ROX-33673: Add missing OOTB egress network policy#19522

Closed
AlexVulaj wants to merge 1 commit intostackrox:masterfrom
AlexVulaj:AlexVulaj/ROX-33673-ootb-policy-egress

Conversation

@AlexVulaj (Contributor)

Description

This PR adds a missing OOTB policy to detect deployments that lack egress network policies. While StackRox added network policy detection capabilities and shipped the "Deployments should have at least one ingress Network Policy" policy (ID: 38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3) several versions ago, the corresponding egress policy was never created despite the underlying field support existing in the codebase.

The new policy "Deployments should have at least one egress Network Policy" (ID: dae95df3-ce8e-435c-8e16-c5197943db6e) mirrors the structure and behavior of its ingress counterpart. It alerts when deployments are missing egress network policies, helping enforce zero-trust networking principles by identifying workloads with unrestricted outbound network access that could potentially exfiltrate data or communicate with untrusted endpoints.

Related JIRA: https://redhat.atlassian.net/browse/ROX-33673

User-facing documentation

CHANGELOG entry added. User documentation update may be needed to document the new policy alongside the existing ingress policy documentation.

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

Updated test data in sensor/tests/resource/networkpolicy/data/policies.json to include the new egress policy. The underlying "Has Egress Network Policy" field already has existing test coverage in pkg/booleanpolicy/network_criteria_test.go. Policy loading is validated by existing tests in pkg/defaults/policies/policies_test.go which verify MITRE exception list consistency and policy structure.

How I validated my change

  • Verified the new policy JSON follows the exact structure of the existing ingress policy
  • Confirmed the "Has Egress Network Policy" field exists in pkg/booleanpolicy/augmentedobjs/custom_types.go and pkg/booleanpolicy/fieldnames/list.go
  • Ran existing policy tests to ensure the new policy loads correctly and doesn't conflict with existing policies
  • Validated MITRE exception list entry prevents test failures for policies without MITRE ATT&CK mappings
  • CI will validate policy loading, JSON schema correctness, and integration with network policy detection
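
The condition this policy alerts on, written out as an added example that is not StackRox's own code: a small Go model of the "Has Egress Network Policy" check. The type names, fields and sample objects are assumptions; the example also applies the Kubernetes rule that a NetworkPolicy with no policyTypes governs egress only when it carries egress rules, a case a naive check misses.

```go
package main

// Simplified Kubernetes shapes, constructed for this example (not StackRox's own types).
type Deployment struct {
	Namespace string
	PodLabels map[string]string
}

type NetworkPolicy struct {
	Namespace      string
	PodSelector    map[string]string // matchLabels; empty selects every pod in the namespace
	PolicyTypes    []string          // "Ingress" and/or "Egress"
	HasEgressRules bool              // whether spec.egress is non-empty
}

// selects reports whether every matchLabels entry is present on the pod.
func selects(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// governsEgress applies the Kubernetes default: with policyTypes unset,
// Ingress is implied and Egress is implied only when egress rules exist.
func governsEgress(p NetworkPolicy) bool {
	if len(p.PolicyTypes) == 0 {
		return p.HasEgressRules
	}
	for _, t := range p.PolicyTypes {
		if t == "Egress" {
			return true
		}
	}
	return false
}

// HasEgressNetworkPolicy is the condition whose absence the policy alerts on:
// some same-namespace NetworkPolicy selects the deployment's pods and governs egress.
func HasEgressNetworkPolicy(d Deployment, policies []NetworkPolicy) bool {
	for _, p := range policies {
		if p.Namespace == d.Namespace && selects(p.PodSelector, d.PodLabels) && governsEgress(p) {
			return true
		}
	}
	return false
}
```

A deployment covered only by an ingress-typed policy, or by an egress policy in another namespace or with non-matching labels, is reported as missing egress coverage.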

@AlexVulaj AlexVulaj requested review from a team as code owners March 20, 2026 15:33
@AlexVulaj (Contributor, Author)

Closing fork PR to recreate from upstream branch for CI access to secrets

@AlexVulaj AlexVulaj closed this Mar 20, 2026
@AlexVulaj (Contributor, Author)

Closed in favor of #19524, which is from the upstream repo instead of my fork.
