[TSLA-9066] Change container security features to state disabled #1963
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,6 +7,13 @@ title: Install Calico Cloud | |
|
|
||
| You can quickly connect a cluster to Calico Cloud by generating a unique kubectl or Helm command in the web console and running it on your cluster. | ||
|
|
||
| :::note | ||
|
|
||
| Starting from April 2025, container security features will not be enabled by default. | ||
| Image Assurance, Compliance Reports, and Container Threat Detection will need to be enabled explicitly. | ||
|
|
||
| ::: | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| * You have an active Calico Cloud account. You can sign up for a 14-day free trial at [calicocloud.io](https://calicocloud.io). | ||
|
|
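Review bot: The note added above Prerequisites says Image Assurance, Compliance Reports, and Container Threat Detection "will need to be enabled explicitly" but does not say how. Point it at the parameter table that lists `installer.components.imageAssurance.state`, `installer.components.runtimeSecurity.state` and `installer.components.compliance.enabled`. The note also reads as applying to every cluster, while that table says upgrades of previously connected clusters retain the previous Container Threat Detection state, so state whether the April 2025 change covers new clusters only or upgrades as well.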
@@ -27,6 +34,12 @@ You can quickly connect a cluster to Calico Cloud by generating a unique kubectl | |
| kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy.yaml && curl -H "Authorization: Bearer mprcnz04t:9dav6eoag:s8w7xjslez1x1xkf6ds0h23miz5b1fw6phh9897d0n76e4pjfdekijowjv5lw9dd" "https://www.calicocloud.io/api/managed-cluster/deploy.yaml?version=v19.1.0" | kubectl apply -f - | ||
| ``` | ||
|
|
||
| 1. For legacy users that want to install container security features, change the `deploy.yaml` in the command above to `deploy-with-container-security.yaml` | ||
|
|
||
| ```bash title="Example of generated kubectl installation command" | ||
| kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml && curl -H "Authorization: Bearer mprcnz04t:9dav6eoag:s8w7xjslez1x1xkf6ds0h23miz5b1fw6phh9897d0n76e4pjfdekijowjv5lw9dd" "https://www.calicocloud.io/api/managed-cluster/deploy-with-container-security.yaml?version=v19.1.0" | kubectl apply -f - | ||
| ``` | ||
|
|
||
| 1. From a terminal, paste and run the command. | ||
| 1. On the **Managed Clusters** page, you should immediately see your cluster in the list of managed clusters. | ||
| Monitor the status under **Connection Status**. | ||
|
|
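Review bot: The added step "For legacy users that want to install container security features" does not say who counts as a legacy user or what happens when anyone else applies `deploy-with-container-security.yaml`. State the criterion in the step and mark the step as optional, since it is numbered like a regular step ahead of "From a terminal, paste and run the command." The new code block reuses the title "Example of generated kubectl installation command", so give it a distinct title. The added command also carries a realistic-looking `Authorization: Bearer` value; an obvious placeholder such as `<api-key>` would make clear that the sample is not a credential and must not be pasted verbatim.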
@@ -48,10 +61,10 @@ You can quickly connect a cluster to Calico Cloud by generating a unique kubectl | |
|
|
||
|
Contributor
Author
Above this, we'll also need to add:

For legacy users that want to install image assurance using kubectl: Replace `deploy.yaml` with `deploy-with-container-security.yaml`.

```bash
kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml && curl -H "Authorization: Bearer mprcnz04t:9dav6eoag:s8w7xjslez1x1xkf6ds0h23miz5b1fw6phh9897d0n76e4pjfdekijowjv5lw9dd" "https://www.calicocloud.io/api/managed-cluster/deploy-with-container-security.yaml?version=v19.1.0" | kubectl apply -f -
```
Collaborator
I'm guessing that you're talking about people who are doing upgrades and who have IA enabled. If they run the generated kubectl command for v21.1.0, it will disable IA and CTD. If they want to continue with these enabled, they need to:
Is that right?
Contributor
Author
That's correct. |
||
| | Feature | Key | Values | | ||
| |---------|-----|--------| | ||
| | Image Assurance | `installer.components.imageAssurance.state` | `Enabled` (default), `Disabled` | | ||
| | Image Assurance | `installer.components.imageAssurance.state` | `Enabled`, `Disabled` (default) | | ||
| | Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. | | ||
| | Packet Capture | `installer.components.packetCaptureAPI.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. | | ||
| | Compliance Reports | `installer.components.compliance.enabled` | `true` (default), `false` | | ||
| | Compliance Reports | `installer.components.compliance.enabled` | `true`, `false` (default) | | ||
|
|
||
|
Contributor
Author
We also need to add a note that if you're not a legacy user, installing with container security enabled will cause an installation error. @ctauchen If you're able to tell me the best location to place the messaging, I believe you might put them in a deprecated section? |
||
| ```bash title="Example of generated Helm command with user-added parameters" | ||
| helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update && helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds --namespace calico-cloud --create-namespace && helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud --set apiKey=ryl34elz8:9dav6eoag:ifk1uwruwlgp7vzn7ecijt5zjbf5p9p1il1ag8877ylwjo4muu19wzg2g8x5qa7x --set installer.clusterName=my-cluster --set installer.calicoCloudVersion=v19.1.0 \ | ||
|
|
||
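Review bot: In the parameter table, the Image Assurance and Compliance Reports rows now read `Disabled` (default) and `false` (default) with no upgrade footnote, while the Container Threat Detection and Packet Capture rows state that upgrades of previously connected clusters retain the previous state. Say explicitly what an upgrade does to `installer.components.imageAssurance.state` and `installer.components.compliance.enabled`, because a cluster that silently loses Image Assurance or Compliance Reports on upgrade is a security-relevant change that operators need to know about before running the command.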
We'll also need to add a note about deprecation here.
Something along the lines of:
"Legacy users - those who have signed up prior to April 2025 - are still able to install the components above by setting the state to be Enabled. If you use the kubectl installs, then you can use deploy-with-container-security.yaml instead."
@ctauchen Is this messaging okay?
cc: @ozdanborne
@WilliamTigera Thanks, I'll dig into the implications of the deprecation schedule and add notes myself where necessary.