitName/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.prohibit-creating-namespace-starting-with-prefix
diff --git a/policies/NetworkPolicyDefaultRulesBlockAllEgress/policy.yaml b/policies/NetworkPolicyDefaultRulesBlockAllEgress/policy.yaml
index 385347eb..9bbdd656 100644
--- a/policies/NetworkPolicyDefaultRulesBlockAllEgress/policy.yaml
+++ b/policies/NetworkPolicyDefaultRulesBlockAllEgress/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.block-all-egress-traffic
diff --git a/policies/NetworkPolicyDefaultRulesBlockAllIngress/policy.yaml b/policies/NetworkPolicyDefaultRulesBlockAllIngress/policy.yaml
index 72b0017a..20a7f2d8 100644
--- a/policies/NetworkPolicyDefaultRulesBlockAllIngress/policy.yaml
+++ b/policies/NetworkPolicyDefaultRulesBlockAllIngress/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.block-all-ingress-traffic
diff --git a/policies/PersistentVolumeReclaimPolicy/policy.yaml b/policies/PersistentVolumeReclaimPolicy/policy.yaml
index 042f12b2..d87e987c 100644
--- a/policies/PersistentVolumeReclaimPolicy/policy.yaml
+++ b/policies/PersistentVolumeReclaimPolicy/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.persistent-volume-reclaim-policy-should-be-set-to-retain
diff --git a/policies/PostgresEnforceAuthMethodEnvVar/policy.yaml b/policies/PostgresEnforceAuthMethodEnvVar/policy.yaml
index b3e02095..60dcff18 100644
--- a/policies/PostgresEnforceAuthMethodEnvVar/policy.yaml
+++ b/policies/PostgresEnforceAuthMethodEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-auth-method-env-var
diff --git a/policies/PostgresEnforceDBEnvVar/policy.yaml b/policies/PostgresEnforceDBEnvVar/policy.yaml
index 71f1558f..3ed4b2c8 100644
--- a/policies/PostgresEnforceDBEnvVar/policy.yaml
+++ b/policies/PostgresEnforceDBEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-db-env-var
diff --git a/policies/PostgresEnforceInitDBArgsEnvVar/policy.yaml b/policies/PostgresEnforceInitDBArgsEnvVar/policy.yaml
index 371f8910..84805768 100644
--- a/policies/PostgresEnforceInitDBArgsEnvVar/policy.yaml
+++ b/policies/PostgresEnforceInitDBArgsEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-initdb-args-env-var
diff --git a/policies/PostgresEnforceInitDBWaldirEnvVar/policy.yaml b/policies/PostgresEnforceInitDBWaldirEnvVar/policy.yaml
index f5ca08ef..1f2b4de6 100644
--- a/policies/PostgresEnforceInitDBWaldirEnvVar/policy.yaml
+++ b/policies/PostgresEnforceInitDBWaldirEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-initdb-waldir-env-var
diff --git a/policies/PostgresEnforcePGDataEnvVar/policy.yaml b/policies/PostgresEnforcePGDataEnvVar/policy.yaml
index c9e1477f..da72af75 100644
--- a/policies/PostgresEnforcePGDataEnvVar/policy.yaml
+++ b/policies/PostgresEnforcePGDataEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-pgdata-env-var
diff --git a/policies/PostgresEnforcePasswordEnvVar/policy.yaml b/policies/PostgresEnforcePasswordEnvVar/policy.yaml
index 318f4ff5..8f865e20 100644
--- a/policies/PostgresEnforcePasswordEnvVar/policy.yaml
+++ b/policies/PostgresEnforcePasswordEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-password-env-var
diff --git a/policies/PostgresEnforceUserEnvVar/policy.yaml b/policies/PostgresEnforceUserEnvVar/policy.yaml
index 7e72ec77..04b76ff1 100644
--- a/policies/PostgresEnforceUserEnvVar/policy.yaml
+++ b/policies/PostgresEnforceUserEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.postgres-enforce-user-env-var
diff --git a/policies/PrometheusRBACClusterRole/policy.yaml b/policies/PrometheusRBACClusterRole/policy.yaml
index 9fc3c20d..be3b7f80 100644
--- a/policies/PrometheusRBACClusterRole/policy.yaml
+++ b/policies/PrometheusRBACClusterRole/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.prometheus-rbac-prohibit-verbs
diff --git a/policies/PrometheusRBACClusterRoleBinding/policy.yaml b/policies/PrometheusRBACClusterRoleBinding/policy.yaml
index 7ed6db0d..4ead28e1 100644
--- a/policies/PrometheusRBACClusterRoleBinding/policy.yaml
+++ b/policies/PrometheusRBACClusterRoleBinding/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.prometheus-clusterrolebinding-has-incorrect-bindings
diff --git a/policies/RBACClusterRoleClusterAdmin/policy.yaml b/policies/RBACClusterRoleClusterAdmin/policy.yaml
index 96354722..ab3fe506 100644
--- a/policies/RBACClusterRoleClusterAdmin/policy.yaml
+++ b/policies/RBACClusterRoleClusterAdmin/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rbac-protect-cluster-admin-clusterrolebindings
diff --git a/policies/RabbitMQEnforceConfigFileEnvVar/policy.yaml b/policies/RabbitMQEnforceConfigFileEnvVar/policy.yaml
index 228c222c..7d89547b 100644
--- a/policies/RabbitMQEnforceConfigFileEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceConfigFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-config-file-env-var
diff --git a/policies/RabbitMQEnforceDefaultPassEnvVar/policy.yaml b/policies/RabbitMQEnforceDefaultPassEnvVar/policy.yaml
index 39b52b3a..78cbe78c 100644
--- a/policies/RabbitMQEnforceDefaultPassEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceDefaultPassEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-default-pass-env-var
diff --git a/policies/RabbitMQEnforceDefaultUserEnvVar/policy.yaml b/policies/RabbitMQEnforceDefaultUserEnvVar/policy.yaml
index bf69410f..ad882748 100644
--- a/policies/RabbitMQEnforceDefaultUserEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceDefaultUserEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-default-user-env-var
diff --git a/policies/RabbitMQEnforceDefaultVHostEnvVar/policy.yaml b/policies/RabbitMQEnforceDefaultVHostEnvVar/policy.yaml
index 2c81e880..19ec5cda 100644
--- a/policies/RabbitMQEnforceDefaultVHostEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceDefaultVHostEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-default-vhost-env-var
diff --git a/policies/RabbitMQEnforceERLArgsEnvVar/policy.yaml b/policies/RabbitMQEnforceERLArgsEnvVar/policy.yaml
index c0a385da..b2174dbf 100644
--- a/policies/RabbitMQEnforceERLArgsEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceERLArgsEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-additional-erl-args-env-var
diff --git a/policies/RabbitMQEnforceEnabledPluginsEnvVar/policy.yaml b/policies/RabbitMQEnforceEnabledPluginsEnvVar/policy.yaml
index 24ebb05c..5351ea1b 100644
--- a/policies/RabbitMQEnforceEnabledPluginsEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceEnabledPluginsEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-enabled-plugins-env-var
diff --git a/policies/RabbitMQEnforceGeneratedConfigDirEnvVar/policy.yaml b/policies/RabbitMQEnforceGeneratedConfigDirEnvVar/policy.yaml
index 37601882..1ac39c38 100644
--- a/policies/RabbitMQEnforceGeneratedConfigDirEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceGeneratedConfigDirEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-generated-config-dir-env-var
diff --git a/policies/RabbitMQEnforceLogBaseEnvVar/policy.yaml b/policies/RabbitMQEnforceLogBaseEnvVar/policy.yaml
index 10b77f0a..e9190a76 100644
--- a/policies/RabbitMQEnforceLogBaseEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceLogBaseEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-log-base-env-var
diff --git a/policies/RabbitMQEnforceLogsEnvVar/policy.yaml b/policies/RabbitMQEnforceLogsEnvVar/policy.yaml
index d83d2032..f4f5a443 100644
--- a/policies/RabbitMQEnforceLogsEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceLogsEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-logs-env-var
diff --git a/policies/RabbitMQEnforceMnesiaBaseEnvVar/policy.yaml b/policies/RabbitMQEnforceMnesiaBaseEnvVar/policy.yaml
index b997ebe4..f02dd73a 100644
--- a/policies/RabbitMQEnforceMnesiaBaseEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceMnesiaBaseEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-mnesia-base-env-var
diff --git a/policies/RabbitMQEnforceMnesiaDirEnvVar/policy.yaml b/policies/RabbitMQEnforceMnesiaDirEnvVar/policy.yaml
index 49c1161f..83f47a83 100644
--- a/policies/RabbitMQEnforceMnesiaDirEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceMnesiaDirEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-mnesia-dir-env-var
diff --git a/policies/RabbitMQEnforcePidFileEnvVar/policy.yaml b/policies/RabbitMQEnforcePidFileEnvVar/policy.yaml
index f7b0b8c0..80bfa06e 100644
--- a/policies/RabbitMQEnforcePidFileEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforcePidFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-pid-file-env-var
diff --git a/policies/RabbitMQEnforcePluginsDirEnvVar/policy.yaml b/policies/RabbitMQEnforcePluginsDirEnvVar/policy.yaml
index 2092021d..d6c47ed2 100644
--- a/policies/RabbitMQEnforcePluginsDirEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforcePluginsDirEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-plugins-dir-env-var
diff --git a/policies/RabbitMQEnforcePluginsExpandDirEnvVar/policy.yaml b/policies/RabbitMQEnforcePluginsExpandDirEnvVar/policy.yaml
index 28e128b5..7b180ea8 100644
--- a/policies/RabbitMQEnforcePluginsExpandDirEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforcePluginsExpandDirEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-plugins-expand-dir-env-var
diff --git a/policies/RabbitMQEnforceSSLCACertFileEnvVar/policy.yaml b/policies/RabbitMQEnforceSSLCACertFileEnvVar/policy.yaml
index 52cc49c7..66173e5a 100644
--- a/policies/RabbitMQEnforceSSLCACertFileEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSSLCACertFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-ssl-ca-cert-file-env-var
diff --git a/policies/RabbitMQEnforceSSLCertFileEnvVar/policy.yaml b/policies/RabbitMQEnforceSSLCertFileEnvVar/policy.yaml
index ce77a39d..4e125f0b 100644
--- a/policies/RabbitMQEnforceSSLCertFileEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSSLCertFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-ssl-cert-file-env-var
diff --git a/policies/RabbitMQEnforceSSLDepthEnvVar/policy.yaml b/policies/RabbitMQEnforceSSLDepthEnvVar/policy.yaml
index 6b92aae4..3590a68c 100644
--- a/policies/RabbitMQEnforceSSLDepthEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSSLDepthEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-ssl-depth-env-var
diff --git a/policies/RabbitMQEnforceSSLFailNoPeerEnvVar/policy.yaml b/policies/RabbitMQEnforceSSLFailNoPeerEnvVar/policy.yaml
index 9e404fe0..033a6e7b 100644
--- a/policies/RabbitMQEnforceSSLFailNoPeerEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSSLFailNoPeerEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-fail-if-no-peer-cert-env-var
diff --git a/policies/RabbitMQEnforceSSLKeyFileEnvVar/policy.yaml b/policies/RabbitMQEnforceSSLKeyFileEnvVar/policy.yaml
index ac8d972f..08675d3b 100644
--- a/policies/RabbitMQEnforceSSLKeyFileEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSSLKeyFileEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-ssl-keyfile-env-var
diff --git a/policies/RabbitMQEnforceSSLVerifyEnvVar/policy.yaml b/policies/RabbitMQEnforceSSLVerifyEnvVar/policy.yaml
index d7bd7dbb..85238c14 100644
--- a/policies/RabbitMQEnforceSSLVerifyEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSSLVerifyEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-ssl-verify-env-var
diff --git a/policies/RabbitMQEnforceSchemaDirEnvVar/policy.yaml b/policies/RabbitMQEnforceSchemaDirEnvVar/policy.yaml
index 0bb5f3ce..db2240c6 100644
--- a/policies/RabbitMQEnforceSchemaDirEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceSchemaDirEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-schema-dir-env-var
diff --git a/policies/RabbitMQEnforceVMMemoryEnvVar/policy.yaml b/policies/RabbitMQEnforceVMMemoryEnvVar/policy.yaml
index 1c9f0fea..bcfa5b55 100644
--- a/policies/RabbitMQEnforceVMMemoryEnvVar/policy.yaml
+++ b/policies/RabbitMQEnforceVMMemoryEnvVar/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.rabbitmq-enforce-vm-memory-env-var
diff --git a/policies/ServiceAccountDisableTokenAutomount/policy.yaml b/policies/ServiceAccountDisableTokenAutomount/policy.yaml
index c230eec6..17d94bc1 100644
--- a/policies/ServiceAccountDisableTokenAutomount/policy.yaml
+++ b/policies/ServiceAccountDisableTokenAutomount/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.disable-service-account-token-automount-in-specific-namespace
diff --git a/policies/ServiceProhibitPortsRange/policy.yaml b/policies/ServiceProhibitPortsRange/policy.yaml
index a62d5318..95c2a7c7 100644
--- a/policies/ServiceProhibitPortsRange/policy.yaml
+++ b/policies/ServiceProhibitPortsRange/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.services-prohibit-ports-range
diff --git a/policies/ServiceProhibitType/policy.yaml b/policies/ServiceProhibitType/policy.yaml
index bff07830..15cfeb48 100644
--- a/policies/ServiceProhibitType/policy.yaml
+++ b/policies/ServiceProhibitType/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.services-prohibit-type
diff --git a/policies/ServiceRestrictProtocols/policy.yaml b/policies/ServiceRestrictProtocols/policy.yaml
index 55b7cdb5..298b7e6d 100644
--- a/policies/ServiceRestrictProtocols/policy.yaml
+++ b/policies/ServiceRestrictProtocols/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: pac.weave.works/v2beta1
+apiVersion: pac.weave.works/v2beta2
 kind: Policy
 metadata:
   name: weave.policies.services-restrict-protocols
diff --git a/policies/datastudio.csv b/policies/datastudio.csv
index b55d0489..8063c004 100644
--- a/policies/datastudio.csv
+++ b/policies/datastudio.csv
@@ -1,127 +1,127 @@
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Running As Root','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_DATABASE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_USER','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Using Hostpath','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SESSIONSECRET','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Read Only Root Filesystem','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_LOGS','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_ENABLED','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_SERVER','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Service','Services Restrict Protocols','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Owner Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Pod','Prohibit Naked Pods From Being Scheduled','False','False','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Host IPC','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD_FILE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_BASEURL','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Part Of Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Process Namespace','False','True','True''False','False','False','False','False','False','False'
 'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SCHEMA_DIR','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.reliability','Deployment,StatefulSet,ReplicaSet,ReplicationController,HorizontalPodAutoscaler','Containers Minimum Replica Count','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_VHOST','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Mounting Docker Socket','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_DB','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_EXPAND_DIR','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','ServiceAccount','Disable ServiceAccount Token Automount In Specific Namespace','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Host PID','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINUSERNAME','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.capacity-management','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Should Not Run On Kubernetes Control Plane Nodes','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_USER','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_PASS','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_INITDB_WALDIR','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - PGDATA','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Block Ssh Port','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Should Not Run In Namespace','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_USER','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Using Hostpath','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Prohibit Environment Variable - MARIADB_ALLOW_EMPTY_PASSWORD','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_USERNAME','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_PID_FILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_DATABASE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.reliability','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Liveness Probe','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_BASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Running As Root','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Version Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Block Workloads Created Without Specifying Namespace','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_COOKIESECRET','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Running In Privileged Mode','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_VERIFY','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_GENERATED_CONFIG_DIR','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Service','Services Prohibit Ports Range','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_RETENTION','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_DIR','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Namespace','Prohibit Creating Namespace Starting With Prefix','False','False','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_REQUEST_SIZE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Running With Unapproved Linux Capabilities','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Host Network','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Controller ServiceAccount Tokens Automount','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_DIR','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_USERNAME','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Block Ports Range','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_DATABASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_CONFIG_FILE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Read Only Root Filesystem','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','ServiceAccount','Disable ServiceAccount Token Automount In Specific Namespace','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_BUCKET','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Block Sysctls','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_LOGS','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_USER','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.software-supply-chain','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Prohibit Image Tag','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_CRT_PATH','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_USER','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_ONETIME_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Enforce Restart Policy','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SESSIONSECRET','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.reliability','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Startup Probe','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Host PID','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_OPTIONS_EDITORTHEME','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_ENABLED_PLUGINS_FILE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Component Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_KEYFILE','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CACERTFILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Using Hostport','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_BASEURL','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.data-protection','PersistentVolume','Persistent Volume Reclaim Policy Should Be Set To Retain','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_COOKIESECRET','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Process Namespace','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_DB','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_DATABASE','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Running With Privilege Escalation','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_CONFIG_FILE','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_VERIFY','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Not Using Runtime Default Seccomp Profile','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINPASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_DATABASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_INITDB_WALDIR','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - PGDATA','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINUSERNAME','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Block Ports Range','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Owner Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Mounting Docker Socket','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.data-protection','PersistentVolume','Persistent Volume Reclaim Policy Should Be Set To Retain','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_DATABASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.reliability','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Readiness Probe','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Service','Services Prohibit Type','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Block Sysctls CVE-2022-0811','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Version Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Service','Services Prohibit Ports Range','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Prohibit Environment Variable - MARIADB_ALLOW_EMPTY_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ORG','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CERTFILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_ENABLED_PLUGINS_FILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_OPTIONS_EDITORTHEME','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Should Not Run In Namespace','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_VM_MEMORY_HIGH_WATERMARK','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.reliability','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Liveness Probe','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_ENABLED','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Managed By Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINPASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_PORT','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Not Using Runtime Default Seccomp Profile','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_INITDB_ARGS','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','ClusterRoleBinding','Rbac Protect Cluster Admin Clusterrolebindings','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Running As User','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_PASS','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_INITDB_SKIP_TZINFO','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Running With Unapproved Linux Capabilities','False','True','True''False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME_FILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','NetworkPolicy','Block All Egress Traffic','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Security Context','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Controller ServiceAccount Tokens Automount','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_HOST_AUTH_METHOD','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','ClusterRoleBinding','Prometheus Clusterrolebinding Has Incorrect Bindings','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_BASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_USERNAME','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.capacity-management','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Should Not Run On Kubernetes Control Plane Nodes','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.software-supply-chain','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Image Pull Policy','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Enforce Restart Policy','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_INITDB_SKIP_TZINFO','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Security Context','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_DIR','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CERTFILE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_PID_FILE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_DATABASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_DATABASE','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_KEY_PATH','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_RANDOM_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Part Of Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_GENERATED_CONFIG_DIR','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Pod','Prohibit Naked Pods From Being Scheduled','False','False','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_VHOST','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Service','Services Restrict Protocols','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Block Ssh Port','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Instance Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Running As User','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Block Sysctls','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.reliability','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Startup Probe','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_USER','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Using Hostport','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ORG','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_LOG_BASE','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.network-security','NetworkPolicy','Block All Ingress Traffic','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_DEPTH','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_USER','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','NetworkPolicy','Block All Egress Traffic','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_DIR','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Created By Label','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Host Network','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','ClusterRole','Prometheus Rbac Prohibit Verbs','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_USER','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.reliability','Deployment,StatefulSet,ReplicaSet,ReplicationController,HorizontalPodAutoscaler','Containers Minimum Replica Count','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.organizational-standards','Namespace','Prohibit Creating Namespace Starting With Prefix','False','False','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Block Workloads Created Without Specifying Namespace','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Managed By Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_KEY_PATH','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Sharing Host IPC','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_VM_MEMORY_HIGH_WATERMARK','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.software-supply-chain','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Container Prohibit Image Tag','False','True','True''False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MYSQL Enforce Environment Variable - MYSQL_ONETIME_PASSWORD','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_CRT_PATH','False','True','False','False','False','False','False','False','False','False'
+'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_SERVER','False','True','False','False','False','False','False','False','False','False'
 'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ENABLE_ADMIN','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MARIADB_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_PORT','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_KEYFILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_BUCKET','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_DEPTH','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD_FILE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_INITDB_ARGS','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Missing Kubernetes App Component Label','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.network-security','Service','Services Prohibit Type','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','ClusterRoleBinding','Rbac Protect Cluster Admin Clusterrolebindings','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','MariaDB Enforce Environment Variable - MYSQL_ROOT_PASSWORD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.access-control','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Postgres Enforce Environment Variable - POSTGRES_HOST_AUTH_METHOD','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_LOG_BASE','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.reliability','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Missing Readiness Probe','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.pod-security','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','Containers Running In Privileged Mode','False','True','True''False','False','False','False','False','False','False'
-'weave.categories.access-control','ClusterRole','Prometheus Rbac Prohibit Verbs','False','True','False','False','False','False','False','False','False','False'
-'weave.categories.organizational-standards','Deployment,Job,ReplicationController,ReplicaSet,DaemonSet,StatefulSet,CronJob','RabbitMQ Enforce Environment Variable - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS','False','True','False','False','False','False','False','False','False','False'
diff --git a/policies/policies.md b/policies/policies.md
index 297e8743..80254142 100644
--- a/policies/policies.md
+++ b/policies/policies.md
@@ -1,21 +1,64 @@
-## Container Running As Root
+## Prohibit Naked Pods From Being Scheduled
 
 ### ID
-weave.policies.container-running-as-root
+weave.policies.prohibit-naked-pods-from-being-scheduled
 
 ### Description
-Running as root gives the container full access to all resources in the VM it is running on. Containers should not run with such access rights unless required by design. This Policy enforces that the `securityContext.runAsNonRoot` attribute is set to `true`. 
+This Policy checks for a `kind` and can prohibit it from being schedule to your cluster. A common example is running "naked" pods. 
 
 
 ### How to solve?
-You should set `securityContext.runAsNonRoot` to `true`. Not setting it will default to giving the container root user rights on the VM that it is running on. 
+Ensure you are not using a kind that is specified within the Policy.
+```
+kind: <kind>
+```
+
+https://kubernetes.io/docs/concepts/configuration/overview/#naked-pods-vs-replicasets-deployments-and-jobs
+
+
+### Category
+weave.categories.organizational-standards
+
+### Severity
+medium
+
+### Targets
+{'kinds': ['Pod']}
+
+### Tags
+['cis-benchmark']
+
+---
+
+## Containers Sharing Host IPC
+
+### ID
+weave.policies.containers-sharing-host-ipc
+
+### Description
+This Policy allows check if sharing host IPC namespace with the container should be allowed or not. Resources that can be shared with the container include:
+
+### hostNetwork
+Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
+
+### hostPID
+Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
+
+### shareProcessNamespace
+When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
+
+### hostIPC
+Controls whether the pod containers can share the host IPC namespace.
+
+
+### How to solve?
+Match the shared resource with either true or false, as set in your constraint. 
 ```
 ...
   spec:
-    securityContext:
-      runAsNonRoot: true
+    <shared_resource>: <resource_enabled>
 ```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
 
 
 ### Category
@@ -28,25 +71,25 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+['nist800-190', 'gdpr', 'default']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MongoDB Enforce Environment Variable - MONGO_INITDB_DATABASE
+## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD_FILE
 
 ### ID
-weave.policies.mongodb-enforce-database-env-var
+weave.policies.mongodb-enforce-root-password-file-env-var
 
 ### Description
-This Policy ensures MONGO_INITDB_DATABASE environment variable are in place when using the official container images from Docker Hub.
-MONGO_INITDB_DATABASE: The MONGO_INITDB_DATABASE environment variable allows you to specify the name of a database to be used for creation scripts.
+This Policy ensures MONGO_INITDB_ROOT_PASSWORD_FILE environment variable are in place when using the official container images from Docker Hub.
+MONGO_INITDB_ROOT_PASSWORD_FILE: The MONGO_INITDB_ROOT_PASSWORD_FILE environment variable is an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MONGO_INITDB_DATABASE environment variables is set.
+If you encounter a violation, ensure the MONGO_INITDB_ROOT_PASSWORD_FILE environment variables is set.
 For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
@@ -59,28 +102,31 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'mitre-attack', 'hipaa']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_USER
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_BASEURL
 
 ### ID
-weave.policies.rabbitmq-enforce-default-user-env-var
+weave.policies.mongo-express-enforce-base-url-env-var
 
 ### Description
-This Policy ensures RABBITMQ_DEFAULT_USER environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_DEFAULT_USER: The RABBITMQ_DEFAULT_USER environment variable sets the User name to create when RabbitMQ creates a new database from scratch.
+This Policy ensures ME_CONFIG_SITE_BASEURL environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_SITE_BASEURL: The ME_CONFIG_SITE_BASEURL environment variable sets the baseUrl to ease mounting at a subdirectory. Remember to include a leading and trailing slash.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_DEFAULT_USER environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the ME_CONFIG_SITE_BASEURL environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -89,66 +135,109 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'hipaa', 'gdpr']
+['pci-dss']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD
+## Missing Kubernetes App Part Of Label
 
 ### ID
-weave.policies.mysql-prohibit-empty-password-env-var
+weave.policies.missing-kubernetes-app-part-of-label
 
 ### Description
-This Policy ensures MYSQL_ALLOW_EMPTY_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_ALLOW_EMPTY_PASSWORD: MYSQL_ALLOW_EMPTY_PASSWORD set to true will allow the container to be started with a blank password for the root user
+Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
+
+### owner
+A label key of `owner` will help identify who the owner of this entity is. 
+
+### app.kubernetes.io/name
+The name of the application	
+
+### app.kubernetes.io/instance
+A unique name identifying the instance of an application	  
+
+### app.kubernetes.io/version
+The current version of the application (e.g., a semantic version, revision hash, etc.)
+
+### app.kubernetes.io/part-of
+The name of a higher level application this one is part of	
+
+### app.kubernetes.io/managed-by
+The tool being used to manage the operation of an application	
+
+### app.kubernetes.io/created-by
+The controller/user who created this resource	
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_ALLOW_EMPTY_PASSWORD environment variables is set.
-For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
+Add these custom labels to `metadata`.
+* owner
+* app.kubernetes.io/name
+* app.kubernetes.io/instance
+* app.kubernetes.io/version
+* app.kubernetes.io/name
+* app.kubernetes.io/part-of
+* app.kubernetes.io/managed-by
+* app.kubernetes.io/created-by
+
+```
+metadata:
+  labels:
+    <label>: value
+```  
+For additional information, please check
+* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
-high
+low
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'hipaa']
+[]
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Using Hostpath
+## Containers Sharing Process Namespace
 
 ### ID
-weave.policies.containers-using-hostpath
+weave.policies.containers-sharing-process-namespace
 
 ### Description
-This Policy checks for containers that are trying to use HostPath. 
+This Policy allows check if sharing process namespace with other containers in the pod should be allowed or not. Resources that can be shared with the container include:
 
-A `hostPath` volume mounts a file or directory from the host node's filesystem into your Pod. This is not something that most Pods will need, but it offers a powerful escape hatch for some applications.
+### hostNetwork
+Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
+
+### hostPID
+Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
+
+### shareProcessNamespace
+When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
+
+### hostIPC
+Controls whether the pod containers can share the host IPC namespace.
 
 
 ### How to solve?
-Using HostPath could allow mounting the entire host’s filesystem into your pod, giving you read/write access on the host’s filesystem. This leaves your cluster vulnerable to escape Kubernetes constraints and access components at the Node (OS) level. 
+Match the shared resource with either true or false, as set in your constraint. 
 ```
 ...
   spec:
-    template:
-      spec:
-        volumes:
-          - hostPath:
+    <shared_resource>: <resource_enabled>
 ```
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
 
 
 ### Category
@@ -161,30 +250,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['mitre-attack', 'nist800-190', 'gdpr', 'default']
+['nist800-190', 'gdpr', 'default']
 
 ### Parameters
-[{'name': 'hostpath_key', 'type': 'string', 'required': True, 'value': 'hostPath'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SESSIONSECRET
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SCHEMA_DIR
 
 ### ID
-weave.policies.mongo-express-enforce-session-secret-env-var
+weave.policies.rabbitmq-enforce-schema-dir-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_SITE_SESSIONSECRET environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_SITE_SESSIONSECRET: The ME_CONFIG_SITE_SESSIONSECRET environment variable is used to sign the session ID cookie by [express-session middleware](https://www.npmjs.com/package/express-session).
+This Policy ensures RABBITMQ_SCHEMA_DIR environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SCHEMA_DIR: The directory where RabbitMQ keeps its configuration schema used by the new style configuration file.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_SITE_SESSIONSECRET environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the RABBITMQ_SCHEMA_DIR environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -192,31 +281,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_PASSWORD
+## Postgres Enforce Environment Variable - POSTGRES_DB
 
 ### ID
-weave.policies.mysql-enforce-password-env-var
+weave.policies.postgres-enforce-db-env-var
 
 ### Description
-This Policy ensures MYSQL_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_PASSWORD: The MYSQL_PASSWORD environment variable specifies a password for MYSQL_USER user. 
+This Policy ensures POSTGRES_DB environment variable are in place when using the official container images from Docker Hub.
+POSTGRES_DB: The POSTGRES_DB environment variable defines a different name for the default database that is created when the image is first started. If it is not specified, then the value of POSTGRES_USER will be used.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_PASSWORD environment variables is set.
-For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
+If you encounter a violation, ensure the POSTGRES_DB environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -224,40 +310,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Read Only Root Filesystem
+## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD
 
 ### ID
-weave.policies.containers-read-only-root-filesystem
+weave.policies.mongodb-enforce-root-password-env-var
 
 ### Description
-This Policy will cause a violation if the root file system is not mounted as specified. As a security practice, the root file system should be read-only or expose risk to your nodes if compromised. 
-
-This Policy requires containers must run with a read-only root filesystem (i.e. no writable layer).
+This Policy ensures MONGO_INITDB_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MONGO_INITDB_ROOT_PASSWORD: The MONGO_INITDB_ROOT_PASSWORD environment variable sets the MongoDB root user password.
 
 
 ### How to solve?
-Set `readOnlyRootFilesystem` in your `securityContext` to the value specified in the Policy. 
-```
-...
-  spec:
-    containers:
-      - securityContext:
-          readOnlyRootFilesystem: <read_only>
-```
-
-https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+If you encounter a violation, ensure the MONGO_INITDB_ROOT_PASSWORD environment variables is set.
+For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -266,25 +340,25 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['mitre-attack', 'nist800-190']
+['pci-dss', 'mitre-attack', 'hipaa']
 
 ### Parameters
-[{'name': 'read_only', 'type': 'boolean', 'required': True, 'value': True}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_LOGS
+## RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_EXPAND_DIR
 
 ### ID
-weave.policies.rabbitmq-enforce-logs-env-var
+weave.policies.rabbitmq-enforce-plugins-expand-dir-env-var
 
 ### Description
-This Policy ensures RABBITMQ_LOGS environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_LOGS: The path of the RabbitMQ server's Erlang log file. This variable cannot be overridden on Windows.
+This Policy ensures RABBITMQ_PLUGINS_EXPAND_DIR environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_PLUGINS_EXPAND_DIR: Working directory used to expand enabled plugins when starting the server. It is important that effective RabbitMQ user has sufficient permissions to read and create files and subdirectories in this directory.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_LOGS environment variables is set.
+If you encounter a violation, ensure the RABBITMQ_PLUGINS_EXPAND_DIR environment variables is set.
 For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
@@ -302,23 +376,24 @@ high
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_ENABLED
+## Postgres Enforce Environment Variable - POSTGRES_USER
 
 ### ID
-weave.policies.mongo-express-enforce-ssl-enabled-env-var
+weave.policies.postgres-enforce-user-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_SITE_SSL_ENABLED environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_SITE_SSL_ENABLED: The ME_CONFIG_SITE_SSL_ENABLED environment variable enables SSL.
+This Policy ensures POSTGRES_USER environment variable are in place when using the official container images from Docker Hub.
+POSTGRES_USER: The POSTGRES_USER environment variable is used in conjunction with POSTGRES_PASSWORD to set a user and its password. This variable will create the specified user with superuser power and a database with the same name. If it is not specified, then the default user of postgres will be used.
+Be aware that if this parameter is specified, PostgreSQL will still show The files belonging to this database system will be owned by user "postgres" during initialization. This refers to the Linux system user (from /etc/passwd in the image) that the postgres daemon runs as, and as such is unrelated to the POSTGRES_USER option. See the section titled "Arbitrary --user Notes" for more details.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_SITE_SSL_ENABLED environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
-
+If you encounter a violation, ensure the POSTGRES_USER environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+
 
 ### Category
-weave.categories.network-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -327,26 +402,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_SERVER
+## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME
 
 ### ID
-weave.policies.mongo-express-enforce-mongodb-server-env-var
+weave.policies.mongodb-enforce-root-username-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_MONGODB_SERVER environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_MONGODB_SERVER: The ME_CONFIG_MONGODB_SERVER environment variable sets the MongoDB container name. Use comma delimited list of host names for replica sets.
+This Policy ensures MONGO_INITDB_ROOT_USERNAME environment variable are in place when using the official container images from Docker Hub.
+MONGO_INITDB_ROOT_USERNAME: The MONGO_INITDB_ROOT_USERNAME environment variable sets the MongoDB root user name.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_MONGODB_SERVER environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the MONGO_INITDB_ROOT_USERNAME environment variables is set.
+For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
@@ -359,128 +434,95 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'mitre-attack', 'hipaa']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Services Restrict Protocols
+## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN
 
 ### ID
-weave.policies.services-restrict-protocols
+weave.policies.influxdb-enforce-admin-token-env-var
 
 ### Description
-This Policy specifies what protocols should set for your Service. Any protocol not listed in this Policy will be in violation. 
+This Policy ensures DOCKER_INFLUXDB_INIT_ADMIN_TOKEN environment variable are in place when using the official container images from Docker Hub.
+DOCKER_INFLUXDB_INIT_ADMIN_TOKEN: The authentication token to associate with the system's initial super-user. If not set, a token will be auto-generated by the system.
 
 
 ### How to solve?
-Use a protocol that is specified in the Policy. 
-```
-spec:
-  ports:
-    - protocol: <protocols>
-```
+If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_ADMIN_TOKEN environment variables is set.
+For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
 high
 
 ### Targets
-{'kinds': ['Service']}
-
-### Tags
-['pci-dss', 'soc2-type1']
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Parameters
-[{'name': 'protocols', 'type': 'string', 'required': True, 'value': 'HTTPS'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Owner Label
+## Containers Using Hostpath
 
 ### ID
-weave.policies.missing-owner-label
+weave.policies.containers-using-hostpath
 
 ### Description
-Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
-
-### owner
-A label key of `owner` will help identify who the owner of this entity is. 
-
-### app.kubernetes.io/name
-The name of the application	
-
-### app.kubernetes.io/instance
-A unique name identifying the instance of an application	  
-
-### app.kubernetes.io/version
-The current version of the application (e.g., a semantic version, revision hash, etc.)
-
-### app.kubernetes.io/part-of
-The name of a higher level application this one is part of	
-
-### app.kubernetes.io/managed-by
-The tool being used to manage the operation of an application	
+This Policy checks for containers that are trying to use HostPath. 
 
-### app.kubernetes.io/created-by
-The controller/user who created this resource	
+A `hostPath` volume mounts a file or directory from the host node's filesystem into your Pod. This is not something that most Pods will need, but it offers a powerful escape hatch for some applications.
 
 
 ### How to solve?
-Add these custom labels to `metadata`.
-* owner
-* app.kubernetes.io/name
-* app.kubernetes.io/instance
-* app.kubernetes.io/version
-* app.kubernetes.io/name
-* app.kubernetes.io/part-of
-* app.kubernetes.io/managed-by
-* app.kubernetes.io/created-by
-
+Using HostPath could allow mounting the entire host’s filesystem into your pod, giving you read/write access on the host’s filesystem. This leaves your cluster vulnerable to escape Kubernetes constraints and access components at the Node (OS) level. 
+```
+...
+  spec:
+    template:
+      spec:
+        volumes:
+          - hostPath:
 ```
-metadata:
-  labels:
-    <label>: value
-```  
-For additional information, please check
-* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.pod-security
 
 ### Severity
-low
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['mitre-attack', 'nist800-190', 'gdpr', 'default']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'hostpath_key', 'type': 'string', 'required': True, 'value': 'hostPath'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_PASSWORD
+## MariaDB Prohibit Environment Variable - MARIADB_ALLOW_EMPTY_PASSWORD
 
 ### ID
-weave.policies.mongo-express-enforce-auth-password-env-var
+weave.policies.mariadb-prohibit-empty-password-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_BASICAUTH_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_BASICAUTH_PASSWORD: The ME_CONFIG_BASICAUTH_PASSWORD environment variable sets the mongo-express web password.
+This Policy ensures MARIADB_ALLOW_EMPTY_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MARIADB_ALLOW_EMPTY_PASSWORD: MARIADB_ALLOW_EMPTY_PASSWORD set to true will allow the container to be started with a blank password for the root user
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_BASICAUTH_PASSWORD environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the MARIADB_ALLOW_EMPTY_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
@@ -493,30 +535,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SCHEMA_DIR
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_USERNAME
 
 ### ID
-weave.policies.rabbitmq-enforce-schema-dir-env-var
+weave.policies.mongo-express-enforce-auth-username-env-var
 
 ### Description
-This Policy ensures RABBITMQ_SCHEMA_DIR environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SCHEMA_DIR: The directory where RabbitMQ keeps its configuration schema used by the new style configuration file.
+This Policy ensures ME_CONFIG_BASICAUTH_USERNAME environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_BASICAUTH_USERNAME: The ME_CONFIG_BASICAUTH_USERNAME environment variable sets the mongo-express web username.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SCHEMA_DIR environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the ME_CONFIG_BASICAUTH_USERNAME environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -524,63 +566,60 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'mitre-attack', 'hipaa']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Minimum Replica Count
+## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_PASSWORD
 
 ### ID
-weave.policies.containers-minimum-replica-count
+weave.policies.influxdb-enforce-password-env-var
 
 ### Description
-Use this Policy to to check the replica count of your workloads. The value set in the Policy is greater than or equal to the amount desired, so if the replica count is lower than what is specified, the Policy will be in violation. 
+This Policy ensures DOCKER_INFLUXDB_INIT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+DOCKER_INFLUXDB_INIT_PASSWORD: The password to set for the system's initial super-user (Required).
 
 
 ### How to solve?
-The replica count should be a value equal or greater than what is set in the Policy.
-```
-spec:
-  replicas: <replica_count>
-```
-https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment
+If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_PASSWORD environment variables is set.
+For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
 
 
 ### Category
-weave.categories.reliability
+weave.categories.organizational-standards
 
 ### Severity
-medium
+high
 
 ### Targets
-{'kinds': ['Deployment', 'StatefulSet', 'ReplicaSet', 'ReplicationController', 'HorizontalPodAutoscaler']}
-
-### Tags
-['soc2-type1']
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Parameters
-[{'name': 'replica_count', 'type': 'integer', 'required': True, 'value': 2}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_VHOST
+## RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_BASE
 
 ### ID
-weave.policies.rabbitmq-enforce-default-vhost-env-var
+weave.policies.rabbitmq-enforce-mnesia-base-env-var
 
 ### Description
-This Policy ensures RABBITMQ_DEFAULT_VHOST environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_DEFAULT_VHOST: RABBITMQ_DEFAULT_VHOST sets a Virtual host to create from scratch.
+This Policy ensures RABBITMQ_MNESIA_BASE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_MNESIA_BASE: This base directory contains sub-directories for the RabbitMQ server's node database, message store and cluster state files, one for each node, unless RABBITMQ_MNESIA_DIR is set explicitly. It is important that effective RabbitMQ user has sufficient permissions to read, write and create files and subdirectories in this directory at any time. This variable is typically not overridden. Usually RABBITMQ_MNESIA_DIR is overridden instead.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_DEFAULT_VHOST environment variables is set.
+If you encounter a violation, ensure the RABBITMQ_MNESIA_BASE environment variables is set.
 For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -593,28 +632,24 @@ high
 
 ---
 
-## Containers Mounting Docker Socket
+## Container Running As Root
 
 ### ID
-weave.policies.containers-mounting-docker-socket
+weave.policies.container-running-as-root
 
 ### Description
-This Policy checks the mounting of the `docker.sock` socket of the node into the container. The docker socket filename can be altered based on your configuration. The full path is unnecessary as the Policy accounts for any path.  
+Running as root gives the container full access to all resources in the VM it is running on. Containers should not run with such access rights unless required by design. This Policy enforces that the `securityContext.runAsNonRoot` attribute is set to `true`. 
 
 
 ### How to solve?
-Ensure workloads aren't mounting the `docker.sock` (or other configured socket name) in order to avoid a violation. 
+You should set `securityContext.runAsNonRoot` to `true`. Not setting it will default to giving the container root user rights on the VM that it is running on. 
 ```
 ...
   spec:
-    template:
-      spec:
-        volumes:
-          - name: docker-sock
-            hostPath:
-              path: "<path>/<this value>"
-              type: File
+    securityContext:
+      runAsNonRoot: true
 ```
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
@@ -627,133 +662,132 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['nist800-190', 'gdpr', 'default']
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
 
 ### Parameters
-[{'name': 'docker_sock', 'type': 'string', 'required': True, 'value': 'docker.sock'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Postgres Enforce Environment Variable - POSTGRES_PASSWORD
+## Missing Kubernetes App Version Label
 
 ### ID
-weave.policies.postgres-enforce-password-env-var
+weave.policies.missing-kubernetes-app-version-label
 
 ### Description
-This Policy ensures POSTGRES_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-POSTGRES_PASSWORD:   The POSTGRES_PASSWORD environment variable is required for you to use the PostgreSQL image. It must not be empty or undefined. This environment variable sets the superuser password for PostgreSQL. The default superuser is defined by the POSTGRES_USER environment variable.
+Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
+
+### owner
+A label key of `owner` will help identify who the owner of this entity is. 
+
+### app.kubernetes.io/name
+The name of the application	
+
+### app.kubernetes.io/instance
+A unique name identifying the instance of an application	  
+
+### app.kubernetes.io/version
+The current version of the application (e.g., a semantic version, revision hash, etc.)
+
+### app.kubernetes.io/part-of
+The name of a higher level application this one is part of	
+
+### app.kubernetes.io/managed-by
+The tool being used to manage the operation of an application	
+
+### app.kubernetes.io/created-by
+The controller/user who created this resource	
 
 
 ### How to solve?
-If you encounter a violation, ensure the POSTGRES_PASSWORD environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+Add these custom labels to `metadata`.
+* owner
+* app.kubernetes.io/name
+* app.kubernetes.io/instance
+* app.kubernetes.io/version
+* app.kubernetes.io/part-of
+* app.kubernetes.io/component
+* app.kubernetes.io/managed-by
+* app.kubernetes.io/created-by
+
+```
+metadata:
+  labels:
+    <label>: value
+```  
+For additional information, please check
+* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
-high
+low
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+[]
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_EXPAND_DIR
+## Block Workloads Created Without Specifying Namespace
 
 ### ID
-weave.policies.rabbitmq-enforce-plugins-expand-dir-env-var
+weave.policies.block-workloads-created-without-specifying-namespace
 
 ### Description
-This Policy ensures RABBITMQ_PLUGINS_EXPAND_DIR environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_PLUGINS_EXPAND_DIR: Working directory used to expand enabled plugins when starting the server. It is important that effective RabbitMQ user has sufficient permissions to read and create files and subdirectories in this directory.
+Using this Policy, you can prohibit workloads from being created in a default namespace due to the lack of a namespace label. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_PLUGINS_EXPAND_DIR environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
-
-
-### Category
-weave.categories.organizational-standards
-
-### Severity
-high
-
-### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
-
-### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
-
----
-
-## Disable ServiceAccount Token Automount In Specific Namespace
-
-### ID
-weave.policies.disable-service-account-token-automount-in-specific-namespace
-
-### Description
-This Policy allows you to enforce the enabling or disabling the automounting of service account tokens. 
-
-When a pod is created without a service account defined, the default service account within the same namespace will be assigned automatically. 
-
-This is a security concern because a kubernetes client can load a container's service account token. With that token a compromoised contaienr can then access the Kubernetes API to perform actions such as creating and deleting pods.
-
-In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account.
-
-
-### How to solve?
-Add the key:value pair `automountServiceAccountToken: false` to your Service Account declaration. 
+Specify a `namespace` label. 
 ```
-kind: ServiceAccount
-automountServiceAccountToken: false
+metadata:
+  namespace:
 ```
-
-https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#understanding-the-motivation-for-using-namespaces
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
-high
+low
 
 ### Targets
-{'kinds': ['ServiceAccount']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'hipaa', 'gdpr', 'default', 'soc2-type1']
+[]
 
 ### Parameters
-[{'name': 'automount', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'namespace', 'type': 'string', 'required': True, 'value': 'default'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_COOKIESECRET
 
 ### ID
-weave.policies.mariadb-enforce-mysql-initdb-skip-tzinfo-env-var
+weave.policies.mongo-express-enforce-cookie-secret-env-var
 
 ### Description
-This Policy ensures MYSQL_INITDB_SKIP_TZINFO environment variable are in place when using the official container images from Docker Hub.
-MYSQL_INITDB_SKIP_TZINFO:   The MYSQL_INITDB_SKIP_TZINFO environment variable allows the skipping of timezone checking when initializing the DB.
+This Policy ensures ME_CONFIG_SITE_COOKIESECRET environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_SITE_COOKIESECRET: The ME_CONFIG_SITE_COOKIESECRET environment variable is used by [cookie-parser middleware](https://www.npmjs.com/package/cookie-parser) to sign cookies.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_INITDB_SKIP_TZINFO environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the ME_CONFIG_SITE_COOKIESECRET environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -762,42 +796,34 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['pci-dss']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Sharing Host PID
+## Containers Running In Privileged Mode
 
 ### ID
-weave.policies.containers-sharing-host-pid
+weave.policies.containers-running-in-privileged-mode
 
 ### Description
-This Policy allows check if sharing host PID namespace with the container should be allowed or not. Resources that can be shared with the container include:
-
-### hostNetwork
-Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
-
-### hostPID
-Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
-
-### shareProcessNamespace
-When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
+This Policy reports if containers are running in privileged mode. A privileged container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host.
 
-### hostIPC
-Controls whether the pod containers can share the host IPC namespace.
+By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. This is useful for containers that want to use linux capabilities like manipulating the network stack and accessing devices.
 
 
 ### How to solve?
-Match the shared resource with either true or false, as set in your constraint. 
+Look at the following path to see what the settings are. 
 ```
 ...
   spec:
-    <shared_resource>: <resource_enabled>
+    containers:
+    - securityContext:
+        privileged: <privilege>
 ```
-https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
@@ -810,30 +836,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['cis-benchmark', 'nist800-190', 'gdpr', 'default']
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1', 'default']
 
 ### Parameters
-[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'privilege', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINUSERNAME
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_VERIFY
 
 ### ID
-weave.policies.mongo-express-enforce-admin-username-env-var
+weave.policies.rabbitmq-enforce-ssl-verify-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_MONGODB_ADMINUSERNAME environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_MONGODB_ADMINUSERNAME: The ME_CONFIG_MONGODB_ADMINUSERNAME environment variable sets the MongoDB admin username.
+This Policy ensures RABBITMQ_SSL_VERIFY environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SSL_VERIFY: The RABBITMQ_SSL_VERIFY enables peer verification. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_MONGODB_ADMINUSERNAME environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the RABBITMQ_SSL_VERIFY environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -841,102 +867,92 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Should Not Run On Kubernetes Control Plane Nodes
+## RabbitMQ Enforce Environment Variable - RABBITMQ_GENERATED_CONFIG_DIR
 
 ### ID
-weave.policies.containers-should-not-run-on-kubernetes-control-plane-nodes
+weave.policies.rabbitmq-enforce-generated-config-dir-env-var
 
 ### Description
-Tolerations specified in the Policies for this template should not have any workloads scheduled on them. A common use case is the Kubernetes master. 
+This Policy ensures RABBITMQ_GENERATED_CONFIG_DIR environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_GENERATED_CONFIG_DIR: The directory where RabbitMQ writes its generated configuration files.
 
 
 ### How to solve?
-Check your tolerations against the Policy. 
-```
-...
-  spec:
-    tolerations:
-    - key: <toleration_key>
-```
-
-https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+If you encounter a violation, ensure the RABBITMQ_GENERATED_CONFIG_DIR environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.capacity-management
+weave.categories.organizational-standards
 
 ### Severity
-medium
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['soc2-type1']
-
 ### Parameters
-[{'name': 'toleration_key', 'type': 'string', 'required': True, 'value': 'node-role.kubernetes.io/master'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Postgres Enforce Environment Variable - POSTGRES_USER
+## Services Prohibit Ports Range
 
 ### ID
-weave.policies.postgres-enforce-user-env-var
+weave.policies.services-prohibit-ports-range
 
 ### Description
-This Policy ensures POSTGRES_USER environment variable are in place when using the official container images from Docker Hub.
-POSTGRES_USER: The POSTGRES_USER environment variable is used in conjunction with POSTGRES_PASSWORD to set a user and its password. This variable will create the specified user with superuser power and a database with the same name. If it is not specified, then the default user of postgres will be used.
-Be aware that if this parameter is specified, PostgreSQL will still show The files belonging to this database system will be owned by user "postgres" during initialization. This refers to the Linux system user (from /etc/passwd in the image) that the postgres daemon runs as, and as such is unrelated to the POSTGRES_USER option. See the section titled "Arbitrary --user Notes" for more details.
+This Policy checks if ports allocated for your services are using a number that is less than the specified value. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the POSTGRES_USER environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+Use a port that is greater than or equal to what is specified in the Policy. 
+```
+spec:
+  ports:
+    - targetPort: <target_port>
+```
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['Service']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['pci-dss']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'target_port', 'type': 'integer', 'required': True, 'value': 1024}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MYSQL_PASSWORD
+## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_RETENTION
 
 ### ID
-weave.policies.mariadb-enforce-mysql-password-env-var
+weave.policies.influxdb-enforce-retention-env-var
 
 ### Description
-This Policy ensures MYSQL_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_PASSWORD: The MYSQL_PASSWORD environment variable specifies a password for MARIADB_USER user.
+This Policy ensures DOCKER_INFLUXDB_INIT_RETENTION environment variable are in place when using the official container images from Docker Hub.
+DOCKER_INFLUXDB_INIT_RETENTION: The duration the system's initial bucket should retain data. If not set, the initial bucket will retain data forever.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_RETENTION environment variables is set.
+For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -944,27 +960,24 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_PASS
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_REQUEST_SIZE
 
 ### ID
-weave.policies.rabbitmq-enforce-default-pass-env-var
+weave.policies.mongo-express-enforce-request-size-env-var
 
 ### Description
-This Policy ensures RABBITMQ_DEFAULT_PASS environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_DEFAULT_PASS: The RABBITMQ_DEFAULT_PASS environment variable sets the password for the default user.
+This Policy ensures ME_CONFIG_REQUEST_SIZE environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_REQUEST_SIZE: The ME_CONFIG_REQUEST_SIZE environment variable sets the maximum payload size. CRUD operations above this size will fail in [body-parser](https://www.npmjs.com/package/body-parser).
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_DEFAULT_PASS environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the ME_CONFIG_REQUEST_SIZE environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
@@ -977,26 +990,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'hipaa', 'gdpr']
+['pci-dss']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Postgres Enforce Environment Variable - POSTGRES_INITDB_WALDIR
+## MYSQL Enforce Environment Variable - MYSQL_DATABASE
 
 ### ID
-weave.policies.postgres-enforce-initdb-waldir-env-var
+weave.policies.mysql-enforce-database-env-var
 
 ### Description
-This Policy ensures POSTGRES_INITDB_WALDIR environment variable are in place when using the official container images from Docker Hub.
-POSTGRES_INITDB_WALDIR: The POSTGRES_INITDB_WALDIR environment variable is used to define another location for the Postgres transaction log. By default the transaction log is stored in a subdirectory of the main Postgres data folder (PGDATA). 
+This Policy ensures MYSQL_DATABASE environment variable are in place when using the official container images from Docker Hub.
+MYSQL_DATABASE: The MYSQL_DATABASE environment variable sets a default MySQL database instance up with the name of that DB being the value of  environment variable. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the POSTGRES_INITDB_WALDIR environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+If you encounter a violation, ensure the MYSQL_DATABASE environment variables is set.
+For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
@@ -1013,19 +1026,19 @@ high
 
 ---
 
-## Postgres Enforce Environment Variable - PGDATA
+## RabbitMQ Enforce Environment Variable - RABBITMQ_CONFIG_FILE
 
 ### ID
-weave.policies.postgres-enforce-pgdata-env-var
+weave.policies.rabbitmq-enforce-config-file-env-var
 
 ### Description
-This Policy ensures PGDATA environment variable are in place when using the official container images from Docker Hub.
-PGDATA: The PGDATA environment variable is used to define another location - like a subdirectory - for the database files. The default is /var/lib/postgresql/data. If the data volume you're using is a filesystem mountpoint (like with GCE persistent disks) or remote folder that cannot be chowned to the postgres user (like some NFS mounts), Postgres initdb recommends a subdirectory be created to contain the data.
+This Policy ensures RABBITMQ_CONFIG_FILE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_CONFIG_FILE: The path to the configuration file, without the .config extension. If the configuration file is present it is used by the server to configure RabbitMQ components. See Configuration guide for more information.
 
 
 ### How to solve?
-If you encounter a violation, ensure the PGDATA environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+If you encounter a violation, ensure the RABBITMQ_CONFIG_FILE environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
@@ -1042,28 +1055,32 @@ high
 
 ---
 
-## Containers Block Ssh Port
+## Containers Read Only Root Filesystem
 
 ### ID
-weave.policies.containers-block-ssh-port
+weave.policies.containers-read-only-root-filesystem
 
 ### Description
-This Policy checks if the container is exposing ssh port.
+This Policy will cause a violation if the root file system is not mounted as specified. As a security practice, the root file system should be read-only or expose risk to your nodes if compromised. 
+
+This Policy requires containers must run with a read-only root filesystem (i.e. no writable layer).
 
 
 ### How to solve?
-Make sure you are not exposing ssh port on containers.
+Set `readOnlyRootFilesystem` in your `securityContext` to the value specified in the Policy. 
 ```
 ...
   spec:
     containers:
-      ports:
-      - containerPort: <port>
+      - securityContext:
+          readOnlyRootFilesystem: <read_only>
 ```
 
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+
 
 ### Category
-weave.categories.network-security
+weave.categories.pod-security
 
 ### Severity
 high
@@ -1072,61 +1089,67 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['mitre-attack', 'nist800-190']
 
 ### Parameters
-[{'name': 'container_port', 'type': 'integer', 'required': True, 'value': 22}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'read_only', 'type': 'boolean', 'required': True, 'value': True}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Should Not Run In Namespace
+## Disable ServiceAccount Token Automount In Specific Namespace
 
 ### ID
-weave.policies.containers-should-not-run-in-namespace
+weave.policies.disable-service-account-token-automount-in-specific-namespace
 
 ### Description
-This Policy ensure workloads are not running in a specified namespace. 
+This Policy allows you to enforce the enabling or disabling the automounting of service account tokens. 
+
+When a pod is created without a service account defined, the default service account within the same namespace will be assigned automatically. 
+
+This is a security concern because a kubernetes client can load a container's service account token. With that token a compromoised contaienr can then access the Kubernetes API to perform actions such as creating and deleting pods.
+
+In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account.
 
 
 ### How to solve?
-Use a `namespace` that differs from the one specified in the Policy. 
+Add the key:value pair `automountServiceAccountToken: false` to your Service Account declaration. 
 ```
-metadata:
-  namespace: <custom_namespace>
+kind: ServiceAccount
+automountServiceAccountToken: false
 ```
 
-https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
-low
+high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['ServiceAccount']}
 
 ### Tags
-['cis-benchmark', 'soc2-type1']
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'hipaa', 'gdpr', 'default', 'soc2-type1']
 
 ### Parameters
-[{'name': 'custom_namespace', 'type': 'string', 'required': True, 'value': 'default'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'automount', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'namespace', 'type': 'string', 'required': True, 'value': 'default'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_USER
+## MYSQL Enforce Environment Variable - MYSQL_PASSWORD
 
 ### ID
-weave.policies.mysql-enforce-user-env-var
+weave.policies.mysql-enforce-password-env-var
 
 ### Description
-This Policy ensures MYSQL_USER environment variable are in place when using the official container images from Docker Hub.
-MYSQL_USER: The MYSQL_USER environment variable sets up a superuser with the same name. 
+This Policy ensures MYSQL_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_PASSWORD: The MYSQL_PASSWORD environment variable specifies a password for MYSQL_USER user. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_USER environment variables is set.
+If you encounter a violation, ensure the MYSQL_PASSWORD environment variables is set.
 For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
@@ -1147,48 +1170,19 @@ high
 
 ---
 
-## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN
-
-### ID
-weave.policies.influxdb-enforce-admin-token-env-var
-
-### Description
-This Policy ensures DOCKER_INFLUXDB_INIT_ADMIN_TOKEN environment variable are in place when using the official container images from Docker Hub.
-DOCKER_INFLUXDB_INIT_ADMIN_TOKEN: The authentication token to associate with the system's initial super-user. If not set, a token will be auto-generated by the system.
-
-
-### How to solve?
-If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_ADMIN_TOKEN environment variables is set.
-For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
-
-
-### Category
-weave.categories.organizational-standards
-
-### Severity
-high
-
-### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
-
-### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
-
----
-
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_USERNAME
+## MariaDB Enforce Environment Variable - MARIADB_PASSWORD
 
 ### ID
-weave.policies.mongo-express-enforce-auth-username-env-var
+weave.policies.mariadb-enforce-password-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_BASICAUTH_USERNAME environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_BASICAUTH_USERNAME: The ME_CONFIG_BASICAUTH_USERNAME environment variable sets the mongo-express web username.
+This Policy ensures MARIADB_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MARIADB_PASSWORD: The MARIADB_PASSWORD environment variable specifies a password for MARIADB_USER user.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_BASICAUTH_USERNAME environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the MARIADB_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
@@ -1201,26 +1195,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_PID_FILE
+## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_BUCKET
 
 ### ID
-weave.policies.rabbitmq-enforce-pid-file-env-var
+weave.policies.influxdb-enforce-bucket-env-var
 
 ### Description
-This Policy ensures RABBITMQ_PID_FILE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_PID_FILE: File in which the process id is placed for use by rabbitmqctl wait.
+This Policy ensures DOCKER_INFLUXDB_INIT_BUCKET environment variable are in place when using the official container images from Docker Hub.
+DOCKER_INFLUXDB_INIT_BUCKET: The name to set for the system's initial bucket (Required).
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_PID_FILE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_BUCKET environment variables is set.
+For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
 
 
 ### Category
@@ -1237,19 +1231,19 @@ high
 
 ---
 
-## MariaDB Enforce Environment Variable - MARIADB_DATABASE
+## Postgres Enforce Environment Variable - POSTGRES_PASSWORD
 
 ### ID
-weave.policies.mariadb-enforce-database-env-var
+weave.policies.postgres-enforce-password-env-var
 
 ### Description
-This Policy ensures MARIADB_DATABASE environment variable are in place when using the official container images from Docker Hub.
-MARIADB_DATABASE:   The MARIADB_DATABASE environment variable sets a default MARIADB database instance up with the name of that DB being the value of  environment variable. 
+This Policy ensures POSTGRES_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+POSTGRES_PASSWORD:   The POSTGRES_PASSWORD environment variable is required for you to use the PostgreSQL image. It must not be empty or undefined. This environment variable sets the superuser password for PostgreSQL. The default superuser is defined by the POSTGRES_USER environment variable.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_DATABASE environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the POSTGRES_PASSWORD environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
 
 
 ### Category
@@ -1269,66 +1263,56 @@ high
 
 ---
 
-## Containers Missing Liveness Probe
+## Container Block Sysctls
 
 ### ID
-weave.policies.containers-missing-liveness-probe
+weave.policies.container-block-sysctl
 
 ### Description
-This Policy detects whether or not a livenessProbe has been set for containers. Containers probes are:
-
-### liveness 
-The kubelet uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs.
-
-### readiness
-The kubelet uses readiness probes to know when a container is ready to start accepting traffic. A Pod is considered ready when all of its containers are ready. One use of this signal is to control which Pods are used as backends for Services. When a Pod is not ready, it is removed from Service load balancers.
-
-### startup
-The kubelet uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by the kubelet before they are up and running.
+Setting sysctls can allow containers unauthorized escalated privileges to a Kubernetes node. 
 
 
 ### How to solve?
-Check your entities to see if a probe has been set. 
+You should not set  `securityContext.sysctls` 
 ```
 ...
   spec:
-    containers:
-    - livenessProbe:
-      ...
+    securityContext:
+      sysctls
 ```
-https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
-weave.categories.reliability
+weave.categories.pod-security
 
 ### Severity
-medium
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_RETENTION
+## RabbitMQ Enforce Environment Variable - RABBITMQ_LOGS
 
 ### ID
-weave.policies.influxdb-enforce-retention-env-var
+weave.policies.rabbitmq-enforce-logs-env-var
 
 ### Description
-This Policy ensures DOCKER_INFLUXDB_INIT_RETENTION environment variable are in place when using the official container images from Docker Hub.
-DOCKER_INFLUXDB_INIT_RETENTION: The duration the system's initial bucket should retain data. If not set, the initial bucket will retain data forever.
+This Policy ensures RABBITMQ_LOGS environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_LOGS: The path of the RabbitMQ server's Erlang log file. This variable cannot be overridden on Windows.
 
 
 ### How to solve?
-If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_RETENTION environment variables is set.
-For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
+If you encounter a violation, ensure the RABBITMQ_LOGS environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
@@ -1345,23 +1329,23 @@ high
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_DIR
+## MariaDB Enforce Environment Variable - MYSQL_USER
 
 ### ID
-weave.policies.rabbitmq-enforce-mnesia-dir-env-var
+weave.policies.mariadb-enforce-mysql-user-env-var
 
 ### Description
-This Policy ensures RABBITMQ_MNESIA_DIR environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_MNESIA_DIR: The directory where this RabbitMQ node's data is stored. This s a schema database, message stores, cluster member information and other persistent node state.
+This Policy ensures MYSQL_USER environment variable are in place when using the official container images from Docker Hub.
+MYSQL_USER: The MYSQL_USER environment variable sets up a superuser with the same name.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_MNESIA_DIR environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the MYSQL_USER environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -1369,27 +1353,30 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Prohibit Creating Namespace Starting With Prefix
+## Containers Enforce Restart Policy
 
 ### ID
-weave.policies.prohibit-creating-namespace-starting-with-prefix
+weave.policies.containers-enforce-restart-policy
 
 ### Description
-Using this Policy, you can prohibit certain namespaces from containing a specified combination of letters and/or numbers. 
+This Policy checks if a specific restartPolicy is configured in your workloads.
 
 
 ### How to solve?
-Specify a `namespace` that is something other than what is listed in the Policy. 
+Ensure the restartPolicy is set to some specific policy in your workloads. 
 ```
-metadata:
-  name: <namespace_name>
+...
+  spec:
+    restartPolicy: <policy>
 ```
-https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#working-with-namespaces
 
 
 ### Category
@@ -1399,33 +1386,33 @@ weave.categories.organizational-standards
 medium
 
 ### Targets
-{'kinds': ['Namespace']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
 []
 
 ### Parameters
-[{'name': 'namespace_name', 'type': 'string', 'required': True, 'value': 'kube-'}]
+[{'name': 'restart_policy', 'type': 'string', 'required': True, 'value': 'Always'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_REQUEST_SIZE
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT
 
 ### ID
-weave.policies.mongo-express-enforce-request-size-env-var
+weave.policies.rabbitmq-enforce-fail-if-no-peer-cert-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_REQUEST_SIZE environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_REQUEST_SIZE: The ME_CONFIG_REQUEST_SIZE environment variable sets the maximum payload size. CRUD operations above this size will fail in [body-parser](https://www.npmjs.com/package/body-parser).
+This Policy ensures RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT: RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT when set to true, TLS connection will be rejected if client fails to provide a certificate.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_REQUEST_SIZE environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -1433,40 +1420,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Running With Unapproved Linux Capabilities
+## MariaDB Enforce Environment Variable - MARIADB_ROOT_PASSWORD
 
 ### ID
-weave.policies.containers-running-with-unapproved-linux-capabilities
+weave.policies.mariadb-enforce-root-password-env-var
 
 ### Description
-Linux capabilities provide a finer-grained breakdown of the privileges traditionally associated with the superuser. Not specifying those capabilities gives the container access to all OS capabilities which may result in exploiting the VM at which the container is running. The issue is reported when a container has `SYS_ADMIN`, `NET_RAW`, `NET_ADMIN`, or `ALL` capabilities. For this Policy, you can also exclude a namespace, such as `kube-system`. 
-
-With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest.
+This Policy ensures MARIADB_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MARIADB_ROOT_PASSWORD: The MARIADB_ROOT_PASSWORD environment variable specifies a password for the MARIADB root account. 
 
 
 ### How to solve?
-You should set the specific Linux capabilities that your container needs. Or you could simply remove from `capabilities` the values of `SYS_ADMIN`, `NET_ADMIN`, and `ALL`.
-```
-...
-  spec:
-    containers:
-    - securityContext:
-        capabilities:
-          add: ["SYS_ADMIN, "ALL", "NET_ADMIN"]
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+If you encounter a violation, ensure the MARIADB_ROOT_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -1475,46 +1450,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1', 'default']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Sharing Host Network
+## MariaDB Enforce Environment Variable - MYSQL_ROOT_PASSWORD
 
 ### ID
-weave.policies.containers-sharing-host-network
+weave.policies.mariadb-enforce-mysql-root-password-env-var
 
 ### Description
-This Policy allows check if sharing host network namespace with the container should be allowed or not. Resources that can be shared with the container include:
-
-### hostNetwork
-Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
-
-### hostPID
-Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
-
-### shareProcessNamespace
-When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
-
-### hostIPC
-Controls whether the pod containers can share the host IPC namespace.
+This Policy ensures MYSQL_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_ROOT_PASSWORD: The MYSQL_ROOT_PASSWORD environment variable specifies a password for the MARIADB root account. 
 
 
 ### How to solve?
-Match the shared resource with either true or false, as set in your constraint. 
-```
-...
-  spec:
-    <shared_resource>: <resource_enabled>
-```
-https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+If you encounter a violation, ensure the MYSQL_ROOT_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -1523,73 +1482,125 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['cis-benchmark', 'nist800-190', 'gdpr', 'default']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
-[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Controller ServiceAccount Tokens Automount
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SESSIONSECRET
 
 ### ID
-weave.policies.controller-serviceaccount-tokens-automount
+weave.policies.mongo-express-enforce-session-secret-env-var
 
 ### Description
-This Policy allows for the option of enabling or disabling Service Accounts that are created for a Pod. The recommended practice is to set the `automount_token` to `false.  
+This Policy ensures ME_CONFIG_SITE_SESSIONSECRET environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_SITE_SESSIONSECRET: The ME_CONFIG_SITE_SESSIONSECRET environment variable is used to sign the session ID cookie by [express-session middleware](https://www.npmjs.com/package/express-session).
 
-When a pod is created without specifying a service account, it is automatically assigned the default service account in the same namespace. This is a security concern because a compromised container can access the API using automatically mounted service account credentials. The API permissions of the service account depend on the authorization plugin and policy in use, but could possibly create and delete pods. 
 
-We recommend setting the `automount_token` to `false`. 
+### How to solve?
+If you encounter a violation, ensure the ME_CONFIG_SITE_SESSIONSECRET environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
-In version 1.6+, you can opt out of automounting API credentials for a particular pod.
+
+### Category
+weave.categories.network-security
+
+### Severity
+high
+
+### Targets
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+
+### Tags
+['pci-dss']
+
+### Parameters
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+
+---
+
+## Containers Missing Startup Probe
+
+### ID
+weave.policies.containers-missing-startup-probe
+
+### Description
+This Policy detects whether or not a startupProbe has been set for containers. Containers probes are:
+
+### liveness 
+The kubelet uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs.
+
+### readiness
+The kubelet uses readiness probes to know when a container is ready to start accepting traffic. A Pod is considered ready when all of its containers are ready. One use of this signal is to control which Pods are used as backends for Services. When a Pod is not ready, it is removed from Service load balancers.
+
+### startup
+The kubelet uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by the kubelet before they are up and running.
 
 
 ### How to solve?
-Ensure the setting in the Policy matches the Service Account declaration in the controller. 
+Check your entities to see if a probe has been set. 
 ```
 ...
   spec:
-    automountServiceAccountToken: false
+    containers:
+    - startupProbe:
+      ...
 ```
-
-https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 
 
 ### Category
-weave.categories.access-control
+weave.categories.reliability
 
 ### Severity
-high
+medium
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'hipaa', 'gdpr', 'default', 'soc2-type1']
+[]
 
 ### Parameters
-[{'name': 'automount_token', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_DIR
+## Containers Sharing Host PID
 
 ### ID
-weave.policies.rabbitmq-enforce-plugins-dir-env-var
+weave.policies.containers-sharing-host-pid
 
 ### Description
-This Policy ensures RABBITMQ_PLUGINS_DIR environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_PLUGINS_DIR: The list of directories where plugin archive files are located and extracted from. This is PATH-like variable, where different paths are separated by an OS-specific separator (: for Unix, ; for Windows). Plugins can be installed to any of the directories listed here.
+This Policy allows check if sharing host PID namespace with the container should be allowed or not. Resources that can be shared with the container include:
+
+### hostNetwork
+Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
+
+### hostPID
+Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
+
+### shareProcessNamespace
+When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
+
+### hostIPC
+Controls whether the pod containers can share the host IPC namespace.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_PLUGINS_DIR environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+Match the shared resource with either true or false, as set in your constraint. 
+```
+...
+  spec:
+    <shared_resource>: <resource_enabled>
+```
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.pod-security
 
 ### Severity
 high
@@ -1597,28 +1608,31 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['cis-benchmark', 'nist800-190', 'gdpr', 'default']
+
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_PASSWORD
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_OPTIONS_EDITORTHEME
 
 ### ID
-weave.policies.influxdb-enforce-password-env-var
+weave.policies.mongo-express-enforce-editor-theme-env-var
 
 ### Description
-This Policy ensures DOCKER_INFLUXDB_INIT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-DOCKER_INFLUXDB_INIT_PASSWORD: The password to set for the system's initial super-user (Required).
+This Policy ensures ME_CONFIG_OPTIONS_EDITORTHEME environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_OPTIONS_EDITORTHEME: The ME_CONFIG_OPTIONS_EDITORTHEME environment variable sets the editor color theme, [more here](http://codemirror.net/demo/theme.html)
 
 
 ### How to solve?
-If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_PASSWORD environment variables is set.
-For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
+If you encounter a violation, ensure the ME_CONFIG_OPTIONS_EDITORTHEME environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -1626,24 +1640,27 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_USERNAME
+## RabbitMQ Enforce Environment Variable - RABBITMQ_ENABLED_PLUGINS_FILE
 
 ### ID
-weave.policies.influxdb-enforce-username-env-var
+weave.policies.rabbitmq-enforce-enabled-plugins-env-var
 
 ### Description
-This Policy ensures DOCKER_INFLUXDB_INIT_USERNAME environment variable are in place when using the official container images from Docker Hub.
-DOCKER_INFLUXDB_INIT_USERNAME: The username to set for the system's initial super-user (Required).
+This Policy ensures RABBITMQ_ENABLED_PLUGINS_FILE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_ENABLED_PLUGINS_FILE: This file records explicitly enabled plugins. When a plugin is enabled or disabled, this file will be recreated. It is important that effective RabbitMQ user has sufficient permissions to read, write and create this file at any time.
 
 
 ### How to solve?
-If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_USERNAME environment variables is set.
-For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
+If you encounter a violation, ensure the RABBITMQ_ENABLED_PLUGINS_FILE environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
@@ -1660,61 +1677,90 @@ high
 
 ---
 
-## Containers Block Ports Range
+## Missing Kubernetes App Component Label
 
 ### ID
-weave.policies.containers-block-ports-range
+weave.policies.missing-kubernetes-app-component-label
 
 ### Description
-This Policy checks for container ports that are set below the set value. TCP ports under 1024 are reserved so we recommend setting your Policy to 1024 or higher. 
+Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
+
+### owner
+A label key of `owner` will help identify who the owner of this entity is. 
+
+### app.kubernetes.io/name
+The name of the application	
+
+### app.kubernetes.io/instance
+A unique name identifying the instance of an application	  
+
+### app.kubernetes.io/version
+The current version of the application (e.g., a semantic version, revision hash, etc.)
+
+### app.kubernetes.io/part-of
+The name of a higher level application this one is part of	
+
+### app.kubernetes.io/managed-by
+The tool being used to manage the operation of an application	
+
+### app.kubernetes.io/created-by
+The controller/user who created this resource	
 
 
 ### How to solve?
-Choose ports over the value that is specified in the Policy. 
-```
-...
-  spec:
-    containers:
-      - ports:
-        - containerPort: <target_port>
+Add these custom labels to `metadata`.
+* owner
+* app.kubernetes.io/name
+* app.kubernetes.io/instance
+* app.kubernetes.io/version
+* app.kubernetes.io/name
+* app.kubernetes.io/part-of
+* app.kubernetes.io/managed-by
+* app.kubernetes.io/created-by
+
 ```
-https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
+metadata:
+  labels:
+    <label>: value
+```  
+For additional information, please check
+* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
-high
+low
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'nist800-190']
+[]
 
 ### Parameters
-[{'name': 'target_port', 'type': 'integer', 'required': True, 'value': 1024}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MYSQL_USER
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_KEYFILE
 
 ### ID
-weave.policies.mariadb-enforce-mysql-user-env-var
+weave.policies.rabbitmq-enforce-ssl-keyfile-env-var
 
 ### Description
-This Policy ensures MYSQL_USER environment variable are in place when using the official container images from Docker Hub.
-MYSQL_USER: The MYSQL_USER environment variable sets up a superuser with the same name.
+This Policy ensures RABBITMQ_SSL_KEYFILE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SSL_KEYFILE: The RABBITMQ_SSL_KEYFILE sets a path for the server private key file.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_USER environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the RABBITMQ_SSL_KEYFILE environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -1722,38 +1768,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Container Prohibit Image Tag
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CACERTFILE
 
 ### ID
-weave.policies.container-prohibit-image-tag
+weave.policies.rabbitmq-enforce-ssl-ca-cert-file-env-var
 
 ### Description
-Prohibit certain image tags by specifying them in the Policy. The Policy will also violate if the a tag is not set, or is set to `latest`. 
-
-Note: You should avoid using the :latest tag when deploying containers in production as it is harder to track which version of the image is running and more difficult to roll back properly.
+This Policy ensures RABBITMQ_SSL_CACERTFILE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SSL_CACERTFILE: RABBITMQ_SSL_CACERTFILE sets a path to the CA certificate file. 
 
 
 ### How to solve?
-Configure an image tag that is not in the Policy. 
-```
-...
-  spec:
-    containers:
-    - image: registry/image_name:<tag>
-```
-https://kubernetes.io/docs/concepts/configuration/overview/#container-images
+If you encounter a violation, ensure the RABBITMQ_SSL_CACERTFILE environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.software-supply-chain
+weave.categories.network-security
 
 ### Severity
 high
@@ -1761,31 +1797,40 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['cis-benchmark', 'mitre-attack', 'gdpr', 'soc2-type1', 'default']
-
 ### Parameters
-[{'name': 'image_tag', 'type': 'string', 'required': True, 'value': 'latest'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_CRT_PATH
+## Containers Running With Privilege Escalation
 
 ### ID
-weave.policies.mongo-express-enforce-ssl-crt-path-env-var
+weave.policies.containers-running-with-privilege-escalation
 
 ### Description
-This Policy ensures ME_CONFIG_SITE_SSL_CRT_PATH environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_SITE_SSL_CRT_PATH: The ME_CONFIG_SITE_SSL_CRT_PATH environment variable sets the SSL Certificate path. 
+Containers are running with PrivilegeEscalation configured. Setting this Policy to `true` allows child processes to gain more privileges than its parent process.  
+
+This Policy gates whether or not a user is allowed to set the security context of a container to `allowPrivilegeEscalation` to `true`. The default value for this is `false` so no child process of a container can gain more privileges than its parent.
+
+There are 2 parameters for this Policy:
+- exclude_namespace (string) : This sets a namespace you want to exclude from Policy compliance checking. 
+- allow_privilege_escalation (bool) : This checks for the value of `allowPrivilegeEscalation` in your spec.  
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_SITE_SSL_CRT_PATH environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+Check the following path to see what the PrivilegeEscalation value is set to.
+```
+...
+  spec:
+    containers:
+      securityContext:
+        allowPrivilegeEscalation: <value>
+```
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
-weave.categories.network-security
+weave.categories.pod-security
 
 ### Severity
 high
@@ -1794,25 +1839,25 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': True, 'value': ['kube-system']}, {'name': 'allow_privilege_escalation', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MARIADB_USER
+## MariaDB Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD
 
 ### ID
-weave.policies.mariadb-enforce-user-env-var
+weave.policies.mariadb-prohibit-mysql-empty-password-env-var
 
 ### Description
-This Policy ensures MARIADB_USER environment variable are in place when using the official container images from Docker Hub.
-MARIADB_USER: The MARIADB_USER environment variable sets up a superuser with the same name.
+This Policy ensures MYSQL_ALLOW_EMPTY_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_ALLOW_EMPTY_PASSWORD: MYSQL_ALLOW_EMPTY_PASSWORD set to true will allow the container to be started with a blank password for the root user
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_USER environment variables is set.
+If you encounter a violation, ensure the MYSQL_ALLOW_EMPTY_PASSWORD environment variables is set.
 For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
@@ -1833,23 +1878,23 @@ high
 
 ---
 
-## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME
+## Postgres Enforce Environment Variable - POSTGRES_INITDB_WALDIR
 
 ### ID
-weave.policies.mongodb-enforce-root-username-env-var
+weave.policies.postgres-enforce-initdb-waldir-env-var
 
 ### Description
-This Policy ensures MONGO_INITDB_ROOT_USERNAME environment variable are in place when using the official container images from Docker Hub.
-MONGO_INITDB_ROOT_USERNAME: The MONGO_INITDB_ROOT_USERNAME environment variable sets the MongoDB root user name.
+This Policy ensures POSTGRES_INITDB_WALDIR environment variable are in place when using the official container images from Docker Hub.
+POSTGRES_INITDB_WALDIR: The POSTGRES_INITDB_WALDIR environment variable is used to define another location for the Postgres transaction log. By default the transaction log is stored in a subdirectory of the main Postgres data folder (PGDATA). 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MONGO_INITDB_ROOT_USERNAME environment variables is set.
-For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the POSTGRES_INITDB_WALDIR environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -1857,31 +1902,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_ONETIME_PASSWORD
+## MYSQL Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO
 
 ### ID
-weave.policies.mysql-enforce-onetime-password-env-var
+weave.policies.mysql-enforce-skip-tzinfo-env-var
 
 ### Description
-This Policy ensures MYSQL_ONETIME_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_ONETIME_PASSWORD: The MYSQL_ONETIME_PASSWORD environment variable is set, the root user's password is set as expired and must be changed before MySQL can be used normally 
+This Policy ensures MYSQL_INITDB_SKIP_TZINFO environment variable are in place when using the official container images from Docker Hub.
+MYSQL_INITDB_SKIP_TZINFO: The MYSQL_INITDB_SKIP_TZINFO environment variable allows the skipping of timezone checking when initializing the DB.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_ONETIME_PASSWORD environment variables is set.
+If you encounter a violation, ensure the MYSQL_INITDB_SKIP_TZINFO environment variables is set.
 For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -1889,31 +1931,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CACERTFILE
+## Postgres Enforce Environment Variable - PGDATA
 
 ### ID
-weave.policies.rabbitmq-enforce-ssl-ca-cert-file-env-var
+weave.policies.postgres-enforce-pgdata-env-var
 
 ### Description
-This Policy ensures RABBITMQ_SSL_CACERTFILE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SSL_CACERTFILE: RABBITMQ_SSL_CACERTFILE sets a path to the CA certificate file. 
+This Policy ensures PGDATA environment variable are in place when using the official container images from Docker Hub.
+PGDATA: The PGDATA environment variable is used to define another location - like a subdirectory - for the database files. The default is /var/lib/postgresql/data. If the data volume you're using is a filesystem mountpoint (like with GCE persistent disks) or remote folder that cannot be chowned to the postgres user (like some NFS mounts), Postgres initdb recommends a subdirectory be created to contain the data.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SSL_CACERTFILE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the PGDATA environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -1926,31 +1965,23 @@ high
 
 ---
 
-## Containers Using Hostport
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINUSERNAME
 
 ### ID
-weave.policies.containers-using-hostport
+weave.policies.mongo-express-enforce-admin-username-env-var
 
 ### Description
-This Policy checks if `hostPort` is set. When `hostPort` is set, a Pod is bound to a hostPort and limits the number of places the Pod can be scheduled. That's because each <hostIP, hostPort, protocol> combination must be unique. If you don't specify the hostIP and protocol explicitly, Kubernetes will use 0.0.0.0 as the default hostIP and TCP as the default protocol.
-
-Don't specify a hostPort for a Pod unless it is absolutely necessary.  
+This Policy ensures ME_CONFIG_MONGODB_ADMINUSERNAME environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_MONGODB_ADMINUSERNAME: The ME_CONFIG_MONGODB_ADMINUSERNAME environment variable sets the MongoDB admin username.
 
 
 ### How to solve?
-Try avoid setting `hostPort` in your spec. 
-```
-...
-  spec:
-    containers:
-    - ports:
-      - hostPort: 8080
-```
-https://kubernetes.io/docs/concepts/configuration/overview/#services
+If you encounter a violation, ensure the ME_CONFIG_MONGODB_ADMINUSERNAME environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.network-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -1959,26 +1990,32 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'nist800-190']
+['pci-dss', 'mitre-attack', 'hipaa']
 
 ### Parameters
-[{'name': 'host_port', 'type': 'string', 'required': True, 'value': 'hostPort'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_BASEURL
+## Containers Block Ports Range
 
 ### ID
-weave.policies.mongo-express-enforce-base-url-env-var
+weave.policies.containers-block-ports-range
 
 ### Description
-This Policy ensures ME_CONFIG_SITE_BASEURL environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_SITE_BASEURL: The ME_CONFIG_SITE_BASEURL environment variable sets the baseUrl to ease mounting at a subdirectory. Remember to include a leading and trailing slash.
+This Policy checks for container ports that are set below the set value. TCP ports under 1024 are reserved so we recommend setting your Policy to 1024 or higher. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_SITE_BASEURL environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+Choose ports over the value that is specified in the Policy. 
+```
+...
+  spec:
+    containers:
+      - ports:
+        - containerPort: <target_port>
+```
+https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
 
 
 ### Category
@@ -1991,64 +2028,93 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'nist800-190']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'target_port', 'type': 'integer', 'required': True, 'value': 1024}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Persistent Volume Reclaim Policy Should Be Set To Retain
+## Missing Owner Label
 
 ### ID
-weave.policies.persistent-volume-reclaim-policy-should-be-set-to-retain
+weave.policies.missing-owner-label
 
 ### Description
-This Policy checks to see whether or not the persistent volume reclaim policy is set.
+Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
 
-PersistentVolumes can have various reclaim policies, including "Retain", "Recycle", and "Delete". For dynamically provisioned PersistentVolumes, the default reclaim policy is "Delete". This means that a dynamically provisioned volume is automatically deleted when a user deletes the corresponding PersistentVolumeClaim. This automatic behavior might be inappropriate if the volume contains precious data. In that case, it is more appropriate to use the "Retain" policy. With the "Retain" policy, if a user deletes a PersistentVolumeClaim, the corresponding PersistentVolume is not be deleted. Instead, it is moved to the Released phase, where all of its data can be manually recovered.
+### owner
+A label key of `owner` will help identify who the owner of this entity is. 
+
+### app.kubernetes.io/name
+The name of the application	
+
+### app.kubernetes.io/instance
+A unique name identifying the instance of an application	  
+
+### app.kubernetes.io/version
+The current version of the application (e.g., a semantic version, revision hash, etc.)
+
+### app.kubernetes.io/part-of
+The name of a higher level application this one is part of	
+
+### app.kubernetes.io/managed-by
+The tool being used to manage the operation of an application	
+
+### app.kubernetes.io/created-by
+The controller/user who created this resource	
 
 
 ### How to solve?
-Check your reclaim policy configuration within your PersistentVolume configuration. 
-```
-spec:
-  persistentVolumeReclaimPolicy: <pv_policy>
-```
+Add these custom labels to `metadata`.
+* owner
+* app.kubernetes.io/name
+* app.kubernetes.io/instance
+* app.kubernetes.io/version
+* app.kubernetes.io/name
+* app.kubernetes.io/part-of
+* app.kubernetes.io/managed-by
+* app.kubernetes.io/created-by
 
-https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/#why-change-reclaim-policy-of-a-persistentvolume
+```
+metadata:
+  labels:
+    <label>: value
+```  
+For additional information, please check
+* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
-weave.categories.data-protection
+weave.categories.organizational-standards
 
 ### Severity
-medium
+low
 
 ### Targets
-{'kinds': ['PersistentVolume']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'soc2-type1']
+[]
 
 ### Parameters
-[{'name': 'pv_policy', 'type': 'string', 'required': True, 'value': 'Retain'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD
+## MYSQL Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD
 
 ### ID
-weave.policies.mongodb-enforce-root-password-env-var
+weave.policies.mysql-prohibit-empty-password-env-var
 
 ### Description
-This Policy ensures MONGO_INITDB_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MONGO_INITDB_ROOT_PASSWORD: The MONGO_INITDB_ROOT_PASSWORD environment variable sets the MongoDB root user password.
+This Policy ensures MYSQL_ALLOW_EMPTY_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_ALLOW_EMPTY_PASSWORD: MYSQL_ALLOW_EMPTY_PASSWORD set to true will allow the container to be started with a blank password for the root user
 
 
 ### How to solve?
-If you encounter a violation, ensure the MONGO_INITDB_ROOT_PASSWORD environment variables is set.
-For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the MYSQL_ALLOW_EMPTY_PASSWORD environment variables is set.
+For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
@@ -2061,30 +2127,39 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss', 'hipaa']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_COOKIESECRET
+## Containers Mounting Docker Socket
 
 ### ID
-weave.policies.mongo-express-enforce-cookie-secret-env-var
+weave.policies.containers-mounting-docker-socket
 
 ### Description
-This Policy ensures ME_CONFIG_SITE_COOKIESECRET environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_SITE_COOKIESECRET: The ME_CONFIG_SITE_COOKIESECRET environment variable is used by [cookie-parser middleware](https://www.npmjs.com/package/cookie-parser) to sign cookies.
+This Policy checks the mounting of the `docker.sock` socket of the node into the container. The docker socket filename can be altered based on your configuration. The full path is unnecessary as the Policy accounts for any path.  
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_SITE_COOKIESECRET environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+Ensure workloads aren't mounting the `docker.sock` (or other configured socket name) in order to avoid a violation. 
+```
+...
+  spec:
+    template:
+      spec:
+        volumes:
+          - name: docker-sock
+            hostPath:
+              path: "<path>/<this value>"
+              type: File
+```
 
 
 ### Category
-weave.categories.network-security
+weave.categories.pod-security
 
 ### Severity
 high
@@ -2093,78 +2168,68 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['nist800-190', 'gdpr', 'default']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'docker_sock', 'type': 'string', 'required': True, 'value': 'docker.sock'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Sharing Process Namespace
+## Persistent Volume Reclaim Policy Should Be Set To Retain
 
 ### ID
-weave.policies.containers-sharing-process-namespace
+weave.policies.persistent-volume-reclaim-policy-should-be-set-to-retain
 
 ### Description
-This Policy allows check if sharing process namespace with other containers in the pod should be allowed or not. Resources that can be shared with the container include:
-
-### hostNetwork
-Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
-
-### hostPID
-Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
-
-### shareProcessNamespace
-When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
+This Policy checks to see whether or not the persistent volume reclaim policy is set.
 
-### hostIPC
-Controls whether the pod containers can share the host IPC namespace.
+PersistentVolumes can have various reclaim policies, including "Retain", "Recycle", and "Delete". For dynamically provisioned PersistentVolumes, the default reclaim policy is "Delete". This means that a dynamically provisioned volume is automatically deleted when a user deletes the corresponding PersistentVolumeClaim. This automatic behavior might be inappropriate if the volume contains precious data. In that case, it is more appropriate to use the "Retain" policy. With the "Retain" policy, if a user deletes a PersistentVolumeClaim, the corresponding PersistentVolume is not be deleted. Instead, it is moved to the Released phase, where all of its data can be manually recovered.
 
 
 ### How to solve?
-Match the shared resource with either true or false, as set in your constraint. 
+Check your reclaim policy configuration within your PersistentVolume configuration. 
 ```
-...
-  spec:
-    <shared_resource>: <resource_enabled>
+spec:
+  persistentVolumeReclaimPolicy: <pv_policy>
 ```
-https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+
+https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/#why-change-reclaim-policy-of-a-persistentvolume
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.data-protection
 
 ### Severity
-high
+medium
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['PersistentVolume']}
 
 ### Tags
-['nist800-190', 'gdpr', 'default']
+['pci-dss', 'soc2-type1']
 
 ### Parameters
-[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'pv_policy', 'type': 'string', 'required': True, 'value': 'Retain'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Postgres Enforce Environment Variable - POSTGRES_DB
+## MongoDB Enforce Environment Variable - MONGO_INITDB_DATABASE
 
 ### ID
-weave.policies.postgres-enforce-db-env-var
+weave.policies.mongodb-enforce-database-env-var
 
 ### Description
-This Policy ensures POSTGRES_DB environment variable are in place when using the official container images from Docker Hub.
-POSTGRES_DB: The POSTGRES_DB environment variable defines a different name for the default database that is created when the image is first started. If it is not specified, then the value of POSTGRES_USER will be used.
+This Policy ensures MONGO_INITDB_DATABASE environment variable are in place when using the official container images from Docker Hub.
+MONGO_INITDB_DATABASE: The MONGO_INITDB_DATABASE environment variable allows you to specify the name of a database to be used for creation scripts.
 
 
 ### How to solve?
-If you encounter a violation, ensure the POSTGRES_DB environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+If you encounter a violation, ensure the MONGO_INITDB_DATABASE environment variables is set.
+For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -2177,96 +2242,115 @@ high
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_DATABASE
+## Containers Missing Readiness Probe
 
 ### ID
-weave.policies.mysql-enforce-database-env-var
+weave.policies.containers-missing-readiness-probe
 
 ### Description
-This Policy ensures MYSQL_DATABASE environment variable are in place when using the official container images from Docker Hub.
-MYSQL_DATABASE: The MYSQL_DATABASE environment variable sets a default MySQL database instance up with the name of that DB being the value of  environment variable. 
+This Policy detects whether or not a readinessProbe has been set for containers. Containers probes are:
+
+### liveness 
+The kubelet uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs.
+
+### readiness
+The kubelet uses readiness probes to know when a container is ready to start accepting traffic. A Pod is considered ready when all of its containers are ready. One use of this signal is to control which Pods are used as backends for Services. When a Pod is not ready, it is removed from Service load balancers.
+
+### startup
+The kubelet uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by the kubelet before they are up and running.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_DATABASE environment variables is set.
-For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
+Check your entities to see if a probe has been set. 
+```
+...
+  spec:
+    containers:
+    - readinessProbe:
+      ...
+```
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.reliability
 
 ### Severity
-high
+medium
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+[]
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Running With Privilege Escalation
+## Services Prohibit Type
 
 ### ID
-weave.policies.containers-running-with-privilege-escalation
+weave.policies.services-prohibit-type
 
 ### Description
-Containers are running with PrivilegeEscalation configured. Setting this Policy to `true` allows child processes to gain more privileges than its parent process.  
-
-This Policy gates whether or not a user is allowed to set the security context of a container to `allowPrivilegeEscalation` to `true`. The default value for this is `false` so no child process of a container can gain more privileges than its parent.
-
-There are 2 parameters for this Policy:
-- exclude_namespace (string) : This sets a namespace you want to exclude from Policy compliance checking. 
-- allow_privilege_escalation (bool) : This checks for the value of `allowPrivilegeEscalation` in your spec.  
+This Policy checks your Kubernetes Service kind to see what Service type is set. If a specified service type is found, this Policy will be in violation. Security practices suggest using types `ServiceType` of `ClusterIP` or `LoadBalancer` and not `NodePort`. 
 
 
 ### How to solve?
-Check the following path to see what the PrivilegeEscalation value is set to.
+Ensure the type matches what is specified in the Policy. 
 ```
-...
-  spec:
-    containers:
-      securityContext:
-        allowPrivilegeEscalation: <value>
+spec:
+  type: <type>
 ```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.network-security
 
 ### Severity
 high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['Service']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default', 'soc2-type1']
+['pci-dss']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': True, 'value': ['kube-system']}, {'name': 'allow_privilege_escalation', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'type', 'type': 'string', 'required': True, 'value': 'NodePort'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_CONFIG_FILE
+## Container Block Sysctls CVE-2022-0811
 
 ### ID
-weave.policies.rabbitmq-enforce-config-file-env-var
+weave.policies.container-block-sysctl.cve-2022-0811
 
 ### Description
-This Policy ensures RABBITMQ_CONFIG_FILE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_CONFIG_FILE: The path to the configuration file, without the .config extension. If the configuration file is present it is used by the server to configure RabbitMQ components. See Configuration guide for more information.
+Setting sysctls can allow containers unauthorized escalated privileges to a Kubernetes node. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_CONFIG_FILE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+You should not set `securityContext.sysctls.value` to include `+` or `=` characters. 
+```
+...
+  spec:
+    securityContext:
+      sysctls: 
+        - name: name
+          value "1+2=3"
+```
+```
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.pod-security
 
 ### Severity
 high
@@ -2274,60 +2358,67 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Prohibit Environment Variable - MYSQL_ALLOW_EMPTY_PASSWORD
+## Containers Should Not Run In Namespace
 
 ### ID
-weave.policies.mariadb-prohibit-mysql-empty-password-env-var
+weave.policies.containers-should-not-run-in-namespace
 
 ### Description
-This Policy ensures MYSQL_ALLOW_EMPTY_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_ALLOW_EMPTY_PASSWORD: MYSQL_ALLOW_EMPTY_PASSWORD set to true will allow the container to be started with a blank password for the root user
+This Policy ensure workloads are not running in a specified namespace. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_ALLOW_EMPTY_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+Use a `namespace` that differs from the one specified in the Policy. 
+```
+metadata:
+  namespace: <custom_namespace>
+```
+
+https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
-high
+low
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['cis-benchmark', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'custom_namespace', 'type': 'string', 'required': True, 'value': 'default'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_VERIFY
+## RabbitMQ Enforce Environment Variable - RABBITMQ_VM_MEMORY_HIGH_WATERMARK
 
 ### ID
-weave.policies.rabbitmq-enforce-ssl-verify-env-var
+weave.policies.rabbitmq-enforce-vm-memory-env-var
 
 ### Description
-This Policy ensures RABBITMQ_SSL_VERIFY environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SSL_VERIFY: The RABBITMQ_SSL_VERIFY enables peer verification. 
+This Policy ensures RABBITMQ_VM_MEMORY_HIGH_WATERMARK environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_VM_MEMORY_HIGH_WATERMARK: The RABBITMQ_VM_MEMORY_HIGH_WATERMARK environment variable sets the memory threshold at which the flow control is triggered. Can be absolute or relative to the amount of RAM available to the OS.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SSL_VERIFY environment variables is set.
+If you encounter a violation, ensure the RABBITMQ_VM_MEMORY_HIGH_WATERMARK environment variables is set.
 For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -2340,135 +2431,102 @@ high
 
 ---
 
-## Containers Not Using Runtime Default Seccomp Profile
+## Containers Missing Liveness Probe
 
 ### ID
-weave.policies.containers-not-using-runtime-default-seccomp-profile
+weave.policies.containers-missing-liveness-probe
 
 ### Description
-This Policy checks for runtime/default seccomp annotation. 
+This Policy detects whether or not a livenessProbe has been set for containers. Containers probes are:
 
-Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a Node to your Pods and containers.
+### liveness 
+The kubelet uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs.
+
+### readiness
+The kubelet uses readiness probes to know when a container is ready to start accepting traffic. A Pod is considered ready when all of its containers are ready. One use of this signal is to control which Pods are used as backends for Services. When a Pod is not ready, it is removed from Service load balancers.
+
+### startup
+The kubelet uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by the kubelet before they are up and running.
 
 
 ### How to solve?
-Depending on the version of Kubernetes, you either need to set an annotation or a seccomp type in your `securityContext`. 
-```
-metadata:
-  annotations:
-    seccomp.security.alpha.kubernetes.io/pod: <seccomp_annotation>
-```
-AND
+Check your entities to see if a probe has been set. 
 ```
 ...
   spec:
-    seccompProfile:
-      type: <seccomp_type>
+    containers:
+    - livenessProbe:
+      ...
 ```
-https://kubernetes.io/docs/tutorials/clusters/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.reliability
 
 ### Severity
-high
+medium
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['cis-benchmark', 'nist800-190', 'soc2-type1']
+[]
 
 ### Parameters
-[{'name': 'seccomp_annotation', 'type': 'string', 'required': True, 'value': 'runtime/default'}, {'name': 'seccomp_type', 'type': 'string', 'required': True, 'value': 'RuntimeDefault'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Kubernetes App Label
+## MariaDB Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO
 
 ### ID
-weave.policies.missing-kubernetes-app-label
+weave.policies.mariadb-enforce-mysql-initdb-skip-tzinfo-env-var
 
 ### Description
-Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
-
-### owner
-A label key of `owner` will help identify who the owner of this entity is. 
-
-### app.kubernetes.io/name
-The name of the application	
-
-### app.kubernetes.io/instance
-A unique name identifying the instance of an application	  
-
-### app.kubernetes.io/version
-The current version of the application (e.g., a semantic version, revision hash, etc.)
-
-### app.kubernetes.io/part-of
-The name of a higher level application this one is part of	
-
-### app.kubernetes.io/managed-by
-The tool being used to manage the operation of an application	
-
-### app.kubernetes.io/created-by
-The controller/user who created this resource
+This Policy ensures MYSQL_INITDB_SKIP_TZINFO environment variable are in place when using the official container images from Docker Hub.
+MYSQL_INITDB_SKIP_TZINFO:   The MYSQL_INITDB_SKIP_TZINFO environment variable allows the skipping of timezone checking when initializing the DB.
 
 
 ### How to solve?
-Add these custom labels to `metadata`.
-* owner
-* app.kubernetes.io/name
-* app.kubernetes.io/instance
-* app.kubernetes.io/version
-* app.kubernetes.io/name
-* app.kubernetes.io/part-of
-* app.kubernetes.io/managed-by
-* app.kubernetes.io/created-by
-
-```
-metadata:
-  labels:
-    <label>: value
-```  
-For additional information, please check
-* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
+If you encounter a violation, ensure the MYSQL_INITDB_SKIP_TZINFO environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
-low
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINPASSWORD
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_ENABLED
 
 ### ID
-weave.policies.mongo-express-enforce-admin-password-env-var
+weave.policies.mongo-express-enforce-ssl-enabled-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_MONGODB_ADMINPASSWORD environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_MONGODB_ADMINPASSWORD: The ME_CONFIG_MONGODB_ADMINPASSWORD environment variable sets the MongoDB admin password.
+This Policy ensures ME_CONFIG_SITE_SSL_ENABLED environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_SITE_SSL_ENABLED: The ME_CONFIG_SITE_SSL_ENABLED environment variable enables SSL.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_MONGODB_ADMINPASSWORD environment variables is set.
+If you encounter a violation, ensure the ME_CONFIG_SITE_SSL_ENABLED environment variables is set.
 For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -2477,26 +2535,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MYSQL_DATABASE
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_BASICAUTH_PASSWORD
 
 ### ID
-weave.policies.mariadb-enforce-mysql-database-env-var
+weave.policies.mongo-express-enforce-auth-password-env-var
 
 ### Description
-This Policy ensures MYSQL_DATABASE environment variable are in place when using the official container images from Docker Hub.
-MYSQL_DATABASE:   The MYSQL_DATABASE environment variable sets a default MARIADB database instance up with the name of that DB being the value of  environment variable. 
+This Policy ensures ME_CONFIG_BASICAUTH_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_BASICAUTH_PASSWORD: The ME_CONFIG_BASICAUTH_PASSWORD environment variable sets the mongo-express web password.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_DATABASE environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the ME_CONFIG_BASICAUTH_PASSWORD environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
@@ -2509,39 +2567,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['pci-dss', 'mitre-attack', 'hipaa']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Container Block Sysctls CVE-2022-0811
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
 
 ### ID
-weave.policies.container-block-sysctl.cve-2022-0811
+weave.policies.rabbitmq-enforce-additional-erl-args-env-var
 
 ### Description
-Setting sysctls can allow containers unauthorized escalated privileges to a Kubernetes node. 
+This Policy ensures RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: The RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variable sets additional parameters for the erl command used when invoking the RabbitMQ Server. The value of this variable is appended to the default list of arguments (RABBITMQ_SERVER_ERL_ARGS).
 
 
 ### How to solve?
-You should not set `securityContext.sysctls.value` to include `+` or `=` characters. 
-```
-...
-  spec:
-    securityContext:
-      sysctls: 
-        - name: name
-          value "1+2=3"
-```
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
+If you encounter a violation, ensure the RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -2549,18 +2598,15 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
-
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Kubernetes App Version Label
+## Missing Kubernetes App Managed By Label
 
 ### ID
-weave.policies.missing-kubernetes-app-version-label
+weave.policies.missing-kubernetes-app-managed-by-label
 
 ### Description
 Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
@@ -2593,8 +2639,8 @@ Add these custom labels to `metadata`.
 * app.kubernetes.io/name
 * app.kubernetes.io/instance
 * app.kubernetes.io/version
+* app.kubernetes.io/name
 * app.kubernetes.io/part-of
-* app.kubernetes.io/component
 * app.kubernetes.io/managed-by
 * app.kubernetes.io/created-by
 
@@ -2624,58 +2670,55 @@ low
 
 ---
 
-## Services Prohibit Ports Range
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ADMINPASSWORD
 
 ### ID
-weave.policies.services-prohibit-ports-range
+weave.policies.mongo-express-enforce-admin-password-env-var
 
 ### Description
-This Policy checks if ports allocated for your services are using a number that is less than the specified value. 
+This Policy ensures ME_CONFIG_MONGODB_ADMINPASSWORD environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_MONGODB_ADMINPASSWORD: The ME_CONFIG_MONGODB_ADMINPASSWORD environment variable sets the MongoDB admin password.
 
 
 ### How to solve?
-Use a port that is greater than or equal to what is specified in the Policy. 
-```
-spec:
-  ports:
-    - targetPort: <target_port>
-```
+If you encounter a violation, ensure the ME_CONFIG_MONGODB_ADMINPASSWORD environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.network-security
+weave.categories.access-control
 
 ### Severity
 high
 
 ### Targets
-{'kinds': ['Service']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'mitre-attack', 'hipaa']
 
 ### Parameters
-[{'name': 'target_port', 'type': 'integer', 'required': True, 'value': 1024}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_PORT
 
 ### ID
-weave.policies.mysql-enforce-random-root-password-env-var
+weave.policies.mongo-express-enforce-mongodb-port-env-var
 
 ### Description
-This Policy ensures MYSQL_RANDOM_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_RANDOM_ROOT_PASSWORD: The MYSQL_RANDOM_ROOT_PASSWORD environment variable creates random password for the server's root user when the Docker container is started.
+This Policy ensures ME_CONFIG_MONGODB_PORT environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_MONGODB_PORT: The ME_CONFIG_MONGODB_PORT environment variable sets the mongodb port
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_RANDOM_ROOT_PASSWORD environment variables is set.
-For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
+If you encounter a violation, ensure the ME_CONFIG_MONGODB_PORT environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -2684,30 +2727,43 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['pci-dss']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Prohibit Environment Variable - MARIADB_ALLOW_EMPTY_PASSWORD
+## Containers Not Using Runtime Default Seccomp Profile
 
 ### ID
-weave.policies.mariadb-prohibit-empty-password-env-var
+weave.policies.containers-not-using-runtime-default-seccomp-profile
 
 ### Description
-This Policy ensures MARIADB_ALLOW_EMPTY_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MARIADB_ALLOW_EMPTY_PASSWORD: MARIADB_ALLOW_EMPTY_PASSWORD set to true will allow the container to be started with a blank password for the root user
+This Policy checks for runtime/default seccomp annotation. 
+
+Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a Node to your Pods and containers.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_ALLOW_EMPTY_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+Depending on the version of Kubernetes, you either need to set an annotation or a seccomp type in your `securityContext`. 
+```
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: <seccomp_annotation>
+```
+AND
+```
+...
+  spec:
+    seccompProfile:
+      type: <seccomp_type>
+```
+https://kubernetes.io/docs/tutorials/clusters/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile
 
 
 ### Category
-weave.categories.access-control
+weave.categories.pod-security
 
 ### Severity
 high
@@ -2716,26 +2772,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['cis-benchmark', 'nist800-190', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'seccomp_annotation', 'type': 'string', 'required': True, 'value': 'runtime/default'}, {'name': 'seccomp_type', 'type': 'string', 'required': True, 'value': 'RuntimeDefault'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ORG
+## Postgres Enforce Environment Variable - POSTGRES_INITDB_ARGS
 
 ### ID
-weave.policies.influxdb-enforce-org-env-var
+weave.policies.postgres-enforce-initdb-args-env-var
 
 ### Description
-This Policy ensures DOCKER_INFLUXDB_INIT_ORG environment variable are in place when using the official container images from Docker Hub.
-DOCKER_INFLUXDB_INIT_ORG: The name to set for the system's initial organization (Required).
+This Policy ensures POSTGRES_INITDB_ARGS environment variable are in place when using the official container images from Docker Hub.
+POSTGRES_INITDB_ARGS:   The POSTGRES_INITDB_ARGS environment variable is used to send arguments to postgres initdb. The value is a space separated string of arguments as postgres initdb would expect them. This is useful for adding functionality like data page checksums: `-e POSTGRES_INITDB_ARGS="--data-checksums"`.
 
 
 ### How to solve?
-If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_ORG environment variables is set.
-For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
+If you encounter a violation, ensure the POSTGRES_INITDB_ARGS environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
 
 
 ### Category
@@ -2752,52 +2808,76 @@ high
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CERTFILE
+## Rbac Protect Cluster Admin Clusterrolebindings
 
 ### ID
-weave.policies.rabbitmq-enforce-ssl-cert-file-env-var
+weave.policies.rbac-protect-cluster-admin-clusterrolebindings
 
 ### Description
-This Policy ensures RABBITMQ_SSL_CERTFILE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SSL_CERTFILE: RABBITMQ_SSL_CERTFILE sets a path to the server certificate file. 
+This Policy allows you to select which groups you can set for Cluster-admin. The default policy checks for the 
+
+```
+subjects:
+- kind: Group
+  name: system:masters
+```
+
+`cluster-admin` allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself. Be selective when adding additional subjects. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SSL_CERTFILE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+Remove any kinds and names that are not consistent with the constraint. 
+```
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admin
+...
+subjects:
+- kind: Group
+  name: system:masters
+```  
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 
 
 ### Category
-weave.categories.network-security
+weave.categories.access-control
 
 ### Severity
 high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['ClusterRoleBinding']}
+
+### Tags
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'gdpr', 'hipaa', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'subjects_name', 'type': 'string', 'required': True, 'value': 'system:masters'}, {'name': 'subjects_kind', 'type': 'string', 'required': True, 'value': 'Group'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_ENABLED_PLUGINS_FILE
+## Container Running As User
 
 ### ID
-weave.policies.rabbitmq-enforce-enabled-plugins-env-var
+weave.policies.container-running-as-user
 
 ### Description
-This Policy ensures RABBITMQ_ENABLED_PLUGINS_FILE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_ENABLED_PLUGINS_FILE: This file records explicitly enabled plugins. When a plugin is enabled or disabled, this file will be recreated. It is important that effective RabbitMQ user has sufficient permissions to read, write and create this file at any time.
+Containers has a feature in which you specify the ID of the user which all processes in the container will run with. This Policy enforces that the `securityContext.runAsUser` attribute is set to a uid greater than root uid. Running as root user gives the container full access to all resources in the VM it is running on. Containers should not run with such access rights unless required by design. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_ENABLED_PLUGINS_FILE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+You should set `securityContext.runAsUser` uid to something greater than root uid. Not setting it will default to giving the container root user rights on the VM that it is running on. 
+```
+...
+  spec:
+    securityContext:
+      runAsUser: <uid>
+```
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.pod-security
 
 ### Severity
 high
@@ -2805,24 +2885,27 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'uid', 'type': 'integer', 'required': True, 'value': 0}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_OPTIONS_EDITORTHEME
+## RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_PASS
 
 ### ID
-weave.policies.mongo-express-enforce-editor-theme-env-var
+weave.policies.rabbitmq-enforce-default-pass-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_OPTIONS_EDITORTHEME environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_OPTIONS_EDITORTHEME: The ME_CONFIG_OPTIONS_EDITORTHEME environment variable sets the editor color theme, [more here](http://codemirror.net/demo/theme.html)
+This Policy ensures RABBITMQ_DEFAULT_PASS environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_DEFAULT_PASS: The RABBITMQ_DEFAULT_PASS environment variable sets the password for the default user.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_OPTIONS_EDITORTHEME environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the RABBITMQ_DEFAULT_PASS environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
@@ -2835,26 +2918,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME_FILE
+## MariaDB Enforce Environment Variable - MARIADB_INITDB_SKIP_TZINFO
 
 ### ID
-weave.policies.mongodb-enforce-root-username-file-env-var
+weave.policies.mariadb-enforce-initdb-skip-tzinfo-env-var
 
 ### Description
-This Policy ensures MONGO_INITDB_ROOT_USERNAME_FILE environment variable are in place when using the official container images from Docker Hub.
-MONGO_INITDB_ROOT_USERNAME_FILE: The MONGO_INITDB_ROOT_USERNAME_FILE environment variable is an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container.
+This Policy ensures MARIADB_INITDB_SKIP_TZINFO environment variable are in place when using the official container images from Docker Hub.
+MARIADB_INITDB_SKIP_TZINFO:   The MARIADB_INITDB_SKIP_TZINFO environment variable allows the skipping of timezone checking when initializing the DB.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MONGO_INITDB_ROOT_USERNAME_FILE environment variables is set.
-For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the MARIADB_INITDB_SKIP_TZINFO environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
@@ -2867,69 +2950,67 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Block All Egress Traffic
+## Containers Running With Unapproved Linux Capabilities
 
 ### ID
-weave.policies.block-all-egress-traffic
+weave.policies.containers-running-with-unapproved-linux-capabilities
 
 ### Description
-### Block all traffic
-If you are using a CNI that allows for Network Policies, you can use this Policy to block all Egress traffic between namespaces. 
+Linux capabilities provide a finer-grained breakdown of the privileges traditionally associated with the superuser. Not specifying those capabilities gives the container access to all OS capabilities which may result in exploiting the VM at which the container is running. The issue is reported when a container has `SYS_ADMIN`, `NET_RAW`, `NET_ADMIN`, or `ALL` capabilities. For this Policy, you can also exclude a namespace, such as `kube-system`. 
 
-By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace. 
+With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest.
 
 
 ### How to solve?
-Validate your use case and check network policies for traffic blocking. 
-
-https://kubernetes.io/docs/concepts/services-networking/network-policies/
+You should set the specific Linux capabilities that your container needs. Or you could simply remove from `capabilities` the values of `SYS_ADMIN`, `NET_ADMIN`, and `ALL`.
+```
+...
+  spec:
+    containers:
+    - securityContext:
+        capabilities:
+          add: ["SYS_ADMIN, "ALL", "NET_ADMIN"]
+```
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
-weave.categories.network-security
+weave.categories.pod-security
 
 ### Severity
-medium
+high
 
 ### Targets
-{'kinds': ['NetworkPolicy']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1']
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1', 'default']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}]
 
 ---
 
-## Prometheus Clusterrolebinding Has Incorrect Bindings
+## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_USERNAME_FILE
 
 ### ID
-weave.policies.prometheus-clusterrolebinding-has-incorrect-bindings
+weave.policies.mongodb-enforce-root-username-file-env-var
 
 ### Description
-This Policy checks to see if the Prometheus Cluster Role Binding is bound to a `ClusterRole`, and is tied to a `ServiceAccount` name containing text of your choosing. The default policy is set for search for the Service Account name containing the word `prometheus`. 
+This Policy ensures MONGO_INITDB_ROOT_USERNAME_FILE environment variable are in place when using the official container images from Docker Hub.
+MONGO_INITDB_ROOT_USERNAME_FILE: The MONGO_INITDB_ROOT_USERNAME_FILE environment variable is an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container.
 
 
 ### How to solve?
-Ensure the subject name you specify in the Policy matches what you are deploying. 
-```
-kind: ClusterRoleBinding
-metadata:
-  name: prometheus
-...
-subjects:
-- kind: ServiceAccount
-  name: prometheus
-```
-https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+If you encounter a violation, ensure the MONGO_INITDB_ROOT_USERNAME_FILE environment variables is set.
+For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
@@ -2939,33 +3020,38 @@ weave.categories.access-control
 high
 
 ### Targets
-{'kinds': ['ClusterRoleBinding']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'hipaa', 'soc2-type1']
+['pci-dss', 'mitre-attack', 'hipaa']
 
 ### Parameters
-[{'name': 'prometheus_subject_name', 'type': 'string', 'required': True, 'value': 'prometheus'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_BASE
+## Containers Missing Security Context
 
 ### ID
-weave.policies.rabbitmq-enforce-mnesia-base-env-var
+weave.policies.containers-missing-security-context
 
 ### Description
-This Policy ensures RABBITMQ_MNESIA_BASE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_MNESIA_BASE: This base directory contains sub-directories for the RabbitMQ server's node database, message store and cluster state files, one for each node, unless RABBITMQ_MNESIA_DIR is set explicitly. It is important that effective RabbitMQ user has sufficient permissions to read, write and create files and subdirectories in this directory at any time. This variable is typically not overridden. Usually RABBITMQ_MNESIA_DIR is overridden instead.
+This Policy checks if the container is missing securityContext while there is no securityContext defined on the Pod level as well. The security settings that are specified on the Pod level apply to all containers in the Pod.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_MNESIA_BASE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+Make sure you secure your containers by specifying a `securityContext` whether on each container or on the Pod level. The security settings that you specify on the Pod level apply to all containers in the Pod.
+```
+...
+  spec:
+    securityContext:
+      <securityContext attributes>
+```
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.pod-security
 
 ### Severity
 high
@@ -2973,105 +3059,110 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Container Image Pull Policy
+## Controller ServiceAccount Tokens Automount
 
 ### ID
-weave.policies.container-image-pull-policy
+weave.policies.controller-serviceaccount-tokens-automount
 
 ### Description
-This Policy is to ensure you are setting a value for your `imagePullPolicy`. 
-
-The `imagePullPolicy` and the tag of the image affect when the kubelet attempts to pull the specified image.
-
-`imagePullPolicy`: IfNotPresent: the image is pulled only if it is not already present locally.
-
-`imagePullPolicy`: Always: every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet downloads (pulls) the image with the resolved digest, and uses that image to launch the container.
+This Policy allows for the option of enabling or disabling Service Accounts that are created for a Pod. The recommended practice is to set the `automount_token` to `false.  
 
-`imagePullPolicy` is omitted and either the image tag is :latest or it is omitted: `imagePullPolicy` is automatically set to Always. Note that this will not be updated to IfNotPresent if the tag changes value.
+When a pod is created without specifying a service account, it is automatically assigned the default service account in the same namespace. This is a security concern because a compromised container can access the API using automatically mounted service account credentials. The API permissions of the service account depend on the authorization plugin and policy in use, but could possibly create and delete pods. 
 
-`imagePullPolicy` is omitted and the image tag is present but not :latest: `imagePullPolicy` is automatically set to IfNotPresent. Note that this will not be updated to Always if the tag is later removed or changed to :latest.
+We recommend setting the `automount_token` to `false`. 
 
-`imagePullPolicy`: Never: the image is assumed to exist locally. No attempt is made to pull the image.
+In version 1.6+, you can opt out of automounting API credentials for a particular pod.
 
 
 ### How to solve?
-Ensure you have an imagePullPolicy set that matches your policy. 
+Ensure the setting in the Policy matches the Service Account declaration in the controller. 
 ```
 ...
   spec:
-    containers:
-    - imagePullPolicy: <policy>
+    automountServiceAccountToken: false
 ```
-https://kubernetes.io/docs/concepts/configuration/overview/#container-images
+
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
 
 
 ### Category
-weave.categories.software-supply-chain
+weave.categories.access-control
 
 ### Severity
-medium
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'cis-benchmark', 'mitre-attack', 'hipaa', 'gdpr', 'default', 'soc2-type1']
+
 ### Parameters
-[{'name': 'policy', 'type': 'string', 'required': True, 'value': 'Always'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'automount_token', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Enforce Restart Policy
+## Postgres Enforce Environment Variable - POSTGRES_HOST_AUTH_METHOD
 
 ### ID
-weave.policies.containers-enforce-restart-policy
+weave.policies.postgres-enforce-auth-method-env-var
 
 ### Description
-This Policy checks if a specific restartPolicy is configured in your workloads.
+This Policy ensures POSTGRES_HOST_AUTH_METHOD environment variable are in place when using the official container images from Docker Hub.
+POSTGRES_HOST_AUTH_METHOD: The POSTGRES_HOST_AUTH_METHOD environment variable is used to control the auth-method for host connections for all databases, all users, and all addresses. If unspecified then md5 password authentication is used. 
 
 
 ### How to solve?
-Ensure the restartPolicy is set to some specific policy in your workloads. 
-```
-...
-  spec:
-    restartPolicy: <policy>
-```
+If you encounter a violation, ensure the POSTGRES_HOST_AUTH_METHOD environment variables is set.
+For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
-medium
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
-[{'name': 'restart_policy', 'type': 'string', 'required': True, 'value': 'Always'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_ROOT_PASSWORD
+## Prometheus Clusterrolebinding Has Incorrect Bindings
 
 ### ID
-weave.policies.mysql-enforce-root-password-env-var
+weave.policies.prometheus-clusterrolebinding-has-incorrect-bindings
 
 ### Description
-This Policy ensures MYSQL_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_ROOT_PASSWORD: The MYSQL_ROOT_PASSWORD environment variable specifies a password for the MySQL root account. 
+This Policy checks to see if the Prometheus Cluster Role Binding is bound to a `ClusterRole`, and is tied to a `ServiceAccount` name containing text of your choosing. The default policy is set for search for the Service Account name containing the word `prometheus`. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_ROOT_PASSWORD environment variables is set.
-For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
+Ensure the subject name you specify in the Policy matches what you are deploying. 
+```
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus
+...
+subjects:
+- kind: ServiceAccount
+  name: prometheus
+```
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 
 
 ### Category
@@ -3081,62 +3172,100 @@ weave.categories.access-control
 high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['ClusterRoleBinding']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['pci-dss', 'hipaa', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'prometheus_subject_name', 'type': 'string', 'required': True, 'value': 'prometheus'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MYSQL Enforce Environment Variable - MYSQL_INITDB_SKIP_TZINFO
+## Missing Kubernetes App Label
 
 ### ID
-weave.policies.mysql-enforce-skip-tzinfo-env-var
+weave.policies.missing-kubernetes-app-label
 
 ### Description
-This Policy ensures MYSQL_INITDB_SKIP_TZINFO environment variable are in place when using the official container images from Docker Hub.
-MYSQL_INITDB_SKIP_TZINFO: The MYSQL_INITDB_SKIP_TZINFO environment variable allows the skipping of timezone checking when initializing the DB.
+Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
+
+### owner
+A label key of `owner` will help identify who the owner of this entity is. 
+
+### app.kubernetes.io/name
+The name of the application	
+
+### app.kubernetes.io/instance
+A unique name identifying the instance of an application	  
+
+### app.kubernetes.io/version
+The current version of the application (e.g., a semantic version, revision hash, etc.)
+
+### app.kubernetes.io/part-of
+The name of a higher level application this one is part of	
+
+### app.kubernetes.io/managed-by
+The tool being used to manage the operation of an application	
+
+### app.kubernetes.io/created-by
+The controller/user who created this resource
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_INITDB_SKIP_TZINFO environment variables is set.
-For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
+Add these custom labels to `metadata`.
+* owner
+* app.kubernetes.io/name
+* app.kubernetes.io/instance
+* app.kubernetes.io/version
+* app.kubernetes.io/name
+* app.kubernetes.io/part-of
+* app.kubernetes.io/managed-by
+* app.kubernetes.io/created-by
+
+```
+metadata:
+  labels:
+    <label>: value
+```  
+For additional information, please check
+* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
 weave.categories.organizational-standards
 
 ### Severity
-high
+low
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+[]
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MARIADB_INITDB_SKIP_TZINFO
+## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_USERNAME
 
 ### ID
-weave.policies.mariadb-enforce-initdb-skip-tzinfo-env-var
+weave.policies.influxdb-enforce-username-env-var
 
 ### Description
-This Policy ensures MARIADB_INITDB_SKIP_TZINFO environment variable are in place when using the official container images from Docker Hub.
-MARIADB_INITDB_SKIP_TZINFO:   The MARIADB_INITDB_SKIP_TZINFO environment variable allows the skipping of timezone checking when initializing the DB.
+This Policy ensures DOCKER_INFLUXDB_INIT_USERNAME environment variable are in place when using the official container images from Docker Hub.
+DOCKER_INFLUXDB_INIT_USERNAME: The username to set for the system's initial super-user (Required).
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_INITDB_SKIP_TZINFO environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_USERNAME environment variables is set.
+For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -3144,36 +3273,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Missing Security Context
+## MariaDB Enforce Environment Variable - MYSQL_PASSWORD
 
 ### ID
-weave.policies.containers-missing-security-context
+weave.policies.mariadb-enforce-mysql-password-env-var
 
 ### Description
-This Policy checks if the container is missing securityContext while there is no securityContext defined on the Pod level as well. The security settings that are specified on the Pod level apply to all containers in the Pod.
+This Policy ensures MYSQL_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_PASSWORD: The MYSQL_PASSWORD environment variable specifies a password for MARIADB_USER user.
 
 
 ### How to solve?
-Make sure you secure your containers by specifying a `securityContext` whether on each container or on the Pod level. The security settings that you specify on the Pod level apply to all containers in the Pod.
-```
-...
-  spec:
-    securityContext:
-      <securityContext attributes>
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+If you encounter a violation, ensure the MYSQL_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -3182,129 +3303,114 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MARIADB_RANDOM_ROOT_PASSWORD
+## Containers Should Not Run On Kubernetes Control Plane Nodes
 
 ### ID
-weave.policies.mariadb-enforce-random-root-password-env-var
+weave.policies.containers-should-not-run-on-kubernetes-control-plane-nodes
 
 ### Description
-This Policy ensures MARIADB_RANDOM_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MARIADB_RANDOM_ROOT_PASSWORD:   The MARIADB_RANDOM_ROOT_PASSWORD environment variable creates random password for the server's root user when the Docker container is started.
+Tolerations specified in the Policies for this template should not have any workloads scheduled on them. A common use case is the Kubernetes master. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_RANDOM_ROOT_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+Check your tolerations against the Policy. 
+```
+...
+  spec:
+    tolerations:
+    - key: <toleration_key>
+```
+
+https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
 
 
 ### Category
-weave.categories.access-control
+weave.categories.capacity-management
 
 ### Severity
-high
+medium
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+['soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'toleration_key', 'type': 'string', 'required': True, 'value': 'node-role.kubernetes.io/master'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Kubernetes App Part Of Label
+## Container Image Pull Policy
 
 ### ID
-weave.policies.missing-kubernetes-app-part-of-label
+weave.policies.container-image-pull-policy
 
 ### Description
-Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
-
-### owner
-A label key of `owner` will help identify who the owner of this entity is. 
+This Policy is to ensure you are setting a value for your `imagePullPolicy`. 
 
-### app.kubernetes.io/name
-The name of the application	
+The `imagePullPolicy` and the tag of the image affect when the kubelet attempts to pull the specified image.
 
-### app.kubernetes.io/instance
-A unique name identifying the instance of an application	  
+`imagePullPolicy`: IfNotPresent: the image is pulled only if it is not already present locally.
 
-### app.kubernetes.io/version
-The current version of the application (e.g., a semantic version, revision hash, etc.)
+`imagePullPolicy`: Always: every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet downloads (pulls) the image with the resolved digest, and uses that image to launch the container.
 
-### app.kubernetes.io/part-of
-The name of a higher level application this one is part of	
+`imagePullPolicy` is omitted and either the image tag is :latest or it is omitted: `imagePullPolicy` is automatically set to Always. Note that this will not be updated to IfNotPresent if the tag changes value.
 
-### app.kubernetes.io/managed-by
-The tool being used to manage the operation of an application	
+`imagePullPolicy` is omitted and the image tag is present but not :latest: `imagePullPolicy` is automatically set to IfNotPresent. Note that this will not be updated to Always if the tag is later removed or changed to :latest.
 
-### app.kubernetes.io/created-by
-The controller/user who created this resource	
+`imagePullPolicy`: Never: the image is assumed to exist locally. No attempt is made to pull the image.
 
 
 ### How to solve?
-Add these custom labels to `metadata`.
-* owner
-* app.kubernetes.io/name
-* app.kubernetes.io/instance
-* app.kubernetes.io/version
-* app.kubernetes.io/name
-* app.kubernetes.io/part-of
-* app.kubernetes.io/managed-by
-* app.kubernetes.io/created-by
-
+Ensure you have an imagePullPolicy set that matches your policy. 
 ```
-metadata:
-  labels:
-    <label>: value
-```  
-For additional information, please check
-* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
+...
+  spec:
+    containers:
+    - imagePullPolicy: <policy>
+```
+https://kubernetes.io/docs/concepts/configuration/overview/#container-images
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.software-supply-chain
 
 ### Severity
-low
+medium
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-[]
-
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'policy', 'type': 'string', 'required': True, 'value': 'Always'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MARIADB_ROOT_PASSWORD
+## RabbitMQ Enforce Environment Variable - RABBITMQ_MNESIA_DIR
 
 ### ID
-weave.policies.mariadb-enforce-root-password-env-var
+weave.policies.rabbitmq-enforce-mnesia-dir-env-var
 
 ### Description
-This Policy ensures MARIADB_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MARIADB_ROOT_PASSWORD: The MARIADB_ROOT_PASSWORD environment variable specifies a password for the MARIADB root account. 
+This Policy ensures RABBITMQ_MNESIA_DIR environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_MNESIA_DIR: The directory where this RabbitMQ node's data is stored. This s a schema database, message stores, cluster member information and other persistent node state.
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_ROOT_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the RABBITMQ_MNESIA_DIR environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -3312,31 +3418,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_GENERATED_CONFIG_DIR
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_CERTFILE
 
 ### ID
-weave.policies.rabbitmq-enforce-generated-config-dir-env-var
+weave.policies.rabbitmq-enforce-ssl-cert-file-env-var
 
 ### Description
-This Policy ensures RABBITMQ_GENERATED_CONFIG_DIR environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_GENERATED_CONFIG_DIR: The directory where RabbitMQ writes its generated configuration files.
+This Policy ensures RABBITMQ_SSL_CERTFILE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SSL_CERTFILE: RABBITMQ_SSL_CERTFILE sets a path to the server certificate file. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_GENERATED_CONFIG_DIR environment variables is set.
+If you encounter a violation, ensure the RABBITMQ_SSL_CERTFILE environment variables is set.
 For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.network-security
 
 ### Severity
 high
@@ -3349,127 +3452,84 @@ high
 
 ---
 
-## Prohibit Naked Pods From Being Scheduled
+## RabbitMQ Enforce Environment Variable - RABBITMQ_PID_FILE
 
 ### ID
-weave.policies.prohibit-naked-pods-from-being-scheduled
+weave.policies.rabbitmq-enforce-pid-file-env-var
 
 ### Description
-This Policy checks for a `kind` and can prohibit it from being schedule to your cluster. A common example is running "naked" pods. 
+This Policy ensures RABBITMQ_PID_FILE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_PID_FILE: File in which the process id is placed for use by rabbitmqctl wait.
 
 
 ### How to solve?
-Ensure you are not using a kind that is specified within the Policy.
-```
-kind: <kind>
-```
-
-https://kubernetes.io/docs/concepts/configuration/overview/#naked-pods-vs-replicasets-deployments-and-jobs
+If you encounter a violation, ensure the RABBITMQ_PID_FILE environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
 weave.categories.organizational-standards
 
 ### Severity
-medium
+high
 
 ### Targets
-{'kinds': ['Pod']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['cis-benchmark']
+### Parameters
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Kubernetes App Instance Label
+## MariaDB Enforce Environment Variable - MARIADB_DATABASE
 
 ### ID
-weave.policies.missing-kubernetes-app-instance-label
+weave.policies.mariadb-enforce-database-env-var
 
 ### Description
-Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
-
-### owner
-A label key of `owner` will help identify who the owner of this entity is. 
-
-### app.kubernetes.io/name
-The name of the application	
-
-### app.kubernetes.io/instance
-A unique name identifying the instance of an application	  
-
-### app.kubernetes.io/version
-The current version of the application (e.g., a semantic version, revision hash, etc.)
-
-### app.kubernetes.io/part-of
-The name of a higher level application this one is part of	
-
-### app.kubernetes.io/managed-by
-The tool being used to manage the operation of an application	
-
-### app.kubernetes.io/created-by
-The controller/user who created this resource
+This Policy ensures MARIADB_DATABASE environment variable are in place when using the official container images from Docker Hub.
+MARIADB_DATABASE:   The MARIADB_DATABASE environment variable sets a default MARIADB database instance up with the name of that DB being the value of  environment variable. 
 
 
 ### How to solve?
-Add these custom labels to `metadata`.
-* owner
-* app.kubernetes.io/name
-* app.kubernetes.io/instance
-* app.kubernetes.io/version
-* app.kubernetes.io/name
-* app.kubernetes.io/part-of
-* app.kubernetes.io/managed-by
-* app.kubernetes.io/created-by
-
-```
-metadata:
-  labels:
-    <label>: value
-```  
-For additional information, please check
-* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
+If you encounter a violation, ensure the MARIADB_DATABASE environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
-low
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Container Running As User
+## MariaDB Enforce Environment Variable - MYSQL_DATABASE
 
 ### ID
-weave.policies.container-running-as-user
+weave.policies.mariadb-enforce-mysql-database-env-var
 
 ### Description
-Containers has a feature in which you specify the ID of the user which all processes in the container will run with. This Policy enforces that the `securityContext.runAsUser` attribute is set to a uid greater than root uid. Running as root user gives the container full access to all resources in the VM it is running on. Containers should not run with such access rights unless required by design. 
+This Policy ensures MYSQL_DATABASE environment variable are in place when using the official container images from Docker Hub.
+MYSQL_DATABASE:   The MYSQL_DATABASE environment variable sets a default MARIADB database instance up with the name of that DB being the value of  environment variable. 
 
 
 ### How to solve?
-You should set `securityContext.runAsUser` uid to something greater than root uid. Not setting it will default to giving the container root user rights on the VM that it is running on. 
-```
-...
-  spec:
-    securityContext:
-      runAsUser: <uid>
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+If you encounter a violation, ensure the MYSQL_DATABASE environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -3478,35 +3538,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
-[{'name': 'uid', 'type': 'integer', 'required': True, 'value': 0}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Container Block Sysctls
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_KEY_PATH
 
 ### ID
-weave.policies.container-block-sysctl
+weave.policies.mongo-express-enforce-ssl-key-path-env-var
 
 ### Description
-Setting sysctls can allow containers unauthorized escalated privileges to a Kubernetes node. 
+This Policy ensures ME_CONFIG_SITE_SSL_KEY_PATH environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_SITE_SSL_KEY_PATH: The ME_CONFIG_SITE_SSL_KEY_PATH environment variable sets the SSL Key file path. 
 
 
 ### How to solve?
-You should not set  `securityContext.sysctls` 
-```
-...
-  spec:
-    securityContext:
-      sysctls
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+If you encounter a violation, ensure the ME_CONFIG_SITE_SSL_KEY_PATH environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.network-security
 
 ### Severity
 high
@@ -3515,166 +3570,113 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'default']
+['pci-dss']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': ['kube-system']}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Missing Startup Probe
+## MariaDB Enforce Environment Variable - MARIADB_RANDOM_ROOT_PASSWORD
 
 ### ID
-weave.policies.containers-missing-startup-probe
+weave.policies.mariadb-enforce-random-root-password-env-var
 
 ### Description
-This Policy detects whether or not a startupProbe has been set for containers. Containers probes are:
-
-### liveness 
-The kubelet uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs.
-
-### readiness
-The kubelet uses readiness probes to know when a container is ready to start accepting traffic. A Pod is considered ready when all of its containers are ready. One use of this signal is to control which Pods are used as backends for Services. When a Pod is not ready, it is removed from Service load balancers.
-
-### startup
-The kubelet uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by the kubelet before they are up and running.
+This Policy ensures MARIADB_RANDOM_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MARIADB_RANDOM_ROOT_PASSWORD:   The MARIADB_RANDOM_ROOT_PASSWORD environment variable creates random password for the server's root user when the Docker container is started.
 
 
 ### How to solve?
-Check your entities to see if a probe has been set. 
-```
-...
-  spec:
-    containers:
-    - startupProbe:
-      ...
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+If you encounter a violation, ensure the MARIADB_RANDOM_ROOT_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.reliability
+weave.categories.access-control
 
 ### Severity
-medium
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Block All Ingress Traffic
+## RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_VHOST
 
 ### ID
-weave.policies.block-all-ingress-traffic
+weave.policies.rabbitmq-enforce-default-vhost-env-var
 
 ### Description
-### Block all traffic
-If you are using a CNI that allows for Network Policies, you can use this Policy to block all Ingress traffic between namespaces. 
-
-By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace. 
+This Policy ensures RABBITMQ_DEFAULT_VHOST environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_DEFAULT_VHOST: RABBITMQ_DEFAULT_VHOST sets a Virtual host to create from scratch.
 
 
 ### How to solve?
-Validate your use case and check network policies for traffic blocking. 
-
-https://kubernetes.io/docs/concepts/services-networking/network-policies/
+If you encounter a violation, ensure the RABBITMQ_DEFAULT_VHOST environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
 weave.categories.network-security
 
 ### Severity
-medium
+high
 
 ### Targets
-{'kinds': ['NetworkPolicy']}
-
-### Tags
-['pci-dss', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1']
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Kubernetes App Created By Label
+## Services Restrict Protocols
 
 ### ID
-weave.policies.missing-kubernetes-app-created-by-label
+weave.policies.services-restrict-protocols
 
 ### Description
-Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
-
-### owner
-A label key of `owner` will help identify who the owner of this entity is. 
-
-### app.kubernetes.io/name
-The name of the application	
-
-### app.kubernetes.io/instance
-A unique name identifying the instance of an application	  
-
-### app.kubernetes.io/version
-The current version of the application (e.g., a semantic version, revision hash, etc.)
-
-### app.kubernetes.io/part-of
-The name of a higher level application this one is part of	
-
-### app.kubernetes.io/managed-by
-The tool being used to manage the operation of an application	
-
-### app.kubernetes.io/created-by
-The controller/user who created this resource	
+This Policy specifies what protocols should set for your Service. Any protocol not listed in this Policy will be in violation. 
 
 
 ### How to solve?
-Add these custom labels to `metadata`.
-* owner
-* app.kubernetes.io/name
-* app.kubernetes.io/instance
-* app.kubernetes.io/version
-* app.kubernetes.io/name
-* app.kubernetes.io/part-of
-* app.kubernetes.io/managed-by
-* app.kubernetes.io/created-by
-
+Use a protocol that is specified in the Policy. 
+```
+spec:
+  ports:
+    - protocol: <protocols>
 ```
-metadata:
-  labels:
-    <label>: value
-```  
-For additional information, please check
-* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.network-security
 
 ### Severity
-low
+high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['Service']}
 
 ### Tags
-[]
+['pci-dss', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'protocols', 'type': 'string', 'required': True, 'value': 'HTTPS'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD
+## MYSQL Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD
 
 ### ID
-weave.policies.mariadb-enforce-mysql-random-root-password-env-var
+weave.policies.mysql-enforce-random-root-password-env-var
 
 ### Description
 This Policy ensures MYSQL_RANDOM_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
@@ -3683,7 +3685,7 @@ MYSQL_RANDOM_ROOT_PASSWORD: The MYSQL_RANDOM_ROOT_PASSWORD environment variable
 
 ### How to solve?
 If you encounter a violation, ensure the MYSQL_RANDOM_ROOT_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
@@ -3703,45 +3705,47 @@ high
 
 ---
 
-## Block Workloads Created Without Specifying Namespace
+## Containers Block Ssh Port
 
 ### ID
-weave.policies.block-workloads-created-without-specifying-namespace
+weave.policies.containers-block-ssh-port
 
 ### Description
-Using this Policy, you can prohibit workloads from being created in a default namespace due to the lack of a namespace label. 
+This Policy checks if the container is exposing ssh port.
 
 
 ### How to solve?
-Specify a `namespace` label. 
+Make sure you are not exposing ssh port on containers.
 ```
-metadata:
-  namespace:
+...
+  spec:
+    containers:
+      ports:
+      - containerPort: <port>
 ```
-https://kubernetes.io/docs/tasks/administer-cluster/namespaces/#understanding-the-motivation-for-using-namespaces
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.network-security
 
 ### Severity
-low
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss']
 
 ### Parameters
-[{'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'container_port', 'type': 'integer', 'required': True, 'value': 22}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Missing Kubernetes App Managed By Label
+## Missing Kubernetes App Instance Label
 
 ### ID
-weave.policies.missing-kubernetes-app-managed-by-label
+weave.policies.missing-kubernetes-app-instance-label
 
 ### Description
 Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
@@ -3765,7 +3769,7 @@ The name of a higher level application this one is part of
 The tool being used to manage the operation of an application	
 
 ### app.kubernetes.io/created-by
-The controller/user who created this resource	
+The controller/user who created this resource
 
 
 ### How to solve?
@@ -3805,103 +3809,23 @@ low
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_KEY_PATH
-
-### ID
-weave.policies.mongo-express-enforce-ssl-key-path-env-var
-
-### Description
-This Policy ensures ME_CONFIG_SITE_SSL_KEY_PATH environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_SITE_SSL_KEY_PATH: The ME_CONFIG_SITE_SSL_KEY_PATH environment variable sets the SSL Key file path. 
-
-
-### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_SITE_SSL_KEY_PATH environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
-
-
-### Category
-weave.categories.network-security
-
-### Severity
-high
-
-### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
-
-### Tags
-['pci-dss']
-
-### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
-
----
-
-## Containers Sharing Host IPC
-
-### ID
-weave.policies.containers-sharing-host-ipc
-
-### Description
-This Policy allows check if sharing host IPC namespace with the container should be allowed or not. Resources that can be shared with the container include:
-
-### hostNetwork
-Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
-
-### hostPID
-Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
-
-### shareProcessNamespace
-When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
-
-### hostIPC
-Controls whether the pod containers can share the host IPC namespace.
-
-
-### How to solve?
-Match the shared resource with either true or false, as set in your constraint. 
-```
-...
-  spec:
-    <shared_resource>: <resource_enabled>
-```
-https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
-
-
-### Category
-weave.categories.pod-security
-
-### Severity
-high
-
-### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
-
-### Tags
-['nist800-190', 'gdpr', 'default']
-
-### Parameters
-[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
-
----
-
-## RabbitMQ Enforce Environment Variable - RABBITMQ_VM_MEMORY_HIGH_WATERMARK
+## RabbitMQ Enforce Environment Variable - RABBITMQ_DEFAULT_USER
 
 ### ID
-weave.policies.rabbitmq-enforce-vm-memory-env-var
+weave.policies.rabbitmq-enforce-default-user-env-var
 
 ### Description
-This Policy ensures RABBITMQ_VM_MEMORY_HIGH_WATERMARK environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_VM_MEMORY_HIGH_WATERMARK: The RABBITMQ_VM_MEMORY_HIGH_WATERMARK environment variable sets the memory threshold at which the flow control is triggered. Can be absolute or relative to the amount of RAM available to the OS.
+This Policy ensures RABBITMQ_DEFAULT_USER environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_DEFAULT_USER: The RABBITMQ_DEFAULT_USER environment variable sets the User name to create when RabbitMQ creates a new database from scratch.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_VM_MEMORY_HIGH_WATERMARK environment variables is set.
+If you encounter a violation, ensure the RABBITMQ_DEFAULT_USER environment variables is set.
 For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -3909,28 +3833,39 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'hipaa', 'gdpr']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ENABLE_ADMIN
+## Containers Using Hostport
 
 ### ID
-weave.policies.mongo-express-enforce-enable-admin-env-var
+weave.policies.containers-using-hostport
 
 ### Description
-This Policy ensures ME_CONFIG_MONGODB_ENABLE_ADMIN environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_MONGODB_ENABLE_ADMIN: The ME_CONFIG_MONGODB_ENABLE_ADMIN environment variable enables admin access to all databases. Send strings: `"true"` or `"false"`
+This Policy checks if `hostPort` is set. When `hostPort` is set, a Pod is bound to a hostPort and limits the number of places the Pod can be scheduled. That's because each <hostIP, hostPort, protocol> combination must be unique. If you don't specify the hostIP and protocol explicitly, Kubernetes will use 0.0.0.0 as the default hostIP and TCP as the default protocol.
+
+Don't specify a hostPort for a Pod unless it is absolutely necessary.  
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_MONGODB_ENABLE_ADMIN environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+Try avoid setting `hostPort` in your spec. 
+```
+...
+  spec:
+    containers:
+    - ports:
+      - hostPort: 8080
+```
+https://kubernetes.io/docs/concepts/configuration/overview/#services
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
 high
@@ -3939,30 +3874,30 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss', 'nist800-190']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'host_port', 'type': 'string', 'required': True, 'value': 'hostPort'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MARIADB_PASSWORD
+## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_ORG
 
 ### ID
-weave.policies.mariadb-enforce-password-env-var
+weave.policies.influxdb-enforce-org-env-var
 
 ### Description
-This Policy ensures MARIADB_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MARIADB_PASSWORD: The MARIADB_PASSWORD environment variable specifies a password for MARIADB_USER user.
+This Policy ensures DOCKER_INFLUXDB_INIT_ORG environment variable are in place when using the official container images from Docker Hub.
+DOCKER_INFLUXDB_INIT_ORG: The name to set for the system's initial organization (Required).
 
 
 ### How to solve?
-If you encounter a violation, ensure the MARIADB_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_ORG environment variables is set.
+For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -3970,31 +3905,28 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_PORT
+## RabbitMQ Enforce Environment Variable - RABBITMQ_LOG_BASE
 
 ### ID
-weave.policies.mongo-express-enforce-mongodb-port-env-var
+weave.policies.rabbitmq-enforce-log-base-env-var
 
 ### Description
-This Policy ensures ME_CONFIG_MONGODB_PORT environment variable are in place when using the official container images from Docker Hub.
-ME_CONFIG_MONGODB_PORT: The ME_CONFIG_MONGODB_PORT environment variable sets the mongodb port
+This Policy ensures RABBITMQ_LOG_BASE environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_LOG_BASE: This base directory contains the RabbitMQ server's log files, unless RABBITMQ_LOGS is set.
 
 
 ### How to solve?
-If you encounter a violation, ensure the ME_CONFIG_MONGODB_PORT environment variables is set.
-For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
+If you encounter a violation, ensure the RABBITMQ_LOG_BASE environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
-weave.categories.network-security
+weave.categories.organizational-standards
 
 ### Severity
 high
@@ -4002,55 +3934,58 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
-### Tags
-['pci-dss']
-
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_KEYFILE
+## Block All Ingress Traffic
 
 ### ID
-weave.policies.rabbitmq-enforce-ssl-keyfile-env-var
+weave.policies.block-all-ingress-traffic
 
 ### Description
-This Policy ensures RABBITMQ_SSL_KEYFILE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SSL_KEYFILE: The RABBITMQ_SSL_KEYFILE sets a path for the server private key file.
+### Block all traffic
+If you are using a CNI that allows for Network Policies, you can use this Policy to block all Ingress traffic between namespaces. 
+
+By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SSL_KEYFILE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+Validate your use case and check network policies for traffic blocking. 
+
+https://kubernetes.io/docs/concepts/services-networking/network-policies/
 
 
 ### Category
 weave.categories.network-security
 
 ### Severity
-high
+medium
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['NetworkPolicy']}
+
+### Tags
+['pci-dss', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT
+## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_DEPTH
 
 ### ID
-weave.policies.rabbitmq-enforce-fail-if-no-peer-cert-env-var
+weave.policies.rabbitmq-enforce-ssl-depth-env-var
 
 ### Description
-This Policy ensures RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT: RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT when set to true, TLS connection will be rejected if client fails to provide a certificate.
+This Policy ensures RABBITMQ_SSL_DEPTH environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_SSL_DEPTH: RABBITMQ_SSL_DEPTH is the maximum number of non-self-issued intermediate certificates that may follow the peer certificate in a valid certification path.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT environment variables is set.
+If you encounter a violation, ensure the RABBITMQ_SSL_DEPTH environment variables is set.
 For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
@@ -4068,23 +4003,23 @@ high
 
 ---
 
-## InfluxDB Enforce Environment Variable - DOCKER_INFLUXDB_INIT_BUCKET
+## MYSQL Enforce Environment Variable - MYSQL_ROOT_PASSWORD
 
 ### ID
-weave.policies.influxdb-enforce-bucket-env-var
+weave.policies.mysql-enforce-root-password-env-var
 
 ### Description
-This Policy ensures DOCKER_INFLUXDB_INIT_BUCKET environment variable are in place when using the official container images from Docker Hub.
-DOCKER_INFLUXDB_INIT_BUCKET: The name to set for the system's initial bucket (Required).
+This Policy ensures MYSQL_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_ROOT_PASSWORD: The MYSQL_ROOT_PASSWORD environment variable specifies a password for the MySQL root account. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the DOCKER_INFLUXDB_INIT_BUCKET environment variables is set.
-For futher information about the InfluxDB Docker container, check here: https://hub.docker.com/_/influxdb
+If you encounter a violation, ensure the MYSQL_ROOT_PASSWORD environment variables is set.
+For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -4092,28 +4027,31 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SSL_DEPTH
+## MariaDB Enforce Environment Variable - MARIADB_USER
 
 ### ID
-weave.policies.rabbitmq-enforce-ssl-depth-env-var
+weave.policies.mariadb-enforce-user-env-var
 
 ### Description
-This Policy ensures RABBITMQ_SSL_DEPTH environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SSL_DEPTH: RABBITMQ_SSL_DEPTH is the maximum number of non-self-issued intermediate certificates that may follow the peer certificate in a valid certification path.
+This Policy ensures MARIADB_USER environment variable are in place when using the official container images from Docker Hub.
+MARIADB_USER: The MARIADB_USER environment variable sets up a superuser with the same name.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SSL_DEPTH environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the MARIADB_USER environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
-weave.categories.network-security
+weave.categories.access-control
 
 ### Severity
 high
@@ -4121,56 +4059,62 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MongoDB Enforce Environment Variable - MONGO_INITDB_ROOT_PASSWORD_FILE
+## Block All Egress Traffic
 
 ### ID
-weave.policies.mongodb-enforce-root-password-file-env-var
+weave.policies.block-all-egress-traffic
 
 ### Description
-This Policy ensures MONGO_INITDB_ROOT_PASSWORD_FILE environment variable are in place when using the official container images from Docker Hub.
-MONGO_INITDB_ROOT_PASSWORD_FILE: The MONGO_INITDB_ROOT_PASSWORD_FILE environment variable is an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container.
+### Block all traffic
+If you are using a CNI that allows for Network Policies, you can use this Policy to block all Egress traffic between namespaces. 
+
+By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MONGO_INITDB_ROOT_PASSWORD_FILE environment variables is set.
-For futher information about the MongoDB Docker container, check here: https://hub.docker.com/_/mariadb
+Validate your use case and check network policies for traffic blocking. 
+
+https://kubernetes.io/docs/concepts/services-networking/network-policies/
 
 
 ### Category
-weave.categories.access-control
+weave.categories.network-security
 
 ### Severity
-high
+medium
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['NetworkPolicy']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa']
+['pci-dss', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Postgres Enforce Environment Variable - POSTGRES_INITDB_ARGS
+## RabbitMQ Enforce Environment Variable - RABBITMQ_PLUGINS_DIR
 
 ### ID
-weave.policies.postgres-enforce-initdb-args-env-var
+weave.policies.rabbitmq-enforce-plugins-dir-env-var
 
 ### Description
-This Policy ensures POSTGRES_INITDB_ARGS environment variable are in place when using the official container images from Docker Hub.
-POSTGRES_INITDB_ARGS:   The POSTGRES_INITDB_ARGS environment variable is used to send arguments to postgres initdb. The value is a space separated string of arguments as postgres initdb would expect them. This is useful for adding functionality like data page checksums: `-e POSTGRES_INITDB_ARGS="--data-checksums"`.
+This Policy ensures RABBITMQ_PLUGINS_DIR environment variable are in place when using the official container images from Docker Hub.
+RABBITMQ_PLUGINS_DIR: The list of directories where plugin archive files are located and extracted from. This is PATH-like variable, where different paths are separated by an OS-specific separator (: for Unix, ; for Windows). Plugins can be installed to any of the directories listed here.
 
 
 ### How to solve?
-If you encounter a violation, ensure the POSTGRES_INITDB_ARGS environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+If you encounter a violation, ensure the RABBITMQ_PLUGINS_DIR environment variables is set.
+For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
 
 
 ### Category
@@ -4187,10 +4131,10 @@ high
 
 ---
 
-## Missing Kubernetes App Component Label
+## Missing Kubernetes App Created By Label
 
 ### ID
-weave.policies.missing-kubernetes-app-component-label
+weave.policies.missing-kubernetes-app-created-by-label
 
 ### Description
 Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: 
@@ -4230,159 +4174,233 @@ Add these custom labels to `metadata`.
 
 ```
 metadata:
-  labels:
-    <label>: value
-```  
-For additional information, please check
-* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
+  labels:
+    <label>: value
+```  
+For additional information, please check
+* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels 
+
+
+### Category
+weave.categories.organizational-standards
+
+### Severity
+low
+
+### Targets
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+
+### Tags
+[]
+
+### Parameters
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+
+---
+
+## Containers Sharing Host Network
+
+### ID
+weave.policies.containers-sharing-host-network
+
+### Description
+This Policy allows check if sharing host network namespace with the container should be allowed or not. Resources that can be shared with the container include:
+
+### hostNetwork
+Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
+
+### hostPID
+Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
+
+### shareProcessNamespace
+When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
+
+### hostIPC
+Controls whether the pod containers can share the host IPC namespace.
+
+
+### How to solve?
+Match the shared resource with either true or false, as set in your constraint. 
+```
+...
+  spec:
+    <shared_resource>: <resource_enabled>
+```
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+
+
+### Category
+weave.categories.pod-security
+
+### Severity
+high
+
+### Targets
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+
+### Tags
+['cis-benchmark', 'nist800-190', 'gdpr', 'default']
+
+### Parameters
+[{'name': 'resource_enabled', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+
+---
+
+## Prometheus Rbac Prohibit Verbs
+
+### ID
+weave.policies.prometheus-rbac-prohibit-verbs
+
+### Description
+This Policy blocks certain verbs from being set for Prometheus RBAC. This Policy applies to RBAC names containing the word `prometheus`. 
+
+
+### How to solve?
+Check the `rules.verbs` for the verb(s) list and check the policy to see what value is set. 
+```
+metadata:
+  name: prometheus
+...
+rules:
+  - verbs:
+      - <prometheus_verb>
+```
+
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
-low
+high
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['ClusterRole']}
 
 ### Tags
-[]
+['pci-dss', 'hipaa', 'soc2-type1']
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'prometheus_verb', 'type': 'string', 'required': True, 'value': 'put'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Services Prohibit Type
+## MYSQL Enforce Environment Variable - MYSQL_USER
 
 ### ID
-weave.policies.services-prohibit-type
+weave.policies.mysql-enforce-user-env-var
 
 ### Description
-This Policy checks your Kubernetes Service kind to see what Service type is set. If a specified service type is found, this Policy will be in violation. Security practices suggest using types `ServiceType` of `ClusterIP` or `LoadBalancer` and not `NodePort`. 
+This Policy ensures MYSQL_USER environment variable are in place when using the official container images from Docker Hub.
+MYSQL_USER: The MYSQL_USER environment variable sets up a superuser with the same name. 
 
 
 ### How to solve?
-Ensure the type matches what is specified in the Policy. 
-```
-spec:
-  type: <type>
-```
-
-https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+If you encounter a violation, ensure the MYSQL_USER environment variables is set.
+For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
-weave.categories.network-security
+weave.categories.access-control
 
 ### Severity
 high
 
 ### Targets
-{'kinds': ['Service']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss']
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
-[{'name': 'type', 'type': 'string', 'required': True, 'value': 'NodePort'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Rbac Protect Cluster Admin Clusterrolebindings
+## Containers Minimum Replica Count
 
 ### ID
-weave.policies.rbac-protect-cluster-admin-clusterrolebindings
+weave.policies.containers-minimum-replica-count
 
 ### Description
-This Policy allows you to select which groups you can set for Cluster-admin. The default policy checks for the 
-
-```
-subjects:
-- kind: Group
-  name: system:masters
-```
-
-`cluster-admin` allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself. Be selective when adding additional subjects. 
+Use this Policy to to check the replica count of your workloads. The value set in the Policy is greater than or equal to the amount desired, so if the replica count is lower than what is specified, the Policy will be in violation. 
 
 
 ### How to solve?
-Remove any kinds and names that are not consistent with the constraint. 
+The replica count should be a value equal or greater than what is set in the Policy.
 ```
-kind: ClusterRoleBinding
-metadata:
-  name: cluster-admin
-...
-subjects:
-- kind: Group
-  name: system:masters
-```  
-https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+spec:
+  replicas: <replica_count>
+```
+https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment
 
 
 ### Category
-weave.categories.access-control
+weave.categories.reliability
 
 ### Severity
-high
+medium
 
 ### Targets
-{'kinds': ['ClusterRoleBinding']}
+{'kinds': ['Deployment', 'StatefulSet', 'ReplicaSet', 'ReplicationController', 'HorizontalPodAutoscaler']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'gdpr', 'hipaa', 'soc2-type1']
+['soc2-type1']
 
 ### Parameters
-[{'name': 'subjects_name', 'type': 'string', 'required': True, 'value': 'system:masters'}, {'name': 'subjects_kind', 'type': 'string', 'required': True, 'value': 'Group'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'replica_count', 'type': 'integer', 'required': True, 'value': 2}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## MariaDB Enforce Environment Variable - MYSQL_ROOT_PASSWORD
+## Prohibit Creating Namespace Starting With Prefix
 
 ### ID
-weave.policies.mariadb-enforce-mysql-root-password-env-var
+weave.policies.prohibit-creating-namespace-starting-with-prefix
 
 ### Description
-This Policy ensures MYSQL_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
-MYSQL_ROOT_PASSWORD: The MYSQL_ROOT_PASSWORD environment variable specifies a password for the MARIADB root account. 
+Using this Policy, you can prohibit certain namespaces from containing a specified combination of letters and/or numbers. 
 
 
 ### How to solve?
-If you encounter a violation, ensure the MYSQL_ROOT_PASSWORD environment variables is set.
-For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
+Specify a `namespace` that is something other than what is listed in the Policy. 
+```
+metadata:
+  name: <namespace_name>
+```
+https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#working-with-namespaces
 
 
 ### Category
-weave.categories.access-control
+weave.categories.organizational-standards
 
 ### Severity
-high
+medium
 
 ### Targets
-{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
+{'kinds': ['Namespace']}
 
 ### Tags
-['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
+[]
 
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'namespace_name', 'type': 'string', 'required': True, 'value': 'kube-'}]
 
 ---
 
-## Postgres Enforce Environment Variable - POSTGRES_HOST_AUTH_METHOD
+## MariaDB Enforce Environment Variable - MYSQL_RANDOM_ROOT_PASSWORD
 
 ### ID
-weave.policies.postgres-enforce-auth-method-env-var
+weave.policies.mariadb-enforce-mysql-random-root-password-env-var
 
 ### Description
-This Policy ensures POSTGRES_HOST_AUTH_METHOD environment variable are in place when using the official container images from Docker Hub.
-POSTGRES_HOST_AUTH_METHOD: The POSTGRES_HOST_AUTH_METHOD environment variable is used to control the auth-method for host connections for all databases, all users, and all addresses. If unspecified then md5 password authentication is used. 
+This Policy ensures MYSQL_RANDOM_ROOT_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_RANDOM_ROOT_PASSWORD: The MYSQL_RANDOM_ROOT_PASSWORD environment variable creates random password for the server's root user when the Docker container is started.
 
 
 ### How to solve?
-If you encounter a violation, ensure the POSTGRES_HOST_AUTH_METHOD environment variables is set.
-For futher information about the Postgres Docker container, check here: https://hub.docker.com/_/postgres
+If you encounter a violation, ensure the MYSQL_RANDOM_ROOT_PASSWORD environment variables is set.
+For futher information about the MariaDB Docker container, check here: https://hub.docker.com/_/mariadb
 
 
 ### Category
@@ -4402,23 +4420,30 @@ high
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_LOG_BASE
+## Container Prohibit Image Tag
 
 ### ID
-weave.policies.rabbitmq-enforce-log-base-env-var
+weave.policies.container-prohibit-image-tag
 
 ### Description
-This Policy ensures RABBITMQ_LOG_BASE environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_LOG_BASE: This base directory contains the RabbitMQ server's log files, unless RABBITMQ_LOGS is set.
+Prohibit certain image tags by specifying them in the Policy. The Policy will also violate if the a tag is not set, or is set to `latest`. 
+
+Note: You should avoid using the :latest tag when deploying containers in production as it is harder to track which version of the image is running and more difficult to roll back properly.
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_LOG_BASE environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+Configure an image tag that is not in the Policy. 
+```
+...
+  spec:
+    containers:
+    - image: registry/image_name:<tag>
+```
+https://kubernetes.io/docs/concepts/configuration/overview/#container-images
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.software-supply-chain
 
 ### Severity
 high
@@ -4426,83 +4451,63 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['cis-benchmark', 'mitre-attack', 'gdpr', 'soc2-type1', 'default']
+
 ### Parameters
-[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'image_tag', 'type': 'string', 'required': True, 'value': 'latest'}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Missing Readiness Probe
+## MYSQL Enforce Environment Variable - MYSQL_ONETIME_PASSWORD
 
 ### ID
-weave.policies.containers-missing-readiness-probe
+weave.policies.mysql-enforce-onetime-password-env-var
 
 ### Description
-This Policy detects whether or not a readinessProbe has been set for containers. Containers probes are:
-
-### liveness 
-The kubelet uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs.
-
-### readiness
-The kubelet uses readiness probes to know when a container is ready to start accepting traffic. A Pod is considered ready when all of its containers are ready. One use of this signal is to control which Pods are used as backends for Services. When a Pod is not ready, it is removed from Service load balancers.
-
-### startup
-The kubelet uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by the kubelet before they are up and running.
+This Policy ensures MYSQL_ONETIME_PASSWORD environment variable are in place when using the official container images from Docker Hub.
+MYSQL_ONETIME_PASSWORD: The MYSQL_ONETIME_PASSWORD environment variable is set, the root user's password is set as expired and must be changed before MySQL can be used normally 
 
 
 ### How to solve?
-Check your entities to see if a probe has been set. 
-```
-...
-  spec:
-    containers:
-    - readinessProbe:
-      ...
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+If you encounter a violation, ensure the MYSQL_ONETIME_PASSWORD environment variables is set.
+For futher information about the MYSQL Docker container, check here: https://hub.docker.com/_/mysql
 
 
 ### Category
-weave.categories.reliability
+weave.categories.access-control
 
 ### Severity
-medium
+high
 
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-[]
+['pci-dss', 'mitre-attack', 'hipaa', 'gdpr']
 
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Containers Running In Privileged Mode
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_SITE_SSL_CRT_PATH
 
 ### ID
-weave.policies.containers-running-in-privileged-mode
+weave.policies.mongo-express-enforce-ssl-crt-path-env-var
 
 ### Description
-This Policy reports if containers are running in privileged mode. A privileged container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host.
-
-By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. This is useful for containers that want to use linux capabilities like manipulating the network stack and accessing devices.
+This Policy ensures ME_CONFIG_SITE_SSL_CRT_PATH environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_SITE_SSL_CRT_PATH: The ME_CONFIG_SITE_SSL_CRT_PATH environment variable sets the SSL Certificate path. 
 
 
 ### How to solve?
-Look at the following path to see what the settings are. 
-```
-...
-  spec:
-    containers:
-    - securityContext:
-        privileged: <privilege>
-```
-https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+If you encounter a violation, ensure the ME_CONFIG_SITE_SSL_CRT_PATH environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.pod-security
+weave.categories.network-security
 
 ### Severity
 high
@@ -4511,34 +4516,26 @@ high
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'cis-benchmark', 'mitre-attack', 'nist800-190', 'gdpr', 'soc2-type1', 'default']
+['pci-dss']
 
 ### Parameters
-[{'name': 'privilege', 'type': 'boolean', 'required': True, 'value': False}, {'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## Prometheus Rbac Prohibit Verbs
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_SERVER
 
 ### ID
-weave.policies.prometheus-rbac-prohibit-verbs
+weave.policies.mongo-express-enforce-mongodb-server-env-var
 
 ### Description
-This Policy blocks certain verbs from being set for Prometheus RBAC. This Policy applies to RBAC names containing the word `prometheus`. 
+This Policy ensures ME_CONFIG_MONGODB_SERVER environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_MONGODB_SERVER: The ME_CONFIG_MONGODB_SERVER environment variable sets the MongoDB container name. Use comma delimited list of host names for replica sets.
 
 
 ### How to solve?
-Check the `rules.verbs` for the verb(s) list and check the policy to see what value is set. 
-```
-metadata:
-  name: prometheus
-...
-rules:
-  - verbs:
-      - <prometheus_verb>
-```
-
-https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+If you encounter a violation, ensure the ME_CONFIG_MONGODB_SERVER environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
@@ -4548,33 +4545,33 @@ weave.categories.access-control
 high
 
 ### Targets
-{'kinds': ['ClusterRole']}
+{'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
 ### Tags
-['pci-dss', 'hipaa', 'soc2-type1']
+['pci-dss']
 
 ### Parameters
-[{'name': 'prometheus_verb', 'type': 'string', 'required': True, 'value': 'put'}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
+[{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]
 
 ---
 
-## RabbitMQ Enforce Environment Variable - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
+## Mongo-Express Enforce Environment Variable - ME_CONFIG_MONGODB_ENABLE_ADMIN
 
 ### ID
-weave.policies.rabbitmq-enforce-additional-erl-args-env-var
+weave.policies.mongo-express-enforce-enable-admin-env-var
 
 ### Description
-This Policy ensures RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variable are in place when using the official container images from Docker Hub.
-RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: The RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variable sets additional parameters for the erl command used when invoking the RabbitMQ Server. The value of this variable is appended to the default list of arguments (RABBITMQ_SERVER_ERL_ARGS).
+This Policy ensures ME_CONFIG_MONGODB_ENABLE_ADMIN environment variable are in place when using the official container images from Docker Hub.
+ME_CONFIG_MONGODB_ENABLE_ADMIN: The ME_CONFIG_MONGODB_ENABLE_ADMIN environment variable enables admin access to all databases. Send strings: `"true"` or `"false"`
 
 
 ### How to solve?
-If you encounter a violation, ensure the RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS environment variables is set.
-For futher information about the RabbitMQ Docker container, check here: https://hub.docker.com/_/rabbitmq
+If you encounter a violation, ensure the ME_CONFIG_MONGODB_ENABLE_ADMIN environment variables is set.
+For futher information about the Mongo-Express Docker container, check here: https://hub.docker.com/_/mongo-express
 
 
 ### Category
-weave.categories.organizational-standards
+weave.categories.access-control
 
 ### Severity
 high
@@ -4582,6 +4579,9 @@ high
 ### Targets
 {'kinds': ['Deployment', 'Job', 'ReplicationController', 'ReplicaSet', 'DaemonSet', 'StatefulSet', 'CronJob']}
 
+### Tags
+['pci-dss', 'mitre-attack', 'hipaa']
+
 ### Parameters
 [{'name': 'exclude_namespaces', 'type': 'array', 'required': False, 'value': None}, {'name': 'exclude_label_key', 'type': 'string', 'required': False, 'value': None}, {'name': 'exclude_label_value', 'type': 'string', 'required': False, 'value': None}]