[TSLA-9066] Change container security features to state disabled

[WilliamTigera]

Product Version(s):

Issue:

Link to docs preview:

SME review:

• An SME has approved this change.

DOCS review:

• A member of the docs team has approved this change.

Additional information:

Merge checklist:

• Deploy preview inspected wherever changes were made
• Build completed successfully
• Test have passed

[netlify]

✅ Deploy Preview for calico-docs-preview-next ready!

Name	Link
🔨 Latest commit	abb76f9
🔍 Latest deploy log	https://app.netlify.com/sites/calico-docs-preview-next/deploys/67e56e3785f28d000869c443
😎 Deploy Preview	https://deploy-preview-1963--calico-docs-preview-next.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview succeeded!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	abb76f9
🔍 Latest deploy log	https://app.netlify.com/sites/tigera/deploys/67e56e373fc2860008d3abd8
😎 Deploy Preview	https://deploy-preview-1963--tigera.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 24 (🔴 down 2 from production) Accessibility: 90 (no change from production) Best Practices: 83 (no change from production) SEO: 85 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[WilliamTigera]

We'll also need to add a note about deprecation here.

Something along the lines of:

"Legacy users - those who have signed up prior to April 2025 - are still able to install the components above by setting the state to be Enabled. If you use the kubectl installs, then you can use deploy-with-container-security.yaml instead."

@ctauchen Is this messaging okay?

cc: @ozdanborne

[ctauchen]

@WilliamTigera Thanks, I'll dig into the implications of the deprecation schedule and add notes myself where necessary.

[ctauchen]

Thanks, @WilliamTigera. Changing the defaults works just fine for me, only thing from me is that we should also include calico-cloud/get-started/install-private-registry.mdx.

I'll go ahead and clean out the old 20-2 version, so you can expect to do a fetch and rebase before we merge.

[ctauchen]

@WilliamTigera Thanks, I'll dig into the implications of the deprecation schedule and add notes myself where necessary.

[WilliamTigera]

Above this, we'll also need to add:

For legacy users that want to install image assurance using kubectl: Replace deploy.yaml with deploy-with-container-security.yaml.

   kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml && curl -H "Authorization: Bearer mprcnz04t:9dav6eoag:s8w7xjslez1x1xkf6ds0h23miz5b1fw6phh9897d0n76e4pjfdekijowjv5lw9dd" "https://www.calicocloud.io/api/managed-cluster/deploy-with-container-security.yaml?version=v19.1.0" | kubectl apply -f -

[ctauchen]

I'm guessing that you're talking about people who are doing upgrades and who have IA enabled. If they run the generated kubectl command for v21.1.0, it will disable IA and CTD. If they want to continue with these enabled, they need to:

1. Generate and copy the kubectl command.
2. s/deploy.yaml/deploy-with-container-security.yaml
3. Apply, and see a successful upgrade with deprecated features working normally.

Is that right?

[WilliamTigera]

That's correct.

[WilliamTigera]

We also need to add a note that if you're not a legacy user, installing with container security enabled will cause an installation error.

@ctauchen If you're able to tell me the best location to place the messaging, I believe you might put them in a deprecated section?

[ctauchen]

Closing here, reproduced in #1975