diff --git a/docs/iop.md b/docs/iop.md
index a69581b1f..b55a9175e 100644
--- a/docs/iop.md
+++ b/docs/iop.md
@@ -136,4 +136,14 @@ Gateway certificates are configured per certificate source:
 
 ### Container Images
 
-All IOP images default to `quay.io/iop/<service>:foreman-3.16`. Each role exposes `iop_<role>_container_image` and `iop_<role>_container_tag` variables to override.
+All IOP images default to `quay.io/iop/<service>:foreman-3.18`. Each role exposes `iop_<role>_container_image` and `iop_<role>_container_tag` variables to override.
+
+### Engine Rule Packages
+
+The engine loads Python rule packages listed in `iop_engine_packages`. A separate `iop_engine_extra_packages` list (default: `[]`) is available for downstream deployments to add packages that are not present in the community images:
+
+```yaml
+iop_engine_extra_packages:
+  - "prodsec.rules"
+  - "telemetry.rules.plugins"
+```
diff --git a/src/roles/iop_engine/defaults/main.yaml b/src/roles/iop_engine/defaults/main.yaml
index 895acb00b..f2d210e3e 100644
--- a/src/roles/iop_engine/defaults/main.yaml
+++ b/src/roles/iop_engine/defaults/main.yaml
@@ -7,3 +7,5 @@ iop_engine_packages:
   - "insights.specs.default"
   - "insights.specs.insights_archive"
   - "insights_kafka_service.rules"
+
+iop_engine_extra_packages: []
diff --git a/src/roles/iop_engine/templates/engine/config.yml.j2 b/src/roles/iop_engine/templates/engine/config.yml.j2
index a62b79022..1d1e21db0 100644
--- a/src/roles/iop_engine/templates/engine/config.yml.j2
+++ b/src/roles/iop_engine/templates/engine/config.yml.j2
@@ -1,7 +1,7 @@
 plugins:
   default_component_enabled: true
   packages:
-{% for package in iop_engine_packages %}
+{% for package in iop_engine_packages + iop_engine_extra_packages %}
       - {{ package }}
 {% endfor %}
 configs: []
diff --git a/src/roles/iop_kafka/templates/kafka/kraft.j2 b/src/roles/iop_kafka/templates/kafka/kraft.j2
index 96b9041be..c7d12d2a2 100644
--- a/src/roles/iop_kafka/templates/kafka/kraft.j2
+++ b/src/roles/iop_kafka/templates/kafka/kraft.j2
@@ -37,7 +37,7 @@ controller.quorum.voters=1@iop-core-kafka:9093
 #     listeners = listener_name://host_name:port
 #   EXAMPLE:
 #     listeners = PLAINTEXT://your.host.name:9092
-listeners=PLAINTEXT://iop-core-kafka:9092,CONTROLLER://iop-core-kafka:9093
+listeners=PLAINTEXT://:9092,CONTROLLER://:9093
 
 # Name of listener used for communication between brokers.
 inter.broker.listener.name=PLAINTEXT