4 changes: 1 addition & 3 deletions calico-cloud/get-started/cc-arch-diagram.mdx
Expand Up @@ -31,18 +31,16 @@ The following diagram shows the major components in a managed cluster, followed
| $[prodname] installer | Gets installation resources from the $[prodname] portal, registers a managed cluster, and reports installation or upgrade progress. | &bull; TCP 443 to $[prodname] hosted service<br />&bull; TCP 6443 to Kubernetes API server |
| $[prodname] tunnel server | Communicates with managed clusters by creating secure TLS tunnels. | Port 9000 from managed clusters |
| calico-node | Bundles key components that are required for networking containers with $[prodname]:<br/><br />&bull; Felix<br />&bull; BIRD<br />&bull; confd | &bull; TCP 5473 to Typha<br />&bull; TCP 9900 and 9081 from Prometheus API service |
| Container threat detection | A threat detection engine that analyzes observed file and process activity to detect known malicious and suspicious activity. Monitors the following types of suspicious activity within containers:<br/><br />&bull; Access to sensitive system files and directories<br />&bull; Defense evasion<br />&bull; Discovery<br />&bull; Execution<br />&bull; Persistence<br />&bull; Privilege escalation<br/><br />Includes these components:<br /><br />**Runtime Security Operator**<br />An operator to manage and reconcile container threat defense components.<br/><br />**Runtime Reporter Pods**<br />Pods running on each node in the cluster to perform the detection activity outlined above.They send activity reports to Elasticsearch for analysis by $[prodname]. | TCP to Kubernetes API server |
| Compliance | Generates compliance reports for the Kubernetes cluster. Reports are based on archived flow and audit logs for Calico Cloud resources, plus any audit logs you’ve configured for Kubernetes resources in the Kubernetes API server. Compliance reports provide the following high-level information:<br /><br />&bull; Endpoints explicitly protected using ingress or egress policy<br />&bull; Policies and services<br /> - Policies and services associated with endpoints<br /> - Policy audit logs <br />&bull; Traffic<br /> - Allowed ingress/egress traffic to/from namespaces, and to/from the internet Compliance includes these components: <br /><br />**compliance-snapshotter** <br />Handles listing of required Kubernetes and $[prodname]configuration and pushes snapshots to Elasticsearch. Snapshots give you visibility into configuration changes, and how the cluster-wide configuration has evolved within a reporting interval.<br /><br />**compliance-reporter**<br />Handles report generation. Reads configuration history from Elasticsearch and determines time evolution of cluster-wide configuration, including relationships between policies, endpoints, services, and network sets. Data is then passed through a zero-trust aggregator to determine the “worst-case outliers” in the reporting interval.<br /><br />**compliance-controller**<br />Reads report configuration and manages creation, deletion, and monitoring of report generation jobs.<br /><br />**compliance-benchmarker**<br />A daemonset that runs checks in the CIS Kubernetes Benchmark on each node so you can see if Kubernetes is securely deployed.<br /> | &bull; TCP 8080 to Guardian<br />&bull; TCP 6443 to Kubernetes API server |
| Fluentd | Open-source data collector for unified logging. Collects and forwards $[prodname] logs (flows, DNS, L7) to log storage. | &bull; TCP 8080 to Guardian<br />&bull; TCP 9080 from Prometheus API service |
| Guardian | An agent running in each managed cluster that proxies communication between the $[prodname] tunnel server and your managed cluster. Secured using TLS tunnels.<br /> | &bull; Port 9000 to tunnel server<br />&bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 6443 from $[prodname] components |
| Installation endpoints | Endpoints at `*.calicocloud.io` and `*.projectcalico.org`. | TCP 443 for both |
| Intrusion detection controller | Handles integrations with threat intelligence feeds and $[prodname] custom alerts. | &bull; TCP 8080 to Guardian<br />&bull; TCP 6443 to Kubernetes API server |
| Image Assurance | Identifies vulnerabilities in container images that you deploy to Kubernetes clusters. Components of interest are: <br /><br />**Admission controller**<br />Uses Kubernetes Validating Webhook Configuration to control which images can be used to create pods based on scan results. <br /><br />**API**<br />Isolates tenant data and authorizes all external access to Image Assurance data. **Note:** $[prodname] does not store registry credentials in its database and does not pull customer images into the $[prodname] control plane.<br /> | &bull;  TCP 8080 to Guardian<br /> &bull; TCP 6443 to Kubernetes API server |
| Kubernetes API server | A Kubernetes component that validates and configures data for the API objects (for example, pods, services, and others). <br /> | TCP 6443 (from all components) |
| kube-controllers | Monitors the Kubernetes API and performs actions based on cluster state. $[prodname] kube-controllers container includes these controllers:<br/><br />&bull; Node<br />&bull; Service<br />&bull; Federated services<br />&bull; Authorization<br /> | &bull; TCP 9094 from Prometheus API service<br />&bull; TCP 6443 to Kubernetes API server |
| Log storage | Storage for logs (flows, L7, DNS, audit). Data for each managed cluster is isolated and protected against unauthorized access. | n/a |
| Packet capture API | Retrieves capture files (pcap format) generated by a packet capture for use with network protocol analysis tools like Wireshark. Packet capture data is visible in the web console and Service Graph. | &bull; TCP 8449 Guardian to Packet Capture API<br />&bull; TCP 6443 to Kubernetes API server |
| Prometheus API service | Collects metrics from $[prodname] components and makes the metrics available to the web console. | &bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 9080 to Fluentd<br />&bull; TCP 9900 and 9081 to Prometheus API service |
| Tigera API server | Allows users to manage $[prodname] resources such as policies and tiers through kubectl or the Kubernetes API server. | &bull; TCP 9095 to Prometheus API service<br />&bull; TCP 8080 from Kubernetes API server |
| Typha | Increases scale by reducing each node’s impact on the datastore. | TCP 5473 from calico-node to Typha |
| User access to the web console | Authenticated users can access the browser-based the web console, which provides network traffic visibility and troubleshooting, centralized multi-cluster management, threat-defense, container threat detection, policy lifecycle management, scan images for vulnerabilities, and compliance for multiple roles/stakeholders. | Port 443 to $[prodname] tunnel server |
| User access to the web console | Authenticated users can access the browser-based the web console, which provides network traffic visibility and troubleshooting, centralized multi-cluster management, threat-defense, policy lifecycle management, and compliance for multiple roles/stakeholders. | Port 443 to $[prodname] tunnel server |
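Review bot: the rewritten web console row keeps the pre-existing doubled article in "the browser-based the web console"; since this line is being replaced anyway, drop the second "the". With the Image Assurance row also gone, nothing on the page now mentions the Validating Webhook Configuration that the legacy admission controller installs, so a legacy cluster will carry a webhook the architecture table does not explain; one sentence noting that legacy deployments may include components not listed here would cover that.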
22 changes: 0 additions & 22 deletions calico-cloud/get-started/install-automated.mdx
Expand Up @@ -91,28 +91,6 @@ If you're upgrading from Calico Cloud 19, the Packet Capture features will remai

:::

<details>
<summary>Use alternate feature keys for legacy features</summary>

The Image Assurance and Container Threat Detection features were removed for new users in Calico Cloud 21.1.0.
Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.


| Feature | Key | Values |
|---------|-----|--------|
| Image Assurance | `installer.components.imageAssurance.state` | `Enabled`, `Disabled` (default) |
| Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
| Packet Capture | `installer.components.packetCaptureAPI.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
| Compliance Reports | `installer.components.compliance.enabled` | `true`, `false` (default) |

:::note

If you're upgrading from Calico Cloud 19, the Container Threat Detection and Packet Capture features will remain enabled unless you explicitly set them to `Disabled`.

:::

</details>

### Optional parameters for pod scheduling and resource management

For many Calico Cloud components, you can specify node selectors, tolerations, and resource requests and limits.
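Review bot: the deleted table also documented `installer.components.packetCaptureAPI.state` and `installer.components.compliance.enabled`, which are not the legacy features the deleted intro names (only Image Assurance and Container Threat Detection were removed in 21.1.0). The note kept just above this block covers Packet Capture only, so unless the Compliance Reports key is documented elsewhere on this page it now has no reference at all. Suggest keeping a two-row table for those two keys outside the removed `<details>` block.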
39 changes: 0 additions & 39 deletions calico-cloud/get-started/install-cluster.mdx
Expand Up @@ -23,22 +23,6 @@ You can quickly connect a cluster to Calico Cloud by generating a unique kubectl
1. Optional: If you must install a specific older release, select the Calico Cloud version you want to install.
We always recommend the latest version, which is installed by default.
1. Click **Connect** to generate a unique kubectl command. Copy the command.

<details>
<summary>Use alternate manifest for legacy features</summary>

The Image Assurance and Container Threat Detection features were removed for new users in Calico Cloud 21.1.0.
Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.

To continue using these features, modify the generated command by replacing **two instances** of `deploy.yaml` with `deploy-with-container-security.yaml`.
This change gives you a manifest with all three legacy features enabled.
You cannot enable or disable these features individually.

```bash title="Example of generated kubectl command with alternate manifest"
kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml && curl -H "Authorization: Bearer ..." "https://www.calicocloud.io/api/managed-cluster/deploy-with-container-security.yaml?version=$[cloudUserVersion]" | kubectl apply -f -
```
</details>

1. From a terminal, paste and run the command.
1. On the **Managed Clusters** page, you should immediately see your cluster in the list of managed clusters.
Monitor the status under **Connection Status**.
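Review bot: the deleted text said legacy users can keep running the deprecated features until a future release, yet this block was the only place that told them to swap `deploy.yaml` for `deploy-with-container-security.yaml`. If that manifest is still served, readers who reconnect a cluster now have no way to find it; if it is no longer served, say so in a one-line deprecation sentence after the Connect step or in a release note rather than removing the instructions silently.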
Expand Down Expand Up @@ -70,29 +54,6 @@ You can quickly connect a cluster to Calico Cloud by generating a unique kubectl

In this example, the command connects the cluster to Calico Cloud with the Packet Capture feature enabled.

<details>
<summary>Use alternate feature keys for legacy features</summary>

The Image Assurance and Container Threat Detection features were removed for new users in Calico Cloud 21.1.0.
Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.


| Feature | Key | Values |
|---------|-----|--------|
| Image Assurance | `installer.components.imageAssurance.state` | `Enabled`, `Disabled` (default) |
| Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
| Packet Capture | `installer.components.packetCaptureAPI.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
| Compliance Reports | `installer.components.compliance.enabled` | `true`, `false` (default) |

```bash title="Example of generated Helm command with user-added parameters"
helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update && helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds --namespace calico-cloud --create-namespace && helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud --set apiKey=ryl34elz8:9dav6eoag:ifk1uwruwlgp7vzn7ecijt5zjbf5p9p1il1ag8877ylwjo4muu19wzg2g8x5qa7x --set installer.clusterName=my-cluster --set installer.calicoCloudVersion=v19.1.0 \
--set installer.components.imageAssurance.state=Enabled \
--set installer.components.runtimeSecurity.state=Enabled \
```
In this example, the command connects the cluster to Calico Cloud with Image Assurance and Container Threat Detection features enabled.

</details>

1. From a terminal, paste and run the command.
1. On the **Managed Clusters** page, you should immediately see your cluster in the list of managed clusters.
Monitor the status under **Connection Status**.
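Review bot: the deleted Helm example ended with a dangling `\` after `--set installer.components.runtimeSecurity.state=Enabled \`, which leaves the shell waiting for more input, and it used `--set apiKey=ryl34elz8:...` with a value shaped like a real key rather than a placeholder. The retained Packet Capture example above ("In this example, the command connects the cluster to Calico Cloud with the Packet Capture feature enabled") is built from the same template, so check that it neither ends in a stray continuation nor embeds a key-shaped literal; an obvious placeholder such as `<api-key>` keeps readers from pasting example credentials.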
23 changes: 0 additions & 23 deletions calico-cloud/get-started/install-private-registry.mdx
Expand Up @@ -48,29 +48,6 @@ You can perform a Helm installation from images stored on a private registry.

In this example, the command connects the cluster to Calico Cloud with the Packet Capture feature enabled.

<details>
<summary>Use alternate feature keys for legacy features</summary>

The Image Assurance and Container Threat Detection features were removed for new users in Calico Cloud 21.1.0.
Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.


| Feature | Key | Values |
|---------|-----|--------|
| Image Assurance | `installer.components.imageAssurance.state` | `Enabled`, `Disabled` (default) |
| Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
| Packet Capture | `installer.components.packetCaptureAPI.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
| Compliance Reports | `installer.components.compliance.enabled` | `true`, `false` (default) |

```bash title="Example of generated Helm command with user-added parameters"
helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update && helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds --namespace calico-cloud --create-namespace && helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud --set apiKey=ryl34elz8:9dav6eoag:ifk1uwruwlgp7vzn7ecijt5zjbf5p9p1il1ag8877ylwjo4muu19wzg2g8x5qa7x --set installer.clusterName=my-cluster --set installer.calicoCloudVersion=v19.1.0 \
--set installer.components.imageAssurance.state=Enabled \
--set installer.components.runtimeSecurity.state=Enabled \
```
In this example, the command connects the cluster to Calico Cloud with Image Assurance and Container Threat Detection features enabled.

</details>

1. From a terminal, paste and run the command.

1. On the **Managed Clusters** page, you should immediately see your cluster in the list of managed clusters.
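Review bot: this page exists to list what must be mirrored into a private registry, so if the image list earlier on the page still includes the runtime security or image assurance images, trim it in the same change; otherwise operators copy images that the default install never deploys. The retained Packet Capture example should also be checked for the trailing `\` line continuation that the deleted example carried after its last `--set`.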
36 changes: 0 additions & 36 deletions calico-cloud/get-started/operator-checklist.mdx
Expand Up @@ -53,17 +53,10 @@ intrusion-detection True False False 9m49s
log-collector True False False 9m29s
management-cluster-connection True False False 9m54s
monitor True False False 10m
runtime-security True False False 10m
```

If all components show a status of "Available" = TRUE, $[prodname] is properly installed.

:::note

The `runtime-security` component is available only if [the container threat detection feature is enabled](../threat/container-threat-detection.mdx#enable-container-threat-detection).

:::

**Issue: $[prodname] is not installed**

If $[prodname] is not installed, you'll get the following error. Install $[prodname] on the node using the `curl` command that you got from Support.
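Review bot: the deleted note linked to `../threat/container-threat-detection.mdx#enable-container-threat-detection`; confirm that page is removed or updated in the same change so no other page links to a dead anchor. Also, legacy clusters that still have the feature enabled will keep showing a `runtime-security` row in `kubectl get tigerastatus`, and the checklist now says nothing about it; a short caveat that additional rows can appear on legacy clusters keeps "If all components show Available = TRUE" accurate for those readers.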
Expand Down Expand Up @@ -373,21 +366,6 @@ NAME AGE
tigera-secure 98m
```

**Check runtime security **

```bash
kubectl get runtimesecurity.operator.tigera.io default
```

```
NAME AGE
default 99m
```

:::note
The `runtime-security` custom resource will only be available if the container threat detection feature is enabled.
:::

For more information on operator custom resources see the [Installation API reference](../reference/installation/api.mdx).

### Deep dive into custom resources
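Review bot: dropping the `kubectl get runtimesecurity.operator.tigera.io default` check is consistent with the rest of the change, but if the RuntimeSecurity CRD is still shipped by the `calico-cloud-crds` chart, a reader on a legacy cluster will still find a `default` resource with nothing in the docs describing it. Worth confirming the CRD is removed from the chart in the same release, or keeping one sentence here for legacy clusters.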
Expand All @@ -408,7 +386,6 @@ kubectl get tigerastatus
| 6 | log-collector | TRUE | FALSE | FALSE | 9m29s |
| 7 | management-cluster-connection | TRUE | FALSE | FALSE | 9m54s |
| 8 | monitor | TRUE | FALSE | FALSE | 11m |
| 9 | runtime-security | TRUE | FALSE | FALSE | 10m |

**1 - api server**

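Review bot: with row 9 gone the table now matches the `kubectl get tigerastatus` code block earlier on the page in row count, but the sample ages still disagree (`monitor` is `10m` in the code block and `11m` here). Since the table is being edited, align the two renderings so they read as the same run.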
Expand Down Expand Up @@ -572,19 +549,6 @@ calico-prometheus-operator-77bf897c9b-7f88x 1/1 Running 0 125m
prometheus-calico-node-prometheus-0 3/3 Running 1 125m
```

**9 - runtime-security**

`runtime-security` is responsible for the container threat detection feature. Check the pods and logs in the `calico-cloud` namespace with the label selector `k8s-app=tigera-runtime-security-operator`.

```bash
$ kubectl get pods -n calico-cloud -l k8s-app=tigera-runtime-security-operator
```

```
NAME READY STATUS RESTARTS AGE
tigera-runtime-security-operator-127b606afc-ap25k 1/1 Running 0 80m
```

### Check additional custom resources

Check for the presence of other custom resources created by the Tigera Operator: FelixConfiguration, IPPool, Tigera License, and Prometheus for component metrics.
15 changes: 0 additions & 15 deletions calico-cloud/get-started/upgrade-cluster.mdx
Expand Up @@ -10,21 +10,6 @@ To upgrade a managed cluster to the latest version of $[prodname]:
1. If your organization uses multiple projects to group managed clusters, click the **Project** menu and select the project you want your cluster to be part of.
1. For the cluster you want to upgrade, select **Actions** > **Reinstall**.
1. In the **Reinstall Cluster** dialog, select a newer version of $[prodname] from the list, click **Reinstall**, and copy the generated kubectl command.
<details>
<summary>Use alternate manifest for legacy features</summary>

The Image Assurance and Container Threat Detection features were removed for new users in Calico Cloud 21.1.0.
Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.

To continue using these features, modify the generated command by replacing **two instances** of `deploy.yaml` with `deploy-with-container-security.yaml`.
This change gives you a manifest with all three legacy features enabled.
You cannot enable or disable these features individually.

```bash title="Example of generated kubectl command with alternate manifest"
kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml && curl -H "Authorization: Bearer ..." "https://www.calicocloud.io/api/managed-cluster/deploy-with-container-security.yaml?version=$[cloudUserVersion]" | kubectl apply -f -
```
</details>

1. From a terminal, paste and run the command.
The cluster's status under **Connection Status** changes to **Disconnected: Installing**.
When the upgrade is complete, the status changes to **Connected**.
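Review bot: the deleted block was the only place that told a legacy user how to upgrade without losing Image Assurance and Container Threat Detection, and the deleted text itself states those features come only from `deploy-with-container-security.yaml` and cannot be toggled individually. After this change a legacy user who follows Reinstall gets `deploy.yaml`, which removes the Image Assurance admission controller, so image-policy enforcement on pod creation stops with no warning in the dialog or on this page. Add an explicit sentence after the Reinstall step saying that reinstalling with a current version removes those components, so the loss of admission control is a documented outcome rather than a surprise.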