"}}'
-```
-For details, see the [Image Assurance installation reference](../reference/installation/ia-api.mdx#image-assurance.operator.tigera.io/v1.ImageAssuranceSpec).
-
-:::
-
-Other notes:
-
-- The columns, **Clusters** and **Running Instances**, show the number of running instances in clusters that are connected to $[prodname].
-- The **Unknown** scan result filter reflects images that are not fully scanned. Because they can add noise to the table, they are disabled by default. To enable Unknown results for strategic troubleshooting, click the **Result** drop-down menu and select **Unknown**.
-- In the All Scanned Images and Running Images tabs, the **Registry path** field may be blank if $[prodname] cannot access this metadata. For example, images from Docker Hub do not specify the registry in the image metadata.
-- Any exceptions configured for image scanning will be applicable to Runtime View as well.
-
-## Image assessment: Pass, Warn, and Fail
-
-The Image Assurance image assessment is based on the [Common Vulnerability Scoring System v3 (CVSS Scores)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The following table shows how Image Assurance scores map to CVSS scores.
-
-| CVSS v3 scores | Image Assurance mapping | Default settings |
-| ------------------------------------------- | ----------------------- | -------------------- |
-| 0.0 – (None)
0.1 – 3.9 (Low) | Pass = 3.9 | Low |
-| 4.0 – 6.9 (Medium) | Warn = 7 | Medium severity – 7 |
-| 7.0 – 8.9 (High)
9.0 – 10.0 (Critical) | Fail = 8.0 | Critical or high – 8 |
-
-CVEs without a CVSS v3 score (too old to have one, or are too new to be assigned one), display a blank score in the UI, and **N/A** in the CLI.
-
-### Changing the default CVSS threshold values
-
-The following default threshold values will work for the majority of $[prodname] deployments. However, you may need to change the defaults because of security requirements.
-
-
-
-To change the CVSS threshold values, note the following:
-
-- Changes to threshold values take effect immediately and alter the scan results for images already in the system
-- If you are using admission controller policies, changing a value may allow pods in your Kubernetes cluster that were previously being blocked, to now be deployed or vice versa.
-
-## Exploit Data
-
-The scanning process also attaches EPSS and known exploit data onto each image and vulnerability viewable through the UI.
-
-An EPSS score of 0.1 - or 10% - means a vulnerability has a 10% probability that it will be exploited in the wild within the next 30 days.
-Users should use this information alongside CVSS scores to prioritize remediating vulnerabilities. For example, you may not have the time to remediate
-all critical vulnerabilities, but you can use the EPSS score to help prioritize. By additionally filtering with an EPSS score of > 90% you can target
-the critical vulnerabilities that are most likely to be exploited.
-
-Note that an EPSS score of > 10% can be considered a high number.
-Information about [The EPSS Model](https://www.first.org/epss/model) can be found on the EPSS website created by [FIRST](https://www.first.org/).
-
-Known exploits are based off of the [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), a list of
-vulnerabilities that have been exploited in the wild and maintained by CISA.
-
-## Export results
-
-From each tab, you can export data or a JSON file with image URLs. Exporting data is based on the images in the list and the current filter selections. CSV table options include:
-
-- **Export one row per image** - export one row for each image with all associated CVEs condensed into a single column.
-- **Export one row for each image and CVE ID** - export a unique image plus CVE combination for each row. For example, if an image has 10 CVEs, 10 rows are created (1 for each CVE).
-
-:::note
-
-Images without associated CVEs are not included in the exported data (regardless if they are included by filters).
-
-:::
-
-## Next steps
-
-- [Set up alerts on vulnerabilities](set-up-alerts.mdx)
\ No newline at end of file
diff --git a/calico-cloud/network-policy/application-layer-policies/alp.mdx b/calico-cloud/network-policy/application-layer-policies/alp.mdx
index 246a831698..6955c3d05c 100644
--- a/calico-cloud/network-policy/application-layer-policies/alp.mdx
+++ b/calico-cloud/network-policy/application-layer-policies/alp.mdx
@@ -25,7 +25,6 @@ Application layer policies let you configure access controls based on L7 attribu
* Application layer policies apply to the entire cluster.
They can not be namespaced.
* Logs for application layer polices are not included with other L7 logs in Service Graph.
- To view logs for application layer policies, you must [view them in Kibana](../../observability/elastic/l7/configure.mdx#kibana).
* Application layer policy is supported only on Kubernetes 1.29 and later.
:::important
diff --git a/calico-cloud/network-policy/networksets.mdx b/calico-cloud/network-policy/networksets.mdx
index 130f89ee8a..d6378a9dbd 100644
--- a/calico-cloud/network-policy/networksets.mdx
+++ b/calico-cloud/network-policy/networksets.mdx
@@ -34,7 +34,7 @@ Here are just a few examples of how network sets can be used:
- **Troubleshooting**
- Network sets appear as additional metadata in flow logs and Kibana, Flow Visualizer, and Service Graph.
+ Network sets appear as additional metadata in flow logs, Flow Visualizer, and Service Graph.
- **Efficiency and scaling**
@@ -119,7 +119,7 @@ If we double-click `hipstershop` to drill down, we now see the `google` network
-Service Graph provides a view into how services are interconnected in a consumable view, along with easy access to flow logs. However, you can also see traffic associated with network sets in volumetric display with Flow Visualizer, and query flow log data associated with network sets in Kibana.
+Service Graph provides a view into how services are interconnected in a consumable view, along with easy access to flow logs. You can also see traffic associated with network sets in volumetric display with Flow Visualizer.
## Tutorial
@@ -223,7 +223,7 @@ spec:
- Create a network set label and name schema
- It is helpful to think: what names would be meaningful and easy to understand when you look in Service Graph? Flow Viz? Kibana? What labels will be easy to understand when used in network policies – especially if you are separating users who manage network sets from those who consume them in network policies.
+ It is helpful to think: what names would be meaningful and easy to understand when you look in Service Graph or Flow Visualizer? What labels will be easy to understand when used in network policies – especially if you are separating users who manage network sets from those who consume them in network policies.
- Do not put large sets of CIDRs and domains directly in policy
diff --git a/calico-cloud/observability/alerts.mdx b/calico-cloud/observability/alerts.mdx
index 836ffac187..bb5363863c 100644
--- a/calico-cloud/observability/alerts.mdx
+++ b/calico-cloud/observability/alerts.mdx
@@ -39,7 +39,7 @@ To turn down aggregation on flow logs, go to [FelixConfiguration](../reference/r
### Manage alerts in the web console
-You can view alert events in the web console in several places: the **Alerts** page, **Service Graph**, and the **Kibana** dashboard.
+You can view alert events in the web console in several places: the **Alerts** page and **Service Graph**.
Click **Activity**, **Alerts** to follow along.
diff --git a/calico-cloud/observability/elastic/audit-overview.mdx b/calico-cloud/observability/elastic/audit-overview.mdx
index b437b63c72..b18bee9c28 100644
--- a/calico-cloud/observability/elastic/audit-overview.mdx
+++ b/calico-cloud/observability/elastic/audit-overview.mdx
@@ -30,11 +30,7 @@ $[prodname] audit logs are displayed in the Timeline dashboard in the web consol
-Audit logs are also visible in the Kibana dashboard (indexed by, `tigera_secure_ee_audit_ee`), and are useful for looking at policy differences.
-
-
-
-Finally, audit logs provide the core data for compliance reports.
+Audit logs provide the core data for compliance reports.
diff --git a/calico-cloud/observability/elastic/flow/processpath.mdx b/calico-cloud/observability/elastic/flow/processpath.mdx
index 0e648b0d34..8d0f9291d0 100644
--- a/calico-cloud/observability/elastic/flow/processpath.mdx
+++ b/calico-cloud/observability/elastic/flow/processpath.mdx
@@ -44,10 +44,6 @@ using the command:
Enabling/Disabling collectProcessPath causes a rolling update of the `$[noderunning] DaemonSet`.
-### View process path and arguments in flow logs using Kibana
-
-Navigate to the Kibana Flow logs dashboard to view process path and arguments associated with a flow log entry.
-
-The executable path will appear in the `process_name` field and `process_args` will have the executable arguments. Executable path
+The executable path appears in the `process_name` field and `process_args` will have the executable arguments. Executable path
and arguments cannot be collected under certain circumstances, in that `process_name` will have the task name and `process_args`
-will be empty. Information about these fields are described in the [Flow log datatype document](datatypes.mdx)
+will be empty. Information about these fields is described in the [Flow log datatype document](datatypes.mdx).
diff --git a/calico-cloud/observability/elastic/flow/tcpstats.mdx b/calico-cloud/observability/elastic/flow/tcpstats.mdx
index 1060875632..330754463b 100644
--- a/calico-cloud/observability/elastic/flow/tcpstats.mdx
+++ b/calico-cloud/observability/elastic/flow/tcpstats.mdx
@@ -34,10 +34,6 @@ using the command:
kubectl patch felixconfiguration default -p '{"spec":{"flowLogsCollectTcpStats":true}}'
```
-### View tcp stats in flow logs using Kibana.
-
-Navigate to the Kibana Flow logs dashboard to view tcp stats associated with a flow log entry.
-
The additional fields collected are `tcp_mean_send_congestion_window`, `tcp_min_send_congestion_window`, `tcp_mean_smooth_rtt`, `tcp_max_smooth_rtt`,
`tcp_mean_min_rtt`, `tcp_max_min_rtt`, `tcp_mean_mss`, `tcp_min_mss`, `tcp_total_retransmissions`, `tcp_lost_packets`, `tcp_unrecovered_to`.
-Information about these fields are described in the [Flow log datatype document](datatypes.mdx)
+Information about these fields is described in the [Flow log datatype document](datatypes.mdx).
diff --git a/calico-cloud/observability/elastic/index.mdx b/calico-cloud/observability/elastic/index.mdx
index c29eb2e2d8..23350448f2 100644
--- a/calico-cloud/observability/elastic/index.mdx
+++ b/calico-cloud/observability/elastic/index.mdx
@@ -1,5 +1,5 @@
---
-description: Configure managed Elasticsearch logs for Calico Cloud so the web console and Kibana can surface flow, DNS, audit, and L7 data from connected clusters.
+description: Configure managed Elasticsearch logs for Calico Cloud to surface flow, DNS, audit, and L7 data from connected clusters in the web console.
hide_table_of_contents: true
---
diff --git a/calico-cloud/observability/elastic/l7/configure.mdx b/calico-cloud/observability/elastic/l7/configure.mdx
index 419776be27..39a5620c40 100644
--- a/calico-cloud/observability/elastic/l7/configure.mdx
+++ b/calico-cloud/observability/elastic/l7/configure.mdx
@@ -165,12 +165,3 @@ To view L7 logs in Service Graph:
-### Kibana
-
-To view L7 logs by index pattern in Kibana:
-
-1. In the web console left navbar, click **Kibana**.
-
-1. In the new Kibana browser, click the hamburger icon in the top left corner, and select **Analytics**, **Discover**.
-
-1. Select the index pattern, `tigera_secure_ee_l7`.
diff --git a/calico-cloud/observability/elastic/overview.mdx b/calico-cloud/observability/elastic/overview.mdx
index be619f8199..3d7812b309 100644
--- a/calico-cloud/observability/elastic/overview.mdx
+++ b/calico-cloud/observability/elastic/overview.mdx
@@ -1,5 +1,5 @@
---
-description: Calico Cloud uses managed Elasticsearch and Kibana for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to external SIEMs.
+description: Calico Cloud uses managed Elasticsearch for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to external SIEMs.
---
# Overview
@@ -10,11 +10,11 @@ Use $[prodname] log data for visibility and troubleshooting Kubernetes clusters.
## Value
-Workloads and policies are highly dynamic. To troubleshoot Kubernetes clusters, you need logs with workload identity and context. $[prodname] deploys an Elasticsearch cluster and Kibana instance during installation with these features:
+Workloads and policies are highly dynamic. To troubleshoot Kubernetes clusters, you need logs with workload identity and context. $[prodname] deploys an Elasticsearch cluster during installation with these features:
- Logs with workload context
- Centralized log collection for multiple clusters for $[prodname] multi-cluster-management
-- View Elasticsearch logs in the $[prodname] web console (Kibana dashboard and Flow Visualizer), and the [Elasticsearch API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search.html)
+- View Elasticsearch logs in the $[prodname] web console (Flow Visualizer), and the [Elasticsearch API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search.html)
- Standard Kubernetes RBAC for granular access control to logs
- Collect/archive logs or subset of logs
- Log aggregation for high-volume logs
@@ -47,7 +47,7 @@ Because of their high-volume, flow and dns logs support aggregation.
$[prodname] automatically installs fluentd on all nodes and collects flow, audit, and DNS logs. You can configure additional destinations like Amazon S3, Syslog, Splunk.
-$[prodname] enables user authentication in Elasticsearch, and secures access to Elasticsearch and Kibana instances using network policy.
+$[prodname] enables user authentication in Elasticsearch, and secures access to Elasticsearch using network policy.
### RBAC and log access
diff --git a/calico-cloud/observability/index.mdx b/calico-cloud/observability/index.mdx
index f3b8ce1230..45f021c1f1 100644
--- a/calico-cloud/observability/index.mdx
+++ b/calico-cloud/observability/index.mdx
@@ -13,7 +13,6 @@ See what's going on in your cluster with network observability tools and detaile
-
diff --git a/calico-cloud/observability/kibana.mdx b/calico-cloud/observability/kibana.mdx
deleted file mode 100644
index 956686c439..0000000000
--- a/calico-cloud/observability/kibana.mdx
+++ /dev/null
@@ -1,125 +0,0 @@
----
-description: Use Kibana with Calico Cloud Elasticsearch to explore flow, L7, audit, BGP, DNS, and intrusion detection event logs from connected clusters.
----
-
-# Kibana dashboards and logs
-
-:::warning[deprecation and removal notice]
-
-Kibana dashboards are deprecated and will be removed in an upcoming release.
-During the deprecation period, you will have read-only access to Kibana dashboards.
-You can still [create custom dashboards](create-custom-dashboard.mdx) using Calico Cloud's built-in dashboards.
-
-:::
-
-## Kibana
-
-Kibana is the frontend for $[prodname] Elasticsearch, which is the logging infrastructure that centrally stores logs from all managed clusters. Kibana provides an interface to explore Elasticsearch logs and gain insights into workload communication traffic volume, performance, and other key aspects of cluster operations. Log data is also summarized in custom dashboards.
-
-The following logs are generated by $[prodname]. All logs are enabled by default except **l7 logs**, which must be explicitly enabled.
-
-| Log type | **Description** | Index in Kibana |
-| -------- | ---------------------------------------------------------------------------------------------------- | ------------------------- |
-| flow | Layer 3/4 network flows for workloads: source and destination namespaces, pods, labels, and policies | tigera_secure_ee_flows\* |
-| l7 | Layer 7 network flows for workloads | tigera_secure_ee_l7\* |
-| audit | Audit logs for $[prodname] resources | tigera_secure_ee_audit\* |
-| bgp | $[prodname] networking BGP peering and route propagation. | tigera_secure_ee_bgp.\* |
-| dns | DNS lookups and responses from $[prodname] domain-based policy. | tigera_secure_ee_dns\* |
-| events | $[prodname] intrusion detection events: suspicious IPs, suspicious domains, and global alerts | tigera_secure_ee_events\* |
-
-## Start Kibana and access dashboards
-
-In the web console, from the left navbar select, **Kibana**. A new browser tab opens into Kibana.
-
-In Kibana, click the hamburger icon in the top left corner, and select **Analytics**, **Dashboard**.
-
-
-
-A list of curated dashboards is displayed. Note that some log types do not have a default dashboard (`bgp` and `events`).
-
-### DNS dashboard
-
-
-
-The DNS dashboard summarizes DNS data and logs into metrics, providing high-level information on the types of DNS lookups made, responses, and overall DNS performance. By default, DNS activity logs are captured only for requests/responses from Kubernetes built-in DNS services (CoreDNS). DNS activity to an external DNS server can be captured by configuring the parameter, `dnsTrustedServers` in [Felix](../reference/resources/felixconfig.mdx). DNS activity to Node local server is not supported.
-
-The dashboard provides the following metrics/data, which can be edited as required.
-
-| Metric/data | Description |
-| ------------------------------- | ------------------------------------------------------------------- |
-| DNS total requests | Cumulative DNS requests over the reporting period. Default: 24hrs. |
-| DNS requests | Type of DNS request. |
-| DNS responses | DNS response codes which may indicate issues with specific lookups. |
-| DNS Top 10 external domains | Count of top domains in lookups. |
-| DNS internal query | Lookups within the Kubernetes cluster. |
-| DNS external query | Lookups to non-cluster domains. |
-| DNS Latency | Measured latency which can indicate DNS issues. |
-| DNS internal queries by service | Top types of requests within the cluster per service. |
-| DNS external queries by service | Top types of requests external to the cluster per service. |
-| DNS response code by service | Top DNS response codes per client. |
-| DNS query count by server | Volume of DNS traffic per DNS server. |
-| DNS transfer by service | Volume of DNS traffic per service. |
-| DNS logs | Raw DNS logs. |
-
-### L7 HTTP dashboard
-
-
-
-The L7 HTTP dashboard provides application performance metrics for in-scope Kubernetes services. The data can assist service owners and platform personnel in assessing the health of cluster workloads without the need for a full service mesh. [L7 logs](elastic/l7/configure.mdx) are not enabled by default, and must be configured.
-
-The default metrics are:
-
-- L7 HTTP requests
-- L7 all services
-- L7 HTTP duration
-- L7 HTTP methods
-- L7 HTTP response codes
-- L7 HTTP request duration
-- L7 HTTP requests over time
-- L7 HTTP method by service
-- L7 HTTP response by service
-- L7 HTTP bytes transferred
-- L7 Top URLs
-- L7-search (raw HTTP logs)
-
-### Tigera Secure EE audit logs dashboard
-
-
-
-The Tigera Secure EE audit logs dashboard provides historical events of changes made to your deployment. These events can be used to understand updates to resources, privileged access and actions, and can also help demonstrate compliance for different regulatory concerns.
-
-Audit logs listed in the section, `audit-search` can be expanded by clicking on the triangular expand icon, which presents the log in Table format by default. Clicking on JSON in the Expanded document displays the same log in JSON format. The logs can be filtered in the Audit Filtering Controls.
-
-### Tigera Secure EE flow logs dashboard
-
-
-
-The Tigera Secure EE flow Logs dashboard lets you analyze flow logs using the filter options in the Flow Filtering window. The flow logs matching the applied filter are displayed below in the flow logs window. To review a specific flow log in detail, click the triangular expand icon to the left of the flow.
-
-The full flow log is now displayed in Tabular format by default. To view the log in JSON format click the JSON header.
-
-
-
-### Tigera Secure EE Tor-VPN logs
-
-
-
-Tor and VPN-based traffic indicate the use of anonymization techniques in an attempt to mask the origins and destination of network traffic. $[prodname] has built-in capabilities to assist with detecting such traffic and requires minimal [configuration](../threat/tor-vpn-feed-and-dashboard.mdx) to activate.
-
-Once enabled, the Tigera Secure EE Tor-VPN logs dashboard can provide a view into any traffic to/from Tor and VPN gateways. The information quickly provides InfoSec teams and operators a focused view on anonymization-based traffic patterns. The reported flows can be filtered in the Tor-VPN controls window and the flow logs for in-scope traffic can be reviewed in the Tor-VPN-search window.
-
-## Create custom filters and queries
-
-Each dashboard has advanced filtering options if pre-built dashboards are insufficient. For example:
-
-- To build a query from all fields available in the logs, click **Add Filter**
-
-- To create a manual query, click **Search** (next to the disk icon on the left). The following example shows a query `process_name :*curl*` for the `process_name field` matching glob pattern, _curl_. Only logs where `field process_name` contains the string `curl` are filtered.
-
-
-
-## View logs by indices
-
-To view logs by indices, click the hamburger menu, select **Analytics**, and click **Discover**.
-
-
diff --git a/calico-cloud/observability/kube-audit.mdx b/calico-cloud/observability/kube-audit.mdx
index 0c46e65921..87ee4998fb 100644
--- a/calico-cloud/observability/kube-audit.mdx
+++ b/calico-cloud/observability/kube-audit.mdx
@@ -27,7 +27,7 @@ You must enable the following Kubernetes resources for each cluster:
### Audit logs in the web console
-Like $[prodname] audit logs, Kubernetes audit logs are displayed in the web console in the Timeline dashboard, Kibana dashboard (indexed by, `tigera_secure_ee_audit_kube`), and provide the core data for compliance reports.
+Like $[prodname] audit logs, Kubernetes audit logs are displayed in the web console in the Timeline dashboard, and provide the core data for compliance reports.
## Before you begin
diff --git a/calico-cloud/operations/cluster-management.mdx b/calico-cloud/operations/cluster-management.mdx
index 97548f1558..f85dc243b7 100644
--- a/calico-cloud/operations/cluster-management.mdx
+++ b/calico-cloud/operations/cluster-management.mdx
@@ -44,7 +44,7 @@ Use this menu to move between your clusters. You can connect as many managed clu
### Managed cluster views
When you select a different cluster from the cluster menu, the entire web console view changes to reflect the selected cluster.
-For example, each managed cluster has unique indexes for Elasticsearch clusters, a separate instance of Kibana, and the dashboard reflects only the selected managed cluster.
+For example, each managed cluster has unique indexes for Elasticsearch clusters, and the dashboard reflects only the selected managed cluster.
### Manage policies in multiple clusters
diff --git a/calico-cloud/reference/index.mdx b/calico-cloud/reference/index.mdx
index 973c1bc0ce..96baeba785 100644
--- a/calico-cloud/reference/index.mdx
+++ b/calico-cloud/reference/index.mdx
@@ -13,7 +13,6 @@ APIs, CLI, architecture and design, and FAQ.
-
@@ -27,7 +26,6 @@ APIs, CLI, architecture and design, and FAQ.
-
@@ -53,7 +51,6 @@ APIs, CLI, architecture and design, and FAQ.
-
diff --git a/calico-cloud/reference/installation/_ia-api.mdx b/calico-cloud/reference/installation/_ia-api.mdx
deleted file mode 100644
index 636d940eb4..0000000000
--- a/calico-cloud/reference/installation/_ia-api.mdx
+++ /dev/null
@@ -1,719 +0,0 @@
-
-Packages:
-
-
-image-assurance.operator.tigera.io/v1
-
-
-API Schema definitions for configuring the installation of Image Assurance
-
-
ClusterScannerStatusType(string alias)
-
-
-(Appears on:
-ImageAssuranceSpec)
-
-
-CrawdadDaemonSet
-
-
-(Appears on:
-ImageAssuranceSpec)
-
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-metadata
-
-github.com/tigera/operator/api/v1.Metadata
-
-
- |
-
-
-(Optional)
-
-Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet.
-
-
- |
-
-
-
-
-spec
-
-
-CrawdadDaemonSetSpec
-
-
-
- |
-
-
-(Optional)
-
-Spec is the specification of the crawdad DaemonSet.
-
-
-
-
-
- |
-
-
-
-CrawdadDaemonSetContainer
-
-
-(Appears on:
-CrawdadDaemonSetPodSpec)
-
-
-
-CrawdadDaemonSetContainer is a crawdad DaemonSet container.
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-name
-
-string
-
-
- |
-
-
-
-Name is an enum which identifies the crawdad DaemonSet container by name.
-
-
- |
-
-
-
-
-resources
-
-
-Kubernetes core/v1.ResourceRequirements
-
-
-
- |
-
-
-(Optional)
-
-Resources allows customization of limits and requests for compute resources such as cpu and memory.
-If specified, this overrides the named crawdad DaemonSet container’s resources.
-If omitted, the crawdad DaemonSet will use its default value for this container’s resources.
-If used in conjunction with the deprecated ComponentResources, then this value takes precedence.
-
-
- |
-
-
-
-CrawdadDaemonSetPodSpec
-
-
-(Appears on:
-CrawdadDaemonSetPodTemplateSpec)
-
-
-
-CrawdadDaemonSetPodSpec is the crawdad DaemonSet’s PodSpec.
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-containers
-
-
-[]CrawdadDaemonSetContainer
-
-
-
- |
-
-
-(Optional)
-
-Containers is a list of crawdad containers.
-If specified, this overrides the specified crawdad DaemonSet cluster-scanner containers.
-If omitted, the crawdad DaemonSet will use its default values for its containers.
-
-
- |
-
-
-
-
-affinity
-
-
-Kubernetes core/v1.Affinity
-
-
-
- |
-
-
-(Optional)
-
-Affinity is a group of affinity scheduling rules for the crawdad pods.
-If specified, this overrides any affinity that may be set on the crawdad DaemonSet.
-If omitted, the crawdad DaemonSet will use its default value for affinity.
-WARNING: Please note that this field will override the default crawdad DaemonSet affinity.
-
-
- |
-
-
-
-
-nodeSelector
-
-map[string]string
-
-
- |
-
-
-
-NodeSelector is the crawdad pod’s scheduling constraints.
-If specified, each of the key/value pairs are added to the crawdad DaemonSet nodeSelector provided
-the key does not already exist in the object’s nodeSelector.
-If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the crawdad DaemonSet
-and each of this field’s key/value pairs are added to the crawdad DaemonSet nodeSelector provided
-the key does not already exist in the object’s nodeSelector.
-If omitted, the crawdad DaemonSet will use its default value for nodeSelector.
-WARNING: Please note that this field will modify the default crawdad DaemonSet nodeSelector.
-
-
- |
-
-
-
-
-tolerations
-
-
-[]Kubernetes core/v1.Toleration
-
-
-
- |
-
-
-(Optional)
-
-Tolerations is the crawdad pod’s tolerations.
-If specified, this overrides any tolerations that may be set on the crawdad DaemonSet.
-If omitted, the crawdad DaemonSet will use its default value for tolerations.
-WARNING: Please note that this field will override the default crawdad DaemonSet tolerations.
-
-
- |
-
-
-
-CrawdadDaemonSetPodTemplateSpec
-
-
-(Appears on:
-CrawdadDaemonSetSpec)
-
-
-
-CrawdadDaemonSetPodTemplateSpec is the crawdad DaemonSet’s PodTemplateSpec
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-metadata
-
-github.com/tigera/operator/api/v1.Metadata
-
-
- |
-
-
-(Optional)
-
-Metadata is a subset of a Kubernetes object’s metadata that is added to
-the pod’s metadata.
-
-
- |
-
-
-
-
-spec
-
-
-CrawdadDaemonSetPodSpec
-
-
-
- |
-
-
-(Optional)
-
-Spec is the crawdad DaemonSet’s PodSpec.
-
-
-
-
-
- |
-
-
-
-CrawdadDaemonSetSpec
-
-
-(Appears on:
-CrawdadDaemonSet)
-
-
-
-CrawdadDaemonSetSpec defines configuration for the crawdad DaemonSet.
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-minReadySeconds
-
-int32
-
-
- |
-
-
-(Optional)
-
-MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should
-be ready without any of its container crashing, for it to be considered available.
-If specified, this overrides any minReadySeconds value that may be set on the crawdad DaemonSet.
-If omitted, the crawdad DaemonSet will use its default value for minReadySeconds.
-
-
- |
-
-
-
-
-template
-
-
-CrawdadDaemonSetPodTemplateSpec
-
-
-
- |
-
-
-(Optional)
-
-Template describes the crawdad DaemonSet pod that will be created.
-
-
- |
-
-
-
-ExcludedNamespace(string alias)
-
-
-(Appears on:
-Exclusions)
-
-
-
-ExcludedNamespace is a namespace name to be excluded from image scanning.
-
-Exclusions
-
-
-(Appears on:
-ImageAssuranceSpec)
-
-
-
-Exclusions specifies the criteria for what to exclude from image scanning.
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-namespaces
-
-
-[]ExcludedNamespace
-
-
-
- |
-
-
-(Optional)
-
-Namespaces is an array of namespace names to be excluded from image scanning.
-
-
- |
-
-
-
-ImageAssurance
-
-ImageAssurance is the Schema for the imageassurances API
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
-
- |
-
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
-
- |
-
-
-
-
-spec
-
-
-ImageAssuranceSpec
-
-
-
- |
-
-
-
-
-
-
-
-criSocketPath
-
-string
-
-
- |
-
-
-
-CRISocketPath is the path to the CRI socket on the nodes. Defaults to /run/containerd/containerd.sock.
-
-
- |
-
-
-
-
-containerdVolumeMountPath
-
-string
-
-
- |
-
-
-(Optional)
-
-ContainerdVolumeMountPath is the path to the root of containerd file system. Defaults to /var/lib/containerd/.
-
-
- |
-
-
-
-
-clusterScanner
-
-
-ClusterScannerStatusType
-
-
-
- |
-
-
-(Optional)
-
-This setting enables or disables the cluster scanner.
-Allowed values are Enabled or Disabled. Defaults to Disabled.
-
-
- |
-
-
-
-
-crawdadDaemonset
-
-
-CrawdadDaemonSet
-
-
-
- |
-
-
-(Optional)
-
-CrawdadDaemonSet is the specification of the Crawdad Daemonset.
-
-
- |
-
-
-
-
-exclusions
-
-
-Exclusions
-
-
-
- |
-
-
-(Optional)
-
-Exclusions define the exclusion criteria for image scanning.
-Note: Exclusions are applied to future scans and do not affect past scan results.
-
-
- |
-
-
- |
-
-
-
-
-status
-
-
-ImageAssuranceStatus
-
-
-
- |
-
-
-
- |
-
-
-
-ImageAssuranceSpec
-
-
-(Appears on:
-ImageAssurance)
-
-
-
-ImageAssuranceSpec configures Image Assurance monitoring and tooling in a kubernetes cluster.
-
-
-
-
-| Field |
-Description |
-
-
-
-
-
-
-criSocketPath
-
-string
-
-
- |
-
-
-
-CRISocketPath is the path to the CRI socket on the nodes. Defaults to /run/containerd/containerd.sock.
-
-
- |
-
-
-
-
-containerdVolumeMountPath
-
-string
-
-
- |
-
-
-(Optional)
-
-ContainerdVolumeMountPath is the path to the root of containerd file system. Defaults to /var/lib/containerd/.
-
-
- |
-
-
-
-
-clusterScanner
-
-
-ClusterScannerStatusType
-
-
-
- |
-
-
-(Optional)
-
-This setting enables or disables the cluster scanner.
-Allowed values are Enabled or Disabled. Defaults to Disabled.
-
-
- |
-
-
-
-
-crawdadDaemonset
-
-
-CrawdadDaemonSet
-
-
-
- |
-
-
-(Optional)
-
-CrawdadDaemonSet is the specification of the Crawdad Daemonset.
-
-
- |
-
-
-
-
-exclusions
-
-
-Exclusions
-
-
-
- |
-
-
-(Optional)
-
-Exclusions define the exclusion criteria for image scanning.
-Note: Exclusions are applied to future scans and do not affect past scan results.
-
-
- |
-
-
-
-ImageAssuranceStatus
-
-
-(Appears on:
-ImageAssurance)
-
-
-
-ImageAssuranceStatus defines the observed state of ImageAssurance
-
-
diff --git a/calico-cloud/reference/installation/ia-api.mdx b/calico-cloud/reference/installation/ia-api.mdx
deleted file mode 100644
index 77947656c0..0000000000
--- a/calico-cloud/reference/installation/ia-api.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-description: Image Assurance installation API reference for Calico Cloud listing operator-managed custom resources that configure the Image Assurance subsystem.
----
-
-# Image Assurance Installation reference
-
-import IAAPI from '@site/calico-cloud/reference/installation/_ia-api.mdx';
-
-## Image Assurance installation reference
-
-The Kubernetes resources below configure $[prodname] Image Assurance installation when using the operator. Each resource is responsible for installing and configuring a different subsystem of $[prodname] Image Assurance during installation. Most options can be modified on a running cluster using `kubectl`.
-
-
\ No newline at end of file
diff --git a/calico-cloud/reference/resources/containeradmissionpolicy.mdx b/calico-cloud/reference/resources/containeradmissionpolicy.mdx
deleted file mode 100644
index e540583c4e..0000000000
--- a/calico-cloud/reference/resources/containeradmissionpolicy.mdx
+++ /dev/null
@@ -1,194 +0,0 @@
----
-description: Reference for the ContainerAdmissionPolicy resource in Calico Cloud that admits or rejects pod creation based on container image scan results.
----
-
-# Container admission policy
-
-A container admission policy (`ContainerAdmissionPolicy`) represents an ordered set of rules which are applied to a
-collection of containers that match a [label selector](#selector).
-
-`ContainerAdmissionPolicy` is a cluster resource. `ContainerAdmissionPolicy` can be restricted to a set of namespaces
-using a [namespace selector](#selector).
-
-## Sample YAML
-
-This sample policy allows admission requests for pod creating resources whose image is in the registry / repository
-`gcr.io/company/production-repository/*` with a scan status of either `Pass` or `Warn`, and rejects all other admission
-requests.
-
-```yaml
-apiVersion: containersecurity.tigera.io/v1beta1
-kind: ContainerAdmissionPolicy
-metadata:
- name: reject-failed-and-non-gcr
-spec:
- selector: all()
- namespaceSelector: all()
- order: 10
- rules:
- - action: "Reject"
- imagePath:
- operator: IsNoneOf
- values:
- - "^gcr.io/company/production-repository/.*"
- - action: Allow
- imageScanStatus:
- operator: IsOneOf
- values:
- - Pass
- - Warn
- - action: Reject
-```
-
-## Container admission policy definition
-
-### Metadata
-
-| Field | Description | Accepted Values | Schema | Default |
-|-----------|--------------------------------------------------------------------|-----------------------------------------------------|--------|-----------|
-| name | The name of the network policy. Required. | Alphanumeric string with optional `.`, `_`, or `-`. | string | |
-
-### Spec
-
-| Field | Description | Accepted Values | Schema | Default |
-|-------------------|-----------------------------------------------------------------------------------------------------|-----------------|-----------------------|---------|
-| order | Controls the order of precedence. $[prodname] applies the policy with the lowest value first. | | float | |
-| selector | Selects the resources to which this policy applies. | | [selector](#selector) | all() |
-| namespaceSelector | Selects the namespace to which this policy applies. | | [selector](#selector) | all() |
-| rules | Ordered list of rules applied by this policy. | | List of [Rule](#rule) | |
-
-### Rule
-
-A single rule matches a set of pod creating resources and applies some action to them. Multiple rules are executed in order.
-
-| Field | Description | Accepted Values | Schema | Default |
-|-------------------|---------------------------------------------------------------------|------------------------------------------|--------------------------------------------|------------|
-| action | Action to perform when matching this rule. | `Allow`, `Reject` | string | |
-| imagePath | Image path matching criteria. | | [String Values Match](#stringvaluematch) | |
-| imageScanStatus | Vulnerability scan status criteria. | | [String Values Match](#stringvaluematch) | |
-| imageLastScan | Criteria for the last time the containers image was scanned. | | [Time Match](#timematch) | |
-
-### Selector
-
-A label selector is an expression which either matches or does not match a resource based on its labels.
-
-$[prodname] label selectors support a number of operators, which can be combined into larger expressions
-using the boolean operators and parentheses.
-
-| Expression | Meaning |
-|---------------------------|-----------------------------|
-| **Logical operators** |
-| `( )` | Matches if and only if `` matches. (Parentheses are used for grouping expressions.)
-| `! ` | Matches if and only if `` does not match. **Tip:** `!` is a special character at the start of a YAML string, if you need to use `!` at the start of a YAML string, enclose the string in quotes.
-| ` && ` | "And": matches if and only if both ``, and, `` matches
-| \ || \ | "Or": matches if and only if either ``, or, `` matches.
-| **Match operators** |
-| `all()` | Match all in-scope resources. To match _no_ resources, combine this operator with `!` to form `!all()`.
-| `global()` | Match all non-namespaced resources. Useful in a `namespaceSelector` to select global resources such as global network sets.
-| `k == 'v'` | Matches resources with the label 'k' and value 'v'.
-| `k != 'v'` | Matches resources without label 'k' or with label 'k' and value _not_ equal to `v`
-| `has(k)` | Matches resources with label 'k', independent of value. To match pods that do not have label `k`, combine this operator with `!` to form `!has(k)`
-| `k in { 'v1', 'v2' }` | Matches resources with label 'k' and value in the given set
-| `k not in { 'v1', 'v2' }` | Matches resources without label 'k' or with label 'k' and value _not_ in the given set
-| `k contains 's'` | Matches resources with label 'k' and value containing the substring 's'
-| `k starts with 's'` | Matches resources with label 'k' and value starting with the substring 's'
-| `k ends with 's'` | Matches resources with label 'k' and value ending with the substring 's'
-
-Operators have the following precedence:
-
-* **Highest**: all the match operators
-* Parentheses `( ... )`
-* Negation with `!`
-* Conjunction with `&&`
-* **Lowest**: Disjunction with `||`
-
-For example, the expression
-
-```
-! has(my-label) || my-label starts with 'prod' && role in {'frontend','business'}
-```
-
-Would be "bracketed" like this:
-
-```
-((!(has(my-label)) || ((my-label starts with 'prod') && (role in {'frontend','business'}))
-```
-
-It would match:
-* Any resource that did not have label "my-label".
-* Any resource that both:
-* Has a value for `my-label` that starts with "prod", and,
-* Has a role label with value either "frontend", or "business".
-
-Understanding scopes and the `all()` and `global()` operators: selectors have a scope of resources
-that they are matched against, which depends on the context in which they are used. For example:
-
-* The `nodeSelector` in an `IPPool` selects over `Node` resources.
-
-* The top-level selector in a `NetworkPolicy` selects over the workloads _in the same namespace_ as the
-`NetworkPolicy`.
-
-* The top-level selector in a `GlobalNetworkPolicy` doesn't have the same restriction, it selects over all endpoints
-including namespaced `WorkloadEndpoint`s and non-namespaced `HostEndpoint`s.
-
-* The `namespaceSelector` in a `NetworkPolicy` (or `GlobalNetworkPolicy`) _rule_ selects over the labels on namespaces
-rather than workloads.
-
-* The `namespaceSelector` determines the scope of the accompanying `selector` in the entity rule. If no `namespaceSelector`
-is present then the rule's `selector` matches the default scope for that type of policy. (This is the same namespace
-for `NetworkPolicy` and all endpoints/network sets for `GlobalNetworkPolicy`)
-
-* The `global()` operator can be used (only) in a `namespaceSelector` to change the scope of the main `selector` to
-include non-namespaced resources such as [GlobalNetworkSet](globalnetworkset.mdx).
-This allows namespaced `NetworkPolicy` resources to refer to global non-namespaced resources, which would otherwise
-be impossible.
-
-### StringValueMatch
-A string values match does a match or negative match on a target against a set of values.
-
-| Field | Description | Accepted Values | Schema | Default |
-|-----------|---------------------------------------------------|-----------------------|-------------------|------------|
-| operator | Match operator to use against the list of values | `IsOneOf`, `IsNoneOf` | string | |
-| values | List of values to match against. | | list of strings | |
-
-### TimeMatch
-A time match does a match or negative match against a time or duration.
-
-Duration is the length of time into the past from the current time to match against. As an example,
-
-```yaml
- operator: "gt"
- duration:
- days: 3
-```
-
-is false for 4 days prior to the current date time, and true for 2 days prior to current date time.
-
-Time is the absolute time to match a given time against. As an example,
-
-```yaml
- operator: "gt"
- time: "2022-01-02T0:00:00Z"
-```
-
-is false for "2022-01-01T0:00:00Z", and true for "2022-01-03T0:00:00Z".
-
-| Field | Description | Accepted Values | Schema | Default |
-|-----------|-------------------------------------------------------|-----------------------|---------------------------------------------------|------------|
-| operator | Match operator to use against the duration or time. | `gt`, `lt` | string | |
-| duration | The duration that this operator matches within. | | [Duration](#duration) | |
-| time | List of values to match against. | | String of the format "2006-01-02T15:04:05Z07:00" | |
-
-### Duration
-
-| Field | Description | Accepted Values | Schema | Default |
-|-----------|-----------------------------------------------|-------------------|-----------|------------|
-| days | Number of days past from the current time. | | integer | |
-| months | Number of months past from the current time. | | integer | |
-| years | Number of years past from the current time. | | integer | |
-
-## Supported operations
-
-| Datastore type | Create/Delete | Update | Get/List | Notes
-|--------------------------|---------------|--------|----------|------
-| Kubernetes API datastore | Yes | Yes | Yes |
diff --git a/calico-cloud/reference/resources/runtimesecurity.mdx b/calico-cloud/reference/resources/runtimesecurity.mdx
deleted file mode 100644
index e4d4138559..0000000000
--- a/calico-cloud/reference/resources/runtimesecurity.mdx
+++ /dev/null
@@ -1,72 +0,0 @@
----
-description: Reference for the RuntimeSecurity resource in Calico Cloud that configures Container Threat Detection in a connected cluster.
----
-
-# RuntimeSecurity
-
-The **RuntimeSecurity** custom resource (CR) is used to enable and configure Container Threat Detection in a Calico Cloud managed cluster.
-
-### Resource Definition
-
-```yaml
-apiVersion: operator.tigera.io/v1
-kind: RuntimeSecurity
-metadata:
- name: default
-spec:
- detectorConfig:
- - id: execution-container_deployment_command
- disabled: true
- - id: discovery-enumeration_of_linux_capabilities
- disabled: true
- runtimeExceptionList:
- - matching: regex
- processInvocation: "/bin/ls*"
- pod: "not-evil-pod"
- namespace: "default"
- - matching: exact
- pod: "nginx"
- namespace: default
- - matching: regex
- namespace: "company-operations"
-```
-
-## Runtime Security Definition
-
-### Metadata
-
-| Field | Description | Accepted Values | Schema |
-| ------ | --------------------------------------------- | ---------------- | ------ |
-| name | The name of the runtime security resource. | default | string |
-| labels | A set of labels to apply to this resource. | | map |
-
-
-### Spec
-
-| Field | Description | Accepted Values | Schema | Default |
-| ------------------------ | -------------------------------------------------------------------------------------------- | ---------------- | ----------------------------------------------------- | ------- |
-| detectorConfig | Configuration that allows particular threat detectors to be disabled | | [DetectorConfig](#detectorconfig) | |
-| runtimeExceptionList | List of entries of processes that are allowed to run that won't generate an event | | [runtimeExceptionList](#runtimeexceptionlist) | Enabled |
-
-### DetectorConfig
-
-The `DetectorConfig` by default is not present but can be used to disable particular threat detectors in the Calico Cloud Managed cluster.
-One entry per detector
-
-| Field | Description | Accepted Values | Schema |
-| -------- | ----------------------------------------------------------------- | --------------- | ------- |
-| id | The ID of the detector this entry applies too | | string |
-| disabled | Boolean represents weather the detector should be disabled or not | True, False | boolean |
-
-
-### RuntimeExceptionList
-
-This `RuntimeExceptionList` holds a list of entries that contain a list of supported fields by which a user can negate the
-generation of runtime reports.
-
-| Field | Description | Accepted Values | Schema |
-| -------- | ---------------------------------------------------------------------------------------------------------------------- | --------------- | ------- |
-| matching | Whether the entries are exact matches to fields or considered a regular expression | Exact, Regex | string |
-| processInvocation | The exact name or regex of the process to which a user wants to negate the generation of runtime logs | | string |
-| pod | The exact name or regex of the pod(s) to which a user wants to negate the generation of runtime logs | | string |
-| namespace | The exact name or regex of the namespace(s) for which a user wants to negate the generation of runtime logs | | string |
diff --git a/calico-cloud/release-notes/index.mdx b/calico-cloud/release-notes/index.mdx
index e91044df60..c3b276dceb 100644
--- a/calico-cloud/release-notes/index.mdx
+++ b/calico-cloud/release-notes/index.mdx
@@ -98,14 +98,14 @@ We've provided better access to the detectors we use as part of our Container Th
You can now view the complete list of detectors and turn them on or off as you see fit.
Detectors can also be configured as part of a new RuntimeSecurity custom resource.
-For more information, see [Update detector settings](../threat/container-threat-detection.mdx#update-detectors-settings).
+For more information, see Update detector settings.
#### Create Security Event exceptions for known processes
We added a way to create Security Event exceptions for processes in your cluster that you know to be safe.
This can be a helpful way to eliminate noise and false positives in your alerts.
-For more information, see [Exclude a process from Security Events alerts](../threat/container-threat-detection.mdx#exclude-process).
+For more information, see Exclude a process from Security Events alerts.
#### Added EPSS data to Image Assurance results
@@ -184,7 +184,7 @@ For information about upgrading, see [Upgrade Calico Cloud](../get-started/upgra
We added a way to efficiently add large numbers of vulnerability exceptions to your Image Assurance scan results.
Instead of creating exceptions one by one, you can add them all at once by uploading a CSV file with the vulnerability definitions.
-For more information, see [Exclude vulnerabilities from scan results](../image-assurance/exclude-vulnerabilities-from-scan-results.mdx).
+For more information, see Exclude vulnerabilities from scan results.
### Bug fixes
@@ -202,7 +202,7 @@ We added a way to create and assign Jira issues directly from your Image Assuran
You can filter and prioritize vulnerabilities, and then assign the remediation work to members of your team.
Calico Cloud populates the information you need, including a CSV file with detailed information about the vulnerabilities in your packages.
-For more information, see [Creating Jira issues for scan results](../image-assurance/creating-jira-issues-for-scan-results.mdx)
+For more information, see Creating Jira issues for scan results.
#### Security events dashboard
@@ -272,7 +272,7 @@ For more information, see [Connect a cluster to Calico Cloud](../get-started/ins
We added the ability to exclude namespaces from image scanning and runtime view.
By excluding certain namespaces, you can reduce noise in your scan results and focus attention on higher priority workloads.
-For more information, see [Configure exclusions for image scanning](../image-assurance/scanners/cluster-scanner.mdx#configure-exclusions-for-image-scanning).
+For more information, see Configure exclusions for image scanning.
## April 2, 2024 (version 19.1.0)
@@ -417,7 +417,7 @@ This failed installation message can be disregarded.
The Image Assurance feature adds the ability to scan images in container registries at any time, on any infrastructure, including Kubernetes. This is ideal protection for images that don’t go through a pipeline (for example, third-party images), but are published to a registry. If CVEs are missed in your build pipeline, you can catch them before they are deployed.
-For more information, see [Scan images in container registries](../image-assurance/scanners/registry-scanner.mdx).
+For more information, see Scan images in container registries.
#### Security event management
@@ -723,7 +723,7 @@ Release of Container Threat Detection
With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in the web console.
-To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx)
+To get started, see Container Threat Detection.
## September 26, 2022
@@ -763,7 +763,7 @@ We've made it easier for platform operators to share Image Assurance scan result
* Export one row per image or one row per image and CVE.
* Export CSV or JSON files.
-To get started, see [Image Assurance](../image-assurance).
+To get started, see Image Assurance.
### Malware detection is GA
@@ -774,7 +774,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i
If there's a match to known malware from our threat intelligence library, you receive an alert.
You can view your alerts on the _Alerts_ page on the web console.
-To get started, see [Malware Detection](../threat/container-threat-detection.mdx))
+To get started, see Malware Detection.
## July 27, 2022
@@ -858,4 +858,4 @@ The $[prodname] installation process will now require running a `kubectl apply`
$[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.
-To get started, see [Image Assurance](../image-assurance).
+To get started, see Image Assurance.
diff --git a/calico-cloud/threat/container-threat-detection.mdx b/calico-cloud/threat/container-threat-detection.mdx
deleted file mode 100644
index ce1a17eba0..0000000000
--- a/calico-cloud/threat/container-threat-detection.mdx
+++ /dev/null
@@ -1,153 +0,0 @@
----
-description: Detect malware hashes and suspicious container activity such as privilege escalation and command-and-control in Calico Cloud connected clusters with the managed eBPF threat detection engine.
-redirect_from:
- - /threat/malware-detection
----
-
-# Container threat detection
-
-:::warning[deprecation and removal notice]
-
-Compliance reports are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
-
-:::
-
-## Big picture
-
-Get alerts when security threats, such as malware and other suspicious processes, are detected in your cluster.
-
-## Value
-
-$[prodname] provides a threat detection engine that analyzes observed file and process activity to detect known malicious and suspicious activity.
-
-As part of these threat detection capabilities, $[prodname] maintains a database of malware file
-hashes. This database consists of SHA256, SHA1, and MD5 hashes of executable file contents that are
-known to be malicious. Whenever a program is launched in a $[prodname] cluster, malware
-detection generates an alert in the **Security Events Dashboard** if the program's hash matches one that is known
-to be malicious.
-
-Our threat detection engine also monitors activity within the containers running in your clusters to detect suspicious behavior and generate corresponding alerts. The threat detection engine monitors the following types of suspicious activity within containers:
-
-- Access to sensitive system files and directories
-- Command and control
-- Defense evasion
-- Discovery
-- Execution
-- Impact
-- Persistence
-- Privilege escalation
-
-## Before you begin...
-
-### Required
-
-$[prodname] Container threat detection uses eBPF to monitor container activity, and it runs on Linux-based
-nodes in a Kubernetes cluster.
-
-Nodes require amd64 (x86_64) architecture CPUs and one of the following distributions:
-
-- Ubuntu Bionic with kernel version 4.15.0 or 5.4.0
-- Ubuntu Focal with kernel version 5.4.0, 5.8.0 or 5.11.0
-- CentOS 7 or 8
-- Fedora 29, 30, 31, 32, 33 or 34
-- Amazon Linux 2
-- Debian Stretch or later
-- Any other distribution with a Linux kernel 5.0 or later that provides BPF Type Format (BTF) for that kernel at the standard place (/sys/kernel/btf/vmlinux)
-
-:::note
-
-If your nodes are running a variant kernel, or a similarly-modern kernel but with another platform,
-please open a [Support ticket](https://support.tigera.io/)
-so we can bundle the BTF data to precisely match the version of the kernel running on your cluster nodes.
-
-:::
-
-## How to
-
-- [Enable Container threat detection in the managed cluster](#enable-container-threat-detection)
-- [Monitor the Security Events page for malicious programs](#monitor-alerts-page-for-malicious-programs)
-- [Exclude a process from Security Events alerts](#exclude-a-process-from-Security-Events-alerts)
-- [Update detectors settings](#update-detectors-settings)
- - [Configure detectors via RuntimeSecurity Custom Resource](#configure-detectors-via-runtimesecurity-custom-resource)
-
-### Enable Container Threat Detection
-
-Container threat detection is disabled by default.
-
-To enable Container threat detection on your managed cluster, go to the **Threat Defense** section in the $[prodname] UI, and select **Enable Container Threat Detection**.
-This will result in Container threat detection running on all nodes in the managed cluster to detect malware and suspicious processes.
-
-Alternatively, Container threat detection can be enabled using kubectl:
-
-```bash
-kubectl apply -f - <Exclude a process from Security Events alerts
-
-You can turn off Security Events alerts for processes in your cluster that you know to be safe.
-
-To create an exception, add the process to the Runtime Security resource with kubectl:
-
-```bash title="Example RuntimeSecurity CR with exceptions"
-kubectl apply -f - <
-
diff --git a/calico-cloud/threat/security-event-management.mdx b/calico-cloud/threat/security-event-management.mdx
index 340c96b74a..d9372972c4 100644
--- a/calico-cloud/threat/security-event-management.mdx
+++ b/calico-cloud/threat/security-event-management.mdx
@@ -119,4 +119,4 @@ Security events generated from older managed clusters will not have values for t
**Where can I view security event logs?**
-Go to: **Logs**, Kibana index, `tigera_secure_ee_events`.
+Go to **Logs** and select the `tigera_secure_ee_events` index.
diff --git a/calico-cloud/threat/tor-vpn-feed-and-dashboard.mdx b/calico-cloud/threat/tor-vpn-feed-and-dashboard.mdx
index b95692af09..3fd4dcfd87 100644
--- a/calico-cloud/threat/tor-vpn-feed-and-dashboard.mdx
+++ b/calico-cloud/threat/tor-vpn-feed-and-dashboard.mdx
@@ -30,9 +30,6 @@ In recent times it became a trend to use multiple anonymization networks to hide
### The $[prodname] Tor-VPN dashboard
The Tor-VPN dashboard helps network security teams to monitor and respond to any detected activity by Tor and VPN feeds. It provides a cluster context to the detection and shows multiple artifacts e.g. flow logs, filtering controls, a tag cloud and line graph to analyze the activity and respond faster.
-The Tor-VPN dashboard may be accessed as below:
-
-- Log in to the $[prodname] web console, and go to **kibana**, select **dashboard**, and select **Tor-VPN Dashboard**.
## Before you begin...
@@ -57,8 +54,7 @@ In this section we will look at how to add Tor and VPN feeds to $[prodname]. Ins
```shell
kubectl apply -f $[filesUrl_CE]/manifests/threatdef/tor-exit-feed.yaml
```
-2. Now, you can monitor the Dashboard for any malicious activity. The dashboard can be found at the $[prodname] web console, go to "kibana" and then go to "Dashboard". Select "Tor-VPN Dashboard".
-3. Additionally, feeds can be checked using following command:
+2. Feeds can be checked using following command:
```shell
kubectl get globalthreatfeeds
```
diff --git a/calico-cloud/threat/web-application-firewall.mdx b/calico-cloud/threat/web-application-firewall.mdx
index b92f5e6b5a..8d4d50a108 100644
--- a/calico-cloud/threat/web-application-firewall.mdx
+++ b/calico-cloud/threat/web-application-firewall.mdx
@@ -327,10 +327,6 @@ Read more about the order of execution for plugins here: https://coreruleset.org
To view WAF events in a centralized security events dashboard, go to: **Threat defense**, **Security Events**. For help, see [Security Event Management](../threat/security-event-management).
-### Kibana
-
-To view WAF events In Kibana, select the `tigera_secure_ee_waf*` index pattern.
-
### Disable WAF for a deployment
To disable WAF on a deployment, use the Actions menu on the WAF board, or use the following command:
diff --git a/calico-cloud/tutorials/calico-cloud-features/networksets.mdx b/calico-cloud/tutorials/calico-cloud-features/networksets.mdx
index 93913689a2..1aed8972f4 100644
--- a/calico-cloud/tutorials/calico-cloud-features/networksets.mdx
+++ b/calico-cloud/tutorials/calico-cloud-features/networksets.mdx
@@ -34,7 +34,7 @@ Here are just a few examples of how network sets can be used:
- **Troubleshooting**
- Network sets appear as additional metadata in flow logs and Kibana, Flow Visualizer, and Service Graph.
+ Network sets appear as additional metadata in flow logs, Flow Visualizer, and Service Graph.
- **Efficiency and scaling**
@@ -119,7 +119,7 @@ If we double-click `hipstershop` to drill down, we now see the `google` network
-Service Graph provides a view into how services are interconnected in a consumable view, along with easy access to flow logs. However, you can also see traffic associated with network sets in volumetric display with Flow Visualizer, and query flow log data associated with network sets in Kibana.
+Service Graph provides a view into how services are interconnected in a consumable view, along with easy access to flow logs. You can also see traffic associated with network sets in volumetric display with Flow Visualizer.
## Tutorial
@@ -223,7 +223,7 @@ spec:
- Create a network set label and name schema
- It is helpful to think: what names would be meaningful and easy to understand when you look in Service Graph? Flow Viz? Kibana? What labels will be easy to understand when used in network policies – especially if you are separating users who manage network sets from those who consume them in network policies.
+ It is helpful to think: what names would be meaningful and easy to understand when you look in Service Graph or Flow Visualizer? What labels will be easy to understand when used in network policies – especially if you are separating users who manage network sets from those who consume them in network policies.
- Do not put large sets of CIDRs and domains directly in policy
diff --git a/calico-cloud/tutorials/calico-cloud-features/tour.mdx b/calico-cloud/tutorials/calico-cloud-features/tour.mdx
index 4bb25a4195..2f440e642d 100644
--- a/calico-cloud/tutorials/calico-cloud-features/tour.mdx
+++ b/calico-cloud/tutorials/calico-cloud-features/tour.mdx
@@ -205,22 +205,10 @@ How do you know if you have an infected workload? A possible threat? $[prodname]
## Logs
-$[prodname] includes a fully-integrated deployment of Elastic to collect flow log data that drives key features like the Flow Visualizer, metrics in the Dashboard and Policy Board, policy automation, and testing features and security. $[prodname] also embeds Kibana so you can view raw log data for the traffic within your cluster.
+$[prodname] includes a fully-integrated deployment of Elastic to collect flow log data that drives key features like the Flow Visualizer, metrics in the Dashboard and Policy Board, policy automation, and testing features and security.
> From the left navbar, click **Logs**.
-**Dashboards**
-
-$[prodname] comes with built-in dashboards.
-
-
-
-**Log data**
-
-Kibana provides its own set of filtering capabilities to drill down into log data. For example, use filters to drill into flow log data for specific namespaces and pods. Or view details and metadata for a single flow log entry.
-
-
-
## Threat feeds
You can add threat intelligence feeds to $[prodname] to trace network flows of suspicious IP addresses and domains. Then, you can use network policy to block pods from contacting IPs or domains.
diff --git a/calico-cloud/users/user-management.mdx b/calico-cloud/users/user-management.mdx
index ce6a923334..69e3d93827 100644
--- a/calico-cloud/users/user-management.mdx
+++ b/calico-cloud/users/user-management.mdx
@@ -30,13 +30,10 @@ The Owner role cannot be assigned to new users. The only Owner is the user who c
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
-| Kibana | view, edit |
-| Image Assurance | view, edit |
| Manage Team | view, edit |
| Usage Metrics | view |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
-| Container Threat Detection | view, edit |
| Dashboards | view, edit |
### Admin
@@ -53,13 +50,10 @@ The Admin role provides broad administrative access for day-to-day configuration
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
-| Kibana | view, edit |
-| Image Assurance | view, edit |
| Manage Team | view, edit |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
-| Container Threat Detection | view, edit |
| Dashboards | view, edit |
### User Admin
@@ -76,13 +70,10 @@ The User Admin role has the ability to manage team members and their assigned ro
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
-| Kibana | - |
-| Image Assurance | - |
| Manage Team | view, edit |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
-| Container Threat Detection | - |
| Dashboards | - |
### Cluster Connection Admin
@@ -99,13 +90,10 @@ The Cluster Connection Admin role has administrative capabilities of managed clu
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
-| Kibana | - |
-| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
-| Container Threat Detection | - |
| Dashboards | - |
### Viewer
@@ -122,13 +110,10 @@ The Viewer role provides read-only access to most operational and configuration
| Compliance Reports | view |
| Timeline | view |
| Alerts | view |
-| Kibana | view |
-| Image Assurance | - |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view |
| Web Application Firewall | view |
-| Container Threat Detection | view |
| Dashboards | view |
### DevOps
@@ -145,18 +130,15 @@ The DevOps role is designed for users responsible for application deployment, CI
| Compliance Reports | - |
| Timeline | view |
| Alerts | view, edit |
-| Kibana | view, edit |
-| Image Assurance | view, edit |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view |
-| Container Threat Detection | view |
| Dashboards | view |
### Security
-The Security role focuses on security posture management, including policy definition, threat monitoring, vulnerability management (Image Assurance), and incident response.
+The Security role focuses on security posture management, including policy definition, threat monitoring, and incident response.
| Feature | Permission Level |
| :------------------------------ | :--------------- |
@@ -168,13 +150,10 @@ The Security role focuses on security posture management, including policy defin
| Compliance Reports | view |
| Timeline | view |
| Alerts | view, edit |
-| Kibana | view, edit |
-| Image Assurance | view, edit |
| Manage Team | view |
| Usage Metrics | - |
| Threat Feeds | view, edit |
| Web Application Firewall | view, edit |
-| Container Threat Detection | view, edit |
| Dashboards | view |
### Compliance
@@ -191,13 +170,10 @@ The Compliance role provides focused access to compliance reporting and related
| Compliance Reports | view |
| Timeline | - |
| Alerts | - |
-| Kibana | - |
-| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
-| Container Threat Detection | - |
| Dashboards | - |
### Usage Metrics
@@ -214,36 +190,10 @@ This role grants specific access to view usage metrics for the $[prodname] accou
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
-| Kibana | - |
-| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | view |
| Threat Feeds | - |
| Web Application Firewall | - |
-| Container Threat Detection | - |
-| Dashboards | - |
-
-### Image Assurance Admin
-
-This role provides administrative control specifically over the Image Assurance feature, including configuring registries, policies, and viewing scan results.
-
-| Feature | Permission Level |
-| :------------------------------ | :--------------- |
-| Service Graph and Flow Visualizer | - |
-| Policies | - |
-| Nodes and Endpoints | - |
-| Network Sets | - |
-| Managed Clusters | - |
-| Compliance Reports | - |
-| Timeline | - |
-| Alerts | - |
-| Kibana | - |
-| Image Assurance | view, edit |
-| Manage Team | - |
-| Usage Metrics | - |
-| Threat Feeds | - |
-| Web Application Firewall | - |
-| Container Threat Detection | - |
| Dashboards | - |
### Dashboards Admin
@@ -260,13 +210,10 @@ This role grants administrative permissions specifically for creating, managing,
| Compliance Reports | - |
| Timeline | - |
| Alerts | - |
-| Kibana | - |
-| Image Assurance | - |
| Manage Team | - |
| Usage Metrics | - |
| Threat Feeds | - |
| Web Application Firewall | - |
-| Container Threat Detection | - |
| Dashboards | view, edit |
## Add your own identity provider
diff --git a/sidebars-calico-cloud.js b/sidebars-calico-cloud.js
index 2cb1959016..86073c9dd9 100644
--- a/sidebars-calico-cloud.js
+++ b/sidebars-calico-cloud.js
@@ -220,7 +220,6 @@ module.exports = {
'observability/alerts',
'observability/dashboards',
'observability/create-custom-dashboard',
- 'observability/kibana',
'observability/packetcapture',
'observability/visualize-traffic',
{
@@ -274,32 +273,8 @@ module.exports = {
'threat/suspicious-domains',
'threat/tor-vpn-feed-and-dashboard',
'threat/deeppacketinspection',
- 'threat/container-threat-detection',
'threat/web-application-firewall',
'threat/deploying-waf-ingress-gateway',
- {
- type: 'category',
- label: 'Image Assurance (deprecated)',
- link: { type: 'doc', id: 'image-assurance/index' },
- items: [
- {
- type: 'category',
- label: 'Scan images for vulnerabilities',
- link: { type: 'doc', id: 'image-assurance/scanners/index' },
- items: [
- 'image-assurance/scanners/overview',
- 'image-assurance/scanners/cluster-scanner',
- 'image-assurance/scanners/pipeline-scanner',
- 'image-assurance/scanners/registry-scanner',
- ],
- },
- 'image-assurance/understanding-scan-results',
- 'image-assurance/exclude-vulnerabilities-from-scan-results',
- 'image-assurance/set-up-alerts',
- 'image-assurance/install-the-admission-controller',
- 'image-assurance/creating-jira-issues-for-scan-results',
- ],
- },
],
},
{
@@ -473,7 +448,6 @@ module.exports = {
items: [
'reference/api',
'reference/installation/api',
- 'reference/installation/ia-api',
{
type: 'category',
label: 'Resource definitions',
@@ -486,7 +460,6 @@ module.exports = {
'reference/resources/bgpfilter',
'reference/resources/blockaffinity',
'reference/resources/caliconodestatus',
- 'reference/resources/containeradmissionpolicy',
{
type: 'category',
label: 'Compliance reports',
@@ -519,7 +492,6 @@ module.exports = {
'reference/resources/node',
'reference/resources/packetcapture',
'reference/resources/remoteclusterconfiguration',
- 'reference/resources/runtimesecurity',
'reference/resources/securityeventwebhook',
'reference/resources/stagedglobalnetworkpolicy',
'reference/resources/stagedkubernetesnetworkpolicy',
diff --git a/static/_redirects b/static/_redirects
index b0e0230b0e..f9f5daa342 100644
--- a/static/_redirects
+++ b/static/_redirects
@@ -135,6 +135,14 @@
# Mylo AI assistant removed (DOCS-2957)
/calico-cloud/tutorials/calico-cloud-features/mylo-ai /calico-cloud/about 301
+# Container security removal (PMREQ-905 / DOCS-2925): Image Assurance, Container Threat Detection, Kibana
+/calico-cloud/image-assurance/* /calico-cloud/about 301
+/calico-cloud/threat/container-threat-detection /calico-cloud/threat 301
+/calico-cloud/reference/installation/ia-api /calico-cloud/reference/installation/api 301
+/calico-cloud/reference/resources/runtimesecurity /calico-cloud/reference/resources 301
+/calico-cloud/reference/resources/containeradmissionpolicy /calico-cloud/reference/resources 301
+/calico-cloud/observability/kibana /calico-cloud/observability 301
+
# Redirect rules for old permalinks.
# Specific 301 redirects. From former CE unversioned URLS.