diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CalicoWindowsInstall.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CalicoWindowsInstall.js
deleted file mode 100644
index d9dbc524a1..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CalicoWindowsInstall.js
+++ /dev/null
@@ -1,196 +0,0 @@
-import React from 'react';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-
-import { prodname, prodnameWindows } from '../../variables';
-
-function CalicoWindowsInstallFirstStep(props) {
- if (props.networkingType === 'vxlan') {
- return (
- <>
-
- Ensure that cross-subnet encapsulation is disabled. You must use VXLAN and NOT VXLANCrossSubnet
- as the encapsulation: of your IP pool. Use this command to change it if you only have one IP pool configured:
-
-
-
- {`kubectl patch installation default --type='json' -p='[{"op": "replace", "path": "/spec/calicoNetwork/ipPools/0/encapsulation", "value": "VXLAN"}]`}
-
-
-
- Ensure that BGP is disabled.
-
-
If you installed {prodname} using the manifest, BGP is already disabled.
-
If you installed {prodname} using the operator, run this command:
- Get the cluster's Kubernetes API server host and port, which will be used to update the {prodnameWindows}{' '}
- config map. The API server host and port is required so that the {prodnameWindows} installation script can
- create a kubeconfig file for {prodname} services. If your Windows nodes already have {prodnameWindows}{' '}
- installed manually, skip this step. The installation script will use the API server host and port from your
- node's existing kubeconfig file if the KUBERNETES_SERVICE_HOST and{' '}
- KUBERNETES_SERVICE_PORT variables are not provided in the calico-windows-config{' '}
- ConfigMap.
-
-
First, make a note of the address of the API server:
-
-
-
- If you have a single API server with a static IP address, you can use its IP address and port. The IP can
- be found by running:
-
- kubectl get endpoints kubernetes -o wide
-
The output should look like the following, with a single IP address and port under "ENDPOINTS":
-
- {`NAME ENDPOINTS AGE
-kubernetes 172.16.101.157:6443 40m`}
-
-
- If there are multiple entries under "ENDPOINTS", then your cluster must have more than one API server. In
- this case, use the appropriate load balancing option below for your cluster.
-
-
-
-
- If using DNS load balancing (as used by kops), use the FQDN and port of the API server{' '}
-
- api.internal.{'<'}clustername{'>'}
-
- .
-
-
-
-
- If you have multiple API servers with a load balancer in front, you should use the IP and port of the load
- balancer.
-
-
-
-
- If your cluster uses a ConfigMap to configure kube-proxy you can find the "right" way to
- reach the API server by examining the config map. For example:
-
- In this case, the server is d881b853aea312e00302a84f1e346a77.gr7.us-west-2.eks.amazonaws.com{' '}
- and the port is 443 (the standard HTTPS port).
-
-
-
-
-
-
- Create the kubernetes-services-endpoint ConfigMap with the Kubernetes API server
- host and port (discovered in the previous step) used to create a kubeconfig file for {prodname} services.
- {`kubectl apply -f - << EOF
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: kubernetes-services-endpoint
- namespace: tigera-operator
-data:
- KUBERNETES_SERVICE_HOST: "$\{APISERVER_ADDR\}"
- KUBERNETES_SERVICE_PORT: "$\{APISERVER_PORT\}"
-EOF`}
-
-
-
-
-
- Get the Kubernetes service clusterIP range configured in your cluster. This must
- match the service-cluster-ip-range used by kube-apiserver.
-
-
-
-
- Add the Kubernetes service CIDR (discovered in the previous step) enable {prodnameWindows} on the Tigera Operator installation resource.
-
-
- For example, with a Kubernetes service clusterIP range of 10.96.0.0/12:
- {`kubectl patch installation default --type merge --patch='{"spec": {"serviceCIDRs": ["10.96.0.0/12"], "calicoNetwork": {"windowsDataplane": "HNS"}}}'`}
-
-
-
- Install kube-proxy on Windows nodes.
-
- Depending on your platform, you may already have kube-proxy running on your Windows nodes. If kube-proxy is
- already running on your Windows nodes, skip this step. If kube-proxy is not running, you must install and run
- kube-proxy on each of the Windows nodes in your cluster. Note: The
- manifest provided in the kubernetes-sigs sig-windows-tools repository depends on the kubeconfig
- provided by the kube-proxy ConfigMap in the kube-system namespace.
-
-
- You must replace KUBE_PROXY_VERSION with your cluster's Kubernetes version in kube-proxy.yml to ensure the daemonset uses a kube-proxy Windows image that is compatible with your Kubernetes cluster. Use a command like the following to retrieve the YAML file, replace the version, and apply it:
- {`curl -L https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hostprocess/calico/kube-proxy/kube-proxy.yml | sed "s/KUBE_PROXY_VERSION/\/g" | kubectl apply -f -`}
-
-
-
-
Monitor the installation.
- The {prodnameWindows} HPC installation has 2 initContainers: uninstall-calico, which deals with removing previous manually installed {prodnameWindows} services, if any
- and install-cni, which installs needed CNI binaries and configuration, when using Calico CNI.
-
- kubectl logs -f -n calico-system -l k8s-app=calico-node-windows -c uninstall-calico{'\n'}
- kubectl logs -f -n calico-system -l k8s-app=calico-node-windows -c install-cni{'\n'}
-
-
- After these initContainers finish their execution, installation is complete. Next, the
- {prodnameWindows} services are started in separate containers:
-
- The calico-node-windows pods will be ready after their containers finish initializing.
-
-
-
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CliConfigIntro.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CliConfigIntro.js
deleted file mode 100644
index 930d8de8a3..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CliConfigIntro.js
+++ /dev/null
@@ -1,53 +0,0 @@
-import React from 'react';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-
-import { prodname, baseUrl } from '../../variables';
-
-export default function CliConfigIntro(props) {
- return (
- <>
-
- Many {props.cli} commands require access to the {prodname} datastore. In most circumstances,{' '}
- {props.cli} cannot achieve this connection by default. You can provide
- {props.cli} with the information it needs using either of the following.
-
-
-
-
- Configuration file: by default, {props.cli} will look for a configuration file
- at /etc/calico/{props.cli}.cfg. You can override this using the --config option
- with commands that require datastore access. The file can be in either YAML or JSON format. It must be valid
- and readable by {props.cli}. A YAML example follows.
-
- Environment variables: If {props.cli} cannot locate, read, or access a
- configuration file, it will check a specific set of environment variables.
-
-
-
-
- See the section that corresponds to your datastore type for a
- full set of options and examples.
-
-
- When running {props.cli} inside a container, any environment variables and configuration files must
- be passed to the container so they are available to the process inside. It can be useful to keep a running
- container (that sleeps) configured for your datastore, then it is possible to exec into the
- container and have an already configured environment.
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ComponentVersions.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ComponentVersions.js
deleted file mode 100644
index 3e7ceb9b33..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ComponentVersions.js
+++ /dev/null
@@ -1,64 +0,0 @@
-import React from 'react';
-import Link from '@docusaurus/Link';
-import Heading from '@theme/Heading';
-
-import { toKebab } from '@site/src/components/utils/formatters';
-
-import variables from '../../variables';
-
-export default function ComponentVersions() {
- const { prodname, version, downloadsurl } = variables;
-
- const releases = variables.releases.map((release) => {
- return release;
- }).filter(release => release);
-
- return (
- <>
- {releases.map((release) => (
-
-
- Release archive
- {' '}
- with Kubernetes manifests. Based on Calico {releases[0].calico.minor_version}.
-
- )}
- This release comprises the following components, and can be installed using{' '}
-
- {release['tigera-operator'].registry}/{release['tigera-operator'].image}:
- {release['tigera-operator'].version}
-
-
-
- ))}
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ConfigureManagedCluster.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ConfigureManagedCluster.js
deleted file mode 100644
index ab08a5de46..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ConfigureManagedCluster.js
+++ /dev/null
@@ -1,122 +0,0 @@
-import React from 'react';
-
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-import Heading from '@theme/Heading';
-
-import { baseUrl } from '../../variables';
-
-export default function ConfigureManagedCluster(props) {
- const kubectlCmd = props.kubectlCmd || 'kubectl';
-
- return (
- <>
-
- Create the connection manifest for your managed cluster
-
-
- To connect the managed cluster to your management cluster, you need to create and apply a connection manifest.
- You can create a connection manifest from the Manager UI in the management cluster or manually using{' '}
- {kubectlCmd}.
-
-
- Connect cluster - Manager UI
-
-
-
-
- In the Manager UI left navbar, click Managed Clusters.
-
-
-
-
- On the Managed Clusters page, click the button, Add Cluster.
-
-
-
-
Name your cluster that is easily recognized in a list of managed clusters, and click Create Cluster.
-
-
-
Download the manifest.
-
-
-
- connect-cluster---kubectl
-
-
- Choose a name for your managed cluster and then add it to your management cluster. The
- following commands will create a manifest with the name of your managed cluster in your current directory.
-
-
-
-
- First, decide on the name for your managed cluster. Because you will eventually have several managed
- clusters, choose a name that can be easily recognized in a list of managed clusters. The name is also used
- in steps that follow.
-
- export MANAGED_CLUSTER=my-managed-cluster
-
-
-
- Get the namespace in which the Tigera Operator is running in your managed cluster (in most cases this will
- be tigera-operator):
-
-
- {`mkdir calico
-wget -qO- ${filesUrl}/manifests/ocp.tgz | tar xvz --strip-components=1 -C calico`}
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/EnvironmentFile.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/EnvironmentFile.js
deleted file mode 100644
index cd6eb04b03..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/EnvironmentFile.js
+++ /dev/null
@@ -1,58 +0,0 @@
-import React from 'react';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-
-import { baseUrl } from '../../variables';
-
-export default function EnvironmentFile(props) {
- return (
- <>
-
-
- Use the following guidelines and sample file to define the environment variables for starting Calico on the
- host. For more help, see the{' '}
-
- {props.install === 'container' ? (
- {props.nodecontainer} configuration reference
- ) : (
- Felix configuration reference
- )}
-
-
For the Kubernetes datastore set the following:
-
-
-
-
Variable
-
Configuration guidance
-
-
-
-
-
KUBECONFIG
-
Path to kubeconfig file to access the Kubernetes API Server
-
-
-
- {props.install === 'container' && (
-
- If using certificates and keys, you will need to volume mount them into the container at the location
- specified by the paths mentioned above.
-
- )}
-
- Sample EnvironmentFile - save to /etc/calico/calico.env
-
- );
-};
-
-export default TableResource;
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json
deleted file mode 100644
index e94fce4da1..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json
+++ /dev/null
@@ -1,8983 +0,0 @@
-{
- "Comment": "This file generated by calico-felix-docgen, DO NOT EDIT.",
- "Groups": [
- {
- "Name": "Datastore connection",
- "Fields": [
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "DatastoreType",
- "NameEnvVar": "FELIX_DatastoreType",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "One of: `etcdv3`, `kubernetes` (case insensitive)",
- "StringSchemaHTML": "One of: etcdv3, kubernetes (case insensitive)",
- "StringDefault": "etcdv3",
- "ParsedDefault": "etcdv3",
- "ParsedDefaultJSON": "\"etcdv3\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Controls which datastore driver Felix will use. Typically, this is detected from the environment\nand it does not need to be set manually. (For example, if `KUBECONFIG` is set, the kubernetes datastore driver\nwill be used by default).",
- "DescriptionHTML": "
Controls which datastore driver Felix will use. Typically, this is detected from the environment\nand it does not need to be set manually. (For example, if KUBECONFIG is set, the kubernetes datastore driver\nwill be used by default).
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "EtcdAddr",
- "NameEnvVar": "FELIX_EtcdAddr",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "String matching regex `^[^:/]+:\\d+$`",
- "StringSchemaHTML": "String matching regex ^[^:/]+:\\d+$",
- "StringDefault": "127.0.0.1:2379",
- "ParsedDefault": "127.0.0.1:2379",
- "ParsedDefaultJSON": "\"127.0.0.1:2379\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "**Open source-only parameter**; `etcdv3` datastore driver is not supported in Calico Enterprise/Cloud.\n\nWhen using the `etcdv3` datastore driver, the etcd server and port to connect to. If EtcdEndpoints\nis also specified, it takes precedence.",
- "DescriptionHTML": "
Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
\n
When using the etcdv3 datastore driver, the etcd server and port to connect to. If EtcdEndpoints\nis also specified, it takes precedence.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": true
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "EtcdCaFile",
- "NameEnvVar": "FELIX_EtcdCaFile",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "**Open source-only parameter**; `etcdv3` datastore driver is not supported in Calico Enterprise/Cloud.\n\nWhen using the `etcdv3` datastore driver, path to TLS CA file to use when connecting to\netcd. If the CA file is specified, the other TLS parameters are mandatory.",
- "DescriptionHTML": "
Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
\n
When using the etcdv3 datastore driver, path to TLS CA file to use when connecting to\netcd. If the CA file is specified, the other TLS parameters are mandatory.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": true
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "EtcdCertFile",
- "NameEnvVar": "FELIX_EtcdCertFile",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "**Open source-only parameter**; `etcdv3` datastore driver is not supported in Calico Enterprise/Cloud.\n\nWhen using the `etcdv3` datastore driver, path to TLS certificate file to use when connecting to\netcd. If the certificate file is specified, the other TLS parameters are mandatory.",
- "DescriptionHTML": "
Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
\n
When using the etcdv3 datastore driver, path to TLS certificate file to use when connecting to\netcd. If the certificate file is specified, the other TLS parameters are mandatory.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": true
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "EtcdEndpoints",
- "NameEnvVar": "FELIX_EtcdEndpoints",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "List of HTTP endpoints: comma-delimited list of `http(s)://hostname:port`",
- "StringSchemaHTML": "List of HTTP endpoints: comma-delimited list of http(s)://hostname:port",
- "StringDefault": "",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "[]string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "**Open source-only parameter**; `etcdv3` datastore driver is not supported in Calico Enterprise/Cloud.\n\nWhen using the `etcdv3` datastore driver, comma-delimited list of etcd endpoints to connect to,\nreplaces EtcdAddr and EtcdScheme.",
- "DescriptionHTML": "
Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
\n
When using the etcdv3 datastore driver, comma-delimited list of etcd endpoints to connect to,\nreplaces EtcdAddr and EtcdScheme.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": true
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "EtcdKeyFile",
- "NameEnvVar": "FELIX_EtcdKeyFile",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "**Open source-only parameter**; `etcdv3` datastore driver is not supported in Calico Enterprise/Cloud.\n\nWhen using the `etcdv3` datastore driver, path to TLS private key file to use when connecting to\netcd. If the key file is specified, the other TLS parameters are mandatory.",
- "DescriptionHTML": "
Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
\n
When using the etcdv3 datastore driver, path to TLS private key file to use when connecting to\netcd. If the key file is specified, the other TLS parameters are mandatory.
If set, tells Felix to connect to Typha at the given address and port. Overrides TyphaK8sServiceName.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaCAFile",
- "NameEnvVar": "FELIX_TyphaCAFile",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Path to the TLS CA file to use when communicating with Typha. If this parameter is specified,\nthe other TLS parameters must also be specified. For non-cluster hosts, the CA file is extracted from the\ntigera-ca-bundle ConfigMap under the TyphaK8sNamespace namespace.",
- "DescriptionHTML": "
Path to the TLS CA file to use when communicating with Typha. If this parameter is specified,\nthe other TLS parameters must also be specified. For non-cluster hosts, the CA file is extracted from the\ntigera-ca-bundle ConfigMap under the TyphaK8sNamespace namespace.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaCN",
- "NameEnvVar": "FELIX_TyphaCN",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Common name to use when authenticating to Typha over TLS. If any TLS parameters are specified then one of\nTyphaCN and TyphaURISAN must be set.",
- "DescriptionHTML": "
Common name to use when authenticating to Typha over TLS. If any TLS parameters are specified then one of\nTyphaCN and TyphaURISAN must be set.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaCertFile",
- "NameEnvVar": "FELIX_TyphaCertFile",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Path to the TLS certificate to use when communicating with Typha. If this parameter is specified,\nthe other TLS parameters must also be specified. For non-cluster hosts, the certificate will be signed by the\nin-cluster Tigera operator signer.",
- "DescriptionHTML": "
Path to the TLS certificate to use when communicating with Typha. If this parameter is specified,\nthe other TLS parameters must also be specified. For non-cluster hosts, the certificate will be signed by the\nin-cluster Tigera operator signer.
Namespace to look in when looking for Typha's service (see TyphaK8sServiceName).
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaK8sServiceName",
- "NameEnvVar": "FELIX_TyphaK8sServiceName",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "If set, tells Felix to connect to Typha by looking up the Endpoints of the given Kubernetes\nService in namespace specified by TyphaK8sNamespace.",
- "DescriptionHTML": "
If set, tells Felix to connect to Typha by looking up the Endpoints of the given Kubernetes\nService in namespace specified by TyphaK8sNamespace.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaKeyFile",
- "NameEnvVar": "FELIX_TyphaKeyFile",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Path to the TLS private key to use when communicating with Typha. If this parameter is specified,\nthe other TLS parameters must also be specified. For non-cluster hosts, the private key is generated locally\nand rotated when the certificate expires.",
- "DescriptionHTML": "
Path to the TLS private key to use when communicating with Typha. If this parameter is specified,\nthe other TLS parameters must also be specified. For non-cluster hosts, the private key is generated locally\nand rotated when the certificate expires.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaReadTimeout",
- "NameEnvVar": "FELIX_TyphaReadTimeout",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "30",
- "ParsedDefault": "30s",
- "ParsedDefaultJSON": "30000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Read timeout when reading from the Typha connection. If typha sends no data for this long,\nFelix will exit and restart. (Note that Typha sends regular pings so traffic is always expected.)",
- "DescriptionHTML": "
Read timeout when reading from the Typha connection. If typha sends no data for this long,\nFelix will exit and restart. (Note that Typha sends regular pings so traffic is always expected.)
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Datastore connection",
- "GroupWithSortPrefix": "00 Datastore connection",
- "NameConfigFile": "TyphaURISAN",
- "NameEnvVar": "FELIX_TyphaURISAN",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "URI SAN to use when authenticating to Typha over TLS. If any TLS parameters are specified then one of\nTyphaCN and TyphaURISAN must be set.",
- "DescriptionHTML": "
URI SAN to use when authenticating to Typha over TLS. If any TLS parameters are specified then one of\nTyphaCN and TyphaURISAN must be set.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Process: Feature detection/overrides",
- "Fields": [
- {
- "Group": "Process: Feature detection/overrides",
- "GroupWithSortPrefix": "00 Process: Feature detection/overrides",
- "NameConfigFile": "FeatureDetectOverride",
- "NameEnvVar": "FELIX_FeatureDetectOverride",
- "NameYAML": "featureDetectOverride",
- "NameGoAPI": "FeatureDetectOverride",
- "StringSchema": "Comma-delimited list of key=value pairs",
- "StringSchemaHTML": "Comma-delimited list of key=value pairs",
- "StringDefault": "",
- "ParsedDefault": "map[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "map[string]string",
- "YAMLType": "string",
- "YAMLSchema": "String matching the regular expression `^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String matching the regular expression ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to override feature detection based on auto-detected platform\ncapabilities. Values are specified in a comma separated list with no spaces, example;\n\"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\". A value of \"true\" or \"false\" will\nforce enable/disable feature, empty or omitted values fall back to auto-detection.",
- "DescriptionHTML": "
Used to override feature detection based on auto-detected platform\ncapabilities. Values are specified in a comma separated list with no spaces, example;\n\"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\". A value of \"true\" or \"false\" will\nforce enable/disable feature, empty or omitted values fall back to auto-detection.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Feature detection/overrides",
- "GroupWithSortPrefix": "00 Process: Feature detection/overrides",
- "NameConfigFile": "FeatureGates",
- "NameEnvVar": "FELIX_FeatureGates",
- "NameYAML": "featureGates",
- "NameGoAPI": "FeatureGates",
- "StringSchema": "Comma-delimited list of key=value pairs",
- "StringSchemaHTML": "Comma-delimited list of key=value pairs",
- "StringDefault": "",
- "ParsedDefault": "map[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "map[string]string",
- "YAMLType": "string",
- "YAMLSchema": "String matching the regular expression `^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String matching the regular expression ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to enable or disable tech-preview Calico features.\nValues are specified in a comma separated list with no spaces, example;\n\"BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false\". This is\nused to enable features that are not fully production ready.",
- "DescriptionHTML": "
Used to enable or disable tech-preview Calico features.\nValues are specified in a comma separated list with no spaces, example;\n\"BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false\". This is\nused to enable features that are not fully production ready.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Process: Go runtime",
- "Fields": [
- {
- "Group": "Process: Go runtime",
- "GroupWithSortPrefix": "00 Process: Go runtime",
- "NameConfigFile": "GoGCThreshold",
- "NameEnvVar": "FELIX_GoGCThreshold",
- "NameYAML": "goGCThreshold",
- "NameGoAPI": "GoGCThreshold",
- "StringSchema": "Integer: [-1,2^63-1]",
- "StringSchemaHTML": "Integer: [-1,263-1]",
- "StringDefault": "40",
- "ParsedDefault": "40",
- "ParsedDefaultJSON": "40",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [-1,2^63-1]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [-1,263-1]",
- "YAMLDefault": "40",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is\nallowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time\nspent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used\nto disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting.\n\nThis setting is overridden by the GOGC environment variable.",
- "DescriptionHTML": "
Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is\nallowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time\nspent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used\nto disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting.
\n
This setting is overridden by the GOGC environment variable.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Go runtime",
- "GroupWithSortPrefix": "00 Process: Go runtime",
- "NameConfigFile": "GoMaxProcs",
- "NameEnvVar": "FELIX_GoMaxProcs",
- "NameYAML": "goMaxProcs",
- "NameGoAPI": "GoMaxProcs",
- "StringSchema": "Integer: [-1,2^63-1]",
- "StringSchemaHTML": "Integer: [-1,263-1]",
- "StringDefault": "-1",
- "ParsedDefault": "-1",
- "ParsedDefaultJSON": "-1",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [-1,2^63-1]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [-1,263-1]",
- "YAMLDefault": "-1",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means\n\"use the system default\"; typically the number of real CPUs on the system.\n\nthis setting is overridden by the GOMAXPROCS environment variable.",
- "DescriptionHTML": "
Sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means\n\"use the system default\"; typically the number of real CPUs on the system.
\n
this setting is overridden by the GOMAXPROCS environment variable.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Go runtime",
- "GroupWithSortPrefix": "00 Process: Go runtime",
- "NameConfigFile": "GoMemoryLimitMB",
- "NameEnvVar": "FELIX_GoMemoryLimitMB",
- "NameYAML": "goMemoryLimitMB",
- "NameGoAPI": "GoMemoryLimitMB",
- "StringSchema": "Integer: [-1,2^63-1]",
- "StringSchemaHTML": "Integer: [-1,263-1]",
- "StringDefault": "-1",
- "ParsedDefault": "-1",
- "ParsedDefaultJSON": "-1",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [-1,2^63-1]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [-1,263-1]",
- "YAMLDefault": "-1",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory\nusage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to\ntake more than 50% of the process's CPU time. A value of -1 disables the memory limit.\n\nNote that the memory limit, if used, must be considerably less than any hard resource limit set at the container\nor pod level. This is because felix is not the only process that must run in the container or pod.\n\nThis setting is overridden by the GOMEMLIMIT environment variable.",
- "DescriptionHTML": "
Sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory\nusage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to\ntake more than 50% of the process's CPU time. A value of -1 disables the memory limit.
\n
Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container\nor pod level. This is because felix is not the only process that must run in the container or pod.
\n
This setting is overridden by the GOMEMLIMIT environment variable.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Process: Health port and timeouts",
- "Fields": [
- {
- "Group": "Process: Health port and timeouts",
- "GroupWithSortPrefix": "00 Process: Health port and timeouts",
- "NameConfigFile": "HealthEnabled",
- "NameEnvVar": "FELIX_HealthEnabled",
- "NameYAML": "healthEnabled",
- "NameGoAPI": "HealthEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If set to true, enables Felix's health port, which provides readiness and liveness endpoints.",
- "DescriptionHTML": "
If set to true, enables Felix's health port, which provides readiness and liveness endpoints.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Health port and timeouts",
- "GroupWithSortPrefix": "00 Process: Health port and timeouts",
- "NameConfigFile": "HealthHost",
- "NameEnvVar": "FELIX_HealthHost",
- "NameYAML": "healthHost",
- "NameGoAPI": "HealthHost",
- "StringSchema": "String matching regex `^[a-zA-Z0-9:._+-]{1,64}$`",
- "StringSchemaHTML": "String matching regex ^[a-zA-Z0-9:._+-]{1,64}$",
- "StringDefault": "localhost",
- "ParsedDefault": "localhost",
- "ParsedDefaultJSON": "\"localhost\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "localhost",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The host that the health server should bind to.",
- "DescriptionHTML": "
The host that the health server should bind to.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Health port and timeouts",
- "GroupWithSortPrefix": "00 Process: Health port and timeouts",
- "NameConfigFile": "HealthPort",
- "NameEnvVar": "FELIX_HealthPort",
- "NameYAML": "healthPort",
- "NameGoAPI": "HealthPort",
- "StringSchema": "Integer: [0,65535]",
- "StringSchemaHTML": "Integer: [0,65535]",
- "StringDefault": "9099",
- "ParsedDefault": "9099",
- "ParsedDefaultJSON": "9099",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [0,65535]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [0,65535]",
- "YAMLDefault": "9099",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The TCP port that the health server should bind to.",
- "DescriptionHTML": "
The TCP port that the health server should bind to.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Health port and timeouts",
- "GroupWithSortPrefix": "00 Process: Health port and timeouts",
- "NameConfigFile": "HealthTimeoutOverrides",
- "NameEnvVar": "FELIX_HealthTimeoutOverrides",
- "NameYAML": "healthTimeoutOverrides",
- "NameGoAPI": "HealthTimeoutOverrides",
- "StringSchema": "Comma-delimited list of `=` pairs, where durations use Go's standard format (e.g. 1s, 1m, 1h3m2s)",
- "StringSchemaHTML": "Comma-delimited list of <key>=<duration> pairs, where durations use Go's standard format (e.g. 1s, 1m, 1h3m2s)",
- "StringDefault": "",
- "ParsedDefault": "map[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "map[string]time.Duration",
- "YAMLType": "array",
- "YAMLSchema": "List of health timeout overrides: `[{name: \"\", timeout: \"\"}, ...]` where `` is in the Go duration format, for example `1m30s`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of health timeout overrides: [{name: \"<name>\", timeout: \"<duration>\"}, ...] where <duration> is in the Go duration format, for example 1m30s.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Allows the internal watchdog timeouts of individual subcomponents to be\noverridden. This is useful for working around \"false positive\" liveness timeouts that can occur\nin particularly stressful workloads or if CPU is constrained. For a list of active\nsubcomponents, see Felix's logs.",
- "DescriptionHTML": "
Allows the internal watchdog timeouts of individual subcomponents to be\noverridden. This is useful for working around \"false positive\" liveness timeouts that can occur\nin particularly stressful workloads or if CPU is constrained. For a list of active\nsubcomponents, see Felix's logs.
",
- "UserEditable": true,
- "GoType": "[]v3.HealthTimeoutOverride",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Process: Logging",
- "Fields": [
- {
- "Group": "Process: Logging",
- "GroupWithSortPrefix": "00 Process: Logging",
- "NameConfigFile": "LogDebugFilenameRegex",
- "NameEnvVar": "FELIX_LogDebugFilenameRegex",
- "NameYAML": "logDebugFilenameRegex",
- "NameGoAPI": "LogDebugFilenameRegex",
- "StringSchema": "Regular expression",
- "StringSchemaHTML": "Regular expression",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "null",
- "ParsedType": "*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls which source code files have their Debug log output included in the logs.\nOnly logs from files with names that match the given regular expression are included. The filter only applies\nto Debug level logs.",
- "DescriptionHTML": "
Controls which source code files have their Debug log output included in the logs.\nOnly logs from files with names that match the given regular expression are included. The filter only applies\nto Debug level logs.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Logging",
- "GroupWithSortPrefix": "00 Process: Logging",
- "NameConfigFile": "LogDropActionOverride",
- "NameEnvVar": "FELIX_LogDropActionOverride",
- "NameYAML": "logDropActionOverride",
- "NameGoAPI": "LogDropActionOverride",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies whether or not to include the DropActionOverride in the logs when it is triggered.",
- "DescriptionHTML": "
Specifies whether or not to include the DropActionOverride in the logs when it is triggered.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Logging",
- "GroupWithSortPrefix": "00 Process: Logging",
- "NameConfigFile": "LogFilePath",
- "NameEnvVar": "FELIX_LogFilePath",
- "NameYAML": "logFilePath",
- "NameGoAPI": "LogFilePath",
- "StringSchema": "Path to file",
- "StringSchemaHTML": "Path to file",
- "StringDefault": "/var/log/calico/felix.log",
- "ParsedDefault": "/var/log/calico/felix.log",
- "ParsedDefaultJSON": "\"/var/log/calico/felix.log\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "/var/log/calico/felix.log",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "The full path to the Felix log. Set to none to disable file logging.",
- "DescriptionHTML": "
The full path to the Felix log. Set to none to disable file logging.
The log severity above which logs are sent to the syslog. Set to None for no logging to syslog.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Process: Prometheus metrics",
- "Fields": [
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusGoMetricsEnabled",
- "NameEnvVar": "FELIX_PrometheusGoMetricsEnabled",
- "NameYAML": "prometheusGoMetricsEnabled",
- "NameGoAPI": "PrometheusGoMetricsEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Disables Go runtime metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.",
- "DescriptionHTML": "
Disables Go runtime metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusMetricsCAFile",
- "NameEnvVar": "FELIX_PrometheusMetricsCAFile",
- "NameYAML": "prometheusMetricsCAFile",
- "NameGoAPI": "PrometheusMetricsCAFile",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.",
- "DescriptionHTML": "
Defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusMetricsCertFile",
- "NameEnvVar": "FELIX_PrometheusMetricsCertFile",
- "NameYAML": "prometheusMetricsCertFile",
- "NameGoAPI": "PrometheusMetricsCertFile",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.",
- "DescriptionHTML": "
Defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.
Specifies the client authentication type for the /metrics endpoint.\nThis determines how the server validates client certificates. Default is \"RequireAndVerifyClientCert\".
",
- "UserEditable": true,
- "GoType": "*v3.PrometheusMetricsClientAuthType",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusMetricsEnabled",
- "NameEnvVar": "FELIX_PrometheusMetricsEnabled",
- "NameYAML": "prometheusMetricsEnabled",
- "NameGoAPI": "PrometheusMetricsEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Enables the Prometheus metrics server in Felix if set to true.",
- "DescriptionHTML": "
Enables the Prometheus metrics server in Felix if set to true.
The host that the Prometheus metrics server should bind to.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusMetricsKeyFile",
- "NameEnvVar": "FELIX_PrometheusMetricsKeyFile",
- "NameYAML": "prometheusMetricsKeyFile",
- "NameGoAPI": "PrometheusMetricsKeyFile",
- "StringSchema": "Path to file, which must exist",
- "StringSchemaHTML": "Path to file, which must exist",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Defines the absolute path to the private key file corresponding to the TLS certificate\nused for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.",
- "DescriptionHTML": "
Defines the absolute path to the private key file corresponding to the TLS certificate\nused for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.
The TCP port that the Prometheus metrics server should bind to.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusProcessMetricsEnabled",
- "NameEnvVar": "FELIX_PrometheusProcessMetricsEnabled",
- "NameYAML": "prometheusProcessMetricsEnabled",
- "NameGoAPI": "PrometheusProcessMetricsEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Disables process metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.",
- "DescriptionHTML": "
Disables process metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Process: Prometheus metrics",
- "GroupWithSortPrefix": "00 Process: Prometheus metrics",
- "NameConfigFile": "PrometheusWireGuardMetricsEnabled",
- "NameEnvVar": "FELIX_PrometheusWireGuardMetricsEnabled",
- "NameYAML": "prometheusWireGuardMetricsEnabled",
- "NameGoAPI": "PrometheusWireGuardMetricsEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Disables wireguard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.",
- "DescriptionHTML": "
Disables wireguard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.
Overrides the default location where to find the cgroup hierarchy.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "ChainInsertMode",
- "NameEnvVar": "FELIX_ChainInsertMode",
- "NameYAML": "chainInsertMode",
- "NameGoAPI": "ChainInsertMode",
- "StringSchema": "One of: `append`, `insert` (case insensitive)",
- "StringSchemaHTML": "One of: append, insert (case insensitive)",
- "StringDefault": "insert",
- "ParsedDefault": "insert",
- "ParsedDefaultJSON": "\"insert\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Append`, `Insert`.",
- "YAMLEnumValues": [
- "Append",
- "Insert"
- ],
- "YAMLSchemaHTML": "One of: Append, Insert.",
- "YAMLDefault": "Insert",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule\nat the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents\nCalico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains\nsignal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.",
- "DescriptionHTML": "
Controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule\nat the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents\nCalico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains\nsignal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "DataplaneDriver",
- "NameEnvVar": "FELIX_DataplaneDriver",
- "NameYAML": "dataplaneDriver",
- "NameGoAPI": "DataplaneDriver",
- "StringSchema": "Path to executable, which must exist. If not an absolute path, the directory containing this binary and the system path will be searched.",
- "StringSchemaHTML": "Path to executable, which must exist. If not an absolute path, the directory containing this binary and the system path will be searched.",
- "StringDefault": "calico-iptables-plugin",
- "ParsedDefault": "calico-iptables-plugin",
- "ParsedDefaultJSON": "\"calico-iptables-plugin\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "calico-iptables-plugin",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver\nis set to false.",
- "DescriptionHTML": "
Filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver\nis set to false.
The readiness/liveness timeout used for Felix's (internal) dataplane driver.\nDeprecated: replaced by the generic HealthTimeoutOverrides.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "DefaultEndpointToHostAction",
- "NameEnvVar": "FELIX_DefaultEndpointToHostAction",
- "NameYAML": "defaultEndpointToHostAction",
- "NameGoAPI": "DefaultEndpointToHostAction",
- "StringSchema": "One of: `ACCEPT`, `DROP`, `RETURN` (case insensitive)",
- "StringSchemaHTML": "One of: ACCEPT, DROP, RETURN (case insensitive)",
- "StringDefault": "DROP",
- "ParsedDefault": "DROP",
- "ParsedDefaultJSON": "\"DROP\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Accept`, `Drop`, `Return`.",
- "YAMLEnumValues": [
- "Accept",
- "Drop",
- "Return"
- ],
- "YAMLSchemaHTML": "One of: Accept, Drop, Return.",
- "YAMLDefault": "Drop",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls what happens to traffic that goes from a workload endpoint to the host\nitself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload\nendpoints to the host itself with an iptables \"DROP\" action. If you want to allow some or all traffic from\nendpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables\n\"INPUT\" chain; Calico will insert its rules at the top of that chain, then \"RETURN\" packets to the \"INPUT\" chain\nonce it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets\nfrom workloads after processing workload endpoint egress policy.",
- "DescriptionHTML": "
Controls what happens to traffic that goes from a workload endpoint to the host\nitself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload\nendpoints to the host itself with an iptables \"DROP\" action. If you want to allow some or all traffic from\nendpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables\n\"INPUT\" chain; Calico will insert its rules at the top of that chain, then \"RETURN\" packets to the \"INPUT\" chain\nonce it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets\nfrom workloads after processing workload endpoint egress policy.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "DeviceRouteProtocol",
- "NameEnvVar": "FELIX_DeviceRouteProtocol",
- "NameYAML": "deviceRouteProtocol",
- "NameGoAPI": "DeviceRouteProtocol",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "3",
- "ParsedDefault": "3",
- "ParsedDefaultJSON": "3",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "3",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label\nused to identify the owner of the route.",
- "DescriptionHTML": "
Controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label\nused to identify the owner of the route.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "DeviceRouteSourceAddress",
- "NameEnvVar": "FELIX_DeviceRouteSourceAddress",
- "NameYAML": "deviceRouteSourceAddress",
- "NameGoAPI": "DeviceRouteSourceAddress",
- "StringSchema": "IPv4 address",
- "StringSchemaHTML": "IPv4 address",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "net.IP",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "IPv4 address to set as the source hint for routes programmed by Felix. When not set\nthe source address for local traffic from host to workload will be determined by the kernel.",
- "DescriptionHTML": "
IPv4 address to set as the source hint for routes programmed by Felix. When not set\nthe source address for local traffic from host to workload will be determined by the kernel.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "DeviceRouteSourceAddressIPv6",
- "NameEnvVar": "FELIX_DeviceRouteSourceAddressIPv6",
- "NameYAML": "deviceRouteSourceAddressIPv6",
- "NameGoAPI": "DeviceRouteSourceAddressIPv6",
- "StringSchema": "IPv6 address",
- "StringSchemaHTML": "IPv6 address",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "net.IP",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "IPv6 address to set as the source hint for routes programmed by Felix. When not set\nthe source address for local traffic from host to workload will be determined by the kernel.",
- "DescriptionHTML": "
IPv6 address to set as the source hint for routes programmed by Felix. When not set\nthe source address for local traffic from host to workload will be determined by the kernel.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "DisableConntrackInvalidCheck",
- "NameEnvVar": "FELIX_DisableConntrackInvalidCheck",
- "NameYAML": "disableConntrackInvalidCheck",
- "NameGoAPI": "DisableConntrackInvalidCheck",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Disables the check for invalid connections in conntrack. While the conntrack\ninvalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios.",
- "DescriptionHTML": "
Disables the check for invalid connections in conntrack. While the conntrack\ninvalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios.
Overrides the Drop action in Felix, optionally changing the behavior to Accept, and optionally adding Log.\nPossible values are Drop, LogAndDrop, Accept, LogAndAccept.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "EndpointStatusPathPrefix",
- "NameEnvVar": "FELIX_EndpointStatusPathPrefix",
- "NameYAML": "endpointStatusPathPrefix",
- "NameGoAPI": "EndpointStatusPathPrefix",
- "StringSchema": "Path to file",
- "StringSchemaHTML": "Path to file",
- "StringDefault": "/var/run/calico",
- "ParsedDefault": "/var/run/calico",
- "ParsedDefaultJSON": "\"/var/run/calico\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "/var/run/calico",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The path to the directory where endpoint status will be written. Endpoint status\nfile reporting is disabled if field is left empty.\n\nChosen directory should match the directory used by the CNI plugin for PodStartupDelay.",
- "DescriptionHTML": "
The path to the directory where endpoint status will be written. Endpoint status\nfile reporting is disabled if field is left empty.
\n
Chosen directory should match the directory used by the CNI plugin for PodStartupDelay.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "ExternalNodesCIDRList",
- "NameEnvVar": "FELIX_ExternalNodesCIDRList",
- "NameYAML": "externalNodesList",
- "NameGoAPI": "ExternalNodesCIDRList",
- "StringSchema": "Comma-delimited list of CIDRs",
- "StringSchemaHTML": "Comma-delimited list of CIDRs",
- "StringDefault": "",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "[]string",
- "YAMLType": "array",
- "YAMLSchema": "List of strings: `[\"\", ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of strings: [\"<string>\", ...].",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "A list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic\nwill be allowed. By default, external tunneled traffic is blocked to reduce attack surface.",
- "DescriptionHTML": "
A list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic\nwill be allowed. By default, external tunneled traffic is blocked to reduce attack surface.
",
- "UserEditable": true,
- "GoType": "*[]string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "FailsafeInboundHostPorts",
- "NameEnvVar": "FELIX_FailsafeInboundHostPorts",
- "NameYAML": "failsafeInboundHostPorts",
- "NameGoAPI": "FailsafeInboundHostPorts",
- "StringSchema": "Comma-delimited list of numeric ports with optional protocol and CIDR:`(tcp|udp)::`, `(tcp|udp):` or ``. IPv6 CIDRs must be enclosed in square brackets.",
- "StringSchemaHTML": "Comma-delimited list of numeric ports with optional protocol and CIDR:(tcp|udp):<cidr>:<port>, (tcp|udp):<port> or <port>. IPv6 CIDRs must be enclosed in square brackets.",
- "StringDefault": "tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667",
- "ParsedDefault": "[{tcp 22 } {udp 68 } {tcp 179 } {tcp 2379 } {tcp 2380 } {tcp 5473 } {tcp 6443 } {tcp 6666 } {tcp 6667 }]",
- "ParsedDefaultJSON": "[{\"protocol\":\"tcp\",\"port\":22},{\"protocol\":\"udp\",\"port\":68},{\"protocol\":\"tcp\",\"port\":179},{\"protocol\":\"tcp\",\"port\":2379},{\"protocol\":\"tcp\",\"port\":2380},{\"protocol\":\"tcp\",\"port\":5473},{\"protocol\":\"tcp\",\"port\":6443},{\"protocol\":\"tcp\",\"port\":6666},{\"protocol\":\"tcp\",\"port\":6667}]",
- "ParsedType": "[]v3.ProtoPort",
- "YAMLType": "array",
- "YAMLSchema": "List of protocol/port objects with optional CIDR match: `[{protocol: \"TCP|UDP\", port: , net: \"\"}, ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of protocol/port objects with optional CIDR match: [{protocol: \"TCP|UDP\", port: <port>, net: \"<cidr>\"}, ...].",
- "YAMLDefault": "[{\"protocol\":\"tcp\",\"port\":22},{\"protocol\":\"udp\",\"port\":68},{\"protocol\":\"tcp\",\"port\":179},{\"protocol\":\"tcp\",\"port\":2379},{\"protocol\":\"tcp\",\"port\":2380},{\"protocol\":\"tcp\",\"port\":5473},{\"protocol\":\"tcp\",\"port\":6443},{\"protocol\":\"tcp\",\"port\":6666},{\"protocol\":\"tcp\",\"port\":6667}]",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "A list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will\nallow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally\ncutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified,\nit defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports,\nuse the value \"[]\". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API.",
- "DescriptionHTML": "
A list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will\nallow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally\ncutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified,\nit defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports,\nuse the value \"[]\". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API.
",
- "UserEditable": true,
- "GoType": "*[]v3.ProtoPort",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "FailsafeOutboundHostPorts",
- "NameEnvVar": "FELIX_FailsafeOutboundHostPorts",
- "NameYAML": "failsafeOutboundHostPorts",
- "NameGoAPI": "FailsafeOutboundHostPorts",
- "StringSchema": "Comma-delimited list of numeric ports with optional protocol and CIDR:`(tcp|udp)::`, `(tcp|udp):` or ``. IPv6 CIDRs must be enclosed in square brackets.",
- "StringSchemaHTML": "Comma-delimited list of numeric ports with optional protocol and CIDR:(tcp|udp):<cidr>:<port>, (tcp|udp):<port> or <port>. IPv6 CIDRs must be enclosed in square brackets.",
- "StringDefault": "udp:53,udp:67,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667",
- "ParsedDefault": "[{udp 53 } {udp 67 } {tcp 179 } {tcp 2379 } {tcp 2380 } {tcp 5473 } {tcp 6443 } {tcp 6666 } {tcp 6667 }]",
- "ParsedDefaultJSON": "[{\"protocol\":\"udp\",\"port\":53},{\"protocol\":\"udp\",\"port\":67},{\"protocol\":\"tcp\",\"port\":179},{\"protocol\":\"tcp\",\"port\":2379},{\"protocol\":\"tcp\",\"port\":2380},{\"protocol\":\"tcp\",\"port\":5473},{\"protocol\":\"tcp\",\"port\":6443},{\"protocol\":\"tcp\",\"port\":6666},{\"protocol\":\"tcp\",\"port\":6667}]",
- "ParsedType": "[]v3.ProtoPort",
- "YAMLType": "array",
- "YAMLSchema": "List of protocol/port objects with optional CIDR match: `[{protocol: \"TCP|UDP\", port: , net: \"\"}, ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of protocol/port objects with optional CIDR match: [{protocol: \"TCP|UDP\", port: <port>, net: \"<cidr>\"}, ...].",
- "YAMLDefault": "[{\"protocol\":\"udp\",\"port\":53},{\"protocol\":\"udp\",\"port\":67},{\"protocol\":\"tcp\",\"port\":179},{\"protocol\":\"tcp\",\"port\":2379},{\"protocol\":\"tcp\",\"port\":2380},{\"protocol\":\"tcp\",\"port\":5473},{\"protocol\":\"tcp\",\"port\":6443},{\"protocol\":\"tcp\",\"port\":6666},{\"protocol\":\"tcp\",\"port\":6667}]",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "A list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix\nwill allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally\ncutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults\nto \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports,\nuse the value \"[]\". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd\nas well as allowing DHCP, DNS, BGP and the Kubernetes API.",
- "DescriptionHTML": "
A list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix\nwill allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally\ncutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults\nto \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports,\nuse the value \"[]\". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd\nas well as allowing DHCP, DNS, BGP and the Kubernetes API.
Configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived\nfloating IPs are always programmed, regardless of this setting.)
",
- "UserEditable": true,
- "GoType": "*v3.FloatingIPType",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "IPForwarding",
- "NameEnvVar": "FELIX_IPForwarding",
- "NameYAML": "ipForwarding",
- "NameGoAPI": "IPForwarding",
- "StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, Enabled (case insensitive)",
- "StringDefault": "Enabled",
- "ParsedDefault": "Enabled",
- "ParsedDefaultJSON": "\"Enabled\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.",
- "YAMLEnumValues": [
- "Disabled",
- "Enabled"
- ],
- "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".",
- "YAMLDefault": "Enabled",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required\nwhen using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for\nhost protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF\nmust be disabled.",
- "DescriptionHTML": "
Controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required\nwhen using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for\nhost protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF\nmust be disabled.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "InterfaceExclude",
- "NameEnvVar": "FELIX_InterfaceExclude",
- "NameYAML": "interfaceExclude",
- "NameGoAPI": "InterfaceExclude",
- "StringSchema": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with `/`.",
- "StringSchemaHTML": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with /.",
- "StringDefault": "kube-ipvs0",
- "ParsedDefault": "[^kube-ipvs0$]",
- "ParsedDefaultJSON": "[\"^kube-ipvs0$\"]",
- "ParsedType": "[]*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "kube-ipvs0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A comma-separated list of interface names that should be excluded when Felix is resolving\nhost endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you\nwant to exclude multiple interface names using a single value, the list supports regular expressions. For\nregular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude\nall interfaces that begin with `kube` and also the interface `veth1`.",
- "DescriptionHTML": "
A comma-separated list of interface names that should be excluded when Felix is resolving\nhost endpoints. The default value ensures that Felix ignores Kubernetes' internal kube-ipvs0 device. If you\nwant to exclude multiple interface names using a single value, the list supports regular expressions. For\nregular expressions you must wrap the value with /. For example having values /^kube/,veth1 will exclude\nall interfaces that begin with kube and also the interface veth1.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "InterfacePrefix",
- "NameEnvVar": "FELIX_InterfacePrefix",
- "NameYAML": "interfacePrefix",
- "NameGoAPI": "InterfacePrefix",
- "StringSchema": "String matching regex `^[a-zA-Z0-9_-]{1,15}(,[a-zA-Z0-9_-]{1,15})*$`",
- "StringSchemaHTML": "String matching regex ^[a-zA-Z0-9_-]{1,15}(,[a-zA-Z0-9_-]{1,15})*$",
- "StringDefault": "cali",
- "ParsedDefault": "cali",
- "ParsedDefaultJSON": "\"cali\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "cali",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "The interface name prefix that identifies workload endpoints and so distinguishes\nthem from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators\nconfigure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value,\nand our OpenStack integration sets the 'tap' value.",
- "DescriptionHTML": "
The interface name prefix that identifies workload endpoints and so distinguishes\nthem from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators\nconfigure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value,\nand our OpenStack integration sets the 'tap' value.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "InterfaceRefreshInterval",
- "NameEnvVar": "FELIX_InterfaceRefreshInterval",
- "NameYAML": "interfaceRefreshInterval",
- "NameGoAPI": "InterfaceRefreshInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "90",
- "ParsedDefault": "1m30s",
- "ParsedDefaultJSON": "90000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1m30s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The period at which Felix rescans local interfaces to verify their state.\nThe rescan can be disabled by setting the interval to 0.",
- "DescriptionHTML": "
The period at which Felix rescans local interfaces to verify their state.\nThe rescan can be disabled by setting the interval to 0.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "Ipv6Support",
- "NameEnvVar": "FELIX_Ipv6Support",
- "NameYAML": "ipv6Support",
- "NameGoAPI": "IPv6Support",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Felix enables support for IPv6 (if supported by the in-use dataplane).",
- "DescriptionHTML": "
Controls whether Felix enables support for IPv6 (if supported by the in-use dataplane).
Configures Felix to work together with Tigera's Istio distribution.
",
- "UserEditable": true,
- "GoType": "*v3.IstioAmbientMode",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "IstioDSCPMark",
- "NameEnvVar": "FELIX_IstioDSCPMark",
- "NameYAML": "istioDSCPMark",
- "NameGoAPI": "IstioDSCPMark",
- "StringSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
- "StringSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
- "StringDefault": "23",
- "ParsedDefault": "23",
- "ParsedDefaultJSON": "23",
- "ParsedType": "numorstring.DSCP",
- "YAMLType": "integer",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
- "DescriptionHTML": "
Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.
",
- "UserEditable": true,
- "GoType": "*numorstring.DSCP",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "KubeMasqueradeBit",
- "NameEnvVar": "FELIX_KubeMasqueradeBit",
- "NameYAML": "kubeMasqueradeBit",
- "NameGoAPI": "KubeMasqueradeBit",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "14",
- "ParsedDefault": "14",
- "ParsedDefaultJSON": "14",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "14",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Should be set to the same value as --iptables-masquerade-bit of kube-proxy\nwhen TPROXY is used. The default is the same as kube-proxy default thus only needs a change\nif kube-proxy is using a non-standard setting. Must be within the range of 0-31.",
- "DescriptionHTML": "
Should be set to the same value as --iptables-masquerade-bit of kube-proxy\nwhen TPROXY is used. The default is the same as kube-proxy default thus only needs a change\nif kube-proxy is using a non-standard setting. Must be within the range of 0-31.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "MTUIfacePattern",
- "NameEnvVar": "FELIX_MTUIfacePattern",
- "NameYAML": "mtuIfacePattern",
- "NameGoAPI": "MTUIfacePattern",
- "StringSchema": "Regular expression",
- "StringSchemaHTML": "Regular expression",
- "StringDefault": "^((en|wl|ww|sl|ib)[Pcopsvx].*|(eth|wlan|wwan).*)",
- "ParsedDefault": "^((en|wl|ww|sl|ib)[Pcopsvx].*|(eth|wlan|wwan).*)",
- "ParsedDefaultJSON": "\"^((en|wl|ww|sl|ib)[Pcopsvx].*|(eth|wlan|wwan).*)\"",
- "ParsedType": "*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "^((en|wl|ww|sl|ib)[Pcopsvx].*|(eth|wlan|wwan).*)",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A regular expression that controls which interfaces Felix should scan in order\nto calculate the host's MTU.\nThis should not match workload interfaces (usually named cali...).",
- "DescriptionHTML": "
A regular expression that controls which interfaces Felix should scan in order\nto calculate the host's MTU.\nThis should not match workload interfaces (usually named cali...).
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "NATOutgoingAddress",
- "NameEnvVar": "FELIX_NATOutgoingAddress",
- "NameYAML": "natOutgoingAddress",
- "NameGoAPI": "NATOutgoingAddress",
- "StringSchema": "IPv4 address",
- "StringSchemaHTML": "IPv4 address",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "net.IP",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies an address to use when performing source NAT for traffic in a natOutgoing pool that\nis leaving the network. By default the address used is an address on the interface the traffic is leaving on\n(i.e. it uses the iptables MASQUERADE target).",
- "DescriptionHTML": "
Specifies an address to use when performing source NAT for traffic in a natOutgoing pool that\nis leaving the network. By default the address used is an address on the interface the traffic is leaving on\n(i.e. it uses the iptables MASQUERADE target).
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "NATOutgoingExclusions",
- "NameEnvVar": "FELIX_NATOutgoingExclusions",
- "NameYAML": "natOutgoingExclusions",
- "NameGoAPI": "NATOutgoingExclusions",
- "StringSchema": "One of: `IPPoolsAndHostIPs`, `IPPoolsOnly` (case insensitive)",
- "StringSchemaHTML": "One of: IPPoolsAndHostIPs, IPPoolsOnly (case insensitive)",
- "StringDefault": "IPPoolsOnly",
- "ParsedDefault": "IPPoolsOnly",
- "ParsedDefaultJSON": "\"IPPoolsOnly\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"IPPoolsAndHostIPs\"`, `\"IPPoolsOnly\"`.",
- "YAMLEnumValues": [
- "IPPoolsAndHostIPs",
- "IPPoolsOnly"
- ],
- "YAMLSchemaHTML": "One of: \"IPPoolsAndHostIPs\", \"IPPoolsOnly\".",
- "YAMLDefault": "IPPoolsOnly",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When a IP pool setting `natOutgoing` is true, packets sent from Calico networked containers in this IP pool to destinations will be masqueraded.\nConfigure which type of destinations is excluded from being masqueraded.\n- IPPoolsOnly: destinations outside of this IP pool will be masqueraded.\n- IPPoolsAndHostIPs: destinations outside of this IP pool and all hosts will be masqueraded.",
- "DescriptionHTML": "
When a IP pool setting natOutgoing is true, packets sent from Calico networked containers in this IP pool to destinations will be masqueraded.\nConfigure which type of destinations is excluded from being masqueraded.\n- IPPoolsOnly: destinations outside of this IP pool will be masqueraded.\n- IPPoolsAndHostIPs: destinations outside of this IP pool and all hosts will be masqueraded.
",
- "UserEditable": true,
- "GoType": "*v3.NATOutgoingExclusionsType",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "NATPortRange",
- "NameEnvVar": "FELIX_NATPortRange",
- "NameYAML": "natPortRange",
- "NameGoAPI": "NATPortRange",
- "StringSchema": "Port range: either a single number in [0,65535] or a range of numbers `n:m`",
- "StringSchemaHTML": "Port range: either a single number in [0,65535] or a range of numbers n:m",
- "StringDefault": "",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "numorstring.Port",
- "YAMLType": "integer or string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the\nnetwork stack is used.",
- "DescriptionHTML": "
Specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the\nnetwork stack is used.
",
- "UserEditable": true,
- "GoType": "*numorstring.Port",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "NFTablesDNSPolicyMode",
- "NameEnvVar": "FELIX_NFTablesDNSPolicyMode",
- "NameYAML": "nftablesDNSPolicyMode",
- "NameGoAPI": "NFTablesDNSPolicyMode",
- "StringSchema": "One of: `DelayDNSResponse`, `DelayDeniedPacket`, `NoDelay` (case insensitive)",
- "StringSchemaHTML": "One of: DelayDNSResponse, DelayDeniedPacket, NoDelay (case insensitive)",
- "StringDefault": "DelayDeniedPacket",
- "ParsedDefault": "DelayDeniedPacket",
- "ParsedDefaultJSON": "\"DelayDeniedPacket\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"DelayDNSResponse\"`, `\"DelayDeniedPacket\"`, `\"NoDelay\"`.",
- "YAMLEnumValues": [
- "DelayDNSResponse",
- "DelayDeniedPacket",
- "NoDelay"
- ],
- "YAMLSchemaHTML": "One of: \"DelayDNSResponse\", \"DelayDeniedPacket\", \"NoDelay\".",
- "YAMLDefault": "DelayDeniedPacket",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies how DNS policy programming will be handled for NFTables.\nDelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches,\nbut did not match. The packet is released after a fixed time, or after the destination IP address was programmed.\nDelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some\nlatency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics\nare accurate. This is the recommended setting when you are making use of staged policies or policy rule hit\nstatistics.\nNoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time\nthe first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial\nconnection attempts fail. This may be problematic for some applications or for very low DNS TTLs.",
- "DescriptionHTML": "
Specifies how DNS policy programming will be handled for NFTables.\nDelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches,\nbut did not match. The packet is released after a fixed time, or after the destination IP address was programmed.\nDelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some\nlatency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics\nare accurate. This is the recommended setting when you are making use of staged policies or policy rule hit\nstatistics.\nNoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time\nthe first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial\nconnection attempts fail. This may be problematic for some applications or for very low DNS TTLs.
",
- "UserEditable": true,
- "GoType": "*v3.NFTablesMode",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "NetlinkTimeoutSecs",
- "NameEnvVar": "FELIX_NetlinkTimeoutSecs",
- "NameYAML": "netlinkTimeout",
- "NameGoAPI": "NetlinkTimeout",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "10",
- "ParsedDefault": "10s",
- "ParsedDefaultJSON": "10000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "10s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The timeout when talking to the kernel over the netlink protocol, used for programming\nroutes, rules, and other kernel objects.",
- "DescriptionHTML": "
The timeout when talking to the kernel over the netlink protocol, used for programming\nroutes, rules, and other kernel objects.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "NfNetlinkBufSize",
- "NameEnvVar": "FELIX_NfNetlinkBufSize",
- "NameYAML": "nfNetlinkBufSize",
- "NameGoAPI": "NfNetlinkBufSize",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "65536",
- "ParsedDefault": "65536",
- "ParsedDefaultJSON": "65536",
- "ParsedType": "int",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "65536",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls the size of NFLOG messages that the kernel will try to send to Felix. NFLOG messages\nare used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors\ndue to a bug in the netlink library.",
- "DescriptionHTML": "
Controls the size of NFLOG messages that the kernel will try to send to Felix. NFLOG messages\nare used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors\ndue to a bug in the netlink library.
Specifies whether Felix should program IPIP routes instead of BIRD.\nFelix always programs VXLAN routes.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "RemoveExternalRoutes",
- "NameEnvVar": "FELIX_RemoveExternalRoutes",
- "NameYAML": "removeExternalRoutes",
- "NameGoAPI": "RemoveExternalRoutes",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Felix will remove unexpected routes to workload interfaces. Felix will\nalways clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must\nuse a distinct protocol (in addition to setting this field to false).",
- "DescriptionHTML": "
Controls whether Felix will remove unexpected routes to workload interfaces. Felix will\nalways clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must\nuse a distinct protocol (in addition to setting this field to false).
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "RequireMTUFile",
- "NameEnvVar": "FELIX_RequireMTUFile",
- "NameYAML": "requireMTUFile",
- "NameGoAPI": "RequireMTUFile",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies whether mtu file is required to start the felix.\nOptional as to keep the same as previous behavior.",
- "DescriptionHTML": "
Specifies whether mtu file is required to start the felix.\nOptional as to keep the same as previous behavior.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "RouteRefreshInterval",
- "NameEnvVar": "FELIX_RouteRefreshInterval",
- "NameYAML": "routeRefreshInterval",
- "NameGoAPI": "RouteRefreshInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "90",
- "ParsedDefault": "1m30s",
- "ParsedDefaultJSON": "90000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1m30s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The period at which Felix re-checks the routes\nin the dataplane to ensure that no other process has accidentally broken Calico's rules.\nSet to 0 to disable route refresh.",
- "DescriptionHTML": "
The period at which Felix re-checks the routes\nin the dataplane to ensure that no other process has accidentally broken Calico's rules.\nSet to 0 to disable route refresh.
Configures where Felix gets its routing information.\n- WorkloadIPs: use workload endpoints to construct routes.\n- CalicoIPAM: the default - use IPAM data to construct routes.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "RouteSyncDisabled",
- "NameEnvVar": "FELIX_RouteSyncDisabled",
- "NameYAML": "routeSyncDisabled",
- "NameGoAPI": "RouteSyncDisabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Will disable all operations performed on the route table. Set to true to\nrun in network-policy mode only.",
- "DescriptionHTML": "
Will disable all operations performed on the route table. Set to true to\nrun in network-policy mode only.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "RouteTableRange",
- "NameEnvVar": "FELIX_RouteTableRange",
- "NameYAML": "routeTableRange",
- "NameGoAPI": "RouteTableRange",
- "StringSchema": "Range of route table indices `n-m`, where `n` and `m` are integers in [0,250].",
- "StringSchemaHTML": "Range of route table indices n-m, where n and m are integers in [0,250].",
- "StringDefault": "",
- "ParsedDefault": "{0 0}",
- "ParsedDefaultJSON": "{\"Min\":0,\"Max\":0}",
- "ParsedType": "idalloc.IndexRange",
- "YAMLType": "object",
- "YAMLSchema": "Route table range: `{min:, max}`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Route table range: {min:<n>, max<m>}.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Deprecated in favor of RouteTableRanges.\nCalico programs additional Linux route tables for various purposes.\nRouteTableRange specifies the indices of the route tables that Calico should use.",
- "DescriptionHTML": "
Deprecated in favor of RouteTableRanges.\nCalico programs additional Linux route tables for various purposes.\nRouteTableRange specifies the indices of the route tables that Calico should use.
",
- "UserEditable": true,
- "GoType": "*v3.RouteTableRange",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "RouteTableRanges",
- "NameEnvVar": "FELIX_RouteTableRanges",
- "NameYAML": "routeTableRanges",
- "NameGoAPI": "RouteTableRanges",
- "StringSchema": "Comma or space-delimited list of route table ranges of the form `n-m` where `n` and `m` are integers in [0,4294967295]. The sum of the sizes of all ranges may not exceed 65535.",
- "StringSchemaHTML": "Comma or space-delimited list of route table ranges of the form n-m where n and m are integers in [0,4294967295]. The sum of the sizes of all ranges may not exceed 65535.",
- "StringDefault": "",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "[]idalloc.IndexRange",
- "YAMLType": "array",
- "YAMLSchema": "List of route table ranges: `[{min:, max}, ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of route table ranges: [{min:<n>, max<m>}, ...].",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Calico programs additional Linux route tables for various purposes.\nRouteTableRanges specifies a set of table index ranges that Calico should use.\nDeprecates`RouteTableRange`, overrides `RouteTableRange`.",
- "DescriptionHTML": "
Calico programs additional Linux route tables for various purposes.\nRouteTableRanges specifies a set of table index ranges that Calico should use.\nDeprecatesRouteTableRange, overrides RouteTableRange.
",
- "UserEditable": true,
- "GoType": "*v3.RouteTableRanges",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "ServiceLoopPrevention",
- "NameEnvVar": "FELIX_ServiceLoopPrevention",
- "NameYAML": "serviceLoopPrevention",
- "NameGoAPI": "ServiceLoopPrevention",
- "StringSchema": "One of: `Disabled`, `Drop`, `Reject` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, Drop, Reject (case insensitive)",
- "StringDefault": "Drop",
- "ParsedDefault": "Drop",
- "ParsedDefaultJSON": "\"Drop\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Disabled`, `Drop`, `Reject`.",
- "YAMLEnumValues": [
- "Disabled",
- "Drop",
- "Reject"
- ],
- "YAMLSchemaHTML": "One of: Disabled, Drop, Reject.",
- "YAMLDefault": "Drop",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When service IP advertisement is enabled, prevent routing loops to service IPs that are\nnot in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy.\nUnless set to \"Disabled\", in which case such routing loops continue to be allowed.",
- "DescriptionHTML": "
When service IP advertisement is enabled, prevent routing loops to service IPs that are\nnot in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy.\nUnless set to \"Disabled\", in which case such routing loops continue to be allowed.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "UseInternalDataplaneDriver",
- "NameEnvVar": "FELIX_UseInternalDataplaneDriver",
- "NameYAML": "useInternalDataplaneDriver",
- "NameGoAPI": "UseInternalDataplaneDriver",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If true, Felix will use its internal dataplane programming logic. If false, it\nwill launch an external dataplane driver and communicate with it over protobuf.",
- "DescriptionHTML": "
If true, Felix will use its internal dataplane programming logic. If false, it\nwill launch an external dataplane driver and communicate with it over protobuf.
Configures the interval at which Felix exports WAFEvent logs.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Common",
- "GroupWithSortPrefix": "10 Dataplane: Common",
- "NameConfigFile": "WorkloadSourceSpoofing",
- "NameEnvVar": "FELIX_WorkloadSourceSpoofing",
- "NameYAML": "workloadSourceSpoofing",
- "NameGoAPI": "WorkloadSourceSpoofing",
- "StringSchema": "One of: `Any`, `Disabled` (case insensitive)",
- "StringSchemaHTML": "One of: Any, Disabled (case insensitive)",
- "StringDefault": "Disabled",
- "ParsedDefault": "Disabled",
- "ParsedDefaultJSON": "\"Disabled\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Any`, `Disabled`.",
- "YAMLEnumValues": [
- "Any",
- "Disabled"
- ],
- "YAMLSchemaHTML": "One of: Any, Disabled.",
- "YAMLDefault": "Disabled",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP\naddress that is not theirs. This is disabled by default. When set to \"Any\", pods can request any prefix.",
- "DescriptionHTML": "
Controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP\naddress that is not theirs. This is disabled by default. When set to \"Any\", pods can request any prefix.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Dataplane: iptables",
- "Fields": [
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IpsetsRefreshInterval",
- "NameEnvVar": "FELIX_IpsetsRefreshInterval",
- "NameYAML": "ipsetsRefreshInterval",
- "NameGoAPI": "IpsetsRefreshInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "90",
- "ParsedDefault": "1m30s",
- "ParsedDefaultJSON": "90000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1m30s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls the period at which Felix re-checks all IP sets to look for discrepancies.\nSet to 0 to disable the periodic refresh.",
- "DescriptionHTML": "
Controls the period at which Felix re-checks all IP sets to look for discrepancies.\nSet to 0 to disable the periodic refresh.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesBackend",
- "NameEnvVar": "FELIX_IptablesBackend",
- "NameYAML": "iptablesBackend",
- "NameGoAPI": "IptablesBackend",
- "StringSchema": "One of: `auto`, `legacy`, `nft` (case insensitive)",
- "StringSchemaHTML": "One of: auto, legacy, nft (case insensitive)",
- "StringDefault": "auto",
- "ParsedDefault": "auto",
- "ParsedDefaultJSON": "\"auto\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Auto`, `Legacy`, `NFT`.",
- "YAMLEnumValues": [
- "Auto",
- "Legacy",
- "NFT"
- ],
- "YAMLSchemaHTML": "One of: Auto, Legacy, NFT.",
- "YAMLDefault": "Auto",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls which backend of iptables will be used. The default is `Auto`.\n\nWarning: changing this on a running system can leave \"orphaned\" rules in the \"other\" backend. These\nshould be cleaned up to avoid confusing interactions.",
- "DescriptionHTML": "
Controls which backend of iptables will be used. The default is Auto.
\n
Warning: changing this on a running system can leave \"orphaned\" rules in the \"other\" backend. These\nshould be cleaned up to avoid confusing interactions.
",
- "UserEditable": true,
- "GoType": "*v3.IptablesBackend",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesFilterAllowAction",
- "NameEnvVar": "FELIX_IptablesFilterAllowAction",
- "NameYAML": "iptablesFilterAllowAction",
- "NameGoAPI": "IptablesFilterAllowAction",
- "StringSchema": "One of: `ACCEPT`, `RETURN` (case insensitive)",
- "StringSchemaHTML": "One of: ACCEPT, RETURN (case insensitive)",
- "StringDefault": "ACCEPT",
- "ParsedDefault": "ACCEPT",
- "ParsedDefaultJSON": "\"ACCEPT\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Accept`, `Return`.",
- "YAMLEnumValues": [
- "Accept",
- "Return"
- ],
- "YAMLSchemaHTML": "One of: Accept, Return.",
- "YAMLDefault": "Accept",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls what happens to traffic that is accepted by a Felix policy chain in the\niptables filter table (which is used for \"normal\" policy). The default will immediately `Accept` the traffic. Use\n`Return` to send the traffic back up to the system chains for further processing.",
- "DescriptionHTML": "
Controls what happens to traffic that is accepted by a Felix policy chain in the\niptables filter table (which is used for \"normal\" policy). The default will immediately Accept the traffic. Use\nReturn to send the traffic back up to the system chains for further processing.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesFilterDenyAction",
- "NameEnvVar": "FELIX_IptablesFilterDenyAction",
- "NameYAML": "iptablesFilterDenyAction",
- "NameGoAPI": "IptablesFilterDenyAction",
- "StringSchema": "One of: `DROP`, `REJECT` (case insensitive)",
- "StringSchemaHTML": "One of: DROP, REJECT (case insensitive)",
- "StringDefault": "DROP",
- "ParsedDefault": "DROP",
- "ParsedDefaultJSON": "\"DROP\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Drop`, `Reject`.",
- "YAMLEnumValues": [
- "Drop",
- "Reject"
- ],
- "YAMLSchemaHTML": "One of: Drop, Reject.",
- "YAMLDefault": "Drop",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls what happens to traffic that is denied by network policy. By default Calico blocks traffic\nwith an iptables \"DROP\" action. If you want to use \"REJECT\" action instead you can configure it in here.",
- "DescriptionHTML": "
Controls what happens to traffic that is denied by network policy. By default Calico blocks traffic\nwith an iptables \"DROP\" action. If you want to use \"REJECT\" action instead you can configure it in here.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesLockProbeIntervalMillis",
- "NameEnvVar": "FELIX_IptablesLockProbeIntervalMillis",
- "NameYAML": "iptablesLockProbeInterval",
- "NameGoAPI": "IptablesLockProbeInterval",
- "StringSchema": "Milliseconds (floating point)",
- "StringSchemaHTML": "Milliseconds (floating point)",
- "StringDefault": "50",
- "ParsedDefault": "50ms",
- "ParsedDefaultJSON": "50000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "50ms",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Configures the interval between attempts to claim\nthe xtables lock. Shorter intervals are more responsive but use more CPU.",
- "DescriptionHTML": "
Configures the interval between attempts to claim\nthe xtables lock. Shorter intervals are more responsive but use more CPU.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesMangleAllowAction",
- "NameEnvVar": "FELIX_IptablesMangleAllowAction",
- "NameYAML": "iptablesMangleAllowAction",
- "NameGoAPI": "IptablesMangleAllowAction",
- "StringSchema": "One of: `ACCEPT`, `RETURN` (case insensitive)",
- "StringSchemaHTML": "One of: ACCEPT, RETURN (case insensitive)",
- "StringDefault": "ACCEPT",
- "ParsedDefault": "ACCEPT",
- "ParsedDefaultJSON": "\"ACCEPT\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Accept`, `Return`.",
- "YAMLEnumValues": [
- "Accept",
- "Return"
- ],
- "YAMLSchemaHTML": "One of: Accept, Return.",
- "YAMLDefault": "Accept",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls what happens to traffic that is accepted by a Felix policy chain in the\niptables mangle table (which is used for \"pre-DNAT\" policy). The default will immediately `Accept` the traffic.\nUse `Return` to send the traffic back up to the system chains for further processing.",
- "DescriptionHTML": "
Controls what happens to traffic that is accepted by a Felix policy chain in the\niptables mangle table (which is used for \"pre-DNAT\" policy). The default will immediately Accept the traffic.\nUse Return to send the traffic back up to the system chains for further processing.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesMarkMask",
- "NameEnvVar": "FELIX_IptablesMarkMask",
- "NameYAML": "iptablesMarkMask",
- "NameGoAPI": "IptablesMarkMask",
- "StringSchema": "32-bit bitmask (hex or deccimal allowed) with at least 2 bits set, example: `0xffff0000`",
- "StringSchemaHTML": "32-bit bitmask (hex or deccimal allowed) with at least 2 bits set, example: 0xffff0000",
- "StringDefault": "0xffff0000",
- "ParsedDefault": "4294901760",
- "ParsedDefaultJSON": "4294901760",
- "ParsedType": "uint32",
- "YAMLType": "integer",
- "YAMLSchema": "Unsigned 32-bit integer.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Unsigned 32-bit integer.",
- "YAMLDefault": "0xffff0000",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "The mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal\nnumber with at least 8 bits set, none of which clash with any other mark bits in use on the system.",
- "DescriptionHTML": "
The mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal\nnumber with at least 8 bits set, none of which clash with any other mark bits in use on the system.
",
- "UserEditable": true,
- "GoType": "*uint32",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesNATOutgoingInterfaceFilter",
- "NameEnvVar": "FELIX_IptablesNATOutgoingInterfaceFilter",
- "NameYAML": "iptablesNATOutgoingInterfaceFilter",
- "NameGoAPI": "IptablesNATOutgoingInterfaceFilter",
- "StringSchema": "String matching regex `^[a-zA-Z0-9:._+-]{1,15}$`",
- "StringSchemaHTML": "String matching regex ^[a-zA-Z0-9:._+-]{1,15}$",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a\nCalico IPAM pool with \"NAT outgoing\" enabled. This can be useful if you have a main data interface, where\ntraffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and\ndoesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a\nwildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you\nwant to exclude the docker bridge, you could set this to eth+.",
- "DescriptionHTML": "
This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a\nCalico IPAM pool with \"NAT outgoing\" enabled. This can be useful if you have a main data interface, where\ntraffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and\ndoesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a\nwildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you\nwant to exclude the docker bridge, you could set this to eth+.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesPostWriteCheckIntervalSecs",
- "NameEnvVar": "FELIX_IptablesPostWriteCheckIntervalSecs",
- "NameYAML": "iptablesPostWriteCheckInterval",
- "NameGoAPI": "IptablesPostWriteCheckInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "5",
- "ParsedDefault": "5s",
- "ParsedDefaultJSON": "5000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "5s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The period after Felix has done a write\nto the dataplane that it schedules an extra read back in order to check the write was not\nclobbered by another process. This should only occur if another application on the system\ndoesn't respect the iptables lock.",
- "DescriptionHTML": "
The period after Felix has done a write\nto the dataplane that it schedules an extra read back in order to check the write was not\nclobbered by another process. This should only occur if another application on the system\ndoesn't respect the iptables lock.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "IptablesRefreshInterval",
- "NameEnvVar": "FELIX_IptablesRefreshInterval",
- "NameYAML": "iptablesRefreshInterval",
- "NameGoAPI": "IptablesRefreshInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "180",
- "ParsedDefault": "3m0s",
- "ParsedDefaultJSON": "180000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "3m0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The period at which Felix re-checks the IP sets\nin the dataplane to ensure that no other process has accidentally broken Calico's rules.\nSet to 0 to disable IP sets refresh. Note: the default for this value is lower than the\nother refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel\nversion 4.11. If you are using v4.11 or greater you may want to set this to, a higher value\nto reduce Felix CPU usage.",
- "DescriptionHTML": "
The period at which Felix re-checks the IP sets\nin the dataplane to ensure that no other process has accidentally broken Calico's rules.\nSet to 0 to disable IP sets refresh. Note: the default for this value is lower than the\nother refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel\nversion 4.11. If you are using v4.11 or greater you may want to set this to, a higher value\nto reduce Felix CPU usage.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "KubeNodePortRanges",
- "NameEnvVar": "FELIX_KubeNodePortRanges",
- "NameYAML": "kubeNodePortRanges",
- "NameGoAPI": "KubeNodePortRanges",
- "StringSchema": "List of port ranges: comma-delimited list of either single numbers in range [0,65535] or a ranges of numbers `n:m`",
- "StringSchemaHTML": "List of port ranges: comma-delimited list of either single numbers in range [0,65535] or a ranges of numbers n:m",
- "StringDefault": "30000:32767",
- "ParsedDefault": "[30000:32767]",
- "ParsedDefaultJSON": "[\"30000:32767\"]",
- "ParsedType": "[]numorstring.Port",
- "YAMLType": "array",
- "YAMLSchema": "List of ports: `[, ...]` where `` is a port number (integer) or range (string), for example `80`, `8080:8089`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of ports: [<port>, ...] where <port> is a port number (integer) or range (string), for example 80, 8080:8089.",
- "YAMLDefault": "[\"30000:32767\"]",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.\nFelix uses these ranges to separate host and workload traffic. .",
- "DescriptionHTML": "
Holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.\nFelix uses these ranges to separate host and workload traffic. .
",
- "UserEditable": true,
- "GoType": "*[]numorstring.Port",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: iptables",
- "GroupWithSortPrefix": "20 Dataplane: iptables",
- "NameConfigFile": "MaxIpsetSize",
- "NameEnvVar": "FELIX_MaxIpsetSize",
- "NameYAML": "maxIpsetSize",
- "NameGoAPI": "MaxIpsetSize",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "1048576",
- "ParsedDefault": "1048576",
- "ParsedDefaultJSON": "1048576",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "1048576",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The maximum number of IP addresses that can be stored in an IP set. Not applicable\nif using the nftables backend.",
- "DescriptionHTML": "
The maximum number of IP addresses that can be stored in an IP set. Not applicable\nif using the nftables backend.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Dataplane: nftables",
- "Fields": [
- {
- "Group": "Dataplane: nftables",
- "GroupWithSortPrefix": "21 Dataplane: nftables",
- "NameConfigFile": "NftablesFilterAllowAction",
- "NameEnvVar": "FELIX_NftablesFilterAllowAction",
- "NameYAML": "nftablesFilterAllowAction",
- "NameGoAPI": "NftablesFilterAllowAction",
- "StringSchema": "One of: `ACCEPT`, `RETURN` (case insensitive)",
- "StringSchemaHTML": "One of: ACCEPT, RETURN (case insensitive)",
- "StringDefault": "ACCEPT",
- "ParsedDefault": "ACCEPT",
- "ParsedDefaultJSON": "\"ACCEPT\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Accept`, `Return`.",
- "YAMLEnumValues": [
- "Accept",
- "Return"
- ],
- "YAMLSchemaHTML": "One of: Accept, Return.",
- "YAMLDefault": "Accept",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls the nftables action that Felix uses to represent the \"allow\" policy verdict\nin the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively,\n`RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules.",
- "DescriptionHTML": "
Controls the nftables action that Felix uses to represent the \"allow\" policy verdict\nin the filter table. The default is to ACCEPT the traffic, which is a terminal action. Alternatively,\nRETURN can be used to return the traffic back to the top-level chain for further processing by your rules.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: nftables",
- "GroupWithSortPrefix": "21 Dataplane: nftables",
- "NameConfigFile": "NftablesFilterDenyAction",
- "NameEnvVar": "FELIX_NftablesFilterDenyAction",
- "NameYAML": "nftablesFilterDenyAction",
- "NameGoAPI": "NftablesFilterDenyAction",
- "StringSchema": "One of: `DROP`, `REJECT` (case insensitive)",
- "StringSchemaHTML": "One of: DROP, REJECT (case insensitive)",
- "StringDefault": "DROP",
- "ParsedDefault": "DROP",
- "ParsedDefaultJSON": "\"DROP\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Drop`, `Reject`.",
- "YAMLEnumValues": [
- "Drop",
- "Reject"
- ],
- "YAMLSchemaHTML": "One of: Drop, Reject.",
- "YAMLDefault": "Drop",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls what happens to traffic that is denied by network policy. By default, Calico\nblocks traffic with a \"drop\" action. If you want to use a \"reject\" action instead you can configure it here.",
- "DescriptionHTML": "
Controls what happens to traffic that is denied by network policy. By default, Calico\nblocks traffic with a \"drop\" action. If you want to use a \"reject\" action instead you can configure it here.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: nftables",
- "GroupWithSortPrefix": "21 Dataplane: nftables",
- "NameConfigFile": "NftablesMangleAllowAction",
- "NameEnvVar": "FELIX_NftablesMangleAllowAction",
- "NameYAML": "nftablesMangleAllowAction",
- "NameGoAPI": "NftablesMangleAllowAction",
- "StringSchema": "One of: `ACCEPT`, `RETURN` (case insensitive)",
- "StringSchemaHTML": "One of: ACCEPT, RETURN (case insensitive)",
- "StringDefault": "ACCEPT",
- "ParsedDefault": "ACCEPT",
- "ParsedDefaultJSON": "\"ACCEPT\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Accept`, `Return`.",
- "YAMLEnumValues": [
- "Accept",
- "Return"
- ],
- "YAMLSchemaHTML": "One of: Accept, Return.",
- "YAMLDefault": "Accept",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "Controls the nftables action that Felix uses to represent the \"allow\" policy verdict\nin the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively,\n`RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules.",
- "DescriptionHTML": "
Controls the nftables action that Felix uses to represent the \"allow\" policy verdict\nin the mangle table. The default is to ACCEPT the traffic, which is a terminal action. Alternatively,\nRETURN can be used to return the traffic back to the top-level chain for further processing by your rules.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: nftables",
- "GroupWithSortPrefix": "21 Dataplane: nftables",
- "NameConfigFile": "NftablesMarkMask",
- "NameEnvVar": "FELIX_NftablesMarkMask",
- "NameYAML": "nftablesMarkMask",
- "NameGoAPI": "NftablesMarkMask",
- "StringSchema": "32-bit bitmask (hex or deccimal allowed) with at least 2 bits set, example: `0xffff0000`",
- "StringSchemaHTML": "32-bit bitmask (hex or deccimal allowed) with at least 2 bits set, example: 0xffff0000",
- "StringDefault": "0xffff0000",
- "ParsedDefault": "4294901760",
- "ParsedDefaultJSON": "4294901760",
- "ParsedType": "uint32",
- "YAMLType": "integer",
- "YAMLSchema": "Unsigned 32-bit integer.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Unsigned 32-bit integer.",
- "YAMLDefault": "0xffff0000",
- "Required": true,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "The mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal\nnumber with at least 8 bits set, none of which clash with any other mark bits in use on the system.",
- "DescriptionHTML": "
The mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal\nnumber with at least 8 bits set, none of which clash with any other mark bits in use on the system.
",
- "UserEditable": true,
- "GoType": "*uint32",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: nftables",
- "GroupWithSortPrefix": "21 Dataplane: nftables",
- "NameConfigFile": "NftablesRefreshInterval",
- "NameEnvVar": "FELIX_NftablesRefreshInterval",
- "NameYAML": "nftablesRefreshInterval",
- "NameGoAPI": "NftablesRefreshInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "180",
- "ParsedDefault": "3m0s",
- "ParsedDefaultJSON": "180000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "3m0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls the interval at which Felix periodically refreshes the nftables rules.",
- "DescriptionHTML": "
Controls the interval at which Felix periodically refreshes the nftables rules.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Dataplane: eBPF",
- "Fields": [
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFAttachType",
- "NameEnvVar": "FELIX_BPFAttachType",
- "NameYAML": "bpfAttachType",
- "NameGoAPI": "BPFAttachType",
- "StringSchema": "One of: `TCX`, `TC` (case insensitive)",
- "StringSchemaHTML": "One of: TCX, TC (case insensitive)",
- "StringDefault": "TCX",
- "ParsedDefault": "TCX",
- "ParsedDefaultJSON": "\"TCX\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"TC\"`, `\"TCX\"`.",
- "YAMLEnumValues": [
- "TC",
- "TCX"
- ],
- "YAMLSchemaHTML": "One of: \"TC\", \"TCX\".",
- "YAMLDefault": "TCX",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls how are the BPF programs at the network interfaces attached.\nBy default `TCX` is used where available to enable easier coexistence with 3rd party programs.\n`TC` can force the legacy method of attaching via a qdisc. `TCX` falls back to `TC` if `TCX` is not available.",
- "DescriptionHTML": "
Controls how are the BPF programs at the network interfaces attached.\nBy default TCX is used where available to enable easier coexistence with 3rd party programs.\nTC can force the legacy method of attaching via a qdisc. TCX falls back to TC if TCX is not available.
",
- "UserEditable": true,
- "GoType": "*v3.BPFAttachOption",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFCTLBLogFilter",
- "NameEnvVar": "FELIX_BPFCTLBLogFilter",
- "NameYAML": "bpfCTLBLogFilter",
- "NameGoAPI": "BPFCTLBLogFilter",
- "StringSchema": "One of: `all` (case insensitive)",
- "StringSchemaHTML": "One of: all (case insensitive)",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies, what is logged by connect time load balancer when BPFLogLevel is\ndebug. Currently has to be specified as 'all' when BPFLogFilters is set\nto see CTLB logs.",
- "DescriptionHTML": "
Specifies, what is logged by connect time load balancer when BPFLogLevel is\ndebug. Currently has to be specified as 'all' when BPFLogFilters is set\nto see CTLB logs.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFConnectTimeLoadBalancing",
- "NameEnvVar": "FELIX_BPFConnectTimeLoadBalancing",
- "NameYAML": "bpfConnectTimeLoadBalancing",
- "NameGoAPI": "BPFConnectTimeLoadBalancing",
- "StringSchema": "One of: `Disabled`, `Enabled`, `TCP` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, Enabled, TCP (case insensitive)",
- "StringDefault": "TCP",
- "ParsedDefault": "TCP",
- "ParsedDefaultJSON": "\"TCP\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`, `\"TCP\"`.",
- "YAMLEnumValues": [
- "Disabled",
- "Enabled",
- "TCP"
- ],
- "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\", \"TCP\".",
- "YAMLDefault": "TCP",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When in BPF mode, controls whether Felix installs the connect-time load\nbalancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services\nand it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing\nis available only for services with TCP ports.",
- "DescriptionHTML": "
When in BPF mode, controls whether Felix installs the connect-time load\nbalancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services\nand it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing\nis available only for services with TCP ports.
",
- "UserEditable": true,
- "GoType": "*v3.BPFConnectTimeLBType",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFConnectTimeLoadBalancingEnabled",
- "NameEnvVar": "FELIX_BPFConnectTimeLoadBalancingEnabled",
- "NameYAML": "bpfConnectTimeLoadBalancingEnabled",
- "NameGoAPI": "BPFConnectTimeLoadBalancingEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When in BPF mode, controls whether Felix installs the connection-time load\nbalancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services\nand it improves the performance of pod-to-service connections. The only reason to disable it is for debugging\npurposes.\n\nDeprecated: Use BPFConnectTimeLoadBalancing.",
- "DescriptionHTML": "
When in BPF mode, controls whether Felix installs the connection-time load\nbalancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services\nand it improves the performance of pod-to-service connections. The only reason to disable it is for debugging\npurposes.
\n
Deprecated: Use BPFConnectTimeLoadBalancing.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFConntrackCleanupMode",
- "NameEnvVar": "FELIX_BPFConntrackCleanupMode",
- "NameYAML": "bpfConntrackMode",
- "NameGoAPI": "BPFConntrackCleanupMode",
- "StringSchema": "One of: `Auto`, `BPFProgram`, `Userspace` (case insensitive)",
- "StringSchemaHTML": "One of: Auto, BPFProgram, Userspace (case insensitive)",
- "StringDefault": "Auto",
- "ParsedDefault": "Auto",
- "ParsedDefaultJSON": "\"Auto\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"Auto\"`, `\"BPFProgram\"`, `\"Userspace\"`.",
- "YAMLEnumValues": [
- "Auto",
- "BPFProgram",
- "Userspace"
- ],
- "YAMLSchemaHTML": "One of: \"Auto\", \"BPFProgram\", \"Userspace\".",
- "YAMLDefault": "Auto",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported,\nfalling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will\nalways use the BPF program (failing if not supported).\n\n/To be deprecated in future versions as conntrack map type changed to\nlru_hash and userspace cleanup is the only mode that is supported.",
- "DescriptionHTML": "
Controls how BPF conntrack entries are cleaned up. Auto will use a BPF program if supported,\nfalling back to userspace if not. Userspace will always use the userspace cleanup code. BPFProgram will\nalways use the BPF program (failing if not supported).
\n
/To be deprecated in future versions as conntrack map type changed to\nlru_hash and userspace cleanup is the only mode that is supported.
Controls the log level of the BPF conntrack cleanup program, which runs periodically\nto clean up expired BPF conntrack entries.\n.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFConntrackTimeouts",
- "NameEnvVar": "FELIX_BPFConntrackTimeouts",
- "NameYAML": "bpfConntrackTimeouts",
- "NameGoAPI": "BPFConntrackTimeouts",
- "StringSchema": "Comma-delimited list of key=value pairs",
- "StringSchemaHTML": "Comma-delimited list of key=value pairs",
- "StringDefault": "CreationGracePeriod=10s,TCPSynSent=20s,TCPEstablished=1h,TCPFinsSeen=Auto,TCPResetSeen=40s,UDPTimeout=60s,GenericTimeout=10m,ICMPTimeout=5s",
- "ParsedDefault": "map[CreationGracePeriod:10s GenericTimeout:10m ICMPTimeout:5s TCPEstablished:1h TCPFinsSeen:Auto TCPResetSeen:40s TCPSynSent:20s UDPTimeout:60s]",
- "ParsedDefaultJSON": "{\"CreationGracePeriod\":\"10s\",\"GenericTimeout\":\"10m\",\"ICMPTimeout\":\"5s\",\"TCPEstablished\":\"1h\",\"TCPFinsSeen\":\"Auto\",\"TCPResetSeen\":\"40s\",\"TCPSynSent\":\"20s\",\"UDPTimeout\":\"60s\"}",
- "ParsedType": "map[string]string",
- "YAMLType": "object",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "BPFConntrackTimers overrides the default values for the specified conntrack timer if\nset. Each value can be either a duration or `Auto` to pick the value from\na Linux conntrack timeout.\n\nConfigurable timers are: CreationGracePeriod, TCPSynSent,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout,\nICMPTimeout.\n\nUnset values are replaced by the default values with a warning log for\nincorrect values.",
- "DescriptionHTML": "
BPFConntrackTimers overrides the default values for the specified conntrack timer if\nset. Each value can be either a duration or Auto to pick the value from\na Linux conntrack timeout.
Unset values are replaced by the default values with a warning log for\nincorrect values.
",
- "UserEditable": true,
- "GoType": "*v3.BPFConntrackTimeouts",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFDNSPolicyMode",
- "NameEnvVar": "FELIX_BPFDNSPolicyMode",
- "NameYAML": "bpfDNSPolicyMode",
- "NameGoAPI": "BPFDNSPolicyMode",
- "StringSchema": "One of: `Inline`, `NoDelay` (case insensitive)",
- "StringSchemaHTML": "One of: Inline, NoDelay (case insensitive)",
- "StringDefault": "Inline",
- "ParsedDefault": "Inline",
- "ParsedDefaultJSON": "\"Inline\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "Inline",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies how DNS policy programming will be handled.\nInline - BPF parses DNS response inline with DNS response packet\nprocessing. This guarantees the DNS rules reflect any change immediately.\nNoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time\nthe first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial\nconnection attempts fail. This may be problematic for some applications or for very low DNS TTLs.",
- "DescriptionHTML": "
Specifies how DNS policy programming will be handled.\nInline - BPF parses DNS response inline with DNS response packet\nprocessing. This guarantees the DNS rules reflect any change immediately.\nNoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time\nthe first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial\nconnection attempts fail. This may be problematic for some applications or for very low DNS TTLs.
",
- "UserEditable": true,
- "GoType": "*v3.BPFDNSPolicyMode",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFDSROptoutCIDRs",
- "NameEnvVar": "FELIX_BPFDSROptoutCIDRs",
- "NameYAML": "bpfDSROptoutCIDRs",
- "NameGoAPI": "BPFDSROptoutCIDRs",
- "StringSchema": "Comma-delimited list of CIDRs",
- "StringSchemaHTML": "Comma-delimited list of CIDRs",
- "StringDefault": "",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "[]string",
- "YAMLType": "array",
- "YAMLSchema": "List of CIDRs: `[\"\", ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of CIDRs: [\"<cidr>\", ...].",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A list of CIDRs which are excluded from DSR. That is, clients\nin those CIDRs will access service node ports as if BPFExternalServiceMode was set to\nTunnel.",
- "DescriptionHTML": "
A list of CIDRs which are excluded from DSR. That is, clients\nin those CIDRs will access service node ports as if BPFExternalServiceMode was set to\nTunnel.
",
- "UserEditable": true,
- "GoType": "*[]string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFDataIfacePattern",
- "NameEnvVar": "FELIX_BPFDataIfacePattern",
- "NameYAML": "bpfDataIfacePattern",
- "NameGoAPI": "BPFDataIfacePattern",
- "StringSchema": "Regular expression",
- "StringSchemaHTML": "Regular expression",
- "StringDefault": "^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)",
- "ParsedDefault": "^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)",
- "ParsedDefaultJSON": "\"^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)\"",
- "ParsedType": "*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A regular expression that controls which interfaces Felix should attach BPF programs to\nin order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic\nflows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the\ncluster. It should not match the workload interfaces (usually named cali...) or any other special device managed\nby Calico itself (e.g., tunnels).",
- "DescriptionHTML": "
A regular expression that controls which interfaces Felix should attach BPF programs to\nin order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic\nflows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the\ncluster. It should not match the workload interfaces (usually named cali...) or any other special device managed\nby Calico itself (e.g., tunnels).
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFDisableGROForIfaces",
- "NameEnvVar": "FELIX_BPFDisableGROForIfaces",
- "NameYAML": "bpfDisableGROForIfaces",
- "NameGoAPI": "BPFDisableGROForIfaces",
- "StringSchema": "Regular expression",
- "StringSchemaHTML": "Regular expression",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "null",
- "ParsedType": "*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A regular expression that controls which interfaces Felix should disable the\nGeneric Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...).",
- "DescriptionHTML": "
A regular expression that controls which interfaces Felix should disable the\nGeneric Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...).
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFDisableUnprivileged",
- "NameEnvVar": "FELIX_BPFDisableUnprivileged",
- "NameYAML": "bpfDisableUnprivileged",
- "NameGoAPI": "BPFDisableUnprivileged",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable\nunprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and\ncannot insert their own BPF programs to interfere with Calico's.",
- "DescriptionHTML": "
If enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable\nunprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and\ncannot insert their own BPF programs to interfere with Calico's.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFEnabled",
- "NameEnvVar": "FELIX_BPFEnabled",
- "NameYAML": "bpfEnabled",
- "NameGoAPI": "BPFEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If enabled Felix will use the BPF dataplane.",
- "DescriptionHTML": "
Enforce strict RPF on all host interfaces with BPF programs regardless of\nwhat is the per-interfaces or global setting. Possible values are Disabled, Strict\nor Loose.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFExcludeCIDRsFromNAT",
- "NameEnvVar": "FELIX_BPFExcludeCIDRsFromNAT",
- "NameYAML": "bpfExcludeCIDRsFromNAT",
- "NameGoAPI": "BPFExcludeCIDRsFromNAT",
- "StringSchema": "Comma-delimited list of CIDRs",
- "StringSchemaHTML": "Comma-delimited list of CIDRs",
- "StringDefault": "",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "[]string",
- "YAMLType": "array",
- "YAMLSchema": "List of CIDRs: `[\"\", ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of CIDRs: [\"<cidr>\", ...].",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A list of CIDRs that are to be excluded from NAT\nresolution so that host can handle them. A typical usecase is node local\nDNS cache.",
- "DescriptionHTML": "
A list of CIDRs that are to be excluded from NAT\nresolution so that host can handle them. A typical usecase is node local\nDNS cache.
In BPF mode, controls the buffer size used for sending BPF events to felix.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFExtToServiceConnmark",
- "NameEnvVar": "FELIX_BPFExtToServiceConnmark",
- "NameYAML": "bpfExtToServiceConnmark",
- "NameGoAPI": "BPFExtToServiceConnmark",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "0",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "In BPF mode, controls a 32bit mark that is set on connections from an\nexternal client to a local service. This mark allows us to control how packets of that\nconnection are routed within the host and how is routing interpreted by RPF check.",
- "DescriptionHTML": "
In BPF mode, controls a 32bit mark that is set on connections from an\nexternal client to a local service. This mark allows us to control how packets of that\nconnection are routed within the host and how is routing interpreted by RPF check.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFExternalServiceMode",
- "NameEnvVar": "FELIX_BPFExternalServiceMode",
- "NameYAML": "bpfExternalServiceMode",
- "NameGoAPI": "BPFExternalServiceMode",
- "StringSchema": "One of: `dsr`, `tunnel` (case insensitive)",
- "StringSchemaHTML": "One of: dsr, tunnel (case insensitive)",
- "StringDefault": "tunnel",
- "ParsedDefault": "tunnel",
- "ParsedDefaultJSON": "\"tunnel\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `DSR`, `Tunnel`.",
- "YAMLEnumValues": [
- "DSR",
- "Tunnel"
- ],
- "YAMLSchemaHTML": "One of: DSR, Tunnel.",
- "YAMLDefault": "Tunnel",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "In BPF mode, controls how connections from outside the cluster to services (node ports\nand cluster IPs) are forwarded to remote workloads. If set to \"Tunnel\" then both request and response traffic\nis tunneled to the remote node. If set to \"DSR\", the request traffic is tunneled but the response traffic\nis sent directly from the remote node. In \"DSR\" mode, the remote node appears to use the IP of the ingress\nnode; this requires a permissive L2 network.",
- "DescriptionHTML": "
In BPF mode, controls how connections from outside the cluster to services (node ports\nand cluster IPs) are forwarded to remote workloads. If set to \"Tunnel\" then both request and response traffic\nis tunneled to the remote node. If set to \"DSR\", the request traffic is tunneled but the response traffic\nis sent directly from the remote node. In \"DSR\" mode, the remote node appears to use the IP of the ingress\nnode; this requires a permissive L2 network.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFForceTrackPacketsFromIfaces",
- "NameEnvVar": "FELIX_BPFForceTrackPacketsFromIfaces",
- "NameYAML": "bpfForceTrackPacketsFromIfaces",
- "NameGoAPI": "BPFForceTrackPacketsFromIfaces",
- "StringSchema": "Comma-delimited list of strings, each matching the regex `^[a-zA-Z0-9:._+-]{1,15}$`",
- "StringSchemaHTML": "Comma-delimited list of strings, each matching the regex ^[a-zA-Z0-9:._+-]{1,15}$",
- "StringDefault": "docker+",
- "ParsedDefault": "[docker+]",
- "ParsedDefaultJSON": "[\"docker+\"]",
- "ParsedType": "[]string",
- "YAMLType": "array",
- "YAMLSchema": "List of interface names (may use `+` as a wildcard: `[\"\", ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of interface names (may use + as a wildcard: [\"<name>\", ...].",
- "YAMLDefault": "[\"docker+\"]",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "In BPF mode, forces traffic from these interfaces\nto skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be\ntracked by Linux conntrack. Should only be used for interfaces that are not used for\nthe Calico fabric. For example, a docker bridge device for non-Calico-networked\ncontainers.",
- "DescriptionHTML": "
In BPF mode, forces traffic from these interfaces\nto skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be\ntracked by Linux conntrack. Should only be used for interfaces that are not used for\nthe Calico fabric. For example, a docker bridge device for non-Calico-networked\ncontainers.
",
- "UserEditable": true,
- "GoType": "*[]string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFHostConntrackBypass",
- "NameEnvVar": "FELIX_BPFHostConntrackBypass",
- "NameYAML": "bpfHostConntrackBypass",
- "NameGoAPI": "BPFHostConntrackBypass",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether to bypass Linux conntrack in BPF mode for\nworkloads and services.",
- "DescriptionHTML": "
Controls whether to bypass Linux conntrack in BPF mode for\nworkloads and services.
When in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing\ndetermines the CTLB behavior.
",
- "UserEditable": true,
- "GoType": "*v3.BPFHostNetworkedNATType",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFJITHardening",
- "NameEnvVar": "FELIX_BPFJITHardening",
- "NameYAML": "bpfJITHardening",
- "NameGoAPI": "BPFJITHardening",
- "StringSchema": "One of: `Auto`, `Strict` (case insensitive)",
- "StringSchemaHTML": "One of: Auto, Strict (case insensitive)",
- "StringDefault": "Auto",
- "ParsedDefault": "Auto",
- "ParsedDefaultJSON": "\"Auto\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "Auto",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls BPF JIT hardening. When set to \"Auto\", Felix will set JIT hardening to 1\nif it detects the current value is 2 (strict mode that hurts performance). When set to \"Strict\",\nFelix will not modify the JIT hardening setting.",
- "DescriptionHTML": "
Controls BPF JIT hardening. When set to \"Auto\", Felix will set JIT hardening to 1\nif it detects the current value is 2 (strict mode that hurts performance). When set to \"Strict\",\nFelix will not modify the JIT hardening setting.
",
- "UserEditable": true,
- "GoType": "*v3.BPFJITHardeningType",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFKubeProxyHealthzPort",
- "NameEnvVar": "FELIX_BPFKubeProxyHealthzPort",
- "NameYAML": "bpfKubeProxyHealthzPort",
- "NameGoAPI": "BPFKubeProxyHealthzPort",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "10256",
- "ParsedDefault": "10256",
- "ParsedDefaultJSON": "10256",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "10256",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.",
- "DescriptionHTML": "
In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFKubeProxyIptablesCleanupEnabled",
- "NameEnvVar": "FELIX_BPFKubeProxyIptablesCleanupEnabled",
- "NameYAML": "bpfKubeProxyIptablesCleanupEnabled",
- "NameGoAPI": "BPFKubeProxyIptablesCleanupEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If enabled in BPF mode, Felix will proactively clean up the upstream\nKubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running.",
- "DescriptionHTML": "
If enabled in BPF mode, Felix will proactively clean up the upstream\nKubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFKubeProxyMinSyncPeriod",
- "NameEnvVar": "FELIX_BPFKubeProxyMinSyncPeriod",
- "NameYAML": "bpfKubeProxyMinSyncPeriod",
- "NameGoAPI": "BPFKubeProxyMinSyncPeriod",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "1",
- "ParsedDefault": "1s",
- "ParsedDefaultJSON": "1000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "In BPF mode, controls the minimum time between updates to the dataplane for Felix's\nembedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by\nbatching up more work.",
- "DescriptionHTML": "
In BPF mode, controls the minimum time between updates to the dataplane for Felix's\nembedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by\nbatching up more work.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFL3IfacePattern",
- "NameEnvVar": "FELIX_BPFL3IfacePattern",
- "NameYAML": "bpfL3IfacePattern",
- "NameGoAPI": "BPFL3IfacePattern",
- "StringSchema": "Regular expression",
- "StringSchemaHTML": "Regular expression",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "null",
- "ParsedType": "*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.",
- "DescriptionHTML": "
A regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFLogFilters",
- "NameEnvVar": "FELIX_BPFLogFilters",
- "NameYAML": "bpfLogFilters",
- "NameGoAPI": "BPFLogFilters",
- "StringSchema": "Comma-delimited list of key=value pairs",
- "StringSchemaHTML": "Comma-delimited list of key=value pairs",
- "StringDefault": "",
- "ParsedDefault": "map[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "map[string]string",
- "YAMLType": "object",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A map of key=values where the value is\na pcap filter expression and the key is an interface name with 'all'\ndenoting all interfaces, 'weps' all workload endpoints and 'heps' all host\nendpoints.\n\nWhen specified as an env var, it accepts a comma-separated list of\nkey=values.",
- "DescriptionHTML": "
A map of key=values where the value is\na pcap filter expression and the key is an interface name with 'all'\ndenoting all interfaces, 'weps' all workload endpoints and 'heps' all host\nendpoints.
\n
When specified as an env var, it accepts a comma-separated list of\nkey=values.
Controls the log level of the BPF programs when in BPF dataplane mode. One of \"Off\", \"Info\", or\n\"Debug\". The logs are emitted to the BPF trace pipe, accessible with the command tc exec bpf debug.\n.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMaglevMaxEndpointsPerService",
- "NameEnvVar": "FELIX_BPFMaglevMaxEndpointsPerService",
- "NameYAML": "bpfMaglevMaxEndpointsPerService",
- "NameGoAPI": "BPFMaglevMaxEndpointsPerService",
- "StringSchema": "Integer: [1,3000]",
- "StringSchemaHTML": "Integer: [1,3000]",
- "StringDefault": "100",
- "ParsedDefault": "100",
- "ParsedDefaultJSON": "100",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [1,3000]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [1,3000]",
- "YAMLDefault": "100",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The maximum number of endpoints\nexpected to be part of a single Maglev-enabled service.\n\nInfluences the size of the per-service Maglev lookup-tables generated by Felix\nand thus the amount of memory reserved.",
- "DescriptionHTML": "
The maximum number of endpoints\nexpected to be part of a single Maglev-enabled service.
\n
Influences the size of the per-service Maglev lookup-tables generated by Felix\nand thus the amount of memory reserved.
The maximum number of expected Maglev-enabled\nservices that Felix will allocate lookup-tables for.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeConntrack",
- "NameEnvVar": "FELIX_BPFMapSizeConntrack",
- "NameYAML": "bpfMapSizeConntrack",
- "NameGoAPI": "BPFMapSizeConntrack",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "512000",
- "ParsedDefault": "512000",
- "ParsedDefaultJSON": "512000",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "512000",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for the conntrack map. This map must be large enough to hold\nan entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.",
- "DescriptionHTML": "
Sets the size for the conntrack map. This map must be large enough to hold\nan entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeConntrackCleanupQueue",
- "NameEnvVar": "FELIX_BPFMapSizeConntrackCleanupQueue",
- "NameYAML": "bpfMapSizeConntrackCleanupQueue",
- "NameGoAPI": "BPFMapSizeConntrackCleanupQueue",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "100000",
- "ParsedDefault": "100000",
- "ParsedDefaultJSON": "100000",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "100000",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for the map used to hold NAT conntrack entries that are queued\nfor cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval.",
- "DescriptionHTML": "
Sets the size for the map used to hold NAT conntrack entries that are queued\nfor cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeConntrackScaling",
- "NameEnvVar": "FELIX_BPFMapSizeConntrackScaling",
- "NameYAML": "bpfMapSizeConntrackScaling",
- "NameGoAPI": "BPFMapSizeConntrackScaling",
- "StringSchema": "One of: `Disabled`, `DoubleIfFull` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, DoubleIfFull (case insensitive)",
- "StringDefault": "DoubleIfFull",
- "ParsedDefault": "DoubleIfFull",
- "ParsedDefaultJSON": "\"DoubleIfFull\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Disabled`, `DoubleIfFull`.",
- "YAMLEnumValues": [
- "Disabled",
- "DoubleIfFull"
- ],
- "YAMLSchemaHTML": "One of: Disabled, DoubleIfFull.",
- "YAMLDefault": "DoubleIfFull",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether and how we scale the conntrack map size depending\non its usage. 'Disabled' make the size stay at the default or whatever is set by\nBPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even\nafter cleanups.",
- "DescriptionHTML": "
Controls whether and how we scale the conntrack map size depending\non its usage. 'Disabled' make the size stay at the default or whatever is set by\nBPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even\nafter cleanups.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeIPSets",
- "NameEnvVar": "FELIX_BPFMapSizeIPSets",
- "NameYAML": "bpfMapSizeIPSets",
- "NameGoAPI": "BPFMapSizeIPSets",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "1048576",
- "ParsedDefault": "1048576",
- "ParsedDefaultJSON": "1048576",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "1048576",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for ipsets map. The IP sets map must be large enough to hold an entry\nfor each endpoint matched by every selector in the source/destination matches in network policy. Selectors\nsuch as \"all()\" can result in large numbers of entries (one entry per endpoint in that case).",
- "DescriptionHTML": "
Sets the size for ipsets map. The IP sets map must be large enough to hold an entry\nfor each endpoint matched by every selector in the source/destination matches in network policy. Selectors\nsuch as \"all()\" can result in large numbers of entries (one entry per endpoint in that case).
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeIfState",
- "NameEnvVar": "FELIX_BPFMapSizeIfState",
- "NameYAML": "bpfMapSizeIfState",
- "NameGoAPI": "BPFMapSizeIfState",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "1000",
- "ParsedDefault": "1000",
- "ParsedDefaultJSON": "1000",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "1000",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for ifstate map. The ifstate map must be large enough to hold an entry\nfor each device (host + workloads) on a host.",
- "DescriptionHTML": "
Sets the size for ifstate map. The ifstate map must be large enough to hold an entry\nfor each device (host + workloads) on a host.
Sets the size of the BPF map that stores the affinity of a connection (for services that\nenable that feature.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeNATBackend",
- "NameEnvVar": "FELIX_BPFMapSizeNATBackend",
- "NameYAML": "bpfMapSizeNATBackend",
- "NameGoAPI": "BPFMapSizeNATBackend",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "262144",
- "ParsedDefault": "262144",
- "ParsedDefaultJSON": "262144",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "262144",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for NAT back end map.\nThis is the total number of endpoints. This is mostly\nmore than the size of the number of services.",
- "DescriptionHTML": "
Sets the size for NAT back end map.\nThis is the total number of endpoints. This is mostly\nmore than the size of the number of services.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeNATFrontend",
- "NameEnvVar": "FELIX_BPFMapSizeNATFrontend",
- "NameYAML": "bpfMapSizeNATFrontend",
- "NameGoAPI": "BPFMapSizeNATFrontend",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "65536",
- "ParsedDefault": "65536",
- "ParsedDefaultJSON": "65536",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "65536",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for NAT front end map.\nFrontendMap should be large enough to hold an entry for each nodeport,\nexternal IP and each port in each service.",
- "DescriptionHTML": "
Sets the size for NAT front end map.\nFrontendMap should be large enough to hold an entry for each nodeport,\nexternal IP and each port in each service.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizePerCPUConntrack",
- "NameEnvVar": "FELIX_BPFMapSizePerCPUConntrack",
- "NameYAML": "bpfMapSizePerCpuConntrack",
- "NameGoAPI": "BPFMapSizePerCPUConntrack",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "0",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Determines the size of conntrack map based on the number of CPUs. If set to a\nnon-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`.\nThis map must be large enough to hold an entry for each active connection. Warning: changing the size of the\nconntrack map can cause disruption.",
- "DescriptionHTML": "
Determines the size of conntrack map based on the number of CPUs. If set to a\nnon-zero value, overrides BPFMapSizeConntrack with BPFMapSizePerCPUConntrack * (Number of CPUs).\nThis map must be large enough to hold an entry for each active connection. Warning: changing the size of the\nconntrack map can cause disruption.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFMapSizeRoute",
- "NameEnvVar": "FELIX_BPFMapSizeRoute",
- "NameYAML": "bpfMapSizeRoute",
- "NameGoAPI": "BPFMapSizeRoute",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "262144",
- "ParsedDefault": "262144",
- "ParsedDefaultJSON": "262144",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "262144",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the size for the routes map. The routes map should be large enough\nto hold one entry per workload and a handful of entries per host (enough to cover its own IPs and\ntunnel IPs).",
- "DescriptionHTML": "
Sets the size for the routes map. The routes map should be large enough\nto hold one entry per workload and a handful of entries per host (enough to cover its own IPs and\ntunnel IPs).
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFPSNATPorts",
- "NameEnvVar": "FELIX_BPFPSNATPorts",
- "NameYAML": "bpfPSNATPorts",
- "NameGoAPI": "BPFPSNATPorts",
- "StringSchema": "Port range: either a single number in [0,65535] or a range of numbers `n:m`",
- "StringSchemaHTML": "Port range: either a single number in [0,65535] or a range of numbers n:m",
- "StringDefault": "20000:29999",
- "ParsedDefault": "20000:29999",
- "ParsedDefaultJSON": "\"20000:29999\"",
- "ParsedType": "numorstring.Port",
- "YAMLType": "integer or string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "20000:29999",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Sets the range from which we randomly pick a port if there is a source port\ncollision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and\npreferably outside the ephemeral ranges used by common operating systems. Linux uses\n32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily\na problem if this range overlaps with the operating systems. Both ends of the range are\ninclusive.",
- "DescriptionHTML": "
Sets the range from which we randomly pick a port if there is a source port\ncollision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and\npreferably outside the ephemeral ranges used by common operating systems. Linux uses\n32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily\na problem if this range overlaps with the operating systems. Both ends of the range are\ninclusive.
",
- "UserEditable": true,
- "GoType": "*numorstring.Port",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFPolicyDebugEnabled",
- "NameEnvVar": "FELIX_BPFPolicyDebugEnabled",
- "NameYAML": "bpfPolicyDebugEnabled",
- "NameGoAPI": "BPFPolicyDebugEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When true, Felix records detailed information\nabout the BPF policy programs, which can be examined with the calico-bpf command-line tool.",
- "DescriptionHTML": "
When true, Felix records detailed information\nabout the BPF policy programs, which can be examined with the calico-bpf command-line tool.
Controls profiling of BPF programs. At the monent, it can be\nDisabled or Enabled.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: eBPF",
- "GroupWithSortPrefix": "22 Dataplane: eBPF",
- "NameConfigFile": "BPFRedirectToPeer",
- "NameEnvVar": "FELIX_BPFRedirectToPeer",
- "NameYAML": "bpfRedirectToPeer",
- "NameGoAPI": "BPFRedirectToPeer",
- "StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, Enabled (case insensitive)",
- "StringDefault": "Disabled",
- "ParsedDefault": "Disabled",
- "ParsedDefaultJSON": "\"Disabled\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.",
- "YAMLEnumValues": [
- "Disabled",
- "Enabled"
- ],
- "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".",
- "YAMLDefault": "Disabled",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.",
- "DescriptionHTML": "
Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Dataplane: Windows",
- "Fields": [
- {
- "Group": "Dataplane: Windows",
- "GroupWithSortPrefix": "23 Dataplane: Windows",
- "NameConfigFile": "WindowsDNSCacheFile",
- "NameEnvVar": "FELIX_WindowsDNSCacheFile",
- "NameYAML": "windowsDnsCacheFile",
- "NameGoAPI": "WindowsDNSCacheFile",
- "StringSchema": "Path to file",
- "StringSchemaHTML": "Path to file",
- "StringDefault": "c:\\TigeraCalico\\felix-dns-cache.txt",
- "ParsedDefault": "c:\\TigeraCalico\\felix-dns-cache.txt",
- "ParsedDefaultJSON": "\"c:\\\\TigeraCalico\\\\felix-dns-cache.txt\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "c:\\TigeraCalico\\felix-dns-cache.txt",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The name of the file that Felix uses to preserve learnt DNS information when restarting. .",
- "DescriptionHTML": "
The name of the file that Felix uses to preserve learnt DNS information when restarting. .
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Windows",
- "GroupWithSortPrefix": "23 Dataplane: Windows",
- "NameConfigFile": "WindowsDNSExtraTTL",
- "NameEnvVar": "FELIX_WindowsDNSExtraTTL",
- "NameYAML": "windowsDnsExtraTTL",
- "NameGoAPI": "WindowsDNSExtraTTL",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "120",
- "ParsedDefault": "2m0s",
- "ParsedDefaultJSON": "120000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "2m0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name\nor IP's advertised TTL. The default value is 120s which is same as the default value of\nServicePointManager.DnsRefreshTimeout on .net framework. .",
- "DescriptionHTML": "
Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name\nor IP's advertised TTL. The default value is 120s which is same as the default value of\nServicePointManager.DnsRefreshTimeout on .net framework. .
Sets the directory where flow logs files are stored on Windows nodes. .
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: Windows",
- "GroupWithSortPrefix": "23 Dataplane: Windows",
- "NameConfigFile": "WindowsFlowLogsPositionFilePath",
- "NameEnvVar": "FELIX_WindowsFlowLogsPositionFilePath",
- "NameYAML": "windowsFlowLogsPositionFilePath",
- "NameGoAPI": "WindowsFlowLogsPositionFilePath",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "c:\\TigeraCalico\\flowlogs\\flows.log.pos",
- "ParsedDefault": "c:\\TigeraCalico\\flowlogs\\flows.log.pos",
- "ParsedDefaultJSON": "\"c:\\\\TigeraCalico\\\\flowlogs\\\\flows.log.pos\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "c:\\TigeraCalico\\flowlogs\\flows.log.pos",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to specify the position of the external pipeline that reads flow logs on Windows nodes.\n.\nThis parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.",
- "DescriptionHTML": "
Used to specify the position of the external pipeline that reads flow logs on Windows nodes.\n.\nThis parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.
Specifies which Windows HNS networks Felix should operate on. The default is to match\nnetworks that start with \"calico\". Supports regular expression syntax.
Used to specify the path of the stats dump file on Windows nodes.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Dataplane: OpenStack support",
- "Fields": [
- {
- "Group": "Dataplane: OpenStack support",
- "GroupWithSortPrefix": "25 Dataplane: OpenStack support",
- "NameConfigFile": "EndpointReportingDelaySecs",
- "NameEnvVar": "FELIX_EndpointReportingDelaySecs",
- "NameYAML": "endpointReportingDelay",
- "NameGoAPI": "EndpointReportingDelay",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "1",
- "ParsedDefault": "1s",
- "ParsedDefaultJSON": "1000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "**Open source-only parameter**; OpenStack is not supported in Calico Enterprise/Cloud.\n\nThe delay before Felix reports endpoint status to the datastore. This is only used\nby the OpenStack integration.",
- "DescriptionHTML": "
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
The delay before Felix reports endpoint status to the datastore. This is only used\nby the OpenStack integration.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": true
- },
- {
- "Group": "Dataplane: OpenStack support",
- "GroupWithSortPrefix": "25 Dataplane: OpenStack support",
- "NameConfigFile": "EndpointReportingEnabled",
- "NameEnvVar": "FELIX_EndpointReportingEnabled",
- "NameYAML": "endpointReportingEnabled",
- "NameGoAPI": "EndpointReportingEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "**Open source-only parameter**; OpenStack is not supported in Calico Enterprise/Cloud.\n\nControls whether Felix reports endpoint status to the datastore. This is only used\nby the OpenStack integration.",
- "DescriptionHTML": "
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
Controls whether Felix reports endpoint status to the datastore. This is only used\nby the OpenStack integration.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": true
- },
- {
- "Group": "Dataplane: OpenStack support",
- "GroupWithSortPrefix": "25 Dataplane: OpenStack support",
- "NameConfigFile": "MetadataAddr",
- "NameEnvVar": "FELIX_MetadataAddr",
- "NameYAML": "metadataAddr",
- "NameGoAPI": "MetadataAddr",
- "StringSchema": "String matching regex `^[a-zA-Z0-9_.-]+$`",
- "StringSchemaHTML": "String matching regex ^[a-zA-Z0-9_.-]+$",
- "StringDefault": "127.0.0.1",
- "ParsedDefault": "127.0.0.1",
- "ParsedDefaultJSON": "\"127.0.0.1\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "127.0.0.1",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "**Open source-only parameter**; OpenStack is not supported in Calico Enterprise/Cloud.\n\nThe IP address or domain name of the server that can answer VM queries for\ncloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in\nUbuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not\nset up any NAT rule for the metadata path.",
- "DescriptionHTML": "
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
The IP address or domain name of the server that can answer VM queries for\ncloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in\nUbuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not\nset up any NAT rule for the metadata path.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": true
- },
- {
- "Group": "Dataplane: OpenStack support",
- "GroupWithSortPrefix": "25 Dataplane: OpenStack support",
- "NameConfigFile": "MetadataPort",
- "NameEnvVar": "FELIX_MetadataPort",
- "NameYAML": "metadataPort",
- "NameGoAPI": "MetadataPort",
- "StringSchema": "Integer: [0,65535]",
- "StringSchemaHTML": "Integer: [0,65535]",
- "StringDefault": "8775",
- "ParsedDefault": "8775",
- "ParsedDefaultJSON": "8775",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [0,65535]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [0,65535]",
- "YAMLDefault": "8775",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "**Open source-only parameter**; OpenStack is not supported in Calico Enterprise/Cloud.\n\nThe port of the metadata server. This, combined with global.MetadataAddr (if\nnot 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.\nIn most cases this should not need to be changed .",
- "DescriptionHTML": "
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
The port of the metadata server. This, combined with global.MetadataAddr (if\nnot 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.\nIn most cases this should not need to be changed .
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": true
- },
- {
- "Group": "Dataplane: OpenStack support",
- "GroupWithSortPrefix": "25 Dataplane: OpenStack support",
- "NameConfigFile": "OpenstackRegion",
- "NameEnvVar": "FELIX_OpenstackRegion",
- "NameYAML": "openstackRegion",
- "NameGoAPI": "OpenstackRegion",
- "StringSchema": "OpenStack region name (must be a valid DNS label)",
- "StringSchemaHTML": "OpenStack region name (must be a valid DNS label)",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "Exit",
- "AllowedConfigSources": "All",
- "Description": "**Open source-only parameter**; OpenStack is not supported in Calico Enterprise/Cloud.\n\nThe name of the region that a particular Felix belongs to. In a multi-region\nCalico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel,\nor in felix.cfg or the environment on each compute node), and must match the [calico]\nopenstack_region value configured in neutron.conf on each node.",
- "DescriptionHTML": "
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
The name of the region that a particular Felix belongs to. In a multi-region\nCalico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel,\nor in felix.cfg or the environment on each compute node), and must match the [calico]\nopenstack_region value configured in neutron.conf on each node.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": true
- },
- {
- "Group": "Dataplane: OpenStack support",
- "GroupWithSortPrefix": "25 Dataplane: OpenStack support",
- "NameConfigFile": "ReportingIntervalSecs",
- "NameEnvVar": "FELIX_ReportingIntervalSecs",
- "NameYAML": "reportingInterval",
- "NameGoAPI": "ReportingInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "30",
- "ParsedDefault": "30s",
- "ParsedDefaultJSON": "30000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "30s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "**Open source-only parameter**; OpenStack is not supported in Calico Enterprise/Cloud.\n\nThe interval at which Felix reports its status into the datastore or 0 to disable.\nMust be non-zero in OpenStack deployments.",
- "DescriptionHTML": "
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
The interval at which Felix reports its status into the datastore or 0 to disable.\nMust be non-zero in OpenStack deployments.
Open source-only parameter; OpenStack is not supported in Calico Enterprise/Cloud.
\n
The time-to-live setting for process-wide status reports.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": true
- }
- ]
- },
- {
- "Name": "Dataplane: XDP acceleration for iptables dataplane",
- "Fields": [
- {
- "Group": "Dataplane: XDP acceleration for iptables dataplane",
- "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane",
- "NameConfigFile": "GenericXDPEnabled",
- "NameEnvVar": "FELIX_GenericXDPEnabled",
- "NameYAML": "genericXDPEnabled",
- "NameGoAPI": "GenericXDPEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Enables Generic XDP so network cards that don't support XDP offload or driver\nmodes can use XDP. This is not recommended since it doesn't provide better performance than\niptables.",
- "DescriptionHTML": "
Enables Generic XDP so network cards that don't support XDP offload or driver\nmodes can use XDP. This is not recommended since it doesn't provide better performance than\niptables.
Enables XDP acceleration for suitable untracked incoming deny rules.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Dataplane: XDP acceleration for iptables dataplane",
- "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane",
- "NameConfigFile": "XDPRefreshInterval",
- "NameEnvVar": "FELIX_XDPRefreshInterval",
- "NameYAML": "xdpRefreshInterval",
- "NameGoAPI": "XDPRefreshInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "90",
- "ParsedDefault": "1m30s",
- "ParsedDefaultJSON": "90000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1m30s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The period at which Felix re-checks all XDP state to ensure that no\nother process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to\ndisable XDP refresh.",
- "DescriptionHTML": "
The period at which Felix re-checks all XDP state to ensure that no\nother process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to\ndisable XDP refresh.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Overlay: VXLAN overlay",
- "Fields": [
- {
- "Group": "Overlay: VXLAN overlay",
- "GroupWithSortPrefix": "31 Overlay: VXLAN overlay",
- "NameConfigFile": "VXLANEnabled",
- "NameEnvVar": "FELIX_VXLANEnabled",
- "NameYAML": "vxlanEnabled",
- "NameGoAPI": "VXLANEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "null",
- "ParsedType": "*bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking.\nOptional as Felix determines this based on the existing IP pools.",
- "DescriptionHTML": "
Overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking.\nOptional as Felix determines this based on the existing IP pools.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Overlay: VXLAN overlay",
- "GroupWithSortPrefix": "31 Overlay: VXLAN overlay",
- "NameConfigFile": "VXLANMTU",
- "NameEnvVar": "FELIX_VXLANMTU",
- "NameYAML": "vxlanMTU",
- "NameGoAPI": "VXLANMTU",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "0",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the\nMTU of the host's interfaces.",
- "DescriptionHTML": "
The MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the\nMTU of the host's interfaces.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Overlay: VXLAN overlay",
- "GroupWithSortPrefix": "31 Overlay: VXLAN overlay",
- "NameConfigFile": "VXLANMTUV6",
- "NameEnvVar": "FELIX_VXLANMTUV6",
- "NameYAML": "vxlanMTUV6",
- "NameGoAPI": "VXLANMTUV6",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "0",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the\nMTU of the host's interfaces.",
- "DescriptionHTML": "
The MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the\nMTU of the host's interfaces.
Controls the priority value to use for the Wireguard routing rule.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Overlay: Wireguard",
- "GroupWithSortPrefix": "33 Overlay: Wireguard",
- "NameConfigFile": "WireguardThreadingEnabled",
- "NameEnvVar": "FELIX_WireguardThreadingEnabled",
- "NameYAML": "wireguardThreadingEnabled",
- "NameGoAPI": "WireguardThreadingEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Wireguard has Threaded NAPI enabled. \nThis increases the maximum number of packets a Wireguard interface can process.\nConsider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core.\nThere is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting\nthat may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed.\nWorkaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI.",
- "DescriptionHTML": "
Controls whether Wireguard has Threaded NAPI enabled. \nThis increases the maximum number of packets a Wireguard interface can process.\nConsider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated softirq CPU core.\nThere is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting\nthat may cause NAPI to get stuck holding the global rtnl_mutex when a peer is removed.\nWorkaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Overlay: IPSec",
- "Fields": [
- {
- "Group": "Overlay: IPSec",
- "GroupWithSortPrefix": "34 Overlay: IPSec",
- "NameConfigFile": "IPSecAllowUnsecuredTraffic",
- "NameEnvVar": "FELIX_IPSecAllowUnsecuredTraffic",
- "NameYAML": "ipsecAllowUnsecuredTraffic",
- "NameGoAPI": "IPSecAllowUnsecuredTraffic",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this\nnegates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec.",
- "DescriptionHTML": "
Controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this\nnegates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec.
The port that the Prometheus per-flow metrics reporter should bind to.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Flow logs: Syslog reports",
- "Fields": [
- {
- "Group": "Flow logs: Syslog reports",
- "GroupWithSortPrefix": "40 Flow logs: Syslog reports",
- "NameConfigFile": "SyslogReporterAddress",
- "NameEnvVar": "FELIX_SyslogReporterAddress",
- "NameYAML": "syslogReporterAddress",
- "NameGoAPI": "SyslogReporterAddress",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The address to dial to when writing to Syslog. For TCP and UDP networks, the address has\nthe form \"host:port\". The host must be a literal IP address, or a host name that can be resolved to IP addresses.\nThe port must be a literal port number or a service name. For more, see: https://pkg.go.dev/net#Dial.",
- "DescriptionHTML": "
The address to dial to when writing to Syslog. For TCP and UDP networks, the address has\nthe form \"host:port\". The host must be a literal IP address, or a host name that can be resolved to IP addresses.\nThe port must be a literal port number or a service name. For more, see: https://pkg.go.dev/net#Dial.
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: Syslog reports",
- "GroupWithSortPrefix": "40 Flow logs: Syslog reports",
- "NameConfigFile": "SyslogReporterEnabled",
- "NameEnvVar": "FELIX_SyslogReporterEnabled",
- "NameYAML": "syslogReporterEnabled",
- "NameGoAPI": "SyslogReporterEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Turns on the feature to write logs to Syslog. Please note that this can incur significant\ndisk space usage when running felix on non-cluster hosts.",
- "DescriptionHTML": "
Turns on the feature to write logs to Syslog. Please note that this can incur significant\ndisk space usage when running felix on non-cluster hosts.
The network to dial to when writing to Syslog. Known networks are \"tcp\", \"tcp4\"\n(IPv4-only), \"tcp6\" (IPv6-only), \"udp\", \"udp4\" (IPv4-only), \"udp6\" (IPv6-only), \"ip\", \"ip4\" (IPv4-only), \"ip6\"\n(IPv6-only), \"unix\", \"unixgram\" and \"unixpacket\". For more, see: https://pkg.go.dev/net#Dial.
Used specify how far behind the external pipeline that reads flow logs can be. Default is 8192 bytes.\nThis parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsCollectProcessInfo",
- "NameEnvVar": "FELIX_FlowLogsCollectProcessInfo",
- "NameYAML": "flowLogsCollectProcessInfo",
- "NameGoAPI": "FlowLogsCollectProcessInfo",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If enabled Felix will load the kprobe BPF programs to collect process info.",
- "DescriptionHTML": "
If enabled Felix will load the kprobe BPF programs to collect process info.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsCollectProcessPath",
- "NameEnvVar": "FELIX_FlowLogsCollectProcessPath",
- "NameYAML": "flowLogsCollectProcessPath",
- "NameGoAPI": "FlowLogsCollectProcessPath",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are\nboth enabled, each flow log will include information about the process\nthat is sending or receiving the packets in that flow: the\n`process_name` field will contain the full path of the process\nexecutable, and the `process_args` field will have the arguments with\nwhich the executable was invoked. Process information will not be\nreported for connections which use raw sockets.",
- "DescriptionHTML": "
When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are\nboth enabled, each flow log will include information about the process\nthat is sending or receiving the packets in that flow: the\nprocess_name field will contain the full path of the process\nexecutable, and the process_args field will have the arguments with\nwhich the executable was invoked. Process information will not be\nreported for connections which use raw sockets.
Enables Flow logs reporting for GlobalNetworkSets.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileAggregationKindForAllowed",
- "NameEnvVar": "FELIX_FlowLogsFileAggregationKindForAllowed",
- "NameYAML": "flowLogsFileAggregationKindForAllowed",
- "NameGoAPI": "FlowLogsFileAggregationKindForAllowed",
- "StringSchema": "Integer: [0,3]",
- "StringSchemaHTML": "Integer: [0,3]",
- "StringDefault": "2",
- "ParsedDefault": "2",
- "ParsedDefaultJSON": "2",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "One of: `0`, `1`, `2`.",
- "YAMLEnumValues": [
- "0",
- "1",
- "2"
- ],
- "YAMLSchemaHTML": "One of: 0, 1, 2.",
- "YAMLDefault": "2",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for flow log entries created for\nallowed connections. .\nAccepted values are 0, 1 and 2.\n0 - No aggregation.\n1 - Source port based aggregation.\n2 - Pod prefix name based aggreagation.",
- "DescriptionHTML": "
Used to choose the type of aggregation for flow log entries created for\nallowed connections. .\nAccepted values are 0, 1 and 2.\n0 - No aggregation.\n1 - Source port based aggregation.\n2 - Pod prefix name based aggreagation.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileAggregationKindForDenied",
- "NameEnvVar": "FELIX_FlowLogsFileAggregationKindForDenied",
- "NameYAML": "flowLogsFileAggregationKindForDenied",
- "NameGoAPI": "FlowLogsFileAggregationKindForDenied",
- "StringSchema": "Integer: [0,3]",
- "StringSchemaHTML": "Integer: [0,3]",
- "StringDefault": "1",
- "ParsedDefault": "1",
- "ParsedDefaultJSON": "1",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "One of: `0`, `1`, `2`, `3`.",
- "YAMLEnumValues": [
- "0",
- "1",
- "2",
- "3"
- ],
- "YAMLSchemaHTML": "One of: 0, 1, 2, 3.",
- "YAMLDefault": "1",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for flow log entries created for\ndenied connections. .\nAccepted values are 0, 1 and 2.\n0 - No aggregation.\n1 - Source port based aggregation.\n2 - Pod prefix name based aggregation.\n3 - No destination ports based aggregation.",
- "DescriptionHTML": "
Used to choose the type of aggregation for flow log entries created for\ndenied connections. .\nAccepted values are 0, 1 and 2.\n0 - No aggregation.\n1 - Source port based aggregation.\n2 - Pod prefix name based aggregation.\n3 - No destination ports based aggregation.
Sets the directory where flow logs files are stored.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileDomainsLimit",
- "NameEnvVar": "FELIX_FlowLogsFileDomainsLimit",
- "NameYAML": "flowLogsFileDomainsLimit",
- "NameGoAPI": "FlowLogsFileDomainsLimit",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "5",
- "ParsedDefault": "5",
- "ParsedDefaultJSON": "5",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "5",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to configure the number of (destination) domains to include in the flow log.\nThese are not included for workload or host endpoint destinations.",
- "DescriptionHTML": "
Used to configure the number of (destination) domains to include in the flow log.\nThese are not included for workload or host endpoint destinations.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileEnabled",
- "NameEnvVar": "FELIX_FlowLogsFileEnabled",
- "NameYAML": "flowLogsFileEnabled",
- "NameGoAPI": "FlowLogsFileEnabled",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "When set to true, enables logging flow logs to a file. If false no flow logging to file will occur.",
- "DescriptionHTML": "
When set to true, enables logging flow logs to a file. If false no flow logging to file will occur.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileEnabledForAllowed",
- "NameEnvVar": "FELIX_FlowLogsFileEnabledForAllowed",
- "NameYAML": "flowLogsFileEnabledForAllowed",
- "NameGoAPI": "FlowLogsFileEnabledForAllowed",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to enable/disable flow logs entries created for allowed connections. Default is true.\nThis parameter only takes effect when FlowLogsFileReporterEnabled is set to true.",
- "DescriptionHTML": "
Used to enable/disable flow logs entries created for allowed connections. Default is true.\nThis parameter only takes effect when FlowLogsFileReporterEnabled is set to true.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileEnabledForDenied",
- "NameEnvVar": "FELIX_FlowLogsFileEnabledForDenied",
- "NameYAML": "flowLogsFileEnabledForDenied",
- "NameGoAPI": "FlowLogsFileEnabledForDenied",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to enable/disable flow logs entries created for denied flows. Default is true.\nThis parameter only takes effect when FlowLogsFileReporterEnabled is set to true.",
- "DescriptionHTML": "
Used to enable/disable flow logs entries created for denied flows. Default is true.\nThis parameter only takes effect when FlowLogsFileReporterEnabled is set to true.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileIncludeLabels",
- "NameEnvVar": "FELIX_FlowLogsFileIncludeLabels",
- "NameYAML": "flowLogsFileIncludeLabels",
- "NameGoAPI": "FlowLogsFileIncludeLabels",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to configure if endpoint labels are included in a Flow log entry written to file.",
- "DescriptionHTML": "
Used to configure if endpoint labels are included in a Flow log entry written to file.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileIncludePolicies",
- "NameEnvVar": "FELIX_FlowLogsFileIncludePolicies",
- "NameYAML": "flowLogsFileIncludePolicies",
- "NameGoAPI": "FlowLogsFileIncludePolicies",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to configure if policy information are included in a Flow log entry written to file.",
- "DescriptionHTML": "
Used to configure if policy information are included in a Flow log entry written to file.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsFileIncludeService",
- "NameEnvVar": "FELIX_FlowLogsFileIncludeService",
- "NameYAML": "flowLogsFileIncludeService",
- "NameGoAPI": "FlowLogsFileIncludeService",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "false",
- "ParsedDefault": "false",
- "ParsedDefaultJSON": "false",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "false",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to configure if the destination service is included in a Flow log entry written to file.\nThe service information can only be included if the flow was explicitly determined to be directed at the service (e.g.\nwhen the pre-DNAT destination corresponds to the service ClusterIP and port).",
- "DescriptionHTML": "
Used to configure if the destination service is included in a Flow log entry written to file.\nThe service information can only be included if the flow was explicitly determined to be directed at the service (e.g.\nwhen the pre-DNAT destination corresponds to the service ClusterIP and port).
Specifies the number of unique IP addresses (if relevant) that should be included in Flow logs.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsPolicyEvaluationMode",
- "NameEnvVar": "FELIX_FlowLogsPolicyEvaluationMode",
- "NameYAML": "flowLogsPolicyEvaluationMode",
- "NameGoAPI": "FlowLogsPolicyEvaluationMode",
- "StringSchema": "One of: `Continuous`, `OnNewConnection` (case insensitive)",
- "StringSchemaHTML": "One of: Continuous, OnNewConnection (case insensitive)",
- "StringDefault": "Continuous",
- "ParsedDefault": "Continuous",
- "ParsedDefaultJSON": "\"Continuous\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "Continuous",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Defines how policies are evaluated and reflected in flow logs.\nOnNewConnection - In this mode, staged policies are only evaluated when new connections are\nmade in the dataplane. Staged/active policy changes will not be reflected in the\n`pending_policies` field of flow logs for long lived connections.\nContinuous - Felix evaluates active flows on a regular basis to determine the rule\ntraces in the flow logs. Any policy updates that impact a flow will be reflected in the\npending_policies field, offering a near-real-time view of policy changes across flows.",
- "DescriptionHTML": "
Defines how policies are evaluated and reflected in flow logs.\nOnNewConnection - In this mode, staged policies are only evaluated when new connections are\nmade in the dataplane. Staged/active policy changes will not be reflected in the\npending_policies field of flow logs for long lived connections.\nContinuous - Felix evaluates active flows on a regular basis to determine the rule\ntraces in the flow logs. Any policy updates that impact a flow will be reflected in the\npending_policies field, offering a near-real-time view of policy changes across flows.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "Flow logs: file reports",
- "GroupWithSortPrefix": "40 Flow logs: file reports",
- "NameConfigFile": "FlowLogsPolicyScope",
- "NameEnvVar": "FELIX_FlowLogsPolicyScope",
- "NameYAML": "flowLogsPolicyScope",
- "NameGoAPI": "FlowLogsPolicyScope",
- "StringSchema": "One of: `AllPolicies`, `EndpointPolicies` (case insensitive)",
- "StringSchemaHTML": "One of: AllPolicies, EndpointPolicies (case insensitive)",
- "StringDefault": "EndpointPolicies",
- "ParsedDefault": "EndpointPolicies",
- "ParsedDefaultJSON": "\"EndpointPolicies\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "EndpointPolicies",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls which policies are included in flow logs.\nAllPolicies - Processes both transit policies for the local node and\nendpoint policies derived from packet source/destination IPs. Provides comprehensive\nvisibility into all policy evaluations but increases log volume.\nEndpointPolicies - Processes only policies for endpoints identified as the source\nor destination of the packet (whether workload or host endpoints).",
- "DescriptionHTML": "
Controls which policies are included in flow logs.\nAllPolicies - Processes both transit policies for the local node and\nendpoint policies derived from packet source/destination IPs. Provides comprehensive\nvisibility into all policy evaluations but increases log volume.\nEndpointPolicies - Processes only policies for endpoints identified as the source\nor destination of the packet (whether workload or host endpoints).
Used specify the position of the external pipeline that reads flow logs. Default is /var/log/calico/flows.log.pos.\nThis parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.
An arbitrary number that can be changed, at runtime, to tell Felix to discard all its\nlearnt DNS information. .
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSCacheFile",
- "NameEnvVar": "FELIX_DNSCacheFile",
- "NameYAML": "dnsCacheFile",
- "NameGoAPI": "DNSCacheFile",
- "StringSchema": "Path to file",
- "StringSchemaHTML": "Path to file",
- "StringDefault": "/var/run/calico/felix-dns-cache.txt",
- "ParsedDefault": "/var/run/calico/felix-dns-cache.txt",
- "ParsedDefaultJSON": "\"/var/run/calico/felix-dns-cache.txt\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "/var/run/calico/felix-dns-cache.txt",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The name of the file that Felix uses to preserve learnt DNS information when restarting. .",
- "DescriptionHTML": "
The name of the file that Felix uses to preserve learnt DNS information when restarting. .
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSCacheSaveInterval",
- "NameEnvVar": "FELIX_DNSCacheSaveInterval",
- "NameYAML": "dnsCacheSaveInterval",
- "NameGoAPI": "DNSCacheSaveInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "60",
- "ParsedDefault": "1m0s",
- "ParsedDefaultJSON": "60000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "1m0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The periodic interval at which Felix saves learnt DNS information to the cache file. .",
- "DescriptionHTML": "
The periodic interval at which Felix saves learnt DNS information to the cache file. .
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSExtraTTL",
- "NameEnvVar": "FELIX_DNSExtraTTL",
- "NameYAML": "dnsExtraTTL",
- "NameGoAPI": "DNSExtraTTL",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "0",
- "ParsedDefault": "0s",
- "ParsedDefaultJSON": "0",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name\nor IP's advertised TTL. .",
- "DescriptionHTML": "
Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name\nor IP's advertised TTL. .
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSLogsFileAggregationKind",
- "NameEnvVar": "FELIX_DNSLogsFileAggregationKind",
- "NameYAML": "dnsLogsFileAggregationKind",
- "NameGoAPI": "DNSLogsFileAggregationKind",
- "StringSchema": "Integer: [0,1]",
- "StringSchemaHTML": "Integer: [0,1]",
- "StringDefault": "1",
- "ParsedDefault": "1",
- "ParsedDefaultJSON": "1",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "One of: `0`, `1`.",
- "YAMLEnumValues": [
- "0",
- "1"
- ],
- "YAMLSchemaHTML": "One of: 0, 1.",
- "YAMLDefault": "1",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for DNS log entries.\n.\nAccepted values are 0 and 1.\n0 - No aggregation.\n1 - Aggregate over clients with the same name prefix.",
- "DescriptionHTML": "
Used to choose the type of aggregation for DNS log entries.\n.\nAccepted values are 0 and 1.\n0 - No aggregation.\n1 - Aggregate over clients with the same name prefix.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSLogsFilePerNodeLimit",
- "NameEnvVar": "FELIX_DNSLogsFilePerNodeLimit",
- "NameYAML": "dnsLogsFilePerNodeLimit",
- "NameGoAPI": "DNSLogsFilePerNodeLimit",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "0",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "0",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Limit on the number of DNS logs that can be emitted within each flush interval. When\nthis limit has been reached, Felix counts the number of unloggable DNS responses within\nthe flush interval, and emits a WARNING log with that count at the same time as it\nflushes the buffered DNS logs.",
- "DescriptionHTML": "
Limit on the number of DNS logs that can be emitted within each flush interval. When\nthis limit has been reached, Felix counts the number of unloggable DNS responses within\nthe flush interval, and emits a WARNING log with that count at the same time as it\nflushes the buffered DNS logs.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSLogsFlushInterval",
- "NameEnvVar": "FELIX_DNSLogsFlushInterval",
- "NameYAML": "dnsLogsFlushInterval",
- "NameGoAPI": "DNSLogsFlushInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "300",
- "ParsedDefault": "5m0s",
- "ParsedDefaultJSON": "300000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "5m0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Configures the interval at which Felix exports DNS logs.",
- "DescriptionHTML": "
Configures the interval at which Felix exports DNS logs.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSLogsLatency",
- "NameEnvVar": "FELIX_DNSLogsLatency",
- "NameYAML": "dnsLogsLatency",
- "NameGoAPI": "DNSLogsLatency",
- "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.",
- "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.",
- "StringDefault": "true",
- "ParsedDefault": "true",
- "ParsedDefaultJSON": "true",
- "ParsedType": "bool",
- "YAMLType": "boolean",
- "YAMLSchema": "Boolean.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Boolean.",
- "YAMLDefault": "true",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Indicates to include measurements of DNS request/response latency in each DNS log.",
- "DescriptionHTML": "
Indicates to include measurements of DNS request/response latency in each DNS log.
",
- "UserEditable": true,
- "GoType": "*bool",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSPacketsNfqueueID",
- "NameEnvVar": "FELIX_DNSPacketsNfqueueID",
- "NameYAML": "dnsPacketsNfqueueID",
- "NameGoAPI": "DNSPacketsNfqueueID",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "101",
- "ParsedDefault": "101",
- "ParsedDefaultJSON": "101",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "101",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before\nthe response is released. Used when DNSPolicyMode is DelayDNSResponse.",
- "DescriptionHTML": "
The NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before\nthe response is released. Used when DNSPolicyMode is DelayDNSResponse.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSPacketsNfqueueMaxHoldDuration",
- "NameEnvVar": "FELIX_DNSPacketsNfqueueMaxHoldDuration",
- "NameYAML": "dnsPacketsNfqueueMaxHoldDuration",
- "NameGoAPI": "DNSPacketsNfqueueMaxHoldDuration",
- "StringSchema": "Milliseconds (floating point)",
- "StringSchemaHTML": "Milliseconds (floating point)",
- "StringDefault": "3000",
- "ParsedDefault": "3s",
- "ParsedDefaultJSON": "3000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "3s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The max length of time to hold on to a DNS response while waiting for the\nthe dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse.",
- "DescriptionHTML": "
The max length of time to hold on to a DNS response while waiting for the\nthe dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSPacketsNfqueueSize",
- "NameEnvVar": "FELIX_DNSPacketsNfqueueSize",
- "NameYAML": "dnsPacketsNfqueueSize",
- "NameGoAPI": "DNSPacketsNfqueueSize",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "100",
- "ParsedDefault": "100",
- "ParsedDefaultJSON": "100",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "100",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS\npackets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse.",
- "DescriptionHTML": "
The size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS\npackets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSPolicyMode",
- "NameEnvVar": "FELIX_DNSPolicyMode",
- "NameYAML": "dnsPolicyMode",
- "NameGoAPI": "DNSPolicyMode",
- "StringSchema": "One of: `DelayDNSResponse`, `DelayDeniedPacket`, `Inline`, `NoDelay` (case insensitive)",
- "StringSchemaHTML": "One of: DelayDNSResponse, DelayDeniedPacket, Inline, NoDelay (case insensitive)",
- "StringDefault": "DelayDeniedPacket",
- "ParsedDefault": "DelayDeniedPacket",
- "ParsedDefaultJSON": "\"DelayDeniedPacket\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"DelayDNSResponse\"`, `\"DelayDeniedPacket\"`, `\"Inline\"`, `\"NoDelay\"`.",
- "YAMLEnumValues": [
- "DelayDNSResponse",
- "DelayDeniedPacket",
- "Inline",
- "NoDelay"
- ],
- "YAMLSchemaHTML": "One of: \"DelayDNSResponse\", \"DelayDeniedPacket\", \"Inline\", \"NoDelay\".",
- "YAMLDefault": "DelayDeniedPacket",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Specifies how DNS policy programming will be handled.\nDelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches,\nbut did not match. The packet is released after a fixed time, or after the destination IP address was programmed.\nDelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some\nlatency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics\nare accurate. This is the recommended setting when you are making use of staged policies or policy rule hit\nstatistics.\nNoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time\nthe first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial\nconnection attempts fail. This may be problematic for some applications or for very low DNS TTLs.\n\nInline - Parses DNS response inline with DNS response packet processing within IPTables.\nThis guarantees the DNS rules reflect any change immediately.\nThis mode works for iptables only and matches the same mode for BPFDNSPolicyMode.\nThis setting is ignored on Windows and \"NoDelay\" is always used.\n\nThis setting is ignored by eBPF and BPFDNSPolicyMode is used instead.\n\nThis field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead.",
- "DescriptionHTML": "
Specifies how DNS policy programming will be handled.\nDelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches,\nbut did not match. The packet is released after a fixed time, or after the destination IP address was programmed.\nDelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some\nlatency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics\nare accurate. This is the recommended setting when you are making use of staged policies or policy rule hit\nstatistics.\nNoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time\nthe first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial\nconnection attempts fail. This may be problematic for some applications or for very low DNS TTLs.
\n
Inline - Parses DNS response inline with DNS response packet processing within IPTables.\nThis guarantees the DNS rules reflect any change immediately.\nThis mode works for iptables only and matches the same mode for BPFDNSPolicyMode.\nThis setting is ignored on Windows and \"NoDelay\" is always used.
\n
This setting is ignored by eBPF and BPFDNSPolicyMode is used instead.
\n
This field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead.
",
- "UserEditable": true,
- "GoType": "*v3.DNSPolicyMode",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSPolicyNfqueueID",
- "NameEnvVar": "FELIX_DNSPolicyNfqueueID",
- "NameYAML": "dnsPolicyNfqueueID",
- "NameGoAPI": "DNSPolicyNfqueueID",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "100",
- "ParsedDefault": "100",
- "ParsedDefaultJSON": "100",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "100",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed\nto ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket.",
- "DescriptionHTML": "
The NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed\nto ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSPolicyNfqueueSize",
- "NameEnvVar": "FELIX_DNSPolicyNfqueueSize",
- "NameYAML": "dnsPolicyNfqueueSize",
- "NameGoAPI": "DNSPolicyNfqueueSize",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "255",
- "ParsedDefault": "255",
- "ParsedDefaultJSON": "255",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "255",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "DNSPolicyNfqueueID is the size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied\npackets that may be queued up pending re-evaluation.\nUsed when DNSPolicyMode is DelayDeniedPacket.",
- "DescriptionHTML": "
DNSPolicyNfqueueID is the size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied\npackets that may be queued up pending re-evaluation.\nUsed when DNSPolicyMode is DelayDeniedPacket.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "DNS logs / policy",
- "GroupWithSortPrefix": "50 DNS logs / policy",
- "NameConfigFile": "DNSTrustedServers",
- "NameEnvVar": "FELIX_DNSTrustedServers",
- "NameYAML": "dnsTrustedServers",
- "NameGoAPI": "DNSTrustedServers",
- "StringSchema": "Comma-delimited list of DNS servers. Each entry can be: ``, an `:` (IPv6 addresses must be wrapped in square brackets), or, a Kubernetes service name `k8s-service:(namespace/)service-name`.",
- "StringSchemaHTML": "Comma-delimited list of DNS servers. Each entry can be: <IP address>, an <IP address>:<port> (IPv6 addresses must be wrapped in square brackets), or, a Kubernetes service name k8s-service:(namespace/)service-name.",
- "StringDefault": "k8s-service:kube-dns",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "[]",
- "ParsedType": "[]config.ServerPort",
- "YAMLType": "array",
- "YAMLSchema": "List of strings: `[\"\", ...]`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "List of strings: [\"<string>\", ...].",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The DNS servers that Felix should trust. Each entry here must be `[:]` - indicating an\nexplicit DNS server IP - or `k8s-service:[/][:port]` - indicating a Kubernetes DNS\nservice. `` defaults to the first service port, or 53 for an IP, and `` to\n`kube-system`. An IPv6 address with a port must use the square brackets convention, for example\n`[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of\neach service specified by a `k8s-service:...` form. .",
- "DescriptionHTML": "
The DNS servers that Felix should trust. Each entry here must be <ip>[:<port>] - indicating an\nexplicit DNS server IP - or k8s-service:[<namespace>/]<name>[:port] - indicating a Kubernetes DNS\nservice. <port> defaults to the first service port, or 53 for an IP, and <namespace> to\nkube-system. An IPv6 address with a port must use the square brackets convention, for example\n[fd00:83a6::12]:5353.Note that Felix (calico-node) will need RBAC permission to read the details of\neach service specified by a k8s-service:... form. .
",
- "UserEditable": true,
- "GoType": "*[]string",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "L7 logs",
- "Fields": [
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationDestinationInfo",
- "NameEnvVar": "FELIX_L7LogsFileAggregationDestinationInfo",
- "NameYAML": "l7LogsFileAggregationDestinationInfo",
- "NameGoAPI": "L7LogsFileAggregationDestinationInfo",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "IncludeL7DestinationInfo",
- "ParsedDefault": "IncludeL7DestinationInfo",
- "ParsedDefaultJSON": "\"IncludeL7DestinationInfo\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7DestinationInfo`, `IncludeL7DestinationInfo`.",
- "YAMLEnumValues": [
- "ExcludeL7DestinationInfo",
- "IncludeL7DestinationInfo"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7DestinationInfo, IncludeL7DestinationInfo.",
- "YAMLDefault": "IncludeL7DestinationInfo",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for the destination metadata on L7 log entries.\n.\nAccepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo.\nIncludeL7DestinationInfo - Include destination metadata in the logs.\nExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type.",
- "DescriptionHTML": "
Used to choose the type of aggregation for the destination metadata on L7 log entries.\n.\nAccepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo.\nIncludeL7DestinationInfo - Include destination metadata in the logs.\nExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationHTTPHeaderInfo",
- "NameEnvVar": "FELIX_L7LogsFileAggregationHTTPHeaderInfo",
- "NameYAML": "l7LogsFileAggregationHTTPHeaderInfo",
- "NameGoAPI": "L7LogsFileAggregationHTTPHeaderInfo",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "ExcludeL7HTTPHeaderInfo",
- "ParsedDefault": "ExcludeL7HTTPHeaderInfo",
- "ParsedDefaultJSON": "\"ExcludeL7HTTPHeaderInfo\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7HTTPHeaderInfo`, `IncludeL7HTTPHeaderInfo`.",
- "YAMLEnumValues": [
- "ExcludeL7HTTPHeaderInfo",
- "IncludeL7HTTPHeaderInfo"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7HTTPHeaderInfo, IncludeL7HTTPHeaderInfo.",
- "YAMLDefault": "ExcludeL7HTTPHeaderInfo",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for HTTP header data on L7 log entries.\n.\nAccepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo.\nIncludeL7HTTPHeaderInfo - Include HTTP header data in the logs.\nExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type.",
- "DescriptionHTML": "
Used to choose the type of aggregation for HTTP header data on L7 log entries.\n.\nAccepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo.\nIncludeL7HTTPHeaderInfo - Include HTTP header data in the logs.\nExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationHTTPMethod",
- "NameEnvVar": "FELIX_L7LogsFileAggregationHTTPMethod",
- "NameYAML": "l7LogsFileAggregationHTTPMethod",
- "NameGoAPI": "L7LogsFileAggregationHTTPMethod",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "IncludeL7HTTPMethod",
- "ParsedDefault": "IncludeL7HTTPMethod",
- "ParsedDefaultJSON": "\"IncludeL7HTTPMethod\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7HTTPMethod`, `IncludeL7HTTPMethod`.",
- "YAMLEnumValues": [
- "ExcludeL7HTTPMethod",
- "IncludeL7HTTPMethod"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7HTTPMethod, IncludeL7HTTPMethod.",
- "YAMLDefault": "IncludeL7HTTPMethod",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for the HTTP request method on L7 log entries.\n.\nAccepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod.\nIncludeL7HTTPMethod - Include HTTP method in the logs.\nExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method.",
- "DescriptionHTML": "
Used to choose the type of aggregation for the HTTP request method on L7 log entries.\n.\nAccepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod.\nIncludeL7HTTPMethod - Include HTTP method in the logs.\nExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationNumURLPath",
- "NameEnvVar": "FELIX_L7LogsFileAggregationNumURLPath",
- "NameYAML": "l7LogsFileAggregationNumURLPath",
- "NameGoAPI": "L7LogsFileAggregationNumURLPath",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "5",
- "ParsedDefault": "5",
- "ParsedDefaultJSON": "5",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "5",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the number of components in the url path to display.\nThis allows for the url to be truncated in case parts of the path provide no value. Setting this value\nto negative will allow all parts of the path to be displayed.\n.",
- "DescriptionHTML": "
Used to choose the number of components in the url path to display.\nThis allows for the url to be truncated in case parts of the path provide no value. Setting this value\nto negative will allow all parts of the path to be displayed.\n.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationResponseCode",
- "NameEnvVar": "FELIX_L7LogsFileAggregationResponseCode",
- "NameYAML": "l7LogsFileAggregationResponseCode",
- "NameGoAPI": "L7LogsFileAggregationResponseCode",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "IncludeL7ResponseCode",
- "ParsedDefault": "IncludeL7ResponseCode",
- "ParsedDefaultJSON": "\"IncludeL7ResponseCode\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7ResponseCode`, `IncludeL7ResponseCode`.",
- "YAMLEnumValues": [
- "ExcludeL7ResponseCode",
- "IncludeL7ResponseCode"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7ResponseCode, IncludeL7ResponseCode.",
- "YAMLDefault": "IncludeL7ResponseCode",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for the response code on L7 log entries.\n.\nAccepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode.\nIncludeL7ResponseCode - Include the response code in the logs.\nExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code.",
- "DescriptionHTML": "
Used to choose the type of aggregation for the response code on L7 log entries.\n.\nAccepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode.\nIncludeL7ResponseCode - Include the response code in the logs.\nExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationServiceInfo",
- "NameEnvVar": "FELIX_L7LogsFileAggregationServiceInfo",
- "NameYAML": "l7LogsFileAggregationServiceInfo",
- "NameGoAPI": "L7LogsFileAggregationServiceInfo",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "IncludeL7ServiceInfo",
- "ParsedDefault": "IncludeL7ServiceInfo",
- "ParsedDefaultJSON": "\"IncludeL7ServiceInfo\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7ServiceInfo`, `IncludeL7ServiceInfo`.",
- "YAMLEnumValues": [
- "ExcludeL7ServiceInfo",
- "IncludeL7ServiceInfo"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7ServiceInfo, IncludeL7ServiceInfo.",
- "YAMLDefault": "IncludeL7ServiceInfo",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for the service data on L7 log entries.\n.\nAccepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo.\nIncludeL7ServiceInfo - Include service data in the logs.\nExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port.",
- "DescriptionHTML": "
Used to choose the type of aggregation for the service data on L7 log entries.\n.\nAccepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo.\nIncludeL7ServiceInfo - Include service data in the logs.\nExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationSourceInfo",
- "NameEnvVar": "FELIX_L7LogsFileAggregationSourceInfo",
- "NameYAML": "l7LogsFileAggregationSourceInfo",
- "NameGoAPI": "L7LogsFileAggregationSourceInfo",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "IncludeL7SourceInfoNoPort",
- "ParsedDefault": "IncludeL7SourceInfoNoPort",
- "ParsedDefaultJSON": "\"IncludeL7SourceInfoNoPort\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7SourceInfo`, `IncludeL7SourceInfo`, `IncludeL7SourceInfoNoPort`.",
- "YAMLEnumValues": [
- "ExcludeL7SourceInfo",
- "IncludeL7SourceInfo",
- "IncludeL7SourceInfoNoPort"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7SourceInfo, IncludeL7SourceInfo, IncludeL7SourceInfoNoPort.",
- "YAMLDefault": "IncludeL7SourceInfoNoPort",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "L7LogsFileAggregationExcludeSourceInfo is used to choose the type of aggregation for the source metadata on L7 log entries.\n.\nAccepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo.\nIncludeL7SourceInfo - Include source metadata in the logs.\nIncludeL7SourceInfoNoPort - Include source metadata in the logs excluding the source port.\nExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type.",
- "DescriptionHTML": "
L7LogsFileAggregationExcludeSourceInfo is used to choose the type of aggregation for the source metadata on L7 log entries.\n.\nAccepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo.\nIncludeL7SourceInfo - Include source metadata in the logs.\nIncludeL7SourceInfoNoPort - Include source metadata in the logs excluding the source port.\nExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationTrimURL",
- "NameEnvVar": "FELIX_L7LogsFileAggregationTrimURL",
- "NameYAML": "l7LogsFileAggregationTrimURL",
- "NameGoAPI": "L7LogsFileAggregationTrimURL",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "IncludeL7FullURL",
- "ParsedDefault": "IncludeL7FullURL",
- "ParsedDefaultJSON": "\"IncludeL7FullURL\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `ExcludeL7URL`, `IncludeL7FullURL`, `TrimURLQuery`, `TrimURLQueryAndPath`.",
- "YAMLEnumValues": [
- "ExcludeL7URL",
- "IncludeL7FullURL",
- "TrimURLQuery",
- "TrimURLQueryAndPath"
- ],
- "YAMLSchemaHTML": "One of: ExcludeL7URL, IncludeL7FullURL, TrimURLQuery, TrimURLQueryAndPath.",
- "YAMLDefault": "IncludeL7FullURL",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to choose the type of aggregation for the url on L7 log entries.\n.\nAccepted values:\nIncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath.\nTrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL.\nTrimURLQueryAndPath - Aggregate over all other fields and the base URL only.\nExcludeL7URL - Aggregate over all other fields ignoring the URL entirely.",
- "DescriptionHTML": "
Used to choose the type of aggregation for the url on L7 log entries.\n.\nAccepted values:\nIncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath.\nTrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL.\nTrimURLQueryAndPath - Aggregate over all other fields and the base URL only.\nExcludeL7URL - Aggregate over all other fields ignoring the URL entirely.
",
- "UserEditable": true,
- "GoType": "*string",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFileAggregationURLCharLimit",
- "NameEnvVar": "FELIX_L7LogsFileAggregationURLCharLimit",
- "NameYAML": "l7LogsFileAggregationURLCharLimit",
- "NameGoAPI": "L7LogsFileAggregationURLCharLimit",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "250",
- "ParsedDefault": "250",
- "ParsedDefaultJSON": "250",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "250",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Limit on the length of the URL collected in L7 logs. When a URL length reaches this limit\nit is sliced off, and the sliced URL is sent to log storage.",
- "DescriptionHTML": "
Limit on the length of the URL collected in L7 logs. When a URL length reaches this limit\nit is sliced off, and the sliced URL is sent to log storage.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 logs",
- "GroupWithSortPrefix": "50 L7 logs",
- "NameConfigFile": "L7LogsFilePerNodeLimit",
- "NameEnvVar": "FELIX_L7LogsFilePerNodeLimit",
- "NameYAML": "l7LogsFilePerNodeLimit",
- "NameGoAPI": "L7LogsFilePerNodeLimit",
- "StringSchema": "Integer",
- "StringSchemaHTML": "Integer",
- "StringDefault": "1500",
- "ParsedDefault": "1500",
- "ParsedDefaultJSON": "1500",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer",
- "YAMLDefault": "1500",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Limit on the number of L7 logs that can be emitted within each flush interval. When\nthis limit has been reached, Felix counts the number of unloggable L7 responses within\nthe flush interval, and emits a WARNING log with that count at the same time as it\nflushes the buffered L7 logs. A value of 0 means no limit.",
- "DescriptionHTML": "
Limit on the number of L7 logs that can be emitted within each flush interval. When\nthis limit has been reached, Felix counts the number of unloggable L7 responses within\nthe flush interval, and emits a WARNING log with that count at the same time as it\nflushes the buffered L7 logs. A value of 0 means no limit.
Controls the priority that Felix will use for routing rules when programming\nthem for AWS Secondary IP support.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "AWS integration",
- "GroupWithSortPrefix": "60 AWS integration",
- "NameConfigFile": "AWSSecondaryIPSupport",
- "NameEnvVar": "FELIX_AWSSecondaryIPSupport",
- "NameYAML": "awsSecondaryIPSupport",
- "NameGoAPI": "AWSSecondaryIPSupport",
- "StringSchema": "One of: `Disabled`, `EnabledENIPerWorkload`, `Enabled` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, EnabledENIPerWorkload, Enabled (case insensitive)",
- "StringDefault": "Disabled",
- "ParsedDefault": "Disabled",
- "ParsedDefaultJSON": "\"Disabled\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Disabled`, `Enabled`, `EnabledENIPerWorkload`.",
- "YAMLEnumValues": [
- "Disabled",
- "Enabled",
- "EnabledENIPerWorkload"
- ],
- "YAMLSchemaHTML": "One of: Disabled, Enabled, EnabledENIPerWorkload.",
- "YAMLDefault": "Disabled",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Felix will try to provision AWS secondary ENIs for\nworkloads that have IPs from IP pools that are configured with an AWS subnet ID. If the field is set to\n\"EnabledENIPerWorkload\" then each workload with an AWS-backed IP will be assigned its own secondary ENI.\nIf set to \"Enabled\" then each workload with an AWS-backed IP pool will be allocated a secondary IP address\non a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for\nthe primary IP of the secondary ENIs. Accepted value must be one of \"Enabled\", \"EnabledENIPerWorkload\" or\n\"Disabled\".",
- "DescriptionHTML": "
Controls whether Felix will try to provision AWS secondary ENIs for\nworkloads that have IPs from IP pools that are configured with an AWS subnet ID. If the field is set to\n\"EnabledENIPerWorkload\" then each workload with an AWS-backed IP will be assigned its own secondary ENI.\nIf set to \"Enabled\" then each workload with an AWS-backed IP pool will be allocated a secondary IP address\non a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for\nthe primary IP of the secondary ENIs. Accepted value must be one of \"Enabled\", \"EnabledENIPerWorkload\" or\n\"Disabled\".
",
- "UserEditable": true,
- "GoType": "string",
- "OpenSourceOnly": false
- },
- {
- "Group": "AWS integration",
- "GroupWithSortPrefix": "60 AWS integration",
- "NameConfigFile": "AWSSrcDstCheck",
- "NameEnvVar": "FELIX_AWSSrcDstCheck",
- "NameYAML": "awsSrcDstCheck",
- "NameGoAPI": "AWSSrcDstCheck",
- "StringSchema": "One of: `Disable`, `DoNothing`, `Enable` (case insensitive)",
- "StringSchemaHTML": "One of: Disable, DoNothing, Enable (case insensitive)",
- "StringDefault": "DoNothing",
- "ParsedDefault": "DoNothing",
- "ParsedDefaultJSON": "\"DoNothing\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `\"Disable\"`, `\"DoNothing\"`, `\"Enable\"`.",
- "YAMLEnumValues": [
- "Disable",
- "DoNothing",
- "Enable"
- ],
- "YAMLSchemaHTML": "One of: \"Disable\", \"DoNothing\", \"Enable\".",
- "YAMLDefault": "DoNothing",
- "Required": true,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Controls whether Felix will try to change the \"source/dest check\" setting on the EC2 instance\non which it is running. A value of \"Disable\" will try to disable the source/dest check. Disabling the check\nallows for sending workload traffic without encapsulation within the same AWS subnet.",
- "DescriptionHTML": "
Controls whether Felix will try to change the \"source/dest check\" setting on the EC2 instance\non which it is running. A value of \"Disable\" will try to disable the source/dest check. Disabling the check\nallows for sending workload traffic without encapsulation within the same AWS subnet.
The minimum number of poll failures before a remote Egress Gateway is considered\nto have failed.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Egress gateway",
- "GroupWithSortPrefix": "70 Egress gateway",
- "NameConfigFile": "EgressGatewayPollInterval",
- "NameEnvVar": "FELIX_EgressGatewayPollInterval",
- "NameYAML": "egressGatewayPollInterval",
- "NameGoAPI": "EgressGatewayPollInterval",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "10",
- "ParsedDefault": "10s",
- "ParsedDefaultJSON": "10000000000",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "10s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "The interval at which Felix will poll remote egress gateways to check their\nhealth. Only Egress Gateways with a named \"health\" port will be polled in this way. Egress Gateways that\nfail the health check will be taken our of use as if they have been deleted.",
- "DescriptionHTML": "
The interval at which Felix will poll remote egress gateways to check their\nhealth. Only Egress Gateways with a named \"health\" port will be polled in this way. Egress Gateways that\nfail the health check will be taken our of use as if they have been deleted.
",
- "UserEditable": true,
- "GoType": "*v1.Duration",
- "OpenSourceOnly": false
- },
- {
- "Group": "Egress gateway",
- "GroupWithSortPrefix": "70 Egress gateway",
- "NameConfigFile": "EgressIPHostIfacePattern",
- "NameEnvVar": "FELIX_EgressIPHostIfacePattern",
- "NameYAML": "egressIPHostIfacePattern",
- "NameGoAPI": "EgressIPHostIfacePattern",
- "StringSchema": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with `/`.",
- "StringSchemaHTML": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with /.",
- "StringDefault": "",
- "ParsedDefault": "[]",
- "ParsedDefaultJSON": "null",
- "ParsedType": "[]*regexp.Regexp",
- "YAMLType": "string",
- "YAMLSchema": "String.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "String.",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "A comma-separated list of interface names which might send and receive egress traffic\nacross the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure `src_valid_mark` sysctl flags\nare set correctly for matching interfaces.\nTo target multiple interfaces with a single string, the list supports regular expressions.\nFor regular expressions, wrap the value with `/`.\nExample: `/^bond/,eth0` will match all interfaces that begin with `bond` and also the interface `eth0`.",
- "DescriptionHTML": "
A comma-separated list of interface names which might send and receive egress traffic\nacross the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure src_valid_mark sysctl flags\nare set correctly for matching interfaces.\nTo target multiple interfaces with a single string, the list supports regular expressions.\nFor regular expressions, wrap the value with /.\nExample: /^bond/,eth0 will match all interfaces that begin with bond and also the interface eth0.
Controls the priority value to use for the egress IP routing rule.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Egress gateway",
- "GroupWithSortPrefix": "70 Egress gateway",
- "NameConfigFile": "EgressIPSupport",
- "NameEnvVar": "FELIX_EgressIPSupport",
- "NameYAML": "egressIPSupport",
- "NameGoAPI": "EgressIPSupport",
- "StringSchema": "One of: `Disabled`, `EnabledPerNamespaceOrPerPod`, `EnabledPerNamespace` (case insensitive)",
- "StringSchemaHTML": "One of: Disabled, EnabledPerNamespaceOrPerPod, EnabledPerNamespace (case insensitive)",
- "StringDefault": "Disabled",
- "ParsedDefault": "Disabled",
- "ParsedDefaultJSON": "\"Disabled\"",
- "ParsedType": "string",
- "YAMLType": "string",
- "YAMLSchema": "One of: `Disabled`, `EnabledPerNamespace`, `EnabledPerNamespaceOrPerPod`.",
- "YAMLEnumValues": [
- "Disabled",
- "EnabledPerNamespace",
- "EnabledPerNamespaceOrPerPod"
- ],
- "YAMLSchemaHTML": "One of: Disabled, EnabledPerNamespace, EnabledPerNamespaceOrPerPod.",
- "YAMLDefault": "Disabled",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Defines three different support modes for egress IP function. \n- Disabled: Egress IP function is disabled.\n- EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis;\n per-pod egress annotations are ignored.\n- EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod,\n with per-pod egress annotations overriding namespace annotations.",
- "DescriptionHTML": "
Defines three different support modes for egress IP function. \n- Disabled: Egress IP function is disabled.\n- EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis;\n per-pod egress annotations are ignored.\n- EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod,\n with per-pod egress annotations overriding namespace annotations.
Defines two different support modes for external network function. \n- Disabled: External network function is disabled.\n- Enabled: External network function is enabled.
Sets to which port proxied traffic should be redirected.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "L7 proxy",
- "GroupWithSortPrefix": "90 L7 proxy",
- "NameConfigFile": "TPROXYUpstreamConnMark",
- "NameEnvVar": "FELIX_TPROXYUpstreamConnMark",
- "NameYAML": "tproxyUpstreamConnMark",
- "NameGoAPI": "TPROXYUpstreamConnMark",
- "StringSchema": "32-bit bitmask (hex or deccimal allowed) with at least 2 bits set, example: `0xffff0000`",
- "StringSchemaHTML": "32-bit bitmask (hex or deccimal allowed) with at least 2 bits set, example: 0xffff0000",
- "StringDefault": "0x17",
- "ParsedDefault": "23",
- "ParsedDefaultJSON": "23",
- "ParsedType": "uint32",
- "YAMLType": "integer",
- "YAMLSchema": "Unsigned 32-bit integer.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Unsigned 32-bit integer.",
- "YAMLDefault": "0x17",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Tells Felix which mark is used by the proxy for its upstream\nconnections so that Felix can program the dataplane correctly.",
- "DescriptionHTML": "
Tells Felix which mark is used by the proxy for its upstream\nconnections so that Felix can program the dataplane correctly.
",
- "UserEditable": true,
- "GoType": "*uint32",
- "OpenSourceOnly": false
- }
- ]
- },
- {
- "Name": "Debug/test-only (generally unsupported)",
- "Fields": [
- {
- "Group": "Debug/test-only (generally unsupported)",
- "GroupWithSortPrefix": "97 Debug/test-only (generally unsupported)",
- "NameConfigFile": "DebugBPFCgroupV2",
- "NameEnvVar": "FELIX_DebugBPFCgroupV2",
- "NameYAML": "",
- "NameGoAPI": "",
- "StringSchema": "String",
- "StringSchemaHTML": "String",
- "StringDefault": "",
- "ParsedDefault": "",
- "ParsedDefaultJSON": "\"\"",
- "ParsedType": "string",
- "YAMLType": "",
- "YAMLSchema": "",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "LocalOnly",
- "Description": "Controls the cgroup v2 path that we apply the connect-time load balancer to. Most distros\nare configured for cgroup v1, which prevents all but the root cgroup v2 from working so this is only useful\nfor development right now.",
- "DescriptionHTML": "
Controls the cgroup v2 path that we apply the connect-time load balancer to. Most distros\nare configured for cgroup v1, which prevents all but the root cgroup v2 from working so this is only useful\nfor development right now.
Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.
",
- "UserEditable": true,
- "GoType": "",
- "OpenSourceOnly": false
- },
- {
- "Group": "Debug/test-only (generally unsupported)",
- "GroupWithSortPrefix": "97 Debug/test-only (generally unsupported)",
- "NameConfigFile": "DebugPort",
- "NameEnvVar": "FELIX_DebugPort",
- "NameYAML": "debugPort",
- "NameGoAPI": "DebugPort",
- "StringSchema": "Integer: [0,65535]",
- "StringSchemaHTML": "Integer: [0,65535]",
- "StringDefault": "",
- "ParsedDefault": "0",
- "ParsedDefaultJSON": "0",
- "ParsedType": "int",
- "YAMLType": "integer",
- "YAMLSchema": "Integer: [0,65535]",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Integer: [0,65535]",
- "YAMLDefault": "",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "If set, enables Felix's debug HTTP port, which allows memory and CPU profiles\nto be retrieved. The debug port is not secure, it should not be exposed to the internet.",
- "DescriptionHTML": "
If set, enables Felix's debug HTTP port, which allows memory and CPU profiles\nto be retrieved. The debug port is not secure, it should not be exposed to the internet.
",
- "UserEditable": true,
- "GoType": "*int",
- "OpenSourceOnly": false
- },
- {
- "Group": "Debug/test-only (generally unsupported)",
- "GroupWithSortPrefix": "97 Debug/test-only (generally unsupported)",
- "NameConfigFile": "DebugSimulateCalcGraphHangAfter",
- "NameEnvVar": "FELIX_DebugSimulateCalcGraphHangAfter",
- "NameYAML": "debugSimulateCalcGraphHangAfter",
- "NameGoAPI": "DebugSimulateCalcGraphHangAfter",
- "StringSchema": "Seconds (floating point)",
- "StringSchemaHTML": "Seconds (floating point)",
- "StringDefault": "0",
- "ParsedDefault": "0s",
- "ParsedDefaultJSON": "0",
- "ParsedType": "time.Duration",
- "YAMLType": "string",
- "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.",
- "YAMLEnumValues": null,
- "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.",
- "YAMLDefault": "0s",
- "Required": false,
- "OnParseFailure": "ReplaceWithDefault",
- "AllowedConfigSources": "All",
- "Description": "Used to simulate a hang in the calculation graph after the specified duration.\nThis is useful in tests of the watchdog system only!",
- "DescriptionHTML": "
Used to simulate a hang in the calculation graph after the specified duration.\nThis is useful in tests of the watchdog system only!
- If you are installing on a cluster installed by EKS, GKE, AKS or Mirantis Kubernetes Engine (MKE), or you need
- to customize TLS certificates, you must customize this Helm chart by creating a{' '}
- values.yaml file. Otherwise, you can skip this step.
-
-
-
-
- If you are installing on a cluster installed by EKS, GKE, AKS or Mirantis Kubernetes Engine (MKE), set the{' '}
- kubernetesProvider as described in the{' '}
- Installation reference. For
- example:
-
- For Azure AKS cluster with no Kubernetes CNI pre-installed, create values.yaml with the following
- command:
-
-
- {`cat > values.yaml <
-
-
- Add any other customizations you require to values.yaml by running the following command.
- For help, see Helm installation reference,
- or helm docs.
-
- Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be
- used to deploy Prometheus server and Alertmanager to monitor {prodname} metrics.
-
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with {prodname}, your Prometheus operator must be v0.40.0 or higher.
-
- kubectl create -f {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
-
Install your pull secret.
-
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials instead.
-
- Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be
- used to deploy Prometheus server and Alertmanager to monitor {prodname} metrics.
-
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with {prodname}, your Prometheus operator must be v0.40.0 or higher.
-
- kubectl create -f {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
-
Install your pull secret.
-
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials instead.
-
- To control managed clusters from your central management plane, you must ensure it is reachable for
- connections. The simplest way to get started (but not for production scenarios), is to configure a{' '}
- NodePort service to expose the management cluster. Note that the service must live within the{' '}
- calico-system namespace.
-
-
-
-
Create a service to expose the management cluster.
-
- The following example of a NodePort service may not be suitable for production and high availability.
- For options, see{' '}
-
- Fine-tune multi-cluster management for production
-
- .
-
-
Apply the following service manifest.
-
- {`kubectl create -f - <
-
-
-
- Export the service port number, and the public IP or host of the management cluster. (Ex.
- "example.com:1234" or "10.0.0.10:1234".)
-
-
-
- Create an admin user and verify management cluster connection
-
-
- To access resources in a managed cluster from the {prodname} Manager within the management cluster, the
- logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).
-
-
-
-
- Create an admin user called, mcm-user in the default namespace with full permissions, by
- applying the following commands.
-
- In the top right banner, your management cluster is displayed as the first entry in the cluster
- selection drop-down menu with the fixed name, management cluster.
-
-
-
-
-
You have successfully installed a management cluster.
- >
- )}
- {props.clusterType === 'managed' && (
- <>
-
-
- Provide permissions to view the managed cluster
-
-
- To access resources belonging to a managed cluster from the {prodname} Manager UI, the service or user
- account used to log in must have appropriate permissions defined in the managed cluster.
-
-
- Let's define admin-level permissions for the service account (mcm-user) we created to log in to
- the Manager UI. Run the following command against your managed cluster.
-
-
- kubectl create clusterrolebinding mcm-user-admin --serviceaccount=default:mcm-user
- --clusterrole=tigera-network-admin
-
- >
- )}
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallEKS.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallEKS.js
deleted file mode 100644
index 5486fe984f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallEKS.js
+++ /dev/null
@@ -1,448 +0,0 @@
-import React from 'react';
-
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-import Admonition from '@theme/Admonition';
-import Heading from '@theme/Heading';
-
-import GeekDetails from '@site/src/components/partials/GeekDetails';
-
-import ConfigureManagedCluster from './ConfigureManagedCluster';
-import { prodname, prodnamedash, baseUrl, filesUrl } from '../../variables';
-
-export default function InstallEKS(props) {
- return (
- <>
-
- Install EKS with Amazon VPC networking
-
-
-
-
Install the Tigera Operator and custom resource definitions.
- Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be
- used to deploy Prometheus server and Alertmanager to monitor {prodname} metrics.
-
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with {prodname}, your Prometheus operator must be v0.40.0 or higher.
-
- kubectl create -f {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
-
Install your pull secret.
-
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials instead.
-
You can now monitor progress with the following command:
- watch kubectl get tigerastatus
-
- Wait until the apiserver shows a status of Available, then proceed to{' '}
- install the {prodname} license.
-
-
- )}
-
-
- Install EKS with Calico networking
-
-
- {prodname} networking cannot currently be installed on the EKS control plane nodes. As a result the control
- plane nodes will not be able to initiate network connections to {prodname} pods. (This is a general limitation
- of EKS's custom networking support, not specific to {prodname}.) As a workaround, trusted pods that require
- control plane nodes to connect to them, such as those implementing admission controller webhooks, can include{' '}
- hostNetwork:true in their pod spec. See the Kubernetes API{' '}
-
- pod spec
- {' '}
- definition for more information on this setting.
-
-
- Create an EKS cluster
-
-
- For these instructions, we will use eksctl to provision the cluster. However, you can use any of
- the methods in{' '}
-
- Getting Started with Amazon EKS
-
-
-
- Before you get started, make sure you have downloaded and configured the{' '}
-
- necessary prerequisites
-
-
-
-
-
First, create an Amazon EKS cluster without any nodes.
- Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be
- used to deploy Prometheus server and Alertmanager to monitor {prodname} metrics.
-
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with {prodname}, your Prometheus operator must be v0.40.0 or higher.
-
- kubectl create -f {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
-
Install your pull secret.
-
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials instead.
-
- Install any extra {prodname} resources needed at
- cluster start using calicoctl.
-
-
-
-
- To configure {prodname} for use with the Calico CNI plugin, we must create an Installation{' '}
- resource that has spec.cni.type: Calico. Install the{' '}
- custom-resources-calico-cni.yaml manifest, which includes this configuration. For more
- information on configuration options available in this manifest, see{' '}
- the installation reference.
-
- Tip: Without the --max-pods-per-node option above, EKS will limit the{' '}
-
- number of pods based on node-type
-
- . See eksctl create nodegroup --help for the full set of node group options.
-
-
-
-
-
Monitor progress with the following command:
- watch kubectl get tigerastatus
-
- Wait until the apiserver shows a status of Available, then proceed to the next
- section.
-
- To control managed clusters from your central management plane, you must ensure it is reachable for
- connections. The simplest way to get started (but not for production scenarios), is to configure a{' '}
- NodePort service to expose the management cluster. Note that the service must live within the{' '}
- calico-system namespace.
-
-
-
-
Create a service to expose the management cluster.
-
- The following example of a NodePort service may not be suitable for production and high availability.
- For options, see{' '}
-
- Fine-tune multi-cluster management for production
-
- .
-
-
Apply the following service manifest.
-
- {`kubectl create -f - <
-
-
-
- Export the service port number, and the public IP or host of the management cluster. (Ex.
- "example.com:1234" or "10.0.0.10:1234".)
-
-
-
- Create an admin user and verify management cluster connection
-
-
- To access resources in a managed cluster from the {prodname} Manager within the management cluster, the
- logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).
-
-
-
-
- Create an admin user called, mcm-user in the default namespace with full permissions, by
- applying the following commands.
-
- In the top right banner, your management cluster is displayed as the first entry in the cluster
- selection drop-down menu with the fixed name, management cluster.
-
-
-
-
-
You have successfully installed a management cluster.
- >
- )}
- {props.clusterType === 'managed' && (
- <>
-
-
- Provide permissions to view the managed cluster
-
-
- To access resources belonging to a managed cluster from the {prodname} Manager UI, the service or user
- account used to log in must have appropriate permissions defined in the managed cluster.
-
-
- Let's define admin-level permissions for the service account (mcm-user) we created to log in to
- the Manager UI. Run the following command against your managed cluster.
-
-
- {`kubectl create clusterrolebinding mcm-user-admin --serviceaccount=default:mcm-user --clusterrole=tigera-network-admin`}
-
- >
- )}
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGKE.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGKE.js
deleted file mode 100644
index 694a6c48e1..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGKE.js
+++ /dev/null
@@ -1,263 +0,0 @@
-import React from 'react';
-import { If, When, Then, Else } from 'react-if';
-
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-import Admonition from '@theme/Admonition';
-import Heading from '@theme/Heading';
-
-import ConfigureManagedCluster from './ConfigureManagedCluster';
-import { prodname, baseUrl, filesUrl } from '../../variables';
-
-export default function InstallGKE(props) {
- return (
- <>
-
- Install {prodname}
-
-
-
-
Install the Tigera Operator and custom resource definitions.
- Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be
- used to deploy Prometheus server and Alertmanager to monitor {prodname} metrics.
-
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with {prodname}, your Prometheus operator must be v0.40.0 or higher.
-
- kubectl create -f {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
-
Install your pull secret.
-
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials instead.
-
You can now monitor progress with the following command:
- watch kubectl get tigerastatus
-
- Wait until the apiserver shows a status of Available, then proceed to the next
- section.
-
-
-
-
-
-
-
- Install the {prodname} license
-
-
In order to use {prodname}, you must install the license provided to you by Tigera.
- {`kubectl create -f `}
-
You can now monitor progress with the following command:
- watch kubectl get tigerastatus
-
-
-
- Create a management cluster
-
-
- To control managed clusters from your central management plane, you must ensure it is reachable for
- connections. The simplest way to get started (but not for production scenarios), is to configure a{' '}
- NodePort service to expose the management cluster. Note that the service must live within the{' '}
- calico-system namespace.
-
-
-
-
Create a service to expose the management cluster.
-
- The following example of a NodePort service may not be suitable for production and high availability. For
- options, see{' '}
-
- Fine-tune multi-cluster management for production
-
- .
-
-
Apply the following service manifest.
-
- {`kubectl create -f - <
-
-
-
- Export the service port number, and the public IP or host of the management cluster. (Ex.
- "example.com:1234" or "10.0.0.10:1234".)
-
-
-
- Create an admin user and verify management cluster connection
-
-
- To access resources in a managed cluster from the {prodname} Manager within the management cluster, the
- logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).
-
-
-
-
- Create an admin user called, mcm-user in the default namespace with full permissions, by
- applying the following commands.
-
- In the top right banner, your management cluster is displayed as the first entry in the cluster selection
- drop-down menu with the fixed name, management cluster.
-
-
-
-
-
You have successfully installed a management cluster.
-
-
-
-
-
-
- Provide permissions to view the managed cluster
-
-
- To access resources belonging to a managed cluster from the {prodname} Manager UI, the service or user account
- used to log in must have appropriate permissions defined in the managed cluster.
-
-
- Let's define admin-level permissions for the service account (mcm-user) we created to log in to
- the Manager UI. Run the following command against your managed cluster.
-
-
- {`kubectl create clusterrolebinding mcm-user-admin --serviceaccount=default:mcm-user --clusterrole=tigera-network-admin`}
-
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric.js
deleted file mode 100644
index 5266d4ca60..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric.js
+++ /dev/null
@@ -1,278 +0,0 @@
-import React from 'react';
-import { When } from 'react-if';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-import Heading from '@theme/Heading';
-
-import ConfigureManagedCluster from './ConfigureManagedCluster';
-import { prodname, prodnamedash, baseUrl, filesUrl } from '../../variables';
-
-export default function InstallGeneric(props) {
- return (
- <>
-
- Install {prodname}
-
-
-
- Configure storage for {prodname}.
-
-
-
-
-
Install the Tigera Operator and custom resource definitions.
- Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be
- used to deploy Prometheus server and Alertmanager to monitor {prodname} metrics.
-
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with {prodname}, your Prometheus operator must be v0.40.0 or higher.
-
- kubectl create -f {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
- Install your pull secret.
-
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials.
-
- (Optional) If your cluster architecture requires any custom{' '}
- {prodname} resources to function at startup, install them
- now using calicoctl.
-
-
-
- (Optional) Compliance and packet capture features are optional. To enable these features during
- installation, download and review the custom-resources.yaml file. Uncomment the necessary CRs and use this
- custom-resources.yaml for installation.
-
You can now monitor progress with the following command:
- watch kubectl get tigerastatus
- >
-
-
- <>
-
- Create a management cluster
-
-
- To control managed clusters from your central management plane, you must ensure it is reachable for
- connections. The simplest way to get started (but not for production scenarios), is to configure a{' '}
- NodePort service to expose the management cluster. Note that the service must live within the{' '}
- calico-system namespace.
-
-
-
-
- Create a service to expose the management cluster. The following example of a NodePort service may not
- be suitable for production and high availability. For options, see{' '}
-
- Fine-tune multi-cluster management for production
-
- . Apply the following service manifest.
-
-
- {`kubectl create -f - <
-
-
-
- Export the service port number, and the public IP or host of the management cluster. (Ex.
- "example.com:1234" or "10.0.0.10:1234".)
-
-
-
- Create an admin user and verify management cluster connection
-
-
- To access resources in a managed cluster from the {prodname} Manager within the management cluster, the
- logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).
-
-
-
-
- Create an admin user called, mcm-user in the default namespace with full permissions, by
- applying the following commands.
-
- In the top right banner, your management cluster is displayed as the first entry in the cluster
- selection drop-down menu with the fixed name, management cluster.
-
-
-
-
-
-
-
You have successfully installed a management cluster.
- >
-
-
- <>
-
-
- Provide permissions to view the managed cluster
-
-
- To access resources belonging to a managed cluster from the {prodname} Manager UI, the service or user
- account used to log in must have appropriate permissions defined in the managed cluster.
-
-
- Let's define admin-level permissions for the service account (mcm-user) we created to log
- in to the Manager UI. Run the following command against your managed cluster.
-
-
- kubectl create clusterrolebinding mcm-user-admin --serviceaccount=default:mcm-user
- --clusterrole=tigera-network-admin
-
- >
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShift.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShift.js
deleted file mode 100644
index c6920050b2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShift.js
+++ /dev/null
@@ -1,663 +0,0 @@
-import React from 'react';
-import { When } from 'react-if';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-import Heading from '@theme/Heading';
-
-import InstallOpenShiftManifests from './InstallOpenShiftManifests';
-import OpenShiftPullSecret from './OpenShiftPullSecret';
-import OpenShiftPrometheusOperator from './OpenShiftPrometheusOperator';
-import ConfigureManagedCluster from './ConfigureManagedCluster';
-
-import { prodname, prodnameWindows, prodnamedash, rootDirWindows, baseUrl, filesUrl, tempFilesURL } from '../../variables';
-
-export default function InstallOpenShift(props) {
- return (
- <>
-
- Create a configuration file for the OpenShift installer
-
-
- First, create a staging directory for the installation. This directory will contain the configuration file,
- along with cluster state files, that OpenShift installer will create:
-
- mkdir openshift-tigera-install && cd openshift-tigera-install
-
Now run OpenShift installer to create a default configuration file:
- openshift-install create install-config
-
- See the{' '}
-
- OpenShift installer documentation
- {' '}
- for more information about the installer and any configuration changes required for your platform.
-
-
- After the installer finishes, your staging directory will contain the configuration file{' '}
- install-config.yaml.
-
-
-
- Update the configuration file to use {prodname}
-
-
- Override the OpenShift networking to use {prodname} and update the AWS instance types to meet the{' '}
- system requirements:
-
-
- sed -i 's/\(OpenShiftSDN\|OVNKubernetes\)/Calico/' install-config.yaml{'\n'}
-
-
-
-
By default openshift-installer creates 3 replicas, you can change these settings by modifying the cloud-provider part in the install-config.yaml
-
The following example changes the default deployment instance type and replica quantity.
Now generate the Kubernetes manifests using your configuration file:
- openshift-install create manifests
-
-
For OpenShift v4.16 or newer on AWS, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
-
Edit spec.network.cni.cniIngressRules in the cluster-api/02_infra-cluster.yaml file to add
- Edit the Installation custom resource manifest manifests/03-cr-installation.yaml so that it
- enables VXLAN and disables BGP. This is required for {prodnameWindows}:
-
- To provide additional configuration during installation (for example, BGP configuration or peers), use a
- Kubernetes ConfigMap with your desired {prodname} resources. If you do not need to provide additional
- configuration, skip this section.
-
-
- To include {prodname} resources during installation, edit{' '}
- manifests/02-configmap-calico-resources.yaml in order to add your own configuration.
-
-
-
If you have a directory with the {prodname} resources, you can create the file with the command:
- With recent versions of kubectl it is necessary to have a kubeconfig configured or add{' '}
- --server='127.0.0.1:443' even though it is not used.
-
-
-
-
- If you have provided a calico-resources configmap and the tigera-operator pod fails to come up
- with Init:CrashLoopBackOff, check the output of the init-container with{' '}
- kubectl logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources.
-
-
-
-
- Create the cluster
-
-
Start the cluster creation with the following command and wait for it to complete.
- openshift-install create cluster
-
-
- Create a storage class
-
-
- {prodname} requires storage for logs and reports. Before finishing the installation, you must{' '}
- create a StorageClass for {prodname}.
-
-
-
- <>
-
- Install the {prodname} license
-
-
- In order to use {prodname}, you must install the license provided to you by a Tigera support representative.
- Before applying the license, wait until the Tigera API server is ready with the following command:
-
- watch oc get tigerastatus
-
- Wait until the apiserver shows a status of Available.
-
-
After the Tigera API server is ready, apply the license:
- {'oc create -f '}
- >
-
-
-
- Install {prodname} resources
-
-
- {/* OCP_ENTERPRISE_RESOURCES variable in Makefile needs to be updated for any addition or deletion of enterprise resources */}
-
-
- <>
-
- Download the Tigera custom resources. For more information on configuration options available in this
- manifest, see the installation reference.
-
- To control managed clusters from your central management plane, you must ensure it is reachable for
- connections. The simplest way to get started (but not for production scenarios), is to configure a{' '}
- NodePort service to expose the management cluster. Note that the service must live within the{' '}
- calico-system namespace.
-
-
-
-
- Create a service to expose the management cluster. The following example of a NodePort service may not
- be suitable for production and high availability. For options, see{' '}
-
- Fine-tune multi-cluster management for production
-
- . Apply the following service manifest.
-
-
- {`oc create -f - <
-
-
-
- Export the service port number, and the public IP or host of the management cluster. (Ex.
- "example.com:1234" or "10.0.0.10:1234".)
-
-
-
- Create an admin user and verify management cluster connection
-
-
- To access resources in a managed cluster from the {prodname} Manager within the management cluster, the
- logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).
-
-
-
-
- Create an admin user called, mcm-user in the default namespace with full permissions, by
- applying the following commands.
-
- In the top right banner, your management cluster is displayed as the first entry in the cluster
- selection drop-down menu with the fixed name, management cluster.
-
-
-
-
-
-
-
You have successfully installed a management cluster.
- >
-
-
-
- <>
-
-
- Provide permissions to view the managed cluster
-
-
- To access resources belonging to a managed cluster from the {prodname} Manager UI, the service or user
- account used to log in must have appropriate permissions defined in the managed cluster.
-
-
- Let's define admin-level permissions for the service account (mcm-user) we created to log
- in to the Manager UI. Run the following command against your managed cluster.
-
-
- For OpenShift 4.6, use the latest wni for OpenShift 4.5. A wni binary for OpenShift 4.6 is not published yet.
-
-
- Next, determine the AMI id corresponding to Windows Server 1903 (build 18317) or greater. wni{' '}
- defaults to using Windows Server 2019 (build 10.0.17763) which does not include WinDSR support. One way to do
- this is by searching for AMI's matching the string{' '}
- Windows_Server-1903-English-Core-ContainersLatest in the Amazon EC2 console.
-
-
- Next, run wni to add a Windows node to your cluster. Replace AMI_ID, AWS_CREDENTIALS_PATH,
- AWS_KEY_NAME and AWS_PRIVATE_KEY_PATH with your values:
-
-
- {`$ chmod u+x wni
-$ ./wni aws create \
-> --kubeconfig openshift-tigera-install/auth/kubeconfig \\
-> --credentials ~/.aws/credentials \\
-> --credential-account default \\
-> --instance-type m5a.large \\
-> --ssh-key test-key \\
-> --private-key /home/user/.ssh/test-key.pem
-2020/10/05 12:52:51 kubeconfig source: /home/user/openshift-tigera-install/auth/kubeconfig
-2020/10/05 12:52:59 Added rule with port 5986 to the security groups of your local IP
-2020/10/05 12:52:59 Added rule with port 22 to the security groups of your local IP
-2020/10/05 12:52:59 Added rule with port 3389 to the security groups of your local IP
-2020/10/05 12:52:59 Using existing Security Group: sg-06d1de22807d5dc48
-2020/10/05 12:57:30 External IP: 52.35.12.231
-2020/10/05 12:57:30 Internal IP: 10.0.90.193`}
-
-
- Get the administrator password
-
-
- The wni binary writes the instance details to the file windows-node-installer.json. An
- example of the file:
-
- From the Windows node, download the Windows Machine Config Bootstrapper wmcb.exe that matches your
- OpenShift minor version from{' '}
-
- Windows Machine Config Bootstrapper releases
-
- . For example, for OpenShift 4.5.x:
-
-
- curl https://github.com/openshift/windows-machine-config-bootstrapper/releases/download/v4.5.2-alpha/wmcb.exe -o
- c:\wmcb.exe
-
-
- For OpenShift 4.6, use the latest wmcb.exe for OpenShift 4.5. A wmcb.ex binary for OpenShift 4.6 is not
- published yet.
-
-
- Next, we will download the worker.ign file from the API server:
-
-
- c:\wmcb.exe initialize-kubelet --ignition-file worker.ign --kubelet-path c:\k\kubelet.exe
-
-
- The kubelet configuration installed by Windows Machine Config Bootstrapper includes{' '}
- --register-with-taints="os=Windows:NoSchedule" which will require Windows pods to
- tolerate that taint.
-
-
- Next, we make a copy of the kubeconfig because wmcb.exe expects the kubeconfig to be the file{' '}
- c:\k\kubeconfig. Then we configure kubelet to use Calico CNI:
-
- Cluster meets the {prodname}{' '}
- system requirements
-
-
-
-
- If installing on AWS, a{' '}
-
- configured AWS account
- {' '}
- appropriate for OpenShift 4, and have{' '}
-
- set up your AWS credentials
-
- . Note that the OpenShift installer supports a subset of{' '}
-
- AWS regions
-
- .
-
-
-
-
- OpenShift installer and OpenShift command line interface from{' '}
- docs.redhat.com
-
-
-
-
- A{' '}
-
- generated a local SSH private key
- {' '}
- that is added to your ssh-agent
-
-
-
-
- A Tigera license key and credentials
-
-
- {props.clusterOS === 'hybrid' && (
- <>
-
The {prodnameWindows} installation zip archive, which you can get from your support representative.
-
- Limitations
-
-
- Due to an upstream issue, Windows
- pods can only be run in specific namespaces if you disable SCC. To do this, label the namespace with{' '}
- openshift.io/run-level: "1".
-
- >
- )}
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/MaintenanceClisCalicoqInstalling.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/MaintenanceClisCalicoqInstalling.js
deleted file mode 100644
index e5796989b7..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/MaintenanceClisCalicoqInstalling.js
+++ /dev/null
@@ -1,17 +0,0 @@
-// Temporary component for "calico-enterprise\maintenance\clis\calicoq\installing.mdx"
-
-import React from 'react';
-
-import CodeBlock from '@theme/CodeBlock';
-
-import { downloadsurl, releaseTitle, filesUrl, version } from '../../variables';
-
-export default function MaintenanceClisCalicoqInstalling() {
- const ver = version === 'master' ? version : releaseTitle;
- const code =
- ver === 'master'
- ? `${filesUrl}/download/binaries/${ver}/calicoq`
- : `curl -o calicoq -O -L ${downloadsurl}/ee/binaries/${ver}/calicoq`;
-
- return {code};
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPrometheusOperator.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPrometheusOperator.js
deleted file mode 100644
index 003e6e431b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPrometheusOperator.js
+++ /dev/null
@@ -1,28 +0,0 @@
-import React from 'react';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-
-import { prodname, baseUrl, filesUrl } from '../../variables';
-
-export default function OpenShiftPrometheusOperator(props) {
- const createSecret = `oc create secret generic tigera-pull-secret \\
- --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \\
- --from-file=.dockerconfigjson=\n`;
- const notOSCodeBlock = props.upgradeFrom !== 'OpenSource' ? createSecret : '';
-
- return (
- <>
-
Apply the {prodname} manifests for the Prometheus operator.
-
- Complete this step only if you are using the {prodname} Prometheus operator (including adding your own
- Prometheus operator). Skip this step if you are using{' '}
- BYO Prometheus that you manage yourself.
-
- {props.operation === 'install'
- ? oc create -f {filesUrl}/manifests/ocp/tigera-prometheus-operator.yaml
- : oc apply -f {filesUrl}/manifests/ocp/tigera-prometheus-operator.yaml}
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPullSecret.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPullSecret.js
deleted file mode 100644
index c807e51edb..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPullSecret.js
+++ /dev/null
@@ -1,20 +0,0 @@
-import React from 'react';
-
-import CodeBlock from '@theme/CodeBlock';
-
-export default function OpenShiftPullSecret() {
- return (
- <>
-
- Update the contents of the secret with the image pull secret provided to you by Tigera support representative.
-
-
- For example, if the secret is located at ~/.docker/config.json, run the following commands.
-
- Push {prodname} images to your private registry image path
-
-
- In order to install images from your private registry, you must first pull the images from Tigera's
- registry, re-tag them with your own registry, and then push the newly tagged images to your own registry.
-
-
-
-
Use the following commands to pull the required {prodname} images.
-
- {`docker push $PRIVATE_REGISTRY/$IMAGE_PATH/${mapImageToImageName(tigeraOperator.image)}:${
- tigeraOperator.version
- }`}
- {componentsWithImage.filter(filters.isNotWindows).map((component) => {
- const imageName = mapImageToImageName(component.image);
-
- return `docker push $PRIVATE_REGISTRY/$IMAGE_PATH/${imageName}:${component.version}\n`;
- }).join('')}
-
- Do not push the private {prodname} images to a public registry.
-
-
Use crane cp to copy the Windows images to your private registry.
-
-
For hybrid Linux + Windows clusters, use crane cp on the following Windows images to copy them to your private registry.
-
- {componentsWithImage.filter(filters.isWindows).map((component) => {
- const imageName = mapImageToImageName(component.image);
-
- return `crane cp ${registry}${component.image}:${component.version} $PRIVATE_REGISTRY/$IMAGE_PATH/${imageName}:${component.version}\n`;
- }).join('')}
-
-
- Do not crane cp the private {prodnameWindows} images to a public registry.
-
-
-
- Run the operator using images from your private registry image path
-
-
- Before applying tigera-operator.yaml, modify registry references to use your custom registry:
-
-
- {`sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" tigera-operator.yaml`}
-
-
- {/* The second 'sed' should be removed once operator launches Prometheus & Alertmanager */}
-
-
- Next, ensure that an image pull secret has been configured for your custom registry. Set the enviroment variable{' '}
- PRIVATE_REGISTRY_PULL_SECRET to the secret name. Then add the image pull secret to the operator
- deployment spec:
-
- If you are installing Prometheus operator as part of {prodname}, then before applying{' '}
- tigera-prometheus-operator.yaml, modify registry references to use your custom registry:
-
-
- {`sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" tigera-prometheus-operator.yaml
-sed -ie "/serviceAccountName: calico-prometheus-operator/a \ imagePullSecrets:\\n\ - name: $PRIVATE_REGISTRY_PULL_SECRET" tigera-prometheus-operator.yaml`}
-
-
- {/* The second 'sed' should be removed once operator launches Prometheus & Alertmanager */}
-
-
- Before applying custom-resources.yaml, modify registry references to use your custom registry:
-
- {`sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" custom-resources.yaml`}
-
- {/* The second 'sed' should be removed once operator launches Prometheus & Alertmanager */}
-
-
- For OpenShift, after downloading all manifests modify the following to use your custom registry:
-
-
- {`sed -ie "s?quay.io.*/?$PRIVATE_REGISTRY/$IMAGE_PATH/?" manifests/02-tigera-operator.yaml`}
-
-
-
- Add the image pull secret for your registry to the secret tigera-pull-secret
-
-
-
- Configure the operator to use images from your private registry image path.
-
-
- Set the spec.registry and spec.imagePath field of your Installation resource to the
- name of your custom registry. For example:
-
- In order to install images from your private registry, you must first pull the images from Tigera's
- registry, re-tag them with your own registry, and then push the newly tagged images to your own registry.
-
-
-
-
Use the following commands to pull the required {prodname} images.
-
- {`docker push $PRIVATE_REGISTRY/${tigeraOperator.image}:${tigeraOperator.version}\n`}
- {componentsWithImage.filter(filters.isNotWindows).map((component) => {
- return `docker push $PRIVATE_REGISTRY/${component.image}:${component.version}\n`;
- }).join('')}
-
- Do not push the private {prodname} images to a public registry.
-
-
-
Use crane cp to copy the Windows images to your private registry.
-
For hybrid Linux + Windows clusters, use crane cp on the following Windows images to copy them to your private registry.
-
- {componentsWithImage.filter(filters.isWindows).map((component) => {
- const registry = mapComponentToRegistry(component);
- const imageName = component.image.split('/').pop();
-
- return `crane cp ${registry}${component.image}:${component.version} $PRIVATE_REGISTRY/$IMAGE_PATH/${imageName}:${component.version}\n`;
- }).join('')}
-
-
- Do not crane cp the private {prodnameWindows} images to a public registry.
-
-
-
-
- Run the operator using images from your private registry
-
-
- Before applying tigera-operator.yaml, modify registry references to use your custom registry:
-
- Next, ensure that an image pull secret has been configured for your custom registry. Set the enviroment variable{' '}
- PRIVATE_REGISTRY_PULL_SECRET to the secret name. Then add the image pull secret to the operator
- deployment spec:
-
-
- {`sed -ie "/serviceAccountName: tigera-operator/a \ imagePullSecrets:\\n\ - name: $PRIVATE_REGISTRY_PULL_SECRET" tigera-operator.yaml`}
-
- {/* The second 'sed' should be removed once operator launches Prometheus & Alertmanager */}
-
- If you are installing Prometheus operator as part of {prodname}, then before applying{' '}
- tigera-prometheus-operator.yaml, modify registry references to use your custom registry:
-
-
- {`sed -ie "s?quay.io?$PRIVATE_REGISTRY?g" tigera-prometheus-operator.yaml
-sed -ie "/serviceAccountName: calico-prometheus-operator/a \ imagePullSecrets:\\n\ - name: $PRIVATE_REGISTRY_PULL_SECRET" tigera-prometheus-operator.yaml`}
-
- {/* The second 'sed' should be removed once operator launches Prometheus & Alertmanager */}
-
- Before applying custom-resources.yaml, modify registry references to use your custom registry:
-
- sed -ie "s?quay.io?$PRIVATE_REGISTRY?g" custom-resources.yaml
- {/* This step should be removed once operator launches Prometheus & Alertmanager */}
-
-
- Configure the operator to use images from your private registry.
-
-
- Set the spec.registry field of your Installation resource to the name of your custom registry. For
- example:
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsKernel.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsKernel.js
deleted file mode 100644
index 124f85b24c..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsKernel.js
+++ /dev/null
@@ -1,69 +0,0 @@
-import React from 'react';
-import Admonition from '@theme/Admonition';
-import Heading from '@theme/Heading';
-
-import { prodname } from '../../variables';
-
-export default function ReqsKernel() {
- return (
- <>
-
- Kernel dependencies
-
-
-
If you are using one of the recommended distributions, you will already satisfy these.
-
-
- Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names
- of the particular kernel modules that are required to run {prodname}. However, in general, you’ll need:
-
-
-
-
- The iptables modules (both the “legacy” and “nft” variants are supported). These are typically
- broken up into many small modules, one for each type of match criteria and one for each type of action.{' '}
- {prodname} requires:
-
-
-
The “base” modules (including the IPv6 versions if IPv6 is enabled in your cluster).
-
- At least the following match criteria: set, rpfilter, addrtype,{' '}
- comment, conntrack, icmp, tcp, udp,{' '}
- ipvs, icmpv6 (if IPv6 is enabled in your kernel), mark,{' '}
- multiport, rpfilter, sctp, ipvs (if using
- kube-proxy in IPVS mode).
-
-
- At least the following actions: REJECT, ACCEPT, DROP,{' '}
- LOG.
-
-
-
-
-
IP sets support.
-
-
-
Netfilter Conntrack support compiled in (with SCTP support if using SCTP).
-
-
-
- IPVS support if using kube-proxy in IPVS mode.
-
-
-
-
- IPIP, VXLAN, Wireguard support, if using {prodname} networking in one of those modes.
-
-
-
-
- eBPF (including the tc hook support) and XDP (if you want to use the eBPF data plane).
-
-
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsSys.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsSys.js
deleted file mode 100644
index 5637c945c3..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsSys.js
+++ /dev/null
@@ -1,425 +0,0 @@
-import React from 'react';
-
-import Admonition from '@theme/Admonition';
-import Link from '@docusaurus/Link';
-import Heading from '@theme/Heading';
-import CodeBlock from '@theme/CodeBlock';
-
-import { orchestrators } from '@site/variables';
-import { prodname, baseUrl } from '../../variables';
-
-function NodeRequirementsEnt(props) {
- return (
- <>
-
- Node requirements
-
-
-
-
x86-64 or arm64 processor with at least 2 cores, 8.0GB RAM and 20 GB free disk space
-
-
-
- Linux kernel 5.10 or later with required dependencies. The
- following distributions have the required kernel, its dependencies, and are known to work well with{' '}
- {prodname} and {props.orch}.
-
- If your node is running RHEL 8 or RHEL 9, you must install a specialized policy package before you install {prodname}.
- With this package, {prodname} can use SELinux contexts in a series of rules that allow it to interact with persistent and ephemeral data in nonstandard host system locations.
-
-
-
-
If your node has RHEL 8 installed, then run the following command:
- {prodname} must be able to manage cali*
- interfaces on the host. When IPIP is enabled (the default),
- {prodname} also needs to be able to manage tunl*
- interfaces. When VXLAN is enabled, {prodname} also needs to be able to manage the vxlan.calico{' '}
- interface.
-
-
-
- Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager
- does not allow
- {prodname} to manage interfaces. If your nodes have NetworkManager, complete the steps in{' '}
-
- Preventing NetworkManager from controlling {prodname} interfaces
- {' '}
- before installing {prodname}.
-
-
-
-
-
- If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled.
- These may interfere with rules added by {prodname} and result in unexpected behavior.
-
-
-
- If a host firewall is needed, it can be configured by {prodname} HostEndpoint and GlobalNetworkPolicy.
- More information about configuration at Security for host.
-
-
-
-
-
- In order to properly run Elasticsearch, nodes must be configured according to the{' '}
-
- Elasticsearch system configuration documentation.
-
-
-
-
-
- The Typha autoscaler requires a minimum number of Linux worker nodes based on total number of schedulable
- nodes.
-
- Ensure that your hosts and firewalls allow the necessary traffic based on your configuration. See{' '}
- Component architecture to view the following
- components.
-
-
-
-
-
-
-
-
-
-
Configuration
-
Host(s)
-
Port/protocol
-
-
-
-
-
- {prodname} networking options
-
-
IP-in-IP (default)
-
Protocol number 4
-
-
-
-
BGP
-
TCP 179
-
-
-
-
VXLAN
-
UDP 4789
-
-
-
-
Wireguard
-
UDP 51820 (default)
-
-
-
-
IPv6 Wireguard
-
UDP 51821 (default)
-
-
-
- Cluster scaling
-
-
Any {prodname} networking option above with Typha agents enabled
- *{' '}
-
- The value passed to kube-apiserver using the --secure-port
- flag. If you cannot locate this, check the targetPort value returned by
- kubectl get svc kubernetes -o yaml.
-
-
- When installed as a Kubernetes daemon set, {prodname} meets this requirement by running as a privileged
- container. This requires that the kubelet be allowed to run privileged containers. There are two ways this
- can be achieved.
-
-
-
- Specify --allow-privileged on the kubelet (deprecated).
-
-
- Use a{' '}
- pod security policy.
-
-
- >
- )}
- >
- );
-}
-
-export default function ReqsSys(props) {
- return (
- <>
-
-
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/UpgradeOperatorSimple.js b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/UpgradeOperatorSimple.js
deleted file mode 100644
index 55e61e56b1..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/UpgradeOperatorSimple.js
+++ /dev/null
@@ -1,265 +0,0 @@
-import React from 'react';
-import {Else, If, Then, When} from 'react-if';
-
-import Admonition from '@theme/Admonition';
-import CodeBlock from '@theme/CodeBlock';
-import Link from '@docusaurus/Link';
-
-import { baseUrl, filesUrl, tmpScriptsURL } from '../../variables';
-
-export default function UpgradeOperatorSimple(props) {
- return (
- <>
-
-
-
-
- Switch the active operator to the one that will be installed to the new namespace. First, download the
- helper script:
-
Download the new manifests for Prometheus operator.
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work
- with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.
-
- curl -L -O {filesUrl}/manifests/tigera-prometheus-operator.yaml
-
-
-
-
- If you previously{' '}
-
- installed using a private registry
-
- , you will need to{' '}
-
- push the new images{' '}
-
- and then{' '}
-
- update the manifest
- {' '}
- downloaded in the previous step.
-
-
-
-
-
Apply the manifest for Tigera Operator.
- kubectl apply --server-side --force-conflicts -f tigera-operator.yaml
-
-
- If you intend to update any operator.tigera.io or projectcalico.org resources to
- utilize new fields available in the update you must make sure you make those changes after applying the{' '}
- tigera-operator.yaml.
-
-
-
-
-
-
If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.
- {' '}
- If pulling images directly from quay.io/tigera, you will likely want to use the credentials
- provided to you by your Tigera support representative. If using a private registry, use your private
- registry credentials instead.
-
- If you are{' '}
-
- installing using a private registry
-
- , you will need to update the manifest downloaded in the previous step. Update the spec.registry, spec.imagePath, and spec.imagePrefix fields of the installation resource with the registry name, image path, and image prefix of your private registry.
-
-
-
-
-
- Apply the Tigera custom resources manifest. For more information on configuration options available in this
- manifest, see the installation reference.
-
- kubectl apply -f custom-resources.yaml
-
-
-
-
-
- Install the Tigera custom resources. For more information on configuration options available in this
- manifest, see the installation reference.
-
- c. If you are currently using v3.2 and are using OIDC with Kibana verify that you have the following
- resources in your cluster:
-
-
- kubectl get authentication tigera-secure{'\n'}
- kubectl get secret tigera-oidc-credentials -n tigera-operator
-
-
- If both of these resources are present, you can continue with the next step. Otherwise, use the
- instructions to{' '}
-
- configure an identity provider
- {' '}
- to configure OIDC.
-
-
- d. Follow{' '}
-
- configure an identity provider
-
- .
-
-
-
-
- If your cluster is a management cluster using v3.1 or older, apply a{' '}
-
- ManagementCluster{' '}
-
- CR to your cluster.
-
-
- {`kubectl apply -f - <
-
-
-
- If your cluster is v3.7 or older, apply a new{' '}
- Monitor
- CR to your cluster.
-
-
- {`kubectl apply -f - <
-
-
-
- If your cluster is v3.16 or older, apply a new{' '}
- PolicyRecommendation
- CR to your cluster.
-
-
- {`kubectl apply -f - <
-
-
-
- If your cluster is v3.19 or older, apply a new{' '}
- PacketCaptureAPI
- CR to your cluster.
-
-
- {`kubectl apply -f - <
-
-
-
You can monitor progress with the following command:
- watch kubectl get tigerastatus
-
- If there are any problems you can use kubectl get tigerastatus -o yaml to get more details.
-
-
-
-
- If your cluster includes egress gateways, follow the{' '}
-
- egress gateway upgrade instructions
-
- .
-
-
- >
-
-
- >
- );
-}
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_calicoctl-version.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_calicoctl-version.mdx
deleted file mode 100644
index 5ae136c92d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_calicoctl-version.mdx
+++ /dev/null
@@ -1,7 +0,0 @@
-| Field | Value |
-| ------------------- | ------------------------------------------------------ |
-| `Client Version` | Version of `calicoctl` |
-| `Build date` | Time and date of `calicoctl` build |
-| `Git commit` | Git commit number of `calicoctl` |
-| `Cluster Version`\* | Version number of `$[nodecontainer]` and $[prodname] |
-| `Cluster Type`\* | Other details about the cluster |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_cli-config-datastore.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_cli-config-datastore.mdx
deleted file mode 100644
index 74400ed2e3..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_cli-config-datastore.mdx
+++ /dev/null
@@ -1,97 +0,0 @@
-## Default configuration
-
-By default, calicoctl will attempt to read from the Kubernetes API using the default kubeconfig located at `$(HOME)/.kube/config`.
-
-If the default kubeconfig does not exist, or you would like to specify alternative API access information, you can do so using the following configuration options.
-
-## Complete list of Kubernetes API connection configuration
-
-| Configuration file option | Environment variable | Description | Schema |
-| ------------------------- | -------------------- | --------------------------------------------------------------------------------------------------------- | ---------------------- |
-| `datastoreType` | `DATASTORE_TYPE` | Indicates the datastore to use. [Default: `kubernetes`] | `kubernetes`, `etcdv3` |
-| `kubeconfig` | `KUBECONFIG` | When using the Kubernetes datastore, the location of a kubeconfig file to use, e.g. /path/to/kube/config. | string |
-| `k8sAPIEndpoint` | `K8S_API_ENDPOINT` | Location of the Kubernetes API. Not required if using kubeconfig. [Default: `https://kubernetes-api:443`] | string |
-| `k8sCertFile` | `K8S_CERT_FILE` | Location of a client certificate for accessing the Kubernetes API, e.g., `/path/to/cert`. | string |
-| `k8sKeyFile` | `K8S_KEY_FILE` | Location of a client key for accessing the Kubernetes API, e.g., `/path/to/key`. | string |
-| `k8sCAFile` | `K8S_CA_FILE` | Location of a CA for accessing the Kubernetes API, e.g., `/path/to/ca`. | string |
-| `k8sToken` | `K8S_TOKEN` | Token to be used for accessing the Kubernetes API. | string |
-
-:::note
-
-The `kubeconfig` file specifies the user whose privileges are used. We recommend
-giving only trusted administrators the permission to modify $[prodname]
-Custom Resource Definitions.
-All environment variables may also be prefixed with `"CALICO_"`, for
-example `"CALICO_DATASTORE_TYPE"` and `"CALICO_KUBECONFIG"` etc. may be used.
-This is useful if the non-prefixed names clash with existing environment
-variables defined on your system.
-
-:::
-
-## Examples
-
-### Kubernetes command line
-
-```bash
-DATASTORE_TYPE=kubernetes KUBECONFIG=~/.kube/config calicoctl get nodes
-```
-
-### Example configuration file
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: CalicoAPIConfig
-metadata:
-spec:
- datastoreType: 'kubernetes'
- kubeconfig: '/path/to/.kube/config'
-```
-
-### Example using environment variables
-
-```bash
-export DATASTORE_TYPE=kubernetes
-export KUBECONFIG=~/.kube/config
-calicoctl get workloadendpoints
-```
-
-And using `CALICO_` prefixed names:
-
-```bash
-export CALICO_DATASTORE_TYPE=kubernetes
-export CALICO_KUBECONFIG=~/.kube/config
-calicoctl get workloadendpoints
-```
-
-With multiple `kubeconfig` files:
-
-```bash
-export DATASTORE_TYPE=kubernetes
-export KUBECONFIG=~/.kube/main:~/.kube/auxy
-calicoctl get --context main workloadendpoints
-calicoctl get --context auxy workloadendpoints
-```
-
-## Checking the configuration
-
-Here is a simple command to check that the installation and configuration is
-correct.
-
-```bash
-calicoctl get nodes
-```
-
-A correct setup will yield a list of the nodes that have registered. If an
-empty list is returned you are either pointed at the wrong datastore or no
-nodes have registered. If an error is returned then attempt to correct the
-issue then try again.
-
-## Next steps
-
-Now you are ready to read and configure most aspects of $[prodname]. You can
-find the full list of commands in the
-[Command Reference](../../reference/clis/calicoctl/overview.mdx).
-
-The full list of resources that can be managed, including a description of each,
-can be found in the
-[Resource Definitions](../../reference/resources/overview.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_create-kubeconfig.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_create-kubeconfig.mdx
deleted file mode 100644
index a22ffb6a45..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_create-kubeconfig.mdx
+++ /dev/null
@@ -1,67 +0,0 @@
-1. Create a service account
-
- ```bash
- SA_NAME=my-host
- kubectl create serviceaccount $SA_NAME -n calico-system -o yaml
- ```
-
-1. Create a secret for the service account
-
- :::note
-
- This step is needed if your Kubernetes cluster is version v1.24 or above. Prior to Kubernetes v1.24, this secret is created automatically.
-
- :::
-
- ```bash
- kubectl apply -f - <
-
- clusters:
- - cluster:
- certificate-authority-data:
- server:
- name:
-
- contexts:
- - context:
- cluster: my-cluster
- user: my-host
- name: my-host
-
- current-context: my-cluster
- ```
-
- Take the cluster information from an already existing kubeconfig.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_default-install.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_default-install.mdx
deleted file mode 100644
index e458061512..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_default-install.mdx
+++ /dev/null
@@ -1,10 +0,0 @@
-| **Initial install** | **You get...** |
-| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Cluster | A working cluster of $[prodname] nodes with verified connectivity. |
-| Networking | Default networking implementation based on your provider and platform. Default IP pool/CIDR range. |
-| Tiered network policy | Tiered network policy components. Existing Kubernetes clusters are put in default tier. $[prodname] components are secured with network policy. |
-| User interface | the $[prodname] web console user interface (with a default of “no access outside the cluster”). |
-| Logs and data | All nodes configured for log data collection using fluentdLog storage for a single node. One instance of Elasticsearch and Kibana. |
-| Threat prevention and detection | Components and dashboards for tracing and blocking suspicious activity. |
-| Compliance reporting | Components and dashboards to assess Kubernetes workloads and environments for regulatory compliance to enforce controls, and generate audit and evidence data. |
-| Scaling | Built-in node scaling using Typha. |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_determine-ipam.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_determine-ipam.mdx
deleted file mode 100644
index f44121d82a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_determine-ipam.mdx
+++ /dev/null
@@ -1,9 +0,0 @@
-If you are not sure which IPAM your cluster is using, the way to tell depends on install method.
-
-The IPAM plugin can be queried on the default Installation resource.
-
-```
-kubectl get installation default -o go-template --template {{.spec.cni.ipam.type}}
-```
-
-If your cluster is using Calico IPAM, the above command should return a result of `Calico`.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_docker-container-service.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_docker-container-service.mdx
deleted file mode 100644
index dd5c3f79e6..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_docker-container-service.mdx
+++ /dev/null
@@ -1,70 +0,0 @@
-import NonClusterReadOnlyStep from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-read-only-step.mdx';
-import EnvironmentFile from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/EnvironmentFile';
-
-This section describes how to run `$[nodecontainer]` as a Docker container.
-
-
-
-### Step 2: Create environment file
-
-
-
-### Step 3: Configure the init system
-
-Use an init daemon (like systemd or upstart) to start the $[nodecontainer] image as a service using the EnvironmentFile values.
-
-Sample systemd service file: `$[noderunning].service`
-
-```shell
-[Unit]
-Description=$[noderunning]
-After=docker.service
-Requires=docker.service
-
-[Service]
-EnvironmentFile=/etc/calico/calico.env
-ExecStartPre=-/usr/bin/docker rm -f $[noderunning]
-ExecStart=/usr/bin/docker run --net=host --privileged \
- --name=$[noderunning] \
- -e NODENAME=${CALICO_NODENAME} \
- -e IP=${CALICO_IP} \
- -e IP6=${CALICO_IP6} \
- -e CALICO_NETWORKING_BACKEND=${CALICO_NETWORKING_BACKEND} \
- -e AS=${CALICO_AS} \
- -e NO_DEFAULT_POOLS=${NO_DEFAULT_POOLS} \
- -e DATASTORE_TYPE=${DATASTORE_TYPE} \
- -e KUBECONFIG=${KUBECONFIG} \
- -v /var/log/calico:/var/log/calico \
- -v /var/lib/calico:/var/lib/calico \
- -v /var/run/calico:/var/run/calico \
- -v /run/docker/plugins:/run/docker/plugins \
- -v /lib/modules:/lib/modules \
- -v /etc/pki:/pki \
- $[registry]$[componentImage.cnxNode] /bin/calico-node -felix
-
-ExecStop=-/usr/bin/docker stop $[noderunning]
-
-Restart=on-failure
-StartLimitBurst=3
-StartLimitInterval=60s
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Upon start, the systemd service:
-
-- Confirms Docker is installed under the `[Unit]` section
-- Gets environment variables from the environment file above
-- Removes existing `$[nodecontainer]` container (if it exists)
-- Starts `$[nodecontainer]`
-
-The script also stops the `$[nodecontainer]` container when the service is stopped.
-
-:::note
-
-Depending on how you've installed Docker, the name of the Docker service
-under the `[Unit]` section may be different (such as `docker-engine.service`).
-Be sure to check this before starting the service.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_domain-names.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_domain-names.mdx
deleted file mode 100644
index 615e7be150..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_domain-names.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
-When a configured domain name has no wildcard (`*`), it matches exactly that domain name. For example:
-
-- `microsoft.com`
-- `tigera.io`
-
-With a single asterisk in any part of the domain name, it matches 1 or more path components at that position. For example:
-
-- `*.google.com` matches `www.google.com` and `www.ipv6.google.com`, but not `google.com`
-- `www.*.com` matches `www.sun.com` and `www.apple.com`, but not `www.com`
-- `update.*.mycompany.com` matches `update.tools.mycompany.com`, `update.secure.suite.mycompany.com`, and so on
-
-**Not** supported are:
-
-- Multiple wildcards in the same domain, for example: `*.*.mycompany.com`
-- Asterisks that are not the entire component, for example: `www.g*.com`
-- A wildcard as the last component, for example: `www.mycompany.*`
-- More general wildcards, such as regular expressions
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ebpf-value.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ebpf-value.mdx
deleted file mode 100644
index fe2072d88f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ebpf-value.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
-The eBPF data plane mode has several advantages over standard Linux networking pipeline mode:
-
-- It scales to higher throughput.
-- It uses less CPU per GBit.
-- It has native support for Kubernetes services (without needing kube-proxy) that:
-
- - Reduces first packet latency for packets to services.
- - Preserves external client source IP addresses all the way to the pod.
- - Supports DSR (Direct Server Return) for more efficient service routing.
- - Uses less CPU than kube-proxy to keep the data plane in sync.
-
-To learn more and see performance metrics from our test environment, see the blog, [Introducing the Calico eBPF data plane](https://www.projectcalico.org/introducing-the-calico-ebpf-dataplane/).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_endpointport.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_endpointport.mdx
deleted file mode 100644
index 05dde33612..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_endpointport.mdx
+++ /dev/null
@@ -1,15 +0,0 @@
-An EndpointPort associates a name with a particular TCP/UDP/SCTP port of the endpoint, allowing it to
-be referenced as a named port in [policy rules](../../reference/resources/networkpolicy.mdx#entityrule).
-
-| Field | Description | Accepted Values | Schema | Default |
-| -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ------ | ------- |
-| name | The name to attach to this port, allowing it to be referred to in [policy rules](../../reference/resources/networkpolicy.mdx#entityrule). Names must be unique within an endpoint. | | string | |
-| protocol | The protocol of this named port. | `TCP`, `UDP`, `SCTP` | string | |
-| port | The workload port number. | `1`-`65535` | int | |
-
-:::note
-
-On their own, EndpointPort entries don't result in any change to the connectivity of the port.
-They only have an effect if they are referred to in policy.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_entityrule.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_entityrule.mdx
deleted file mode 100644
index 70995c5487..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_entityrule.mdx
+++ /dev/null
@@ -1,82 +0,0 @@
-import DomainNames from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_domain-names.mdx';
-
-Entity rules specify the attributes of the source or destination of a packet that must match for the rule as a whole
-to match. Packets can be matched on combinations of:
-
-- Identity of the source/destination, by using [Selectors](#selectors) or by specifying a particular
- Kubernetes `Service`. Selectors can match [workload endpoints](../../reference/resources/workloadendpoint.mdx),
- [host endpoints](../../reference/resources/hostendpoint.mdx) and ([namespaced](../../reference/resources/networkset.mdx) or
- [global](../../reference/resources/globalnetworkset.mdx)) network sets.
-- Source/destination IP address, protocol and port.
-
-If the rule contains multiple match criteria (for example, an IP and a port) then all match criteria must match
-for the rule as a whole to match a packet.
-
-| Field | Description | Accepted Values | Schema | Default |
-| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------- |
-| nets | Match packets with IP in any of the listed CIDRs. | List of valid IPv4 CIDRs or list of valid IPv6 CIDRs (IPv4 and IPv6 CIDRs shouldn't be mixed in one rule) | list of cidrs |
-| notNets | Negative match on CIDRs. Match packets with IP not in any of the listed CIDRs. | List of valid IPv4 CIDRs or list of valid IPv6 CIDRs (IPv4 and IPv6 CIDRs shouldn't be mixed in one rule) | list of cidrs |
-| selector | Positive match on selected endpoints. If a `namespaceSelector` is also defined, the set of endpoints this applies to is limited to the endpoints in the selected namespaces. | Valid selector | [selector](#selector) | |
-| notSelector | Negative match on selected endpoints. If a `namespaceSelector` is also defined, the set of endpoints this applies to is limited to the endpoints in the selected namespaces. | Valid selector | [selector](#selector) | |
-| namespaceSelector | Positive match on selected namespaces. If specified, only workload endpoints in the selected Kubernetes namespaces are matched. Matches namespaces based on the labels that have been applied to the namespaces. Defines the scope that selectors will apply to, if not defined then selectors apply to the NetworkPolicy's namespace. Match a specific namespace by name using the `projectcalico.org/name` label. Select the non-namespaced resources like GlobalNetworkSet(s), host endpoints to which this policy applies by using `global()` selector. | Valid selector | [selector](#selector) | |
-| ports | Positive match on the specified ports | | list of [ports](#ports) | |
-| domains | Positive match on [domain names](#exact-and-wildcard-domain-names). | List of [exact or wildcard domain names](#exact-and-wildcard-domain-names) | list of strings |
-| notPorts | Negative match on the specified ports | | list of [ports](#ports) | |
-| serviceAccounts | Match endpoints running under service accounts. If a `namespaceSelector` is also defined, the set of service accounts this applies to is limited to the service accounts in the selected namespaces. | | [ServiceAccountMatch](#serviceaccountmatch) | |
-| services | Match the specified service(s). If specified on egress rule destinations, no other selection criteria can be set. If specified on ingress rule sources, only positive or negative matches on ports can be specified. | | [ServiceMatch](#servicematch) | |
-
-:::note
-
-You cannot mix IPv4 and IPv6 CIDRs in a single rule using `nets` or `notNets`. If you need to match both, create 2 rules.
-
-:::
-
-#### Selector performance in EntityRules
-
-When rendering policy into the data plane, $[prodname] must identify the endpoints that match the selectors
-in all active rules. This calculation is optimized for certain common selector types.
-Using the optimized selector types reduces CPU usage (and policy rendering time) by orders of magnitude.
-This becomes important at high scale (hundreds of active rules, hundreds of thousands of endpoints).
-
-The optimized operators are as follows:
-
-- `label == "value"`
-- `label in { 'v1', 'v2' }`
-- `has(label)`
-- ` && ` is optimized if **either** `` or `` is
- optimized.
-
-The following perform like `has(label)`. All endpoints with the label will be scanned to find matches:
-
-- `label contains 's'`
-- `label starts with 's'`
-- `label ends with 's'`
-
-The other operators, and in particular, `all()`, `!`, `||` and `!=` are not optimized.
-
-Examples:
-
-- `a == 'b'` - optimized
-- `a == 'b' && has(c)` - optimized
-- `a == 'b' || has(c)` - **not** optimized due to use of `||`
-- `c != 'd'` - **not** optimized due to use of `!=`
-- `!has(a)` - **not** optimized due to use of `!`
-- `a == 'b' && c != 'd'` - optimized, `a =='b'` is optimized so `a == 'b' && ` is optimized.
-- `c != 'd' && a == 'b'` - optimized, `a =='b'` is optimized so ` && a == 'b'` is optimized.
-
-### Exact and wildcard domain names
-
-The `domains` field is only valid for egress Allow rules. It restricts the
-rule to apply only to traffic to one of the specified domains. If this field is specified, the
-parent [Rule](#rule)'s `action` must be `Allow`, and `nets` and `selector` must both be left empty.
-
-
-
-:::note
-
-$[prodname] implements policy for domain names by learning the
-corresponding IPs from DNS, then programming rules to allow those IPs. This means that
-if multiple domain names A, B and C all map to the same IP, and there is domain-based
-policy to allow A, traffic to B and C will be allowed as well.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_httpmatch.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_httpmatch.mdx
deleted file mode 100644
index 4420e829e1..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_httpmatch.mdx
+++ /dev/null
@@ -1,45 +0,0 @@
-An HTTPMatch matches attributes of an HTTP request. The presence of an HTTPMatch clause on a Rule will cause that rule to only match HTTP traffic. Other application layer protocols will not match the rule.
-
-Example:
-
-```yaml
-http:
- methods: ['GET', 'PUT']
- paths:
- - exact: '/projects/calico'
- - prefix: '/users'
- headers:
- - header: 'x-forwarded-for'
- operator: 'HasPrefix'
- values: ['192.168.0.1', '192.168.0.254']
-```
-
-| Field | Description | Schema |
-| ------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
-| methods | Match HTTP methods. Case sensitive. [Standard HTTP method descriptions.](https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) | list of strings |
-| paths | Match HTTP paths. Case sensitive. | list of [HTTPPathMatch](#httppathmatch) |
-| headers | Match HTTP headers. | list of [HTTPHeaderMatch](#httpheadermatch) |
-
-### HTTPPathMatch
-
-| Syntax | Example | Description |
-| ------ | ------------------- | ------------------------------------------------------------------------------- |
-| exact | `exact: "/foo/bar"` | Matches the exact path as written, not including the query string or fragments. |
-| prefix | `prefix: "/keys"` | Matches any path that begins with the given prefix. |
-
-### HTTPHeaderMatch
-
-| Syntax | Example | Description |
-| -------- | ---------------------------------- | ------------------------------------------------------------------------------------------ |
-| header | `x-forwarded-for` | Name of a HTTP header. Header names are case insensitive, please use lowercase characters. |
-| operator | `In` | Operator name to apply to the HTTP header value. Case sensitive. |
-| values | `['192.168.0.1', '192.168.0.254']` | Values that the operator will test the HTTP header value against. Case sensitive. |
-
-The following operators are allowed:
-- `Exists`: matches the HTTP request header if the specified header exists. `values` are ignored.
-- `DoesNotExist`: matches the HTTP request header if the specified header does not exist. `values` are ignored.
-- `HasPrefix`: matches the HTTP request header if the specified header has a prefix from any the values provided.
-- `HasSuffix`: matches the HTTP request header if the specified header has a suffix from any the values provided.
-- `In`: matches the HTTP request header if its value is in the set of values provided.
-- `NotIn`: matches the HTTP request header if its value is not in the set of values provided.
-- `MatchesRegex`: matches the HTTP request header if its value matches any of the regular expressions in values field.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_icmp.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_icmp.mdx
deleted file mode 100644
index 1adb456472..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_icmp.mdx
+++ /dev/null
@@ -1,4 +0,0 @@
-| Field | Description | Accepted Values | Schema | Default |
-| ----- | ------------------- | -------------------- | ------- | ------- |
-| type | Match on ICMP type. | Can be integer 0-254 | integer |
-| code | Match on ICMP code. | Can be integer 0-255 | integer |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ipnat.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ipnat.mdx
deleted file mode 100644
index 9cfa2fb904..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ipnat.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
-IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.
-
-| Field | Description | Accepted Values | Schema | Default |
-| ---------- | ------------------------------------------- | ------------------ | ------ | ------- |
-| internalIP | The internal IP address of the NAT mapping. | A valid IP address | string | |
-| externalIP | The external IP address. | A valid IP address | string | |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_license.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_license.mdx
deleted file mode 100644
index 87186566b4..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_license.mdx
+++ /dev/null
@@ -1,30 +0,0 @@
-### How long does it take to get a new $[prodname] license?
-
-After you submit a sales purchase order to Tigera, 1-2 days.
-
-### Is there a grace period?
-
-Yes, there is a grace period of 30 days (as of April 2022).
-
-### Does the web console display license expiration?
-
-Yes. The license indicator in the web console (top right banner) turns red when the license expires.
-
-
-
-### What happens when a license expires or is invalid?
-
-:::caution
-
-$[prodname] stops reporting flow logs, DNS logs, and $[prodname] metrics, which affects other UI elements like Service Graph and dashboards. Although some elements in the UI may appear to work, actions are not saved. We recommend that you proactively manage your license to avoid disruption.
-
-:::
-
-### Do licenses cover free upgrades in $[prodname]?
-
-Yes.
-
-### How do I get information about my license? Monitor the expiration date?
-
-- [Prometheus!](../../operations/monitor/metrics/license-agent.mdx).
-- Use `kubectl` to get [license key information](../../reference/resources/licensekey.mdx#viewing-information-about-your-license-key)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-binary-install.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-binary-install.mdx
deleted file mode 100644
index 184ebf5db4..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-binary-install.mdx
+++ /dev/null
@@ -1,149 +0,0 @@
-import NonClusterReadOnlyStep from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-read-only-step.mdx';
-import EnvironmentFile from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/EnvironmentFile';
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-
-
-### Step 2: Download and extract the binary
-
-This step requires Docker, but it can be run from any machine with Docker installed. It doesn't have to be the host you will run it on (i.e your laptop is fine).
-
-1. Use the following command to download the $[nodecontainer] image.
-
- ```bash
- docker pull $[registry]$[componentImage.cnxNode]
- ```
-
-1. Confirm that the image has loaded by typing `docker images`.
-
- ```
- REPOSITORY TAG IMAGE ID CREATED SIZE
- $[registry]$[releases.0.components.cnx-node.image] $[releases.0.components.cnx-node.version] e07d59b0eb8a 2 minutes ago 42MB
- ```
-
-1. Create a temporary $[nodecontainer] container.
-
- ```bash
- docker create --name container $[registry]$[componentImage.cnxNode]
- ```
-
-1. Copy the calico-node binary from the container to the local file system.
-
- ```bash
- docker cp container:/bin/calico-node $[nodecontainer]
- ```
-
-1. Delete the temporary container.
-
- ```bash
- docker rm container
- ```
-
-1. Set the extracted binary file to be executable.
-
- ```bash
- chmod +x $[nodecontainer]
- chown root:root $[nodecontainer]
- ```
-
-### Step 3: Copy the `calico-node` binary
-
-Copy the binary from Step 2 to the target machine, using any means (`scp`, `ftp`, USB stick, etc.).
-
-### Step 4: Create environment file
-
-
-
-### Step 5: Start Felix
-
-There are a few ways to start Felix: create a startup script, or manually configure Felix.
-
-
-
-
-Felix should be started at boot by your init system and the init system
-**must** be configured to restart Felix if it stops. Felix relies on
-that behavior for certain configuration changes.
-
-If your distribution uses systemd, then you could use the following unit file:
-
-```bash
-[Unit]
-Description=Calico Felix agent
-After=syslog.target network.target
-
-[Service]
-User=root
-EnvironmentFile=/etc/calico/calico.env
-ExecStartPre=/usr/bin/mkdir -p /var/run/calico
-ExecStart=/usr/local/bin/$[nodecontainer] -felix
-KillMode=process
-Restart=on-failure
-LimitNOFILE=32000
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Or, for upstart:
-
-```bash
-description "Felix (Calico agent)"
-author "Project Calico Maintainers "
-
-start on stopped rc RUNLEVEL=[2345]
-stop on runlevel [!2345]
-
-limit nofile 32000 32000
-
-respawn
-respawn limit 5 10
-
-chdir /var/run
-
-pre-start script
- mkdir -p /var/run/calico
- chown root:root /var/run/calico
-end script
-
-exec /usr/local/bin/$[nodecontainer] -felix
-```
-
-**Start Felix**
-
-After you've configured Felix, start it via your init system.
-
-```bash
-service calico-felix start
-```
-
-
-
-
-Configure Felix by creating a file at `/kubernetes/calico/felix.cfg`.
-See [Felix configuration](../../reference/component-resources/node/felix/configuration.mdx) for help with environment variables.
-
-:::note
-
-Felix tries to detect whether IPv6 is available on your platform but
-the detection can fail on older (or more unusual) systems. If Felix
-exits soon after startup with `ipset` or `iptables` errors try
-setting the `Ipv6Support` setting to `false`.
-
-:::
-
-Next, configure Felix to interact with a Kubernetes datastore. You
-must set the `DatastoreType` setting to `kubernetes`. You must also set the environment variable `CALICO_KUBECONFIG`
-to point to a valid kubeconfig for your kubernetes cluster and `CALICO_NETWORKING_BACKEND` to `none`.
-
-:::note
-
-For the Kubernetes datastore, Felix works in policy-only mode. Even though pod networking is
-disabled on the baremetal host Felix is running on, policy can still be used to secure the host.
-
-:::
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-read-only-step.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-read-only-step.mdx
deleted file mode 100644
index a4382b71b5..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_non-cluster-read-only-step.mdx
+++ /dev/null
@@ -1,21 +0,0 @@
-import CreateKubeconfig from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_create-kubeconfig.mdx';
-
-### Step 1: (Optional) Configure access for the non-cluster-host
-
-To run Calico Node as a container, it will need a kubeconfig. You can skip this step if you already have a kubeconfig ready to use.
-
-
-
-Run the following two commands to create a cluster role with read-only access and a corresponding cluster role binding.
-
-```bash
-kubectl apply -f $[filesUrl]/manifests/non-cluster-host-clusterrole.yaml
-kubectl create clusterrolebinding $SA_NAME --serviceaccount=calico-system:$SA_NAME --clusterrole=non-cluster-host-read-only
-```
-
-:::note
-
-We include examples for systemd, but the commands can be
-applied to other init daemons such as upstart.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_persistent-storage-terms.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_persistent-storage-terms.mdx
deleted file mode 100644
index 5f0038ef6d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_persistent-storage-terms.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
-### Persistent volume
-
-Used by pods to persist storage within the cluster. Combined with **persistent volume claims**, pods can persist data across restarts and rescheduling.
-
-### Persistent volume claim
-
-Used by pods to request and mount storage volumes. The claim specifies the volume requirements for the request: size, access rights, and storage class.
-
-### Dynamic provisioner
-
-Provisions types of persistent volumes on demand. Although most managed public-cloud clusters provide a dynamic provisioner using cloud-specific storage APIs (for example, Amazon EBS or Google persistent disks), not all clusters have a dynamic provisioner.
-
-When a pod makes a persistent volume claim from a storage class that uses a dynamic provisioner, the volume is automatically created. If the storage class does not use a dynamic provisioner (for example the local storage class), the volumes must be created in advance. For help, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/).
-
-### Storage class
-
-The storage provided by the cluster. Storage classes can be used with dynamic provisioners to automatically provision persistent volumes on demand, or with manually-provisioned persistent volumes. Different storage classes provide different service levels.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ports.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ports.mdx
deleted file mode 100644
index 4517f59290..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_ports.mdx
+++ /dev/null
@@ -1,33 +0,0 @@
-$[prodname] supports the following syntaxes for expressing ports.
-
-| Syntax | Example | Description |
-| --------- | ---------- | ------------------------------------------------------------------- |
-| int | 80 | The exact (numeric) port specified |
-| start:end | 6040:6050 | All (numeric) ports within the range start ≤ x ≤ end |
-| string | named-port | A named port, as defined in the ports list of one or more endpoints |
-
-An individual numeric port may be specified as a YAML/JSON integer. A port range or
-named port must be represented as a string. For example, this would be a valid list of ports:
-
-```yaml
-ports: [8080, '1234:5678', 'named-port']
-```
-
-#### Named ports
-
-Using a named port in an `EntityRule`, instead of a numeric port, gives a layer of indirection,
-allowing for the named port to map to different numeric values for each endpoint.
-
-For example, suppose you have multiple HTTP servers running as workloads; some exposing their HTTP
-port on port 80 and others on port 8080. In each workload, you could create a named port called
-`http-port` that maps to the correct local port. Then, in a rule, you could refer to the name
-`http-port` instead of writing a different rule for each type of server.
-
-:::note
-
-Since each named port may refer to many endpoints (and $[prodname] has to expand a named port into
-a set of endpoint/port combinations), using a named port is considerably more expensive in terms
-of CPU than using a simple numeric port. We recommend that they are used sparingly, only where
-the extra indirection is required.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_rule.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_rule.mdx
deleted file mode 100644
index bf7042888f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_rule.mdx
+++ /dev/null
@@ -1,46 +0,0 @@
-A single rule matches a set of packets and applies some action to them. When multiple rules are specified, they
-are executed in order.
-
-| Field | Description | Accepted Values | Schema | Default |
-| ----------- | ------------------------------------------ | ------------------------------------------------------------ | ----------------------------- | ------- |
-| metadata | Per-rule metadata. | | [RuleMetadata](#rulemetadata) | |
-| action | Action to perform when matching this rule. | `Allow`, `Deny`, `Log`, `Pass` | string | |
-| protocol | Positive protocol match. | `TCP`, `UDP`, `ICMP`, `ICMPv6`, `SCTP`, `UDPLite`, `1`-`255` | string \| integer | |
-| notProtocol | Negative protocol match. | `TCP`, `UDP`, `ICMP`, `ICMPv6`, `SCTP`, `UDPLite`, `1`-`255` | string \| integer | |
-| icmp | ICMP match criteria. | | [ICMP](#icmp) | |
-| notICMP | Negative match on ICMP. | | [ICMP](#icmp) | |
-| ipVersion | Positive IP version match. | `4`, `6` | integer | |
-| source | Source match parameters. | | [EntityRule](#entityrule) | |
-| destination | Destination match parameters. | | [EntityRule](#entityrule) | |
-| http | Match HTTP request parameters. Application layer policy must be enabled to use this field.| | [HTTPMatch](#httpmatch) | |
-
-After a `Log` action, processing continues with the next rule; `Allow` and `Deny` are immediate
-and final and no further rules are processed.
-
-An `action` of `Pass` in a `NetworkPolicy` or `GlobalNetworkPolicy` will skip over the remaining policies and jump to the
-first [profile](../../reference/resources/profile.mdx) assigned to the endpoint, applying the policy configured in the
-profile; if there are no Profiles configured for the endpoint the default applied action is `Deny`.
-
-### RuleMetadata
-
-Metadata associated with a specific rule (rather than the policy as a whole). The contents of the metadata does not affect how a rule is interpreted or enforced; it is
-simply a way to store additional information for use by operators or applications that interact with $[prodname].
-
-| Field | Description | Schema | Default |
-| ----------- | ----------------------------------- | ----------------------- | ------- |
-| annotations | Arbitrary non-identifying metadata. | map of string to string | |
-
-Example:
-
-```yaml
-metadata:
- annotations:
- app: database
- owner: devops
-```
-
-Annotations follow the
-[same rules as Kubernetes for valid syntax and character set](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set).
-
-On Linux with the iptables data plane, rule annotations are rendered as comments in the form `-m comment --comment "="` on the iptables rule(s) that correspond
-to the $[prodname] rule.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_selector-scopes.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_selector-scopes.mdx
deleted file mode 100644
index 9d9fbc8c54..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_selector-scopes.mdx
+++ /dev/null
@@ -1,20 +0,0 @@
-Understanding scopes and the `all()` and `global()` operators: selectors have a scope of resources
-that they are matched against, which depends on the context in which they are used. For example:
-
-- The `nodeSelector` in an `IPPool` selects over `Node` resources.
-
-- The top-level selector in a `NetworkPolicy` selects over the workloads _in the same namespace_ as the
- `NetworkPolicy`.
-- The top-level selector in a `GlobalNetworkPolicy` doesn't have the same restriction, it selects over all endpoints
- including namespaced `WorkloadEndpoint`s and non-namespaced `HostEndpoint`s.
-
-- The `namespaceSelector` in a `NetworkPolicy` (or `GlobalNetworkPolicy`) _rule_ selects over the labels on namespaces
- rather than workloads.
-
-- The `namespaceSelector` determines the scope of the accompanying `selector` in the entity rule. If no `namespaceSelector`
- is present then the rule's `selector` matches the default scope for that type of policy. (This is the same namespace
- for `NetworkPolicy` and all endpoints/network sets for `GlobalNetworkPolicy`)
-- The `global()` operator can be used (only) in a `namespaceSelector` to change the scope of the main `selector` to
- include non-namespaced resources such as [GlobalNetworkSet](../../reference/resources/globalnetworkset.mdx).
- This allows namespaced `NetworkPolicy` resources to refer to global non-namespaced resources, which would otherwise
- be impossible.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_selectors.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_selectors.mdx
deleted file mode 100644
index 52baf960ae..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_selectors.mdx
+++ /dev/null
@@ -1,50 +0,0 @@
-A label selector is an expression which either matches or does not match a resource based on its labels.
-
-$[prodname] label selectors support a number of operators, which can be combined into larger expressions
-using the boolean operators and parentheses.
-
-| Expression | Meaning |
-| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| **Logical operators** |
-| `( )` | Matches if and only if `` matches. (Parentheses are used for grouping expressions.) |
-| `! ` | Matches if and only if `` does not match. **Tip:** `!` is a special character at the start of a YAML string, if you need to use `!` at the start of a YAML string, enclose the string in quotes. |
-| ` && ` | "And": matches if and only if both ``, and, `` matches |
-| \ || \ | "Or": matches if and only if either ``, or, `` matches. |
-| **Match operators** |
-| `all()` | Match all in-scope resources. To match _no_ resources, combine this operator with `!` to form `!all()`. |
-| `global()` | Match all non-namespaced resources. Useful in a `namespaceSelector` to select global resources such as global network sets. |
-| `k == 'v'` | Matches resources with the label 'k' and value 'v'. |
-| `k != 'v'` | Matches resources without label 'k' or with label 'k' and value _not_ equal to `v` |
-| `has(k)` | Matches resources with label 'k', independent of value. To match pods that do not have label `k`, combine this operator with `!` to form `!has(k)` |
-| `k in { 'v1', 'v2' }` | Matches resources with label 'k' and value in the given set |
-| `k not in { 'v1', 'v2' }` | Matches resources without label 'k' or with label 'k' and value _not_ in the given set |
-| `k contains 's'` | Matches resources with label 'k' and value containing the substring 's' |
-| `k starts with 's'` | Matches resources with label 'k' and value starting with the substring 's' |
-| `k ends with 's'` | Matches resources with label 'k' and value ending with the substring 's' |
-
-Operators have the following precedence:
-
-- **Highest**: all the match operators
-- Parentheses `( ... )`
-- Negation with `!`
-- Conjunction with `&&`
-- **Lowest**: Disjunction with `||`
-
-For example, the expression
-
-```
-! has(my-label) || my-label starts with 'prod' && role in {'frontend','business'}
-```
-
-Would be "bracketed" like this:
-
-```
-((!(has(my-label)) || ((my-label starts with 'prod') && (role in {'frontend','business'}))
-```
-
-It would match:
-
-- Any resource that did not have label "my-label".
-- Any resource that both:
- - Has a value for `my-label` that starts with "prod", and,
- - Has a role label with value either "frontend", or "business".
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_serviceaccountmatch.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_serviceaccountmatch.mdx
deleted file mode 100644
index c3aff9c184..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_serviceaccountmatch.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
-A ServiceAccountMatch matches service accounts in an EntityRule.
-
-| Field | Description | Schema |
-| -------- | ------------------------------- | --------------------- |
-| names | Match service accounts by name | list of strings |
-| selector | Match service accounts by label | [selector](#selector) |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_servicematch.mdx b/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_servicematch.mdx
deleted file mode 100644
index 2d47fed02c..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_servicematch.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
-A ServiceMatch matches a service in an EntityRule.
-
-| Field | Description | Schema |
-| --------- | ------------------------ | ------ |
-| name | The service's name. | string |
-| namespace | The service's namespace. | string |
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/about/calico-product-editions.mdx b/calico-enterprise_versioned_docs/version-3.23-1/about/calico-product-editions.mdx
deleted file mode 100644
index 4808160a01..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/about/calico-product-editions.mdx
+++ /dev/null
@@ -1,133 +0,0 @@
----
-description: Side-by-side comparison of Calico Enterprise against Calico Open Source and Calico Cloud across management, networking, security, and observability features.
----
-
-import { CheckIcon } from '@chakra-ui/icons';
-import { CalicoProducts } from '/src/___new___/components';
-
-# Calico product editions
-
-
-
-## Which product edition is right for me?
-
-| My needs | Calico product edition |
-| ----- | ----- |
-| I want open source, best-in-class networking, network security, and observability capabilities that can work across any Kubernetes distribution, for free. | Calico Open Source [Get Started](/calico/latest/getting-started) |
-| I’m a Calico Open Source user who wants to leverage some of the improved observability and policy management capabilities that are available in Calico Cloud, for free. | Calico Cloud Free Tier [Sign up](https://auth.calicocloud.io/u/signup/identifier?state=hKFo2SBoMWV0M1RBUDlvWU83V2pGOS1ybVpCdmJGcDJRXzRSdaFur3VuaXZlcnNhbC1sb2dpbqN0aWTZIEJMclZBR2NmZzFacHRMclRIOFBzVEdNdVozOFlOSkpio2NpZNkgcTZ4MVM2dHdxZ0pHOVZLSEQzRGR0S0tEQTB2MlNuYkU) |
-| My organization wants a **fully managed SaaS** platform for network security and observability. | Calico Cloud [Get Started](/calico-cloud/get-started) |
-| My organization wants a **self-managed platform** for network security and observability. | Calico Enterprise [Get Started](../getting-started/index.mdx) |
-
-## Feature comparison matrix
-
-| | Calico Open Source | Calico Cloud Free Tier\* | Calico Cloud | Calico Enterprise |
-| ----- | :-----: | :-----: | :-----: | :-----: |
-| **Management and Support** | | | | |
-| Mutli-cluster security controls management | | | | |
-| Data retention | In-memory | 24 hours | 7 days | Unlimited |
-| Number of clusters | Unlimited | One | Unlimited | Unlimited |
-| Number of users | N/A | One | Unlimited | Unlimited |
-| Support and maintenance | Community-driven | Community-driven | Standard/Business | Standard/Business |
-| **Networking** | | | | |
-| High performance, scalable pod networking | | | | |
-| Advanced IP address management | | | | |
-| Direct infrastructure peering without the overlay | | | | |
-| eBPF data plane | | | | |
-| Windows data plane | | | | |
-| nftables data plane | | | | |
-| iptables data plane | | | | |
-| VPP data plane | | | | |
-| Multiple Calico networks on a pod | | | | |
-| Dual ToR peering | | | | |
-| Ingress gateway | | | | |
-| Egress gateway | | | | |
-| Cluster mesh | | | | |
-| **Network Security** | | | | |
-| Seamless support for Kubernetes network policy | | | | |
-| Label-based policies for K8s and non-K8s workloads | | | | |
-| Namespace and cluster-wide scope | | | | |
-| Global default deny policy design | | | | |
-| Application layer policy | | | | |
-| Policy for services | | | | |
-| Policy board | | View only | | |
-| DNS/FQDN-based policy | | | | |
-| Hierarchical tiered network policy | | | | |
-| Policy recommendations | | Manual workflow | | |
-| Staged network policy | | | | |
-| Preview staged policies | | | | |
-| Network sets to limit IP ranges for egress and ingress traffic to workloads | | | | |
-| Data-in-transit encryption | | | | |
-| Universal firewall integration | | | | |
-| Workload-based IDS/IPS | | | | |
-| Deep packet inspection | | | | |
-| DDoS protection | | | | |
-| Workload-centric WAF | | | | |
-| Compliance reporting and alerts | | | | |
-| SIEM integrations | | | | |
-| **Network Security for VMs and Bare Metal** | | | | |
-| Restrict traffic to/from hosts and VMs using network policy | | | | |
-| Automatic host endpoints | | | | |
-| Apply policy to host-forwarded traffic | | | | |
-| **Observability** | | | | |
-| Flow logs API | | | | |
-| Calico Whisker web console | | | | |
-| Dynamic service and threat graph | | | | |
-| Application level observability | | | | |
-| Dynamic packet capture | | | | |
-| Flow visualizer | | | | |
-| Logs (flow) | | | | |
-| Logs (http traffic, audit, bgp, dns, events) | | | | |
-| Dashboards | | \*\* | | |
-| Alerts | | | | |
-
-\* Calico Cloud Free Tier requires a cluster with Calico Open Source 3.30 or higher.
-
-\*\* Calico Cloud Free Tier includes some of the dashboards that are available in Calico Cloud and Calico Enterprise.
-
-## How to get started with Calico
-
-Calico powers 100M+ containers across 8M+ nodes in 166 countries, and is supported across all major cloud providers and Kubernetes distributions.
-
-### Ready to get started?
-
-Start a free trial or request a demo to see Calico in action.
-
-* [Sign up for a Calico Cloud Free Tier account](https://www.calicocloud.io/?code=free)
-* [Schedule a 30-minute demo with our experts](https://www.tigera.io/demo/)
-
-### Installation guides
-
-* [Install Calico Open Source](../getting-started/index.mdx)
-* [Install Calico Cloud Free Tier](/calico-cloud/free/connect-cluster-free)
-* [Install Calico Cloud](/calico-cloud/get-started/install-cluster)
-* [Install Calico Enterprise](/calico-enterprise/latest/getting-started/)
-
-## How to engage
-
-### Learning resources
-
-* [Blog](https://www.tigera.io/blog/)
-* [Certifications](https://www.tigera.io/lp/calico-certification/) (self-paced)
-* [Product tutorials](https://www.tigera.io/tutorials/) (self-paced)
-* [Learn guides](https://www.tigera.io/learn/guides/kubernetes-networking/)
-* [Webinars and workshops](https://www.tigera.io/events/) (live and on demand)
-* [Resources](https://www.tigera.io/resources/)
-
-### Get involved
-
-* [Calico Open Source Community](https://www.tigera.io/project-calico/community/)
-* GitHub
- * [Project Calico](https://github.com/projectcalico/calico)
- * [Tigera](https://github.com/tigera)
-
-### Get in touch
-
-* [Slack](https://calicousers.slack.com/) (Calico Open Source users)
-* [YouTube](https://www.youtube.com/channel/UCFpTnXDNcBoXI4gqCDmegFA) (@ProjectCalico)
-* LinkedIn
- * [Tigera](https://www.linkedin.com/company/tigera/)
- * [Project Calico](https://www.linkedin.com/company/project-calico/)
-* X
- * [Tigera](https://x.com/tigeraio)
- * [Project Calico](https://x.com/projectcalico)
-* [Contact us](https://www.tigera.io/contact/)
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/about/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/about/index.mdx
deleted file mode 100644
index 414d02dc93..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/about/index.mdx
+++ /dev/null
@@ -1,261 +0,0 @@
----
-description: Overview of Calico Enterprise, the self-managed, Tigera-supported distribution for Kubernetes networking, security, and observability in production clusters.
----
-
-import { DocCardLink, DocCardLinkLayout, PaidProductDocCardLink } from '/src/___new___/components';
-import { CheckIcon } from '@chakra-ui/icons';
-import { CalicoProducts } from '/src/___new___/components';
-
-# About Calico
-
-## What is Calico?
-
-Calico is a single platform for networking, network security, and observability for any Kubernetes distribution in the cloud, on-premises, or at the edge.
-Whether you're just starting with Kubernetes or operating at scale, Calico's open source, enterprise, and cloud editions provide the networking, security, and observability you need.
-
-The key advantages of Calico are:
-
-* A single platform to address all networking, network security, and observability needs for Kubernetes environments
-* Consistent networking and network security controls for any Kubernetes distribution, ensuring workload portability
-* Ability to scale networking and network security to multi-cluster applications, VMs, and bare metal servers without additional software
-
-The Calico portfolio of products includes Calico Open Source, Calico Enterprise (self-managed), and Calico Cloud (fully-managed SaaS).
-Calico Cloud Free Tier is a free version of Calico Cloud that focuses on observability and policy management for a single cluster.
-All of this is built on Calico Open Source, the most widely used container networking and security solution.
-
-## Calico overview
-
-### Networking
-
-
-
-
-
-
- {/* We don't have a good docs page for this one.
- */}
-
-
-### Network security
-
-
-
-
-
-
-
-
-
-### Threat detection, observability, and incident response
-
-
-
-
-
-
-
-
-### CI/CD automation and tools
-
-
- {/**/}
-
-
-
-
-
-
-## Calico product editions
-
-
-
-## Which product edition is right for me?
-
-| My needs | Calico product edition |
-| ----- | ----- |
-| I want open source, best-in-class networking, network security, and observability capabilities that can work across any Kubernetes distribution, for free. | Calico Open Source [Get Started](../getting-started/index.mdx) |
-| I’m a Calico Open Source user who wants to leverage some of the improved observability and policy management capabilities that are available in Calico Cloud, for free. | Calico Cloud Free Tier [Sign up](https://auth.calicocloud.io/u/signup/identifier?state=hKFo2SBoMWV0M1RBUDlvWU83V2pGOS1ybVpCdmJGcDJRXzRSdaFur3VuaXZlcnNhbC1sb2dpbqN0aWTZIEJMclZBR2NmZzFacHRMclRIOFBzVEdNdVozOFlOSkpio2NpZNkgcTZ4MVM2dHdxZ0pHOVZLSEQzRGR0S0tEQTB2MlNuYkU) |
-| My organization wants a **fully managed SaaS** platform for network security and observability. | Calico Cloud [Get Started](/calico-cloud/get-started) |
-| My organization wants a **self-managed platform** for network security and observability. | Calico Enterprise [Get Started](/calico-enterprise/latest/getting-started/) |
-
-## Feature comparison matrix
-
-| | Calico Open Source | Calico Cloud Free Tier\* | Calico Cloud | Calico Enterprise |
-| ----- | :-----: | :-----: | :-----: | :-----: |
-| **Management and Support** | | | | |
-| Mutli-cluster security controls management | | | | |
-| Data retention | In-memory | 24 hours | 7 days | Unlimited |
-| Number of clusters | Unlimited | One | Unlimited | Unlimited |
-| Number of users | N/A | One | Unlimited | Unlimited |
-| Support and maintenance | Community-driven | Community-driven | Standard/Business | Standard/Business |
-| **Networking** | | | | |
-| High performance, scalable pod networking | | | | |
-| Advanced IP address management | | | | |
-| Direct infrastructure peering without the overlay | | | | |
-| eBPF data plane | | | | |
-| Windows data plane | | | | |
-| nftables data plane | | | | |
-| iptables data plane | | | | |
-| VPP data plane | | | | |
-| Multiple Calico networks on a pod | | | | |
-| Dual ToR peering | | | | |
-| Ingress gateway | | | | |
-| Egress gateway | | | | |
-| Cluster mesh | | | | |
-| **Network Security** | | | | |
-| Seamless support for Kubernetes network policy | | | | |
-| Label-based policies for K8s and non-K8s workloads | | | | |
-| Namespace and cluster-wide scope | | | | |
-| Global default deny policy design | | | | |
-| Application layer policy | | | | |
-| Policy for services | | | | |
-| Policy board | | View only | | |
-| DNS/FQDN-based policy | | | | |
-| Hierarchical tiered network policy | | | | |
-| Policy recommendations | | Manual workflow | | |
-| Staged network policy | | | | |
-| Preview staged policies | | | | |
-| Network sets to limit IP ranges for egress and ingress traffic to workloads | | | | |
-| Data-in-transit encryption | | | | |
-| Universal firewall integration | | | | |
-| Workload-based IDS/IPS | | | | |
-| Deep packet inspection | | | | |
-| DDoS protection | | | | |
-| Workload-centric WAF | | | | |
-| Compliance reporting and alerts | | | | |
-| SIEM integrations | | | | |
-| **Network Security for VMs and Bare Metal** | | | | |
-| Restrict traffic to/from hosts and VMs using network policy | | | | |
-| Automatic host endpoints | | | | |
-| Apply policy to host-forwarded traffic | | | | |
-| **Observability** | | | | |
-| Flow logs API | | | | |
-| Calico Whisker web console | | | | |
-| Dynamic service and threat graph | | | | |
-| Application level observability | | | | |
-| Dynamic packet capture | | | | |
-| Flow visualizer | | | | |
-| Logs (flow) | | | | |
-| Logs (http traffic, audit, bgp, dns, events) | | | | |
-| Dashboards | | \*\* | | |
-| Alerts | | | | |
-
-\* Calico Cloud Free Tier requires a cluster with Calico Open Source 3.30 or higher.
-
-\*\* Calico Cloud Free Tier includes some of the dashboards that are available in Calico Cloud and Calico Enterprise.
-
-## How to get started with Calico
-
-Calico powers 100M+ containers across 8M+ nodes in 166 countries, and is supported across all major cloud providers and Kubernetes distributions.
-
-### Ready to get started?
-
-Start a free trial or request a demo to see Calico in action.
-
-* [Sign up for a Calico Cloud Free Tier account](https://www.calicocloud.io/?code=free)
-* [Schedule a 30-minute demo with our experts](https://www.tigera.io/demo/)
-
-### Installation guides
-
-* [Install Calico Open Source](../getting-started/index.mdx)
-* [Install Calico Cloud Free Tier](/calico-cloud/free/connect-cluster-free)
-* [Install Calico Cloud](/calico-cloud/get-started/install-cluster)
-* [Install Calico Enterprise](/calico-enterprise/latest/getting-started/)
-
-## How to engage
-
-### Learning resources
-
-* [Blog](https://www.tigera.io/blog/)
-* [Certifications](https://www.tigera.io/lp/calico-certification/) (self-paced)
-* [Product tutorials](https://www.tigera.io/tutorials/) (self-paced)
-* [Learn guides](https://www.tigera.io/learn/guides/kubernetes-networking/)
-* [Webinars and workshops](https://www.tigera.io/events/) (live and on demand)
-* [Resources](https://www.tigera.io/resources/)
-
-### Get involved
-
-* [Calico Open Source Community](https://www.tigera.io/project-calico/community/)
-* GitHub
- * [Project Calico](https://github.com/projectcalico/calico)
- * [Tigera](https://github.com/tigera)
-
-### Get in touch
-
-* [Slack](https://calicousers.slack.com/) (Calico Open Source users)
-* [YouTube](https://www.youtube.com/channel/UCFpTnXDNcBoXI4gqCDmegFA) (@ProjectCalico)
-* LinkedIn
- * [Tigera](https://www.linkedin.com/company/tigera/)
- * [Project Calico](https://www.linkedin.com/company/project-calico/)
-* X
- * [Tigera](https://x.com/tigeraio)
- * [Project Calico](https://x.com/projectcalico)
-* [Contact us](https://www.tigera.io/contact/)
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/compliance-reports-cis.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/compliance-reports-cis.mdx
deleted file mode 100644
index dd3258e609..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/compliance-reports-cis.mdx
+++ /dev/null
@@ -1,199 +0,0 @@
----
-description: Configure CIS Kubernetes benchmark reports in Calico Enterprise to assess node and cluster compliance and download results from the in-cluster reporter as CSV.
----
-
-# Configure CIS benchmark reports
-
-:::info[deprecation notice]
-
-The compliance features described on this page are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
-
-:::
-
-## Big picture
-
-Use the $[prodname] Kubernetes CIS benchmark report to assess compliance for all assets in a Kubernetes cluster.
-
-## Value
-
-A standard requirement for an organization’s security and compliance posture is to assess your Kubernetes clusters against CIS benchmarks. The $[prodname] Kubernetes CIS benchmark report provides this comprehensive view into your Kubernetes clusters while strengthening your threat detection capability by looking beyond networking data.
-
-## Concepts
-
-### Default settings and configuration
-
-During $[prodname] installation, each node starts a pod named, `compliance-benchmarker`. A preconfigured Kubernetes CIS benchmark report is generated every hour. You can view the report in **Compliance**, **Compliance Reports**, download it to .csv format.
-
-To schedule the CIS benchmark report or change settings, use the **global report** resource. Global reports are configured as YAML files and are applied using `kubectl`.
-
-### Best practices
-
-We recommend that you review the CIS benchmark best practices for securing cluster component configurations here: [CIS benchmarks downloads](https://learn.cisecurity.org/benchmarks).
-
-## Before you begin
-
-**Required**
-
-* You [Enabled compliance reports](../compliance/enable-compliance)
-
-**Limitations**
-
-CIS benchmarks runs only on nodes where $[prodname] is running. This limitation may exclude control plane nodes in some managed cloud platforms (AKS, EKS, GKE). Because the user has limited control over installation of control plane nodes in managed cloud platforms, these reports may have limited use for cloud users.
-
-## How to
-
-- [Configure and schedule CIS benchmark reports](#configure-and-schedule-cis-benchmark-reports)
-- [View report generation status](#view-report-generation-status)
-- [Review and address CIS benchmark results](#review-and-address-cis-benchmark-results)
-- [Manually run reports](#manually-run-reports)
-- [Troubleshooting](#troubleshooting)
-
-### Configure and schedule CIS benchmark reports
-
-Verify that the `compliance-benchmarker` is running and the `cis-benchmark` report type is installed.
-
-```bash
-kubectl get -n tigera-compliance daemonset compliance-benchmarker
-kubectl get globalreporttype cis-benchmark
-```
-
-In the following example, we use a **GlobalReport** with CIS benchmark fields to schedule and filter results. The report is scheduled to run at midnight of the next day (in UTC), and the benchmark items 1.1.4 and 1.2.5 will be omitted from the results.
-
-| **Fields** | **Description** |
-| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| schedule | The start and end time of the report using [crontab format](https://en.wikipedia.org/wiki/Cron). To allow for archiving, reports are generated approximately 30 minutes after the end time. A single report is limited to a maximum of two per hour. |
-| highThreshold | **Optional**. Integer percentage value that determines the lower limit of passing tests to consider a node as healthy. Default: 100 |
-| medThreshold | **Optional**. Integer percentage value that determines the lower limit of passing tests to consider a node as unhealthy. Default: 50 |
-| includeUnscoredTests | **Optional**. Boolean value that when false, applies a filter to exclude tests that are marked as “Unscored” by the CIS benchmark standard. If true, the tests will be included in the report. Default: true |
-| numFailedTests | **Optional**. Integer value that sets the number of tests to display in the Top-failed Tests section of the CIS benchmark report. Default: 5 |
-| resultsFilter | **Optional**. An include or exclude filter to apply on the test results that will appear on the report. |
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalReport
-metadata:
- name: daily-cis-results
- labels:
- deployment: production
-spec:
- reportType: cis-benchmark
- schedule: 0 0 * * *
- cis:
- highThreshold: 100
- medThreshold: 50
- includeUnscoredTests: true
- numFailedTests: 5
- resultsFilters:
- - benchmarkSelection: { kubernetesVersion: '1.13' }
- exclude: ['1.1.4', '1.2.5']
-```
-
-### View report generation status
-
-To view the status of a report, you must use the `kubectl` command. For example:
-
-```bash
-kubectl get globalreports.projectcalico.org daily-cis-results -o yaml
-```
-
-In a report, the job status types are:
-
-- **lastScheduledReportJob**:
- The most recently scheduled job for generating the report. Because reports are scheduled in order, the “end time” of
- this report will be the “start time” of the next scheduled report.
-- **activeReportJobs**:
- Default = allows up to 5 concurrent report generation jobs.
-- **lastFailedReportJobs**:
- Default = keeps the 3 most recent failed jobs and deletes older ones. A single report generation job will be retried
- up to 6 times (by default) before it is marked as failed.
-- **lastSuccessfulReportJobs**:
- Default = keeps the 2 most recent successful jobs and deletes older ones.
-
-#### Change the default report generation time
-
-By default, reports are generated 30 minutes after the end of the report, to ensure all of the audit data is archived.
-(However, this gap does not affect the data collected “start/end time” for a report.)
-
-You can adjust the time for audit data for cases like initial report testing, to demo a report, or when manually
-creating a report that is not counted in global report status.
-
-To change the delay, go to the installation manifest, and uncomment and set the environment variable
-`TIGERA_COMPLIANCE_JOB_START_DELAY`. Specify value as a [Duration string][parse-duration].
-
-### Review and address CIS benchmark results
-
-We recommend the following approach to CIS benchmark reports results:
-
-1. Download the Kubernetes CIS benchmarks and export your full CIS benchmark results in .csv format.
-1. In the compliance dashboard, review the "Top-Failed Tests" section to identify which tests are the most problematic.
-1. Cross-reference the top-failed tests to identify which nodes are failing that test.
-1. Look up those tests in the [Kubernetes benchmark document](https://downloads.cisecurity.org/#/) and follow the remediation steps to resolve the failure.
-1. Discuss with your infrastructure and security team if this remediation is viable within your organization.
-1. If so, update your nodes with the fix and ensure that the test passes on the next generation of the report.
-1. If the fix is not viable but is an acceptable risk to take within the organization, configure the report specification to exclude that test index so that it no longer appears in the report.
-1. If the fix is not viable and not an acceptable risk to take on, keep the failing test within the report so that your team is reminded to address the issue as soon as possible.
-
-### Manually run reports
-
-You can manually run reports at any time. For example, run a manual report:
-
-- To specify a different start/end time
-- If a scheduled report fails
-
-$[prodname] GlobalReport schedules Kubernetes Jobs which create a single-run pod to generate a report and store it in Elasticsearch. Because you need to run manual reports as a pod, you need higher permissions: allow `create` access for pods in namespace `tigera-compliance` using the `tigera-compliance-reporter` service account.
-
-To manually run a report:
-
-1. Download the pod template corresponding to your installation method.
- **Operator**
-
- For management and standalone clusters:
-
- ```bash
- curl -O $[filesUrl]/manifests/compliance-reporter-pod.yaml
- ```
-
- For managed clusters:
-
- ```bash
- curl $[filesUrl]/manifests/compliance-reporter-pod-managed.yaml -o compliance-reporter-pod.yaml
- ```
-
-1. Edit the template as follows:
-
- - Edit the pod name if required.
- - If you are using your own docker repository, update the container image name with your repo and image tag.
- - Set the following environments according to the instructions in the downloaded manifest:
- - `TIGERA_COMPLIANCE_REPORT_NAME`
- - `TIGERA_COMPLIANCE_REPORT_START_TIME`
- - `TIGERA_COMPLIANCE_REPORT_END_TIME`
-
-1. Apply the updated manifest, and query the status of the pod to ensure it completes.
- Upon completion, the report is available in the web console.
-
- ```bash
- # Apply the compliance report pod
- kubectl apply -f compliance-reporter-pod.yaml
- # Query the status of the pod
- kubectl get pod -n=tigera-compliance
- ```
-
-:::note
-
-Manually-generated reports do not appear in GlobalReport status.
-
-:::
-
-### Troubleshooting
-
-**Problem**: Compliance reports can fail to generate if the `compliance-benchmarker` component cannot find the required `kubelet` or `kubectl` binaries to determine the Kubernetes version running on the cluster.
-
-**Solution or workaround**: If a node is running within a container (not running `kubelet` as a binary), make sure the `kubectl` binary is available in the `/usr/bin` directory.
-
-## Additional resources
-
-- For details on configuring and scheduling reports, see [Global reports](../reference/resources/globalreport.mdx)
-- For other predefined compliance reports, see [Compliance reports](../reference/resources/compliance-reports/index.mdx)
-
-[parse-duration]: https://golang.org/pkg/time/#ParseDuration
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/configure-http-proxy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/configure-http-proxy.mdx
deleted file mode 100644
index 3422f61c6c..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/configure-http-proxy.mdx
+++ /dev/null
@@ -1,56 +0,0 @@
----
-description: Route outbound Calico Enterprise container traffic through an HTTP proxy by configuring the Installation custom resource managed by the Tigera Operator.
----
-
-# Configure an outbound HTTP proxy
-
-$[prodname] supports the use of HTTP proxies for connections that leave the cluster and originate from $[prodname] containers.
-
-`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables can be set on $[prodname] containers by using a mutating admission webhook, or by configuration through the Installation CR if preferred. In the latter case, the Tigera Operator will be responsible for setting proxy environment variables on $[prodname] containers that egress out of the cluster.
-
-With either environment variable configuration method, the Tigera Operator will detect the proxy environment variables that are set on $[prodname] containers that egress out of the cluster and ensure that network policy in the allow-tigera tier allows these connections.
-
-This page will outline how to configure an HTTP proxy using the Installation CR.
-
-:::caution
-
-$[prodname] assumes that you have exempted in-cluster destinations (including the Kubernetes API server) from proxying via the `NO_PROXY` variable.
-
-:::
-
-## Configuration via Helm
-
-If you wish to manually configure $[prodname] via Helm to set proxy environment variables on $[prodname] containers (rather than using a mutating admission webhook), you must [customize the values.yaml](../getting-started/install-on-clusters/kubernetes/helm#prepare-the-installation-configuration) of the $[prodname] Helm chart.
-
-You’ll need to set the proxy configuration in the values.yaml using the `installation.proxy` path, e.g.:
-
-```yaml
-installation:
- enabled: true
- proxy:
- httpProxy:
- httpsProxy:
- noProxy:
-```
-
-## Configuration via Manifest
-If you wish to manually configure $[prodname] via manifests to set proxy environment variables on $[prodname] containers (rather than using a mutating admission webhook), you’ll need to edit the installation manifests provided by Tigera.
-
-Specifically, if you are installing $[prodname], you’ll need to edit the custom-resources.yaml. The Installation CR should be updated to set the `spec.proxy` field, e.g.
-
-```yaml
-apiVersion: operator.tigera.io/v1
-kind: Installation
-metadata:
- name: default
-spec:
- variant: TigeraSecureEnterprise
- imagePullSecrets:
- - name: tigera-pull-secret
- proxy:
- httpProxy:
- httpsProxy:
- noProxy:
-```
-
-If you have already installed $[prodname], then you can patch your previously applied Installation CR for the new proxy settings.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/enable-compliance.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/enable-compliance.mdx
deleted file mode 100644
index 8c60a2c317..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/enable-compliance.mdx
+++ /dev/null
@@ -1,49 +0,0 @@
----
-description: Turn on the in-cluster compliance reporter, controller, snapshotter, and server components that produce Calico Enterprise compliance reports and CIS benchmarks.
----
-
-# Enable compliance reports
-
-:::info[deprecation notice]
-
-The compliance features described on this page are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
-
-:::
-
-## Big picture
-
-Enabling compliance reports improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security.
-
-## Value
-
-The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting:
-
- - `compliance-snapshotter` : Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes.
- - `compliance-reporter` : Generates reports by analyzing configuration history, determining configuration evolution and identifying "worst-case outliers."
- - `compliance-controller` : Manages the creation, deletion, and monitoring of report generation jobs.
- - `compliance-server` : Offers API for report management and enforces RBAC.
- - `compliance-benchmarker` : Runs CIS Kubernetes Benchmark checks on each node to ensure secure deployment.
-
-**Required**
-
-* For managed clusters, ensure that compliance reporting is enabled in the management cluster.
-
-### Enable compliance reports using kubectl
-
-* Create a compliance custom resource, named `tigera-secure`, in the cluster.
-
-```bash
-kubectl apply -f - <
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/encrypt-cluster-pod-traffic.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/encrypt-cluster-pod-traffic.mdx
deleted file mode 100644
index 07e52a5005..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/encrypt-cluster-pod-traffic.mdx
+++ /dev/null
@@ -1,251 +0,0 @@
----
-description: Turn on WireGuard in your Calico Enterprise cluster to encrypt inter-node pod and host-network traffic, with IPv4 and IPv6 support via FelixConfiguration.
----
-
-# Encrypt data in transit
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-## Big picture
-
-Enable WireGuard to secure on the wire in-cluster pod traffic in a $[prodname] cluster.
-
-## Value
-
-When this feature is enabled, $[prodname] automatically creates and manages WireGuard tunnels between nodes providing transport-level security for inter-node, in-cluster pod traffic. WireGuard provides [formally verified](https://www.wireguard.com/formal-verification/) secure and [performant tunnels](https://www.wireguard.com/performance/) without any specialized hardware. For a deep dive in to WireGuard implementation, see this [white paper](https://www.wireguard.com/papers/wireguard.pdf).
-
-## Concepts
-
-### About WireGuard
-
-$[prodname] supports encryption for both inter-node pod traffic, and inter-node, host-network traffic. Because $[prodname] is not implemented using a sidecar, traffic is not encrypted for the full journey from one pod to another; traffic is only encrypted on the host-to-host portion of the journey. Though there is unencrypted traffic between the host-to-pod portion of the journey, attackers cannot easily intercept this traffic. To intercept the unencrypted traffic, they would need root access to the node.
-
-$[prodname] supports WireGuard encryption for both IPv4 and IPv6 traffic. You can enable traffic independently using parameters in the FelixConfiguration resource:
-
-- `wireguardEnabled` - enables encrypting IPv4 traffic over an IPv4 underlay network
-- `wireguardEnabledV6` - enables encrypting IPv6 traffic over an IPv6 underlay network
-
-## Before you begin
-
-**Terminology**
-
- - Inter-node pod traffic: Traffic leaving a pod from one node destined to a pod on another node
- - Inter-node, host-network traffic: traffic generated by the node itself or a host-networked-pod destined to another node or host-networked-pod
- - Same-node pod traffic: Traffic between pods on the same node
-
-**Supported encryption**
-
-- Inter-node pod traffic: IPv4 only
-- Inter-node, host-network traffic, IPv4/IPv6: supported only on managed clusters deployed on EKS and AKS
-
-**Unsupported**
-
-- Encrypted same-node pod traffic
-- GKE
-- Using your own custom keys to encrypt traffic
-
-**Required**
-
-- On all nodes in the cluster that you want to participate in $[prodname] encryption, verify that the operating system(s) on the nodes are [installed with WireGuard](https://www.wireguard.com/install/).
-
- :::note
-
- Some node operating systems do not support WireGuard, or do not have it installed by default. Enabling $[prodname] WireGuard encryption does not require all nodes to be installed with WireGuard. However, traffic to or from a node that does not have WireGuard installed, will not be encrypted.
-
- :::
-
-- IP addresses for every node in the cluster. This is required to establish secure tunnels between the nodes. $[prodname] can automatically do this using [IP autodetection methods](../networking/ipam/ip-autodetection.mdx).
-
-## How to
-
-- [Install WireGuard](#install-wireguard)
-- [Enable WireGuard for a cluster](#enable-wireguard-for-a-cluster)
-- [Verify encryption is enabled](#verify-encryption-is-enabled)
-- [Enable WireGuard statistics](#enable-wireguard-statistics)
-- [View WireGuard statistics](#view-wireguard-statistics)
-- [Disable WireGuard for an individual node](#disable-wireguard-for-an-individual-node)
-- [Disable WireGuard for a cluster](#disable-wireguard-for-a-cluster)
-
-### Install WireGuard
-
-WireGuard is included in Linux 5.6+ kernels, and has been backported to earlier Linux kernels in some Linux distributions.
-
-Install WireGuard on cluster nodes using [instructions for your operating system](https://www.wireguard.com/install/). Note that you may need to reboot your nodes after installing WireGuard to make the kernel modules available on your system.
-
-Use the following instructions for these platforms that are not listed on the WireGuard installation page, before proceeding to [enabling WireGuard](#enable-wireguard-for-a-cluster).
-
-
-
-
-To install WireGuard on the default Amazon Machine Image (AMI):
-
-```bash
-sudo yum install kernel-devel-`uname -r` -y
-sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
-sudo curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
-sudo yum install wireguard-dkms wireguard-tools -y
-```
-
-
-
-
-AKS cluster nodes run Ubuntu with a kernel that has WireGuard installed already, so there is no manual installation required.
-
-
-
-
-To install WireGuard for OpenShift:
-
-1. Install requirements:
-
- - [CoreOS Butane](https://coreos.github.io/butane/getting-started/)
- - [OpenShift CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html)
-
-1. Download and configure the tools needed for kmods.
-
-```bash
-FAKEROOT=$(mktemp -d)
-git clone https://github.com/tigera/kmods-via-containers
-cd kmods-via-containers
-make install FAKEROOT=${FAKEROOT}
-cd ..
-git clone https://github.com/tigera/kvc-wireguard-kmod
-cd kvc-wireguard-kmod
-make install FAKEROOT=${FAKEROOT}
-cd ..
-```
-
-1. Configure/edit `${FAKEROOT}/root/etc/kvc/wireguard-kmod.conf`.
-
- a. You must then set the URLs for the `KERNEL_CORE_RPM`, `KERNEL_DEVEL_RPM` and `KERNEL_MODULES_RPM` packages in the conf file `$FAKEROOT/etc/kvc/wireguard-kmod.conf`. Obtain copies for `kernel-core`, `kernel-devel`, and `kernel-modules` rpms from [RedHat Access](https://access.redhat.com/downloads/content/package-browser) and host it in an http file server that is reachable by your OCP workers.
-
- b. For help configuring `kvc-wireguard-kmod/wireguard-kmod.conf` and WireGuard version to kernel version compatibility, see the [kvc-wireguard-kmod README file](https://github.com/tigera/kvc-wireguard-kmod#quick-config-variables-guide).
-
-1. Get RHEL Entitlement data from your own RHEL8 system from a host in your cluster.
-
- ```bash
- tar -czf subs.tar.gz /etc/pki/entitlement/ /etc/rhsm/ /etc/yum.repos.d/redhat.repo
- ```
-
-1. Copy the `subs.tar.gz` file to your workspace and then extract the contents using the following command.
-
- ```bash
- tar -x -C ${FAKEROOT}/root -f subs.tar.gz
- ```
-
-1. Transpile your machine config using [CoreOS Butane](https://coreos.github.io/butane/getting-started/).
-
- ```bash
- cd kvc-wireguard-kmod
- make ignition FAKEROOT=${FAKEROOT} > mc-wg.yaml
- ```
-
-1. With the KUBECONFIG set for your cluster, run the following command to apply the MachineConfig which will install WireGuard across your cluster.
- ```bash
- oc create -f mc-wg.yaml
- ```
-
-
-
-
-### Enable WireGuard for a cluster
-
-Enable IPv4 WireGuard encryption across all the nodes using the following command.
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'
-```
-
-Enable IPv6 WireGuard encryption across all the nodes using the following command.
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabledV6":true}}'
-```
-
-To enable both IPv4 and IPv6 WireGuard encryption across all the nodes, use the following command.
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
-```
-
-For OpenShift, add the Felix configuration with WireGuard enabled [under custom resources](../getting-started/install-on-clusters/openshift/installation.mdx#provide-additional-configuration).
-
-:::note
-
-The above command can be used to change other WireGuard attributes. For a list of other WireGuard parameters and configuration evaluation, see the [Felix configuration](../reference/resources/felixconfig.mdx#felix-configuration-definition).
-
-:::
-
-We recommend that you review and modify the MTU used by $[prodname] networking when WireGuard is enabled to increase network performance. Follow the instructions in the [Configure MTU to maximize network performance](../networking/configuring/mtu.mdx) guide to set the MTU to a value appropriate for your network.
-
-### Verify encryption is enabled
-
-To verify that the nodes are configured for WireGuard encryption, check the node status set by Felix using `kubectl`. For example:
-
-```bash
-kubectl get node -o yaml
-...
-kind: Node
-metadata:
- annotations:
- projectcalico.org/WireguardPublicKey: jlkVyQYooZYzI2wFfNhSZez5eWh44yfq1wKVjLvSXgY=
-...
-```
-
-### Enable WireGuard statistics
-
-Since v3.11.1, WireGuard statistics are now automatically enabled with the enable WireGuard setting(s) mentioned above.
-
-### View WireGuard statistics
-
-To view WireGuard statistics in the web console, you must enable them. From the left navbar, click **Dashboard**, and the Layout Settings icon.
-
-
-
-#### WireGuard Dashboard toggle
-
-When viewing WireGuard statistics, you might wonder why the charts in the web console Dashboard show more ingress traffic than egress if all the traffic goes within the cluster. The chart might show a 1% difference between traffic for the following reasons:
-
-- Sampling time. The statistics are generated a few microseconds apart.
-- Packet loss. If a node resends a lost packet, then the node counts the packet twice where the receiver counts it only once.
-- Averaging/smoothing. The statistics are smoothed out over a few seconds.
-
-### Disable WireGuard for an individual node
-
-To disable WireGuard on a specific node with WireGuard installed, modify the node-specific Felix configuration. e.g., to turn off encryption for pod traffic on node `my-node`, use the following command. This command disables WireGuard for both IPv4 and IPv6, modify it accordingly if disabling only either IP version:
-
-```bash
-cat <
-
-
-
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/istio/about-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/istio/about-istio-ambient.mdx
deleted file mode 100644
index 5cc7f92bda..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/istio/about-istio-ambient.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-description: Overview of the bundled Istio Ambient Mode service mesh in Calico Enterprise, with node-level zTunnel proxies and mTLS encryption managed by the Tigera Operator.
----
-
-# Istio Ambient Mode
-
-:::important
-
-Istio Ambient Mode is not available in this early preview version of Calico Enterprise (3.23.0-1.0).
-It will be included in the next early preview release.
-
-For more information about Istio Ambient Mode, see [Istio Ambient Mode](/calico-enterprise/latest/compliance/istio/about-istio-ambient) in the documentation for Calico Enterprise 3.22
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/istio/deploy-istio-ambient.mdx
deleted file mode 100644
index db95368fbe..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/istio/deploy-istio-ambient.mdx
+++ /dev/null
@@ -1,14 +0,0 @@
----
-description: Deploy the bundled Istio Ambient Mode service mesh in your Calico Enterprise cluster by applying the Istio custom resource, with prerequisites and limitations.
----
-
-# Deploy Istio Ambient Mode on your cluster
-
-:::important
-
-Istio Ambient Mode is not available in this early preview version of Calico Enterprise (3.23.0-1.0).
-It will be included in the next early preview release.
-
-For more information about deploying Istio Ambient Mode, see [Deploy Istio Ambient Mode on your cluster](/calico-enterprise/latest/compliance/istio/deploy-istio-ambient) in the documentation for Calico Enterprise 3.22
-
-:::
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/compliance/overview.mdx b/calico-enterprise_versioned_docs/version-3.23-1/compliance/overview.mdx
deleted file mode 100644
index 1e4ac16448..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/compliance/overview.mdx
+++ /dev/null
@@ -1,382 +0,0 @@
----
-description: Schedule and run Calico Enterprise compliance reports against Kubernetes workloads using archived flow logs and audit logs stored in Elasticsearch.
----
-
-# Schedule and run compliance reports
-
-:::info[deprecation notice]
-
-The compliance features described on this page are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
-
-:::
-
-## Big picture
-
-Schedule and run compliance reports to assess Kubernetes workloads and environments for regulatory compliance.
-
-## Value
-
-Compliance tools that rely on periodic snapshots, do not provide accurate assessments of Kubernetes workloads against your compliance standards. $[prodname] compliance dashboard and reports provide a complete inventory of regulated workloads, along with evidence of enforcement of network controls for these workloads. Additionally, audit reports are available to see changes to any network security controls.
-
-## Concepts
-
-### Compliance reports at a glance
-
-Compliance report are based on archived flow logs and audit logs for all of your $[prodname] resources, plus any audit logs you've configured for Kubernetes resources in the Kubernetes API server:
-
-- Pods
-- Host endpoints
-- Service accounts
-- Namespaces
-- Kubernetes service endpoints
-- Global network sets
-- Calico and Kubernetes network policies
-- Global network policies
-
-Compliance reports provide the following high-level information:
-
-- **Protection**
-
- - Endpoints explicitly protected using ingress or egress policy
- - Endpoints with Envoy enabled
-
-- **Policies and services**
-
- - Policies and services associated with endpoints
- - Policy audit logs
-
-- **Traffic**
- - Allowed ingress/egress traffic to/from namespaces
- - Allowed ingress/egress traffic to/from the internet
-
-
-
-## Before you begin
-
-**Unsupported**
-
-- AKS
-- GKE
-- OpenShift
-- TKG
-
-**Required**
-
-* You [Enabled compliance reports](../compliance/enable-compliance)
-
-- Ensure that all nodes in your Kubernetes clusters are time-synchronized using NTP or similar (for accurate audit log timestamps)
-
-- [Configure audit logs for Kubernetes resources](../observability/elastic/audit-overview.mdx)
-
- You must configure audit logs for Kubernetes resources through the Kubernetes API to get a complete view of all resources.
-
-## How to
-
-- [Configure report permissions](#configure-report-permissions)
-- [Configure and schedule reports](#configure-and-schedule-reports)
-- [View report generation status](#view-report-generation-status)
-- [Run reports](#run-reports)
-
-### Configure report permissions
-
-Report permissions are granted using the standard Kubernetes RBAC based on ClusterRole and ClusterRoleBindings. The following table outlines the required RBAC verbs for each resource type for a specific user actions.
-
-| **Action** | **globalreporttypes** | **globalreports** | **globalreports/status** |
-| ------------------------------------------------------- | ------------------------------- | --------------------------------- | ------------------------ |
-| Manage reports (create/modify/delete) | | \* | get |
-| View status of report generation through kubectl | | get | get |
-| List the generated reports and summary status in the UI | | list + get (for required reports) | |
-| Export the generated reports from the UI | get (for the particular report) | get (for required reports) | |
-
-The following sample manifest creates RBAC for three users: Paul, Candice and David.
-
-- Paul has permissions to create/modify/delete the report schedules and configuration, but does not have permission to export generated reports from the UI.
-- Candice has permissions to list and export generated reports from the UI, but cannot modify the report schedule or configuration.
-- David has permissions to list and export generated `dev-inventory` reports from the UI, but cannot list or download other reports, nor modify the report
- schedule or configuration.
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-compliance-manage-report-config
-rules:
- - apiGroups: ['projectcalico.org']
- resources: ['globalreports']
- verbs: ['*']
- - apiGroups: ['projectcalico.org']
- resources: ['globalreports/status']
- verbs: ['get', 'list', 'watch']
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-compliance-manage-report-config
-subjects:
- - kind: User
- name: paul
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-compliance-manage-report-config
- apiGroup: rbac.authorization.k8s.io
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-compliance-list-download-all-reports
-rules:
- - apiGroups: ['projectcalico.org']
- resources: ['globalreports']
- verbs: ['get', 'list']
- - apiGroups: ['projectcalico.org']
- resources: ['globalreporttypes']
- verbs: ['get']
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-compliance-list-download-all-reports
-subjects:
- - kind: User
- name: candice
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-compliance-list-download-all-reports
- apiGroup: rbac.authorization.k8s.io
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-compliance-list-download-dev-inventory
-rules:
- - apiGroups: ['projectcalico.org']
- resources: ['globalreports']
- verbs: ['list']
- - apiGroups: ['projectcalico.org']
- resources: ['globalreports']
- verbs: ['get']
- resourceNames: ['dev-inventory']
- - apiGroups: ['projectcalico.org']
- resources: ['globalreporttypes']
- verbs: ['get']
- resourceNames: ['dev-inventory']
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-compliance-list-download-dev-inventory
-subjects:
- - kind: User
- name: david
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-compliance-list-download-dev-inventory
- apiGroup: rbac.authorization.k8s.io
-```
-
-### Configure and schedule reports
-
-To configure and schedule a compliance report, create a [GlobalReport](../reference/resources/globalreport.mdx) with the following information.
-
-| **Fields** | **Description** |
-| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| name | Unique name for your report. |
-| reportType | One of the following predefined report types: `inventory`, `network-access`, `policy-audit`. |
-| schedule | The start and end time of the report using [crontab format](https://en.wikipedia.org/wiki/Cron). To allow for archiving, reports are generated approximately 30 minutes after the end time. A single report is limited to a maximum of two per hour. |
-| endpoints | **Optional**. For inventory and network-access reports, specifies the endpoints to include in the report. For the policy-audit report, restricts audit logs to include only policies that apply to the selected endpoints. If not specified, the report includes all endpoints and audit logs. |
-| jobNodeSelector | **Optional**. Limits report generation jobs to specific nodes. |
-| suspend | **Optional**. Suspends report generation. All in-flight reports will complete, and future scheduled reports are suspended. |
-
-:::note
-
-GlobalReports can only be configured using kubectl (not calicoctl); and they cannot be edited in the Tigera
-Secure EE the web console.
-
-:::
-
-The following sections provide sample schedules for the predefined reports.
-
-### Weekly reports, all endpoints
-
-The following report schedules weekly inventory reports for _all_ endpoints. The jobs that create the reports will run
-on the infrastructure nodes (e.g. nodetype == 'infrastructure').
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalReport
-metadata:
- name: weekly-full-inventory
-spec:
- reportType: inventory
- schedule: 0 0 * * 0
- jobNodeSelector:
- nodetype: infrastructure
-```
-
-### Daily reports, selected endpoints
-
-The following report schedules daily inventory reports for production endpoints (e.g. deployment == ‘production’).
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalReport
-metadata:
- name: daily-production-inventory
-spec:
- reportType: inventory
- endpoints:
- selector: deployment == 'production'
- schedule: 0 0 * * *
-```
-
-### Hourly reports, endpoints in named namespaces
-
-The following report schedules hourly network-access reports for the accounts department endpoints, that are
-specified using the namespace names: **payable**, **collections** and **payroll**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalReport
-metadata:
- name: hourly-accounts-networkaccess
-spec:
- reportType: network-access
- endpoints:
- namespaces:
- names: ['payable', 'collections', 'payroll']
- schedule: 0 * * * *
-```
-
-### Daily reports, endpoints in selected namespaces
-
-The following report schedules daily network-access reports for the accounts department with endpoints specified using
-a namespace selector.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalReport
-metadata:
- name: daily-accounts-networkaccess
-spec:
- reportType: network-access
- endpoints:
- namespaces:
- selector: department == 'accounts'
- schedule: 0 0 * * *
-```
-
-### Monthly reports, endpoints for named service accounts in named namespaces
-
-The following schedules monthly audit reports. The audited policy is restricted to policy that applies to
-widgets/controller endpoints specified by the namespace **widgets** and service account **controller**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalReport
-metadata:
- name: monthly-widgets-controller-tigera-policy-audit
-spec:
- reportType: policy-audit
- schedule: 0 0 1 * *
- endpoints:
- serviceAccounts:
- names: ['controller']
- namespaces:
- names: ['widgets']
-```
-
-### View report generation status
-
-To view the status of a report, you must use the `kubectl` command. For example:
-
-```bash
-kubectl get globalreports.projectcalico.org daily-inventory.p -o yaml
-```
-
-In a report, the job status types are:
-
-- **lastScheduledReportJob**:
- The most recently scheduled job for generating the report. Because reports are scheduled in order, the “end time” of
- this report will be the “start time” of the next scheduled report.
-- **activeReportJobs**:
- Default = allows up to 5 concurrent report generation jobs.
-- **lastFailedReportJobs**:
- Default = keeps the 3 most recent failed jobs and deletes older ones. A single report generation job will be retried
- up to 6 times (by default) before it is marked as failed.
-- **lastSuccessfulReportJobs**:
- Default = keeps the 2 most recent successful jobs and deletes older ones.
-
-### Change the default report generation time
-
-By default, reports are generated 30 minutes after the end of the report, to ensure all of the audit data is archived.
-(However, this gap does not affect the data collected “start/end time” for a report.)
-
-You can adjust the time for audit data for cases like initial report testing, to demo a report, or when manually
-creating a report that is not counted in global report status.
-
-To change the delay, go to the installation manifest, and uncomment and set the environment
-`TIGERA_COMPLIANCE_JOB_START_DELAY`. Specify value as a [Duration string][parse-duration].
-
-### Run reports
-
-You can run reports at any time to specify a different start/end time, and if a scheduled report fails.
-
-$[prodname] GlobalReport schedules Kubernetes Jobs, which create a single-run pod to generate a report and store it
-in Elasticsearch. Because you need to run reports as a pod, you need higher permissions: allow `create` access for pods in namespace `tigera-compliance` using the `tigera-compliance-reporter` service account.
-
-To run a report on demand:
-
-1. Download the pod template corresponding to your installation method.
-
- For management and standalone clusters:
-
- ```bash
- curl -O $[filesUrl]/manifests/compliance-reporter-pod.yaml
- ```
-
- For managed clusters:
-
- ```bash
- curl $[filesUrl]/manifests/compliance-reporter-pod-managed.yaml -o compliance-reporter-pod.yaml
- ```
-
-1. Edit the template as follows:
- - Edit the pod name if required.
- - If you are using your own docker repository, update the container image name with your repo and image tag.
- - Set the following environments according to the instructions in the downloaded manifest:
- - `TIGERA_COMPLIANCE_REPORT_NAME`
- - `TIGERA_COMPLIANCE_REPORT_START_TIME`
- - `TIGERA_COMPLIANCE_REPORT_END_TIME`
-1. Apply the updated manifest, and query the status of the pod to ensure it completes.
- Upon completion, the report is available in the $[prodname] web console.
-
- ```bash
- # Apply the compliance report pod
- kubectl apply -f compliance-reporter-pod.yaml
-
- # Query the status of the pod
- kubectl get pod -n tigera-compliance
- ```
-
-:::note
-
-Manually-generated reports do not appear in GlobalReport status.
-
-:::
-
-## Additional resources
-
-- For details on configuring and scheduling reports, see [Global reports](../reference/resources/globalreport.mdx)
-- For report field descriptions, see [Compliance reports](../reference/resources/compliance-reports/index.mdx)
-- [CIS benchmarks](compliance-reports-cis.mdx)
-
-[parse-duration]: https://golang.org/pkg/time/#ParseDuration
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/about.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/about.mdx
deleted file mode 100644
index 7c567ca33d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/about.mdx
+++ /dev/null
@@ -1,179 +0,0 @@
----
-description: Install Calico Enterprise on non-cluster hosts and VMs to apply Calico network policy and capture flow logs for workloads running outside Kubernetes.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Install Calico on non-cluster hosts and VMs
-
-## Big picture
-
-Secure hosts and virtual machines (VMs) running outside of Kubernetes by installing $[prodname].
-
-## Value
-
-Calico Enterprise can also be used to protect hosts and VMs running outside of a Kubernetes cluster.
-In many cases, these are applications and workloads that cannot be easily containerized.
-$[prodname] lets you protect and gain visibility into these **non-cluster hosts** and use the same robust Calico network policy that you use for pods.
-
-## Concepts
-
-### Non-cluster hosts and host endpoints
-
-A non-cluster host or VM is a computer that is running an application that is _not part of a Kubernetes cluster_.
-$[prodname] enables you to protect these hosts and VMs using the same Calico network policy that you use for workloads running inside a Kubernetes cluster.
-It also generates flow logs that provide visibility into the communication that host or VM is having with other endpoints in your environment.
-
-In the following diagram, a Kubernetes cluster is running $[prodname] with networking (for pod-to-pod communication) and network policy; the non-cluster host uses Calico network policy for host protection and to generate flow logs for observability.
-
-
-
-For non-cluster hosts and VMs, you can secure host interfaces using **host endpoints**.
-Host endpoints can have labels that work the same as labels on pods/workload endpoints in Kubernetes.
-The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two).
-For example, you can easily write a global policy that applies to every host, VM, or pod that is running Calico.
-
-To learn how to restrict traffic to/from hosts and VMs using Calico network policy, see [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx).
-
-## Before you begin
-
-**Required**
-
-- Kubernetes API datastore is up and running and is accessible from the host
-
- If $[prodname] is installed on a cluster, you already have a datastore.
-
-- Node requirements for non-cluster hosts and VMs:
- - x86-64 v3 microarchitecture.
- You can check this via the program interpreter on the node:
- ```bash
- /lib64/ld-linux-x86-64.so.2 --help
- ```
- If you see a line that says `x86-64-v3 (supported, searched)`, your processor supports the required microarchitecture.
- - The following host operating systems are supported:
- - RHEL 8 and RHEL 9
- - Ubuntu 22.04 and 24.04
- - Debian 12 and Debian 13
- - Your operating system includes the `ipset` and `conntrack` kernel dependencies.
-- For everything else, your non-cluster host or VM meets $[prodname] [system requirements](../install-on-clusters/requirements.mdx)
-
-## How to
-
-### Set up your Kubernetes cluster to work with a non-cluster host or VM
-
-1. Create a `NonClusterHost` custom resource.
-
- This resource enables the cluster-side ingestion endpoint to receive logs from non-cluster hosts.
- It also provides a dedicated Typha deployment to manage communication between the non-cluster host agent and Typha.
- To ensure proper operation, verify that the non-cluster hosts or VMs have network connectivity to your Kubernetes cluster.
-
- ```bash
- kubectl create -f - <
- typhaEndpoint:
- EOF
- ```
-
- | Field | Description | Accepted Values | Schema |
- | ------------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------ | ------ |
- | endpoint | Required. Location of the log ingestion point for non-cluster hosts. | Any HTTPS URL with a domain name and a port number | string |
- | typhaEndpoint | Required. Location of the Typha endpoint for non-cluster host agent and Typha communication. If you are using an ingress controller or an external load balancer, ensure it is configured to allow TCP Layer 4 passthrough. This is required for non-cluster host agent to establish a mutual TLS (mTLS) connection to the cluster. | Any IP address or domain name with a port number | string |
-
- Wait until the Tigera Manager and non-cluster Typha deployments reach the Available status before proceeding to the next step.
-
-1. Create a `kubeconfig` file for your non-cluster host or VM:
-
- ```bash
- calicoctl nonclusterhost generate-config [--namespace=] [--serviceaccount=] [--certfile=] > kubeconfig
- ```
-
- | Parameter | Description | Default Values |
- | -------------- | -------------------------------------------------------------------------------------------------------- | ---------------------- |
- | namespace | Optional. The namespace where the service account for non-cluster hosts resides. | calico-system |
- | serviceaccount | Optional. The service account used by non-cluster hosts to authenticate and securely access the cluster. | tigera-noncluster-host |
- | certfile | Optional. Path to the file containing the PEM-encoded authority certificates. Use this option if you are providing your own [TLS certificates for Calico Enterprise Manager](../../operations/comms/manager-tls.mdx). If not specified, the Tigera root CA certificate will be used by default. | |
-
-1. Create a [`HostEndpoint` resource](../../reference/host-endpoints/overview.mdx) for each non-cluster host or VM.
- The `node` and `expectedIPs` fields are required to match the hostname and the expected interface IP addresses.
-
-### Set up your non-cluster host or VM
-
-1. Download the Calico Enterprise repository to work with your Linux distro.
-
-
- ```bash
- curl -sfL $[rhelPkgUrl]/calico_enterprise.repo -o /etc/yum.repos.d/calico-enterprise.repo
- ```
-
-
- 1. Download the appropriate sources file for your operating system:
- ```bash
- curl -fsSL -o calico-enterprise.sources $[debPkgUrl]/$(lsb_release -cs).sources
- ```
- 1. Copy the file into your apt sources directory:
- ```bash
- sudo cp calico-enterprise.sources /etc/apt/sources.list.d/
- ```
- 1. Retrieve the updated package index:
- ```bash
- sudo apt-get update
- ```
-
-
-1. Install Calico node and fluent-bit log forwarder packages.
-
-
- ```bash
- dnf install calico-node calico-fluent-bit
- ```
-
-
- ```bash
- sudo apt install calico-node calico-fluent-bit
- ```
-
-
-
-1. Copy the `kubeconfig` created in cluster setup step 2 to host folder `/etc/calico/kubeconfig`.
-
-1. Start Calico node and log forwarder.
-
- ```bash
- systemctl enable --now calico-node.service
- systemctl enable --now calico-fluent-bit.service
- ```
-
- You can configure the Calico node by tuning the environment variables defined in the `/etc/calico/calico-node/calico-node.env` file.
- For more information, see the [Felix configuration reference](../../reference/resources/felixconfig.mdx).
-
-### Configure high availability mode
-
-High availability (HA) mode helps protect workloads running on hosts and VMs by providing an automated disaster recovery setup.
-It operates with two Kubernetes clusters: an active cluster and a passive cluster that remains synchronized and ready to take over if the active cluster becomes unavailable.
-
-For HA mode to function correctly, a correctly configured load balancer (LB) is required to switch traffic between clusters during failover and failback events.
-The LB must detect failures, redirect traffic to the passive cluster, and restore traffic to the active cluster once it is healthy.
-Without a proper configuration, HA mode will not work as expected.
-
-
-Your hosts or VMs are inherently HA-ready once you completed the setup steps.
-They automatically connect to the appropriate cluster.
-
-To enable HA mode, system administrators must perform the following steps:
-
-- Deploy and maintain both clusters: Provision and manage both the active and passive Kubernetes clusters.
-- Synchronize resources: Keep all relevant resources (such as network policies, configurations, and non-cluster host resources) synchronized from the active cluster to the passive cluster.
-- Configure domain names: Use domain names (not static IP addresses) for log ingestion and Typha endpoints in the `NonClusterHost` resource.
-- Replicate secrets: Copy the `tigera-ca-private` secret from the active cluster to the passive cluster under the `tigera-operator` namespace.
- After copying, verify that all Calico components in the passive cluster are running and healthy.
-
-## Additional resources
-
-- [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx)
-- [Use custom certificates for Node and Typha](typha-node-tls.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/index.mdx
deleted file mode 100644
index 9690f75925..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Install Calico Enterprise on bare-metal hosts and VMs to extend zero-trust policy enforcement beyond a Kubernetes cluster.
-hide_table_of_contents: true
----
-
-# Non-cluster hosts
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/troubleshoot.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/troubleshoot.mdx
deleted file mode 100644
index 1c0452ff8b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/troubleshoot.mdx
+++ /dev/null
@@ -1,111 +0,0 @@
----
-description: Troubleshooting guide for Calico Enterprise on non-cluster hosts and VMs — connectivity, agent registration, and policy issues.
----
-
-# Troubleshoot non-cluster hosts and VMs setup
-
-This document provides guidance for troubleshooting Calico running on hosts and VMs outside of a cluster.
-
-## Useful commands
-
-These commands can help you collect logs and monitor system activities during troubleshooting.
-
-### On non-cluster hosts or VMs
-
-```bash
-journalctl -xue calico-node.service -f
-journalctl -xue calico-fluent-bit.service -f
-```
-
-### On the cluster side
-
-```bash
-kubectl logs -n calico-system -l k8s-app=calico-typha-noncluster-host
-kubectl logs -n tigera-manager -l k8s-app=tigera-manager -c tigera-voltron
-```
-
-You can monitor CertificateSigningRequests (CSR) by running:
-
-```bash
-kubectl get certificatesigningrequest -w
-```
-
-Monitoring CSRs is useful for debugging certificates used for Calico Node and Typha mutual TLS (mTLS) communication. The automatic CSR approval and signing flow can fail in several ways. For example:
-
-- The CSR request might not be created or submitted correctly.
-- The Tigera Operator CSR controller might not process it.
-- The Tigera Operator signer might reject the request due to invalid fields or missing permission.
-
-When such failure occur, the CSR status object contains detailed condition and error messages that help identify the root cause.
-
-## Common problems
-
-### No internet connection after installing the Calico Node package
-
-By default, $[prodname] blocks all traffic to and from host interfaces. You can use a profile with host endpoints to modify default behavior. Apply the built-in profile `projectcalico-default-allow`, which allows all ingress and egress traffic. Host endpoints that use this profile will have *allow-all* behavior instead of *deny-all* when no network policy is applied.
-
-Example `HostEndpoint` with the `projectcalico-default-allow` profile:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: HostEndpoint
-metadata:
- name:
-spec:
- interfaceName:
- node:
- expectedIPs: [""]
- profiles:
- - projectcalico-default-allow
-```
-
-### Certificate signed by unknown authority
-
-If the certificate presented by the Kubernetes API server or Tigera Manager endpoint is not signed by a trusted Certificate Authority (CA), add the correct CA certificate to the system trust store. Alternatively, for the Calico fluent-bit log forwarder, you can temporarily disable TLS verifications by setting:
-
-```conf
-[OUTPUT]
- ...
- tls.verify Off
- ...
-```
-
-in the configuration file `/etc/calico/calico-fluent-bit/calico-fluent-bit.conf`.
-
-:::note
-
-Disabling TLS verification should only be used for testing or troubleshooting.
-
-:::
-
-### No object can be associated with CSR error
-
-If a CSR is denied with the following error:
-
-```text
-invalid: no object can be associated with CSR node-certs-noncluster-host:
-```
-
-verify the following:
-
-* A corresponding host endpoint resource exists for the non-cluster host or VM.
-* The `spec.node` field in the host endpoint resource matches the non-cluster host name exactly.
-
-### Peer certificate does not have required CN
-
-If the non-cluster host fails to connect to the dedicated Typha deployment, check that the certificate Common Name (CN) values are consistent on both sides.
-
-On the non-cluster host or VM under the `/etc/calico/calico-node` folder:
-
-* In `calico-node.conf`, verify the `TyphaCN` value matches the remote Typha server certificate CN, or
-* In `calico-node.env`, verify the `FELIX_TYPHACN` value matches the remote Typha server certificate CN.
-
-On the cluster side (`calico-system/calico-typha-noncluster-host` deployment):
-
-* The `TYPHA_CLIENTCN` environment variable must match the CN used in the non-cluster node certificate.
-
-### Certificate is not renewed or updated
-
-The `calico-noncluster-host-init` process runs before the main `calico-node` service is responsible for renewing certificates that are expired or near expiry. Certificates are renewed automatically within 90 days of expiry.
-
-If you need to force immediate renewal, manually delete the existing certificate (`calico-node.crt`) and private key (`calico-node.key`) under the `/etc/calico/calico-node` folder and restart the service.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/typha-node-tls.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/typha-node-tls.mdx
deleted file mode 100644
index 184fb2dcdd..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/bare-metal/typha-node-tls.mdx
+++ /dev/null
@@ -1,64 +0,0 @@
----
-description: Configure custom TLS certificates between non-cluster Calico Enterprise nodes and Typha for clusters with strict PKI requirements.
----
-
-# Use custom certificates for Node and Typha
-
-## Big picture
-
-Provide custom TLS certificates that allow mutual TLS authentication between non-cluster Calico Node and Typha.
-
-## Value
-
-By default, non-cluster Calico Node and Typha use a self-signed Certificate Authority (CA) and automatically generated certificates for mTLS authentication. You can optionally provide your own CA and certificates (BYO certificates) for enhanced security or compliance requirements.
-
-## Before you begin
-
-Get the Certificate Authority certificate and signed certificate and key pairs for Calico Node and Typha.
-
-## How to
-
-### Create the resource file
-
-1. Package your CA certificates into a ConfigMap.
-
- Run the following command to create a ConfigMap containing your CA certificates. If you have already created the `typha-ca` ConfigMap following the steps in [Provide TLS certificates for Typha and Node](../../operations/comms/typha-node-tls.mdx), and your BYO certificates are signed by the same CA included in that ConfigMap, you can skip this step.
-
- ```bash
- kubectl create configmap typha-ca -n tigera-operator --from-file=caBundle=
- ```
-
- :::tip
-
- The `caBundle` can contain a single CA or multiple PEM blocks. It must include the CAs trusted by both Node and Typha.
-
- :::
-
-2. Create the Node TLS Secret for non-cluster hosts or VMs.
-
- This secret stores the Calico Node TLS certificate and private key, and can be accessed by hosts or VMs outside of the cluster.
-
- ```bash
- kubectl create secret tls node-certs-noncluster-host \
- -n tigera-operator \
- --cert= --key=
- ```
-
-3. Replace the Typha TLS Secret for the non-cluster Typha deployment.
-
- Update the secret used by the non-cluster Typha deployment with the appropriate TLS certificate and key.
-
- ```bash
- kubectl create secret generic typha-certs-noncluster-host \
- -n tigera-operator \
- --from-file=tls.crt= \
- --from-file=tls.key= \
- --dry-run=client -o yaml | kubectl apply -f -
- ```
-
-### Restart Calico Node service on non-cluster host or VM
-
-On each non-cluster host or VM:
-
-1. Remove any existing certificates and private keys from `/etc/calico/calico-node`.
-2. Restart the Calico Node service. The service will automatically retrieve and install the BYO certificates and private keys from the cluster.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/compatibility.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/compatibility.mdx
deleted file mode 100644
index 4e0f501d31..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/compatibility.mdx
+++ /dev/null
@@ -1,139 +0,0 @@
----
-description: Supported combinations of Calico Enterprise, Kubernetes, OpenShift, and host platforms for each Calico Enterprise release.
----
-
-# Support and compatibility
-
-## Supported platforms
-
-The following list shows the platforms supported in this release. If you're working with a version older than these, consult the [documentation archive](https://docs.tigera.io/archive) or contact Support.
-
-- [AKS](#aks)
-- [EKS](#eks)
-- [GKE](#gke)
-- [kOps on AWS](#kops-on-aws)
-- [Kubernetes-kubeadm](#kubernetes-kubeadm)
-- [MKE 4k](#mke-4k)
-- [MKE](#mke)
-- [OpenShift](#openshift)
-- [RKE](#rke)
-- [RKE2](#rke2)
-- [TKG](#tkg)
-- [Charmed Kubernetes](#charmed-kubernetes)
-
-### Supported $[prodname] features
-
-If your platform is listed below, the features in this release will work for your platform unless an individual feature topic explicitly calls out a vendor or $[prodname] limitation.
-
-Note that all Windows feature limitations are described in [Windows limitations](install-on-clusters/windows-calico/limitations.mdx), and are not called out in individual Linux topics.
-
-## AKS
-
-Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
-
-| $[prodname] version | $[prodname] support |
-| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| 3.21 to current release | - $[prodname] CNI with network policy - Azure CNI with $[prodname] network policy - Azure CNI with $[prodname] network policy |
-
-## EKS
-
-Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
-
-| $[prodname] version | $[prodname] support |
-| ----------------------- | -------------------------------------------------------------------------------------- |
-| 3.21 to current release | - $[prodname] CNI with network policy - AWS CNI with $[prodname] network policy |
-
-## GKE
-
-Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
-
-| $[prodname] version | $[prodname] support |
-| ----------------------- | ------------------------------------------ |
-| 3.21 to current release | - GKE CNI with $[prodname] network policy |
-
-## kOps on AWS
-
-| $[prodname] version | kOps and Kubernetes versions | $[prodname] support |
-| -------------------- | ---------------------------- | -------------------------------------------------------------------------------------- |
-| 3.23 | 1.33 - 1.34 | - $[prodname] CNI with network policy - AWS CNI with $[prodname] network policy |
-| 3.22 | 1.31 - 1.34 | - $[prodname] CNI with network policy - AWS CNI with $[prodname] network policy |
-| 3.21 | 1.31 - 1.32 | - $[prodname] CNI with network policy - AWS CNI with $[prodname] network policy |
-| 3.20 | 1.29 - 1.30 | - $[prodname] CNI with network policy - AWS CNI with $[prodname] network policy |
-
-## Kubernetes-kubeadm
-
-| $[prodname] version | Kubernetes/kubeadm versions | $[prodname] support |
-| -------------------- | --------------------------- | ------------------------------------ |
-| 3.23 | 1.33 - 1.35 | $[prodname] CNI with network policy |
-| 3.22 | 1.31 - 1.34 | $[prodname] CNI with network policy |
-| 3.21 | 1.31 - 1.33 | $[prodname] CNI with network policy |
-| 3.20 | 1.29 - 1.31 | $[prodname] CNI with network policy |
-
-## MKE 4k
-
-| $[prodname] version | MKE 4k version | $[prodname] support | Kubernetes versions |
-| -------------------- | ----------- | ------------------------------------ | ------------------- |
-| 3.23 | MKE 4k 4.1.2 | $[prodname] CNI with network policy | 1.32 |
-| 3.22 | MKE 4k 4.1.2 | $[prodname] CNI with network policy | 1.32 |
-
-## MKE
-
-| $[prodname] version | MKE version | $[prodname] support | Kubernetes versions |
-| -------------------- | ----------- | ------------------------------------ | ------------------- |
-| 3.23 | MKE 3.8 | $[prodname] CNI with network policy | 1.31 |
-| 3.22 | MKE 3.9 | $[prodname] CNI with network policy | 1.34 |
-| 3.22 | MKE 3.8 | $[prodname] CNI with network policy | 1.31 |
-| 3.21 | MKE 3.8 | $[prodname] CNI with network policy | 1.31 |
-| 3.20 | MKE 3.8 | $[prodname] CNI with network policy | 1.31 |
-
-## OpenShift
-
-| $[prodname] version | OpenShift versions for Kubernetes | $[prodname] support |
-| -------------------- | --------------------------------- | ------------------------------------ |
-| 3.23 | 4.18 - 4.20 | $[prodname] CNI with network policy |
-| 3.22 | 4.17 - 4.20 | $[prodname] CNI with network policy |
-| 3.21 | 4.16 - 4.18 | $[prodname] CNI with network policy |
-| 3.20 | 4.15 - 4.17 | $[prodname] CNI with network policy |
-
-## RKE
-
-| $[prodname] version | RKE version | $[prodname] support | Kubernetes versions |
-| -------------------- | ----------- | ------------------------------------ | ------------------- |
-| 3.23 | 1.8 | $[prodname] CNI with network policy | 1.32 |
-| 3.22 | 1.8 | $[prodname] CNI with network policy | 1.32 |
-| 3.21 | 1.8 | $[prodname] CNI with network policy | 1.32 |
-| 3.20 | 1.7 | $[prodname] CNI with network policy | 1.31 |
-
-## RKE2
-
-| $[prodname] version | $[prodname] support | Kubernetes versions |
-| -------------------- | ------------------------------------ | ------------------- |
-| 3.23 | $[prodname] CNI with network policy | 1.33 - 1.34 |
-| 3.22 | $[prodname] CNI with network policy | 1.31 - 1.34 |
-| 3.21 | $[prodname] CNI with network policy | 1.31 - 1.33 |
-| 3.20 | $[prodname] CNI with network policy | 1.29 - 1.31 |
-
-## TKG
-
-| $[prodname] version | TKG version | $[prodname] support | Kubernetes versions |
-| -------------------- | ----------- | ------------------------------------ | ------------------- |
-| 3.23 | 2.4 | $[prodname] CNI with network policy | 1.27 |
-| 3.22 | 2.4 | $[prodname] CNI with network policy | 1.27 |
-| 3.21 | 2.4 | $[prodname] CNI with network policy | 1.27 |
-| 3.20 | 2.4 | $[prodname] CNI with network policy | 1.27 |
-
-## Charmed Kubernetes
-
-Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
-
-| $[prodname] version | $[prodname] support |
-| ----------------------- | ----------------------------------------------------------------------------------------- |
-| 3.21 to current release | - $[prodname] CNI with network policy |
-
-## Supported browsers
-
-The following list shows the browsers supported by $[prodname] in this release.
-
-- Chrome
-- Safari
-- Firefox
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/index.mdx
deleted file mode 100644
index 2dac1e095e..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/index.mdx
+++ /dev/null
@@ -1,77 +0,0 @@
----
-description: Install Calico Enterprise on Kubernetes, OpenShift, or bare-metal hosts. Includes guidance on installing the calicoctl command-line tool.
----
-
-import { DocCardLink, DocCardLinkLayout } from '/src/___new___/components';
-
-# Install Calico Enterprise
-
-Requirements and guides for installing Calico Enterprise on Kubernetes clusters and non-cluster hosts..
-
-## Getting started
-
-
-
-
-
-
-## Installing
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Installing from a private registry
-
-
-
-
-
-
-## Installing on Windows
-
-
-
-
-
-
-
-
-
-
-
-
-## Upgrading
-
-
-
-
-
-
-
-
-
-
-
-## Non-cluster hosts
-
-
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/aks.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/aks.mdx
deleted file mode 100644
index a7a78d92a8..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/aks.mdx
+++ /dev/null
@@ -1,87 +0,0 @@
----
-description: Install Calico Enterprise on an Azure Kubernetes Service (AKS) cluster, including the steps that differ from a self-managed install.
----
-
-import InstallAKS from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallAKS';
-
-# Microsoft Azure Kubernetes Service (AKS)
-
-## Big picture
-
-Install $[prodname] on an AKS managed Kubernetes cluster.
-
-## Before you begin
-
-**CNI support**
-
-- Calico CNI for networking with $[prodname] network policy
-
- The geeky details of what you get:
-
-
-
-- Azure CNI networking with $[prodname] network policy
-
- The geeky details of what you get:
-
-
-
-- Azure CNI with overlay networking with $[prodname] network policy
-
- The geeky details of what you get:
-
-
-
-**Recommended**
-
-- Set suggested value for maximum number of pods per node
-
- It is recommended to set the maximum pods per node to be at least 60 for use with Calico Enterprise. The default value in AKS is 30. If you need to increase the number of pods per node, see [Configure maximum pods per node](https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#configure-maximum-pods-per-node).
-
-**Required**
-
-- A [compatible AKS cluster](../compatibility.mdx#aks)
-
- - To use the Calico CNI, you must configure the AKS cluster with [Bring your own CNI](https://docs.microsoft.com/en-us/azure/aks/use-byo-cni?tabs=azure-cli)
- - To use the Azure CNI, see [Azure CNI networking](https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni)
- - To use the Azure CNI with overlay networking, see [Azure CNI with Overlay](https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay)
-
-- Cluster is not using a Kubernetes reconciler
-
- If your cluster has an existing version of $[prodname] installed, verify that the cluster is not managed by any kind of Kubernetes reconciler. For example, if addon-manager exists, there will be an annotation called, `addonmanager.kubernetes.io/mode` on either of the following resources (if the resources exist):
-
- - `tigera-operator` deployment in the `tigera-operator` namespace
- - `calico-node` daemonset in the `kube-system` namespace
-
-- User account has IAM permissions
-
- Verify your user account has IAM permissions to create Kubernetes ClusterRoles, ClusterRoleBindings, Deployments, Service Accounts, and Custom Resource Definitions. The easiest way to grant permissions is to assign the "Kubernetes Service Cluster Admin Role” to your user account. For help, see [AKS access control](https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access).
-
-- Cluster meets [system requirements](requirements.mdx)
-
-- A [Tigera license key and credentials](calico-enterprise.mdx)
-
-- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-
-1. [Option A: Install with Azure CNI networking](#install-with-azure-cni-networking)
-1. [Option B: Install with Calico networking](#install-with-calico-enterprise-networking)
-1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-
-
-## Next steps
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-- [Video: Everything you need to know about Kubernetes networking on Azure](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-networking-on-azure/)
-- [Get started with Kubernetes network policy](../../network-policy/get-started/kubernetes-network-policy.mdx)
-- [Get started with $[prodname] network policy](../../network-policy/beginners/calico-network-policy.mdx)
-- [Enable default deny for Kubernetes pods](../../network-policy/beginners/kubernetes-default-deny.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/aws.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/aws.mdx
deleted file mode 100644
index 3849a49c85..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/aws.mdx
+++ /dev/null
@@ -1,155 +0,0 @@
----
-description: Install Calico Enterprise on a self-managed Kubernetes cluster provisioned with kOps on Amazon Web Services.
----
-
-# kOps on AWS
-
-## Big picture
-
-Install $[prodname] with a self-managed Kubernetes cluster using Kubernetes Operations (kOps) on AWS. kOps is a cluster management tool that provisions cluster VMs and installs Kubernetes. It is a good default choice for most because it gives you access to all $[prodname] [flexible and powerful networking features](../../networking/index.mdx). However, other options may work better for your environment.
-
-## Before you begin
-
-**CNI support**
-
-- Calico CNI for networking with $[prodname] network policy
-
- The geeky details of what you get:
-
- {' '}
-
-- AWS VPC CNI for networking with $[prodname] network policy
-
- The geeky details of what you get:
-
-
-
-**Required**
-
-- A [compatible kOps cluster](../compatibility.mdx#kops-on-aws)
-- A [Tigera license key and credentials](calico-enterprise.mdx)
-- Cluster meets [system requirements](requirements.mdx)
-- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-- [Install AWS CLI tools](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
-
-## How to
-
-Select one of the following installation paths:
-
-- [Install Calico Enterprise networking and network policy](#install-calico-enterprise-networking-and-network-policy)
-- [Install Amazon VPC networking with Calico Enterprise network policy](#install-amazon-vpc-networking-with-calico-enterprise-network-policy)
-
-### Install Calico Enterprise networking and network policy
-
-To use kOps to create a cluster with $[prodname] networking and network policy:
-
-1. [Install kOps](https://kops.sigs.k8s.io/install/) on your workstation.
-1. [Set up your environment for AWS](https://kops.sigs.k8s.io/getting_started/aws/) .
-1. Be sure to [set up an S3 state store](https://kops.sigs.k8s.io/getting_started/aws/#cluster-state-storage) and export its name:
-
- ```bash
- export KOPS_STATE_STORE=s3://
- ```
-
-1. Configure kOps to use $[prodname] for networking.
- Create a cluster with kOps using the `--networking cni` flag. For example:
-
- ```
- kops create cluster \
- --zones us-west-2a \
- --networking cni \
-
- ```
-
- :::note
-
- The name of the cluster must be chosen as a valid DNS name belonging to the root user. It can either be a subdomain of an existing domain name or a subdomain which can be configured on AWS Route 53 service.
-
- :::
-
- Or, you can add `cni` to your cluster config. Run `kops update cluster --name=` and set the following networking configuration.
-
- ```yaml
- networking:
- cni: {}
- ```
-
- :::note
-
- Setting the `--networking cni` flag delegates the installation of the CNI to the user for a later stage.
-
- :::
-
-1. The provisioned kOps cluster will assign its own set of pod network CIDR in the kube-proxy instance different than the one $[prodname] expects. To set the cluster cidr for the kube-proxy to match the one expected by $[prodname] edit the cluster config `kops edit cluster ` and add the `kubeProxy` config with the `clusterCIDR` expected by the default $[prodname] installation.
-
- ```yaml noValidation
- spec:
- ...
- kubeProxy:
- clusterCIDR: 192.168.0.0/16
- ```
-
- :::note
-
- For more advanced pod networking CIDR configuration, the requirement is to have `ipPools` CIDR set by the $[prodname] installation to match cluster CIDR set in kube-proxy. Calico's `ipPools` setting is obtainable in the Installation resource `kubectl get installation -o yaml` and can be configured by editing the operator manifest found in the [install instructions for $[prodname]](kubernetes/generic-install.mdx).
-
- :::
-
-1. The default size of the provisioned instance groups for the cluster might not be sufficient for the full installation of kubernetes and $[prodname]. To increase the size of the instance groups run `kops edit ig --name ` and edit the following fields accordingly.
-
- ```yaml noValidation
- spec:
- ...
- machineType: t3.medium
- maxSize: 1
- minSize: 1
- ```
-
- The name of the instance groups can be obtained from `kops get instancegroups --name `.
-
-1. Once your cluster has been configured run `kops update cluster --name=` to preview the changes. Then the same command with `--yes` option (ie. `kops update cluster --name= --yes`) to commit the changes to AWS to create the cluster. It may take 10 to 15 minutes for the cluster to be fully created.
-
- :::note
-
- Once the cluster has been created, the `kubectl` command should be pointing to the newly created cluster. By default `kops>=1.19` does not update `kubeconfig` to include the cluster certificates, accesses to the cluster through `kubectl` must be configured.
-
- :::
-
-1. Validate that nodes are created.
-
- ```bash
- kubectl get nodes
- ```
-
- The above should return the status of the nodes in the `Not Ready` state.
-
-1. kOps does not install any CNI when the flag `--networking cni` or `spec.networking: cni {}` is used. In this case the user is expected to install the CNI separately.
- To Install $[prodname] follow the [install instructions for $[prodname]](kubernetes/generic-install.mdx).
-
-1. Finally, to delete your cluster once finished, run `kops delete cluster --yes`.
-
-You can further customize the $[prodname] install with [options listed in the kOps documentation](https://kops.sigs.k8s.io/networking/#calico-example-for-cni-and-network-policy).
-
-### Install Amazon VPC networking with Calico Enterprise network policy
-
-You can use Amazon’s VPC CNI plugin for networking, and $[prodname] for network policy. The advantage of this approach is that pods are assigned IP addresses associated with Elastic Network Interfaces on worker nodes. The IPs come from the VPC network pool, and therefore do not require NAT to access resources outside the Kubernetes cluster.
-
-Set your kOps cluster configuration to:
-
-```yaml
-networking:
- amazonvpc: {}
-```
-
-After the cluster is up and ready, [Install $[prodname]](kubernetes/generic-install.mdx).
-
-## Next steps
-
-- [Video: Everything you need to know about Kubernetes pod networking on AWS](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-pod-networking-on-aws/)
-- [Try out $[prodname] network policy](../../network-policy/beginners/calico-network-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/calico-enterprise.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/calico-enterprise.mdx
deleted file mode 100644
index 00ad94b21f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/calico-enterprise.mdx
+++ /dev/null
@@ -1,42 +0,0 @@
----
-description: How to obtain a Calico Enterprise license file before starting an installation.
----
-
-# Get a license
-
-## Get private registry credentials and license key
-
-Contact your Tigera support representative and get the following files:
-
-**Private registry credentials**
-
-Get the Docker configuration file, (`config.json`) that contains a robot account token to retrieve the $[prodname] images from the private Tigera repository. For example:
-
-```json
-{
- "auths": {
- "quay.io": {
- "auth": "",
- "email": ""
- }
- }
-}
-```
-
-**License key**
-
-Get a license key file, `-license.yaml`. For example:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: LicenseKey
-metadata:
- creationTimestamp: null
- name: default
-spec:
- certificate: |
- -----BEGIN CERTIFICATE-----
- MII...n5
- -----END CERTIFICATE-----
- token: eyJ...zaQ
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/charmed-k8s.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/charmed-k8s.mdx
deleted file mode 100644
index a3a46f6fff..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/charmed-k8s.mdx
+++ /dev/null
@@ -1,383 +0,0 @@
----
-description: Install Calico Enterprise on a Canonical Charmed Kubernetes cluster.
-title: Charmed Kubernetes
----
-
-import InstallGeneric from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric';
-import Admonition from '@theme/Admonition';
-
-# Install $[prodname] on a Charmed Kubernetes cluster
-
-This guide describes how to install $[prodname] on a Charmed Kubernetes cluster.
-
-## Before you begin
-
-**CNI support**
-
-- Calico CNI for networking with $[prodname] network policy
-
- The geeky details of what you get by default:
-
-
-
-**Required**
-
-- Your cluster meets the [system requirements](requirements.mdx)
-- A [compatible Charmed Kubernetes cluster](../compatibility.mdx#charmed-kubernetes)
-- A [compatible Charmed Kubernetes bundle](https://github.com/charmed-kubernetes/bundle/tree/main/releases) configured without a CNI
-- A [Tigera license key and credentials](calico-enterprise.mdx)
-- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your workstation
-- [Install juju](https://documentation.ubuntu.com/juju/latest/howto/manage-juju/) on your workstation (if managing the cluster directly)
-
-## Prepare a compatible cluster for $[prodname] using a modified bundle file
-
-For the best results, you should create a new Charmed Kubernetes cluster without a CNI, and then install $[prodname] on that cluster.
-This ensures proper configuration and compatibility for a smooth installation process.
-
-By default, Charmed Kubernetes clusters include a managed version of Calico Open Source.
-Migrating from this managed version of Calico Open Source to Calico Enterprise is not supported.
-
-To create a Charmed Kubernetes cluster without a CNI, you can customize your deployment by using a bundle overlay file.
-See the [Charmed Kubernetes documentation](https://ubuntu.com/kubernetes/charmed-k8s/docs/install-manual#editing-a-bundle) for more information on this installation method.
-
-1. Copy one of the default bundle files located in [Charmed Kubernetes GitHub Releases](https://github.com/charmed-kubernetes/bundle/tree/main/releases).
-
- For example, to get the default bundle for the v1.33 charmed kubernetes release:
-
- ```bash
- curl -o charmed-kubernetes-bundle.yaml -L https://raw.githubusercontent.com/charmed-kubernetes/bundle/refs/heads/main/releases/1.33/bundle.yaml
- ```
-
-
-
- Example of default Charmed Kubernetes bundle file
-
- An example of a default bundle file with the `calico` charm:
- ```yaml
- description: A highly-available, production-grade Kubernetes cluster.
- docs: https://discourse.charmhub.io/t/charmed-kubernetes-bundle/14447
- issues: https://bugs.launchpad.net/charmed-kubernetes-bundles
- series: noble
- source: https://github.com/charmed-kubernetes/bundle
- website: https://ubuntu.com/kubernetes/charmed-k8s
- name: charmed-kubernetes
- applications:
- // highlight-start
- calico:
- annotations:
- gui-x: '475'
- gui-y: '605'
- channel: 1.33/stable
- charm: calico
- options:
- vxlan: Always
- // highlight-end
- containerd:
- annotations:
- gui-x: '475'
- gui-y: '800'
- channel: 1.33/stable
- charm: containerd
- easyrsa:
- annotations:
- gui-x: '90'
- gui-y: '420'
- channel: 1.33/stable
- charm: easyrsa
- constraints: cores=1 mem=4G root-disk=16G
- num_units: 1
- etcd:
- annotations:
- gui-x: '800'
- gui-y: '420'
- channel: 1.33/stable
- charm: etcd
- constraints: cores=2 mem=8G root-disk=16G
- num_units: 3
- options:
- channel: 3.4/stable
- kubeapi-load-balancer:
- annotations:
- gui-x: '450'
- gui-y: '250'
- channel: 1.33/stable
- charm: kubeapi-load-balancer
- constraints: cores=1 mem=4G root-disk=16G
- expose: true
- num_units: 1
- kubernetes-control-plane:
- annotations:
- gui-x: '800'
- gui-y: '850'
- channel: 1.33/stable
- charm: kubernetes-control-plane
- constraints: cores=2 mem=8G root-disk=16G
- num_units: 2
- options:
- channel: 1.33/stable
- kubernetes-worker:
- annotations:
- gui-x: '90'
- gui-y: '850'
- channel: 1.33/stable
- charm: kubernetes-worker
- constraints: cores=2 mem=8G root-disk=16G
- expose: true
- num_units: 3
- options:
- channel: 1.33/stable
- relations:
- - - kubernetes-control-plane:loadbalancer-external
- - kubeapi-load-balancer:lb-consumers
- - - kubernetes-control-plane:loadbalancer-internal
- - kubeapi-load-balancer:lb-consumers
- - - kubernetes-control-plane:kube-control
- - kubernetes-worker:kube-control
- - - kubernetes-control-plane:certificates
- - easyrsa:client
- - - etcd:certificates
- - easyrsa:client
- - - kubernetes-control-plane:etcd
- - etcd:db
- - - kubernetes-worker:certificates
- - easyrsa:client
- - - kubeapi-load-balancer:certificates
- - easyrsa:client
- // highlight-start
- - - calico:etcd
- - etcd:db
- - - calico:cni
- - kubernetes-control-plane:cni
- - - calico:cni
- - kubernetes-worker:cni
- // highlight-end
- - - containerd:containerd
- - kubernetes-worker:container-runtime
- - - containerd:containerd
- - kubernetes-control-plane:container-runtime
- ```
-
-
-
-1. Remove all references to the `calico` charm from the bundle file:
-
- 1. Remove the calico application from the `applications` section.
- ```yaml title="Default text to be removed"
- calico:
- annotations:
- gui-x: '475'
- gui-y: '605'
- channel: 1.33/stable
- charm: calico
- options:
- vxlan: Always
- ```
- 1. Remove all calico relations from the `relations` section.
- ```yaml title="Default text to be removed"
- - - calico:etcd
- - etcd:db
- - - calico:cni
- - kubernetes-control-plane:cni
- - - calico:cni
- - kubernetes-worker:cni
- ```
-
- Your default bundle file should now look like this:
-
-
-
- Example of modified Charmed Kubernetes bundle (no CNI)
-
- An example of a default bundle file with the `calico` charm:
- ```yaml
- description: A highly-available, production-grade Kubernetes cluster.
- docs: https://discourse.charmhub.io/t/charmed-kubernetes-bundle/14447
- issues: https://bugs.launchpad.net/charmed-kubernetes-bundles
- series: noble
- source: https://github.com/charmed-kubernetes/bundle
- website: https://ubuntu.com/kubernetes/charmed-k8s
- name: charmed-kubernetes
- applications:
- containerd:
- annotations:
- gui-x: '475'
- gui-y: '800'
- channel: 1.33/stable
- charm: containerd
- easyrsa:
- annotations:
- gui-x: '90'
- gui-y: '420'
- channel: 1.33/stable
- charm: easyrsa
- constraints: cores=1 mem=4G root-disk=16G
- num_units: 1
- etcd:
- annotations:
- gui-x: '800'
- gui-y: '420'
- channel: 1.33/stable
- charm: etcd
- constraints: cores=2 mem=8G root-disk=16G
- num_units: 3
- options:
- channel: 3.4/stable
- kubeapi-load-balancer:
- annotations:
- gui-x: '450'
- gui-y: '250'
- channel: 1.33/stable
- charm: kubeapi-load-balancer
- constraints: cores=1 mem=4G root-disk=16G
- expose: true
- num_units: 1
- kubernetes-control-plane:
- annotations:
- gui-x: '800'
- gui-y: '850'
- channel: 1.33/stable
- charm: kubernetes-control-plane
- constraints: cores=2 mem=8G root-disk=16G
- num_units: 2
- options:
- channel: 1.33/stable
- kubernetes-worker:
- annotations:
- gui-x: '90'
- gui-y: '850'
- channel: 1.33/stable
- charm: kubernetes-worker
- constraints: cores=2 mem=8G root-disk=16G
- expose: true
- num_units: 3
- options:
- channel: 1.33/stable
- relations:
- - - kubernetes-control-plane:loadbalancer-external
- - kubeapi-load-balancer:lb-consumers
- - - kubernetes-control-plane:loadbalancer-internal
- - kubeapi-load-balancer:lb-consumers
- - - kubernetes-control-plane:kube-control
- - kubernetes-worker:kube-control
- - - kubernetes-control-plane:certificates
- - easyrsa:client
- - - etcd:certificates
- - easyrsa:client
- - - kubernetes-control-plane:etcd
- - etcd:db
- - - kubernetes-worker:certificates
- - easyrsa:client
- - - kubeapi-load-balancer:certificates
- - easyrsa:client
- - - calico:etcd
- - etcd:db
- - - containerd:containerd
- - kubernetes-worker:container-runtime
- - - containerd:containerd
- - kubernetes-control-plane:container-runtime
- ```
-
-
-## Set up Juju and deploy a cluster without a CNI
-
-1. Configure juju with a default credential by adding a new credential or using an existing credential:
- ```
- juju add-credential
- ```
-
-1. Create the controller with a unique name and use the credential created in Step 1:
- ```
- juju bootstrap --credential
- ```
-
-1. Create the model with a unique name:
- ```
- juju add-model
- ```
-
-1. Create the Charmed Kubernetes cluster by specifying the modified bundle file::
- ```
- juju deploy ./charmed-kubernetes-bundle.yaml
- ```
-
-1. If you notice that the `kubernetes-control-plane` and `kubernetes-worker` are in waiting status due to missing CNI, this can be prevented by setting `ignore-missing-cni=true` in the `kubernetes-control-plane` and `kubernetes-worker` charms by running:
- ```bash
- juju config kubernetes-control-plane ignore-missing-cni=true
- juju config kubernetes-worker ignore-missing-cni=true
- ```
-
- :::note
- The `ignore-missing-cni=true` configuration allows the `kubernetes-control-plane` and `kubernetes-worker` charms to be ready without waiting for a CNI plugin to be installed since $[prodname] will provide its own.
- :::
-
-1. To allow setup of the CNI to be taken care of by $[prodname], the `kubernetes-control-plane` charm also needs to allow privileged pods by running:
- ```bash
- juju config kubernetes-control-plane allow-privileged=true
- ```
-
- :::note
- The `allow-privileged=true` configuration enables privileged containers which are required to let $[prodname] setup the CNI by deploying its own calico-node daemonset.
- :::
-
-1. Ensure the applications and units are active in the model by running:
- ```bash
- juju status
- ```
- The charmed kubernetes cluster should be healthy within an hour.
-
- :::note
- It is expected that the `kubernetes-control-plane` application should be in waiting status because it is waiting for kube-system pods to start. All other statuses should be active before proceeding to install $[prodname]. Example status:
- ```
- App Version Status Scale Charm Channel Rev Exposed Message
- containerd 1.6.38 active 5 containerd 1.33/stable 90 no Container runtime available
- easyrsa v3.0.9 active 1 easyrsa 1.33/stable 74 no Certificate Authority connected.
- etcd 3.4.37 active 3 etcd 1.33/stable 788 no Healthy with 3 known peers
- kubeapi-load-balancer 1.18.0 active 1 kubeapi-load-balancer 1.33/stable 196 yes Ready
- kubernetes-control-plane 1.33.x waiting 2 kubernetes-control-plane 1.33/stable 652 no Waiting for 3 kube-system pods to start
- kubernetes-worker 1.33.x active 3 kubernetes-worker 1.33/stable 369 yes Ready
- ```
- :::
-
-1. Ensure the Charmed Kubernetes model and its applications are stable by running:
- ```bash
- juju wait-for model --query='life=="alive" && status=="available"'
- ```
-
-1. Ensure the Charmed Kubernetes applications are stable by running:
- ```bash
- applications=("easyrsa" "containerd" "etcd" "kubernetes-worker" "kubeapi-load-balancer")
- for i in "${!applications[@]}"; do
- app="${applications[$i]}";
- juju wait-for application $app;
- done
- ```
-
-1. Get the kubeconfig from the `kubernetes-control-plane` application by running:
- ```bash
- juju scp kubernetes-control-plane/0:config kubeconfig
- ```
-
-## Install $[prodname]
-
-:::caution
-For Charmed Kubernetes clusters, you cannot use AWS EBS storage classes. You must configure an alternative storage solution such as local storage or another compatible storage provider.
-:::
-
-
-
-## Next steps
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-- [Get started with Kubernetes network policy](../../network-policy/get-started/kubernetes-network-policy.mdx)
-- [Get started with $[prodname] network policy](../../network-policy/beginners/calico-network-policy.mdx)
-- [Enable default deny for Kubernetes pods](../../network-policy/beginners/kubernetes-default-deny.mdx)
-
-**Additional resources**
-
-- [Charmed Kubernetes documentation](https://ubuntu.com/kubernetes/charmed-k8s/docs/install-manual)
-- [Charmed Kubernetes quickstart](https://ubuntu.com/kubernetes/charmed-k8s/docs/quickstart)
-- [Juju documentation](https://juju.is/docs)
-- [Canonical Kubernetes operations](https://ubuntu.com/kubernetes/docs)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/docker-enterprise.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/docker-enterprise.mdx
deleted file mode 100644
index 3d381e1f9a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/docker-enterprise.mdx
+++ /dev/null
@@ -1,143 +0,0 @@
----
-description: Install Calico Enterprise on a Mirantis Kubernetes Engine (MKE) 3 cluster.
----
-
-# Mirantis Kubernetes Engine (MKE 3)
-
-## Big picture
-
-Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).
-
-## Before you begin
-
-**CNI support**
-
-Calico CNI for networking with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with:
-
- - A minimum of three nodes for non-production deployments
- - CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin
-
- For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html)
-
-- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands.
- For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html).
-- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster.
- This can be done by executing the following command.
- Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call.
-
- ```bash
- curl -k -H "Authorization: Bearer " -X PUT https:///collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
- ```
- Replace the following:
- * ``: The value of bearer admin token.
- * ``: The public IP for any manager node in the cluster.
-
-- Cluster meets [system requirements](requirements.mdx)
-
-- A [Tigera license key and credentials](calico-enterprise.mdx)
-
-- Install [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-
-## How to
-
-- [Install $[prodname]](#install-calico-enterprise)
-- [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-### Install $[prodname]
-
-1. [Configure a storage class for $[prodname]](../../operations/logstorage/create-storage.mdx).
-
-1. Configure Tigera Operator and Calico CNI plugin role bindings for Docker EE.
-
- ```bash
- kubectl create clusterrolebinding tigera-operator-cluster-admin -n tigera-operator \
- --clusterrole cluster-admin --serviceaccount tigera-operator:tigera-operator
- kubectl create clusterrolebinding calico-cni-plugin-cluster-admin -n calico-system \
- --clusterrole cluster-admin --serviceaccount calico-system:calico-cni-plugin
- ```
-
-1. Install the Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/tigera-operator.yaml
- ```
-
-1. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor $[prodname] metrics.
-
- :::note
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with $[prodname], your Prometheus operator must be v0.40.0 or higher.
-
- :::
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/tigera-prometheus-operator.yaml
- ```
-
-1. Install your pull secret.
-
- If pulling images directly from `quay.io/tigera`, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
-
- ```bash
- kubectl create secret generic tigera-pull-secret \
- --type=kubernetes.io/dockerconfigjson -n tigera-operator \
- --from-file=.dockerconfigjson=
- ```
-
-1. Install any extra [$[prodname] resources](../../reference/resources/index.mdx) needed at cluster start using [calicoctl](../../reference/clis/calicoctl/overview.mdx).
-
-1. Install the Tigera custom resources. For more information on configuration options available in this manifest, see [the installation reference](../../reference/installation/api.mdx).
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/custom-resources.yaml
- ```
-
- Monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
- Wait until the `apiserver` shows a status of `Available`, then proceed to the next section.
-
-### Install the $[prodname] license
-
-To use $[prodname], you must install the license provided to you by Tigera.
-
-```bash
-kubectl create -f
-```
-
-Monitor progress with the following command:
-
-```bash
-watch kubectl get tigerastatus
-```
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../operations/cnx/authentication-quickstart.mdx)
-- [Configure an external identity provider](../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP-in-IP with BGP routing. For all networking options, see [Determine best networking option](../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/eks.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/eks.mdx
deleted file mode 100644
index bf62ed23e8..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/eks.mdx
+++ /dev/null
@@ -1,59 +0,0 @@
----
-description: Install the full Calico Enterprise stack — including observability, threat defense, and tiered policy — on an Amazon EKS cluster.
----
-
-import InstallEKS from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallEKS';
-
-# Amazon Elastic Kubernetes Service (EKS)
-
-## Big picture
-
-Install $[prodname] on an EKS managed Kubernetes cluster.
-
-## Before you begin
-
-**CNI support**
-
-- Calico CNI for networking with $[prodname] network policy
-
- The geeky details of what you get by default:
-
-
-
-- AWS CNI networking with $[prodname] network policy
-
- The geeky details of what you get by default:
-
-
-
-**Required**
-
-* You have a [compatible EKS cluster](../compatibility.mdx#eks).
-* Your cluster meets the [system requirements](requirements.mdx).
-* You [disabled network policy for the AWS VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/network-policy-disable.html).
-* You have a [Tigera license key and credentials](calico-enterprise.mdx).
-* You [installed kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your workstation.
-
-## How to
-
-1. [Option A: Install with Amazon VPC networking](#install-eks-with-amazon-vpc-networking)
-1. [Option B: Install with Calico CNI networking](#install-eks-with-calico-networking)
-1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-
-
-## Next steps
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-
-**Recommended**
-
-- [Video: Everything you need to know about Kubernetes pod networking on AWS](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-pod-networking-on-aws/)
-- [Get started with $[prodname] network policy](../../network-policy/beginners/calico-network-policy.mdx)
-- [Enable default deny for Kubernetes pods](../../network-policy/beginners/kubernetes-default-deny.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/gke.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/gke.mdx
deleted file mode 100644
index 30009147f2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/gke.mdx
+++ /dev/null
@@ -1,69 +0,0 @@
----
-description: Install the full Calico Enterprise stack — including observability, threat defense, and tiered policy — on a Google Kubernetes Engine (GKE) cluster.
----
-
-import InstallGKE from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGKE';
-
-# Google Kubernetes Engine (GKE)
-
-## Big picture
-
-Install $[prodname] on a GKE managed Kubernetes cluster.
-
-{/* CE supports only GKE CNI, even though OS/Calico supports Calico CNI. Verified with Shaun, Casey, and Sujeet in 3.15. So docs will continue to be misaligned so be careful during merges. Note that OS support of Calico CNI is only in v1 of the data plane; in v2, Cilium is the supported CNI. Another misalignment is that CE install docs list all platforms supported; OS/Calico lists of supported CNIs based on an opinionated view. */}
-
-## Before you begin
-
-**CNI support**
-
-GKE CNI with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-- A [compatible GKE cluster](../compatibility.mdx#gke)
-
-- Cluster has these Networking settings:
-
- - Intranode visibility is enabled
- - Network policy is disabled
- - Dataplane V2 is disabled
- - GKE control plane access to TCP ports 5443, 8080 and 9090
- The GKE control plane must be able to access the $[prodname] API server which runs with pod networking on TCP ports 5443 and 8080, and the $[prodname] Prometheus server which runs with pod networking on TCP port 9090. For multi-zone clusters and clusters with the "master IP range" configured, you will need to add a GCP firewall rule to allow access to those ports from the control plane nodes.
-
-- User account has IAM permissions
-
- Verify your user account has IAM permissions to create Kubernetes ClusterRoles, ClusterRoleBindings, Deployments, Service Accounts, and Custom Resource Definitions. The easiest way to grant permissions is to assign the "Kubernetes Service Cluster Admin Role” to your user account. For help, see [GKE access control](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
-
- :::note
-
- By default, GCP users often have permissions to create basic Kubernetes resources (such as Pods and Services) but lack the permissions to create ClusterRoles and other admin resources. Even if you can create basic resources, it's worth verifying that you can create admin resources before continuing.
-
- :::
-
-- Cluster meets [system requirements](requirements.mdx)
-
-- A [Tigera license key and credentials](calico-enterprise.mdx#get-private-registry-credentials-and-license-key)
-
-- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-
-## How to
-
-1. [Install $[prodname]](#install-calico-enterprise)
-1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-
-
-## Next steps
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-- [Video: Everything you need to know about Kubernetes networking on Google cloud](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-networking-on-google-cloud/)
-- [Get started with Kubernetes network policy](../../network-policy/get-started/kubernetes-network-policy.mdx)
-- [Get started with $[prodname] network policy](../../network-policy/beginners/calico-network-policy.mdx)
-- [Enable default deny for Kubernetes pods](../../network-policy/beginners/kubernetes-default-deny.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/index.mdx
deleted file mode 100644
index 9bc11efdcd..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Pick an installation path for Calico Enterprise on a Kubernetes or OpenShift cluster — covers managed cloud, self-managed, and air-gapped scenarios.
-hide_table_of_contents: true
----
-
-# Install on clusters
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/generic-install.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/generic-install.mdx
deleted file mode 100644
index da0fcbfb49..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/generic-install.mdx
+++ /dev/null
@@ -1,53 +0,0 @@
----
-description: Install Calico Enterprise on a kubeadm-provisioned Kubernetes cluster running on-premises hardware or VMs.
----
-
-import InstallGeneric from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric';
-
-# Standard
-
-## Big picture
-
-Install $[prodname] on a deployed Kubernetes/kubeadm cluster for on-premises deployments.
-
-## Before you begin
-
-**CNI support**
-
-Calico CNI for networking with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-- A [compatible Kubernetes cluster](../../compatibility.mdx#kubernetes-kubeadm)
-- Cluster meets [system requirements](../requirements.mdx)
-- A [Tigera license key and credentials](../calico-enterprise.mdx)
-
-## How to
-
-- [Install $[prodname]](#install-calico-enterprise)
-- [Install $[prodname] license](#install-calico-enterprise-license)
-
-
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/helm.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/helm.mdx
deleted file mode 100644
index b292e3aeb9..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/helm.mdx
+++ /dev/null
@@ -1,139 +0,0 @@
----
-description: Install Calico Enterprise on a Kubernetes cluster using the Helm 3 package manager.
----
-
-# Helm
-
-import CodeBlock from '@theme/CodeBlock';
-
-## Big picture
-
-Install $[prodname] on a Kubernetes cluster using Helm 3.
-
-## Value
-
-Helm charts are a way to package up an application for Kubernetes (similar to `apt` or `yum` for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.
-
-## Before you begin
-
-**Required**
-
-- Install Helm 3
-- `kubeconfig` is configured to work with your cluster (check by running `kubectl get nodes`)
-- [Credentials for the Tigera private registry and a license key](../calico-enterprise.mdx)
-
-## Concepts
-
-### Operator based installation
-
-In this guide, you install the Tigera Calico operator and custom resource definitions using the Helm 3 chart. The Tigera Operator provides lifecycle management for $[prodname] exposed via the Kubernetes API defined as a custom resource definition.
-
-## How to
-
-### Download the Helm chart
-
-```bash
-helm repo add tigera-ee https://downloads.tigera.io/ee/charts
-helm repo update
-helm pull tigera-ee/tigera-operator --version $[releaseTitle]
-```
-
-### Prepare the Installation Configuration
-
-You **must** provide the desired configuration for your cluster via the `values.yaml`, otherwise installation will use the default settings based on the auto-detected provider.
-The configurations you need to provide depends on your cluster's settings and your desired state.
-
-Some important configurations you might need to provide to the installer (via `values.yaml`) includes (but not limited to): _kubernetesProvider_, _cni type_, or if you need to customize _TLS certificates_.
-
-Here are some examples for updating `values.yaml` with your configurations:
-
-Example 1. Providing `kubernetesProvider`: if you are installing on a cluster installed by EKS, set the `kubernetesProvider` as described in the [Installation reference](../../../reference/installation/api.mdx#provider)
-
- ```bash
- echo '{ installation: {kubernetesProvider: EKS }}' > values.yaml
- ```
-
-Example 2. Providing custom settings in `values.yaml` for Azure AKS cluster with no Kubernetes CNI pre-installed:
-
- ```bash
- cat > values.yaml <
- {'$[version]' === 'master'
- ? (
- `helm show values ./tigera-operator-v0.0.tgz >values.yaml`
- )
- : (
- `helm show values ./tigera-operator-$[chart_version_name].tgz >values.yaml`
- )
- }
-
-
-1. Install the Tigera Operator and custom resource definitions using the Helm 3 chart:
-
- ```bash
- helm install $[prodnamedash] tigera-operator-$[chart_version_name].tgz \
- --set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \
- --set-file licenseKeyContent= \
- --namespace tigera-operator --create-namespace
- ```
-
- or if you created a `values.yaml` above:
-
- ```bash
- helm install $[prodnamedash] tigera-operator-$[chart_version_name].tgz -f values.yaml \
- --set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \
- --set-file licenseKeyContent= \
- --namespace tigera-operator --create-namespace
- ```
-1. You can now monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
- Congratulations! You have now installed $[prodname] using the Helm 3 chart.
-
-## Next steps
-
-**Multicluster Management**
-
-- [Create a $[prodname] management cluster](../../../multicluster/set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx)
-- [Create a $[prodname] managed cluster](../../../multicluster/set-up-multi-cluster-management/standard-install/create-a-managed-cluster.mdx)
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking is IP in IP encapsulation using BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/index.mdx
deleted file mode 100644
index 4794780ae6..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Pick a Kubernetes installation path for Calico Enterprise — covers Helm, kubeadm, and the API-driven Installation resource.
-hide_table_of_contents: true
----
-
-# Kubernetes
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/options-install.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/options-install.mdx
deleted file mode 100644
index f012dafcb2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/options-install.mdx
+++ /dev/null
@@ -1,124 +0,0 @@
----
-description: Customize a Calico Enterprise installation by editing the Installation resource — IP pools, MTU, registries, BGP, and operator behavior.
----
-
-# Options for installing Calico Enterprise
-
-import DefaultInstall from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/content/_default-install.mdx';
-
-## Big picture
-
-Understand the options for installing $[prodname].
-
-## Value
-
-Determine the right install method for your deployment, how to customize your installation configuration, and explains concepts important for integrating $[prodname] into your configuration management.
-
-## Concepts
-
-### API-driven installation
-
-The Tigera Operator APIs (**operator.tigera.io**), let you define a $[prodname] cluster using declarative states. The APIs in the operator.tigera.io group define the desired state for your installation, and provide status reporting and visibility into the health of $[prodname]. The Tigera Operator makes sure the cluster’s state matches your desired state. These APIs can be configured at install-time, and can also be modified on a running cluster to adjust configuration.
-
-### Available APIs
-
-Each API in the operator.tigera.io API group configures the installation of a different $[prodname] subsystem. The resources that you deploy and the settings you choose for each, depends on your cluster(s). For a detailed look at the available APIs, see the [installation API reference](../../../reference/installation/api.mdx).
-
-| **Resource** | **Description** |
-| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| **Installation** | The foundation of every deployment is the **Installation** resource. It deploys core networking and network policy enforcement features to the cluster, and is required for all other resources to function. |
-| **APIServer** | Installs the Tigera API server, which enables access to the full set of [$[prodname] APIs](../../../reference/installation/api.mdx). |
-| **LogStorage** | Configures installation of storage for $[prodname] flow and DNS logs. |
-| **LogCollector** | Configures collection of those logs from the cluster, including optional configuration to backup logs in additional stores. |
-| **IntrusionDetection** | Configures the $[prodname] intrusion detection feature. |
-| **Manager** | Installs the $[prodname] web console. |
-| **ManagementClusterConnection** | Configures a connection to the management cluster for managed clusters. |
-| **TigeraStatus** | Displays conditions for a component (available, progressing, or degraded). |
-| **Compliance** | Configures the $[prodname] compliance reporting feature (Optional). For managed clusters, ensure compliance reporting is enabled first on the management cluster. |
-| **PacketCaptureAPI** | Configures the $[prodname] packet capture feature (Optional). |
-
-### Additional configuration
-
-In addition to the above APIs, some product features are configured through additional Kubernetes Secrets and Kubernetes ConfigMaps. For details, see the relevant documentation for each feature.
-
-### Customize over time
-
-The out-of-the-box $[prodname] installation gives you a working cluster with reasonable defaults with minimal post-installation tasks.
-
-
-
-You do not have to customize everything during initial install. As you progress through each stage of implementing $[prodname] leading to production (following diagram), you will gradually customize $[prodname] resources and automate cluster deployment. For example, when you move to **2 - Pre-production**, you may switch from standalone clusters (default) to multi-cluster management for centralization and scaling.
-
-
-
-### API-driven installation options
-
-For most users, we recommend the standard installation, which uses a Kubernetes operator to guide and manage the installation.
-For exceptional circumstances, $[prodname] components can be installed using the following methods:
-
-**Install directly on non-cluster hosts**
-
-Although $[prodname] requires a Kubernetes control plane to function, you may want to install the node components on [non-cluster hosts](../../bare-metal/index.mdx) to consistently secure all of your infrastructure.
-
-**Install on Kubernetes using Helm**
-
-If your deployment requires Helm charts, we provide a Helm chart that installs $[prodname] using the Tigera Operator. The Helm `values.yaml` includes sections that correspond directly to the operator.tigera.io APIs for installing the product. In the following example, the installation value is piped into the **spec** field of the **installation API**.
-
-**values.yaml**
-
-```yaml
-installation:
- variant: TigeraSecureEnterprise
- registry: gcr.io/mycorp
-```
-
-**installation.yaml**
-
-```yaml
-apiVersion: operator.tigera.io/v1
-kind: Installation
-metadata:
- name: default
-spec:
- variant: TigeraSecureEnterprise
- registry: gcr.io/mycorp
-```
-
-### Installation steps
-
-The following table shows the conceptual stages of a $[prodname] install.
-
-:::note
-
-Details in the following steps will vary for platforms; for example, OpenShift automatically orchestrates the execution of the steps through tooling.
-
-:::
-
-| **Steps** | **Resources/files/APIs** |
-| --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| 1 - Install the necessary APIs using CustomResourceDefinitions, and install the necessary operators | This step installs CustomResourceDefinitions (CRDs) into the cluster to enable the necessary API endpoints in the Kubernetes API server. It also installs the Tigera Operator and the Prometheus operator which implements those APIs.
**Tip**: For most platforms, this step is accomplished by installing `tigera-operator.yaml`. However, note that OpenShift requires all resources to be in their own file, and so `tigera-operator.yaml` is split among many files for OpenShift installs. |
-| 2 - Install any required $[prodname] resources | Depending on your cluster, you may want to configure certain features of $[prodname] at install-time. For example, you may require cluster-specific BGP configurations. You can create any install-time configuration using `calicoctl`.
**Tip**: On OpenShift clusters, this is done automatically by placing configuration in a Kubernetes ConfigMap. |
-| 3 - Install $[prodname] | Install $[prodname] by creating instances of the **operator.tigera.io** resources discussed above. The Tigera Operator reads this configuration and installs the necessary components, verifying that everything is working along the way. |
-
-## Frequently asked questions
-
-**Are new $[prodname] features always delivered in major or minor release of the Tigera Operator?**
-
-Usually, but not always. Sometimes new features are delivered in a patch version of the Tigera Operator.
-
-**How do I find the version of the Tigera Operator for troubleshooting?**
-
-```bash
-kubectl exec -n tigera-operator -l name=tigera-operator -- operator --version
-```
-
-**Which CLI do I use to customize and configure $[prodname]?**
-
-You can use `kubectl` for all resources in the operator.tigera.io/v1 API group.
-
-For projectcalico.org/v3 APIs, you can use `kubectl` as long as the Tigera API server is running. Before the Tigera API server is running (for example, during product installation), you must use `calicoctl` to configure these APIs.
-
-## Next steps
-
-- To get started with installation, see [Install on clusters](../../install-on-clusters/index.mdx)
-- To upgrade from a non-operator installation method, see [Upgrade](../../upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/operator.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/quickstart.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/quickstart.mdx
deleted file mode 100644
index 07094257fa..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/kubernetes/quickstart.mdx
+++ /dev/null
@@ -1,192 +0,0 @@
----
-description: Stand up Calico Enterprise on a single-host Kubernetes cluster in about an hour for testing, demos, or development — not intended for production.
----
-
-# Quickstart for Calico Enterprise on Kubernetes
-
-## Big picture
-
-Install $[prodname] on a single-host Kubernetes cluster in approximately 15 minutes.
-
-To deploy a cluster suitable for production, see [$[prodname] on Kubernetes](../kubernetes/index.mdx).
-
-## Before you begin
-
-**CNI support**
-
-Calico CNI for networking with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-A Linux host that meets the following requirements.
-
-- x86-64
-- 2CPU
-- 12GB RAM
-- 50GB free disk space
-- Ubuntu Server 18.04
-- Internet access
-- [Sufficient virtual memory](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
-
-## How to
-
-- [Install Kubernetes](#install-kubernetes)
-- [Install $[prodname]](#install-calico-enterprise)
-- [Install the $[prodname] license](#install-the-calico-enterprise-license)
-- [Log in to the $[prodname] web console](#log-in-to-calico-enterprise-manager)
-
-### Install Kubernetes
-
-1. [Follow the Kubernetes instructions to install kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/). For a compatible version for this release, see [Support and compatibility](../../compatibility.mdx#kubernetes-kubeadm).
-
- :::note
-
- After installing kubeadm, do not power down or restart
- the host. Instead, continue directly to the next step.
-
- :::
-
-1. As a regular user with sudo privileges, open a terminal on the host that you installed kubeadm on.
-
-1. Initialize the control plane using the following command.
-
- ```bash
- sudo kubeadm init --pod-network-cidr=192.168.0.0/16 \
- --apiserver-cert-extra-sans=127.0.0.1
- ```
-
- :::note
-
- If 192.168.0.0/16 is already in use within your network you must select a different pod network
- CIDR, replacing 192.168.0.0/16 in the above command.
-
- :::
-
-1. Execute the following commands to configure kubectl (also returned by `kubeadm init`).
-
- ```bash
- mkdir -p $HOME/.kube
- sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
- sudo chown $(id -u):$(id -g) $HOME/.kube/config
- ```
-
-1. Remove the taint from the control plane to allow Kubernetes to schedule pods on the control plane node.
-
- ```bash
- kubectl taint nodes --all node-role.kubernetes.io/control-plane-
- ```
-
-### Install $[prodname]
-
-1. [Configure a storage class for $[prodname].](../../../operations/logstorage/create-storage.mdx)
-
-1. Install the Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/tigera-operator.yaml
- ```
-
-1. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor $[prodname] metrics.
-
- :::note
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with $[prodname], your Prometheus operator must be v0.40.0 or higher.
-
- :::
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/tigera-prometheus-operator.yaml
- ```
-
-1. Install your pull secret.
-
- If pulling images directly from `quay.io/tigera`, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
-
- ```bash
- kubectl create secret generic tigera-pull-secret \
- --type=kubernetes.io/dockerconfigjson -n tigera-operator \
- --from-file=.dockerconfigjson=
- ```
-
-1. Optional: Compliance and packet capture features are optional. To enable these features during installation, download and review the custom-resources.yaml file. Uncomment the necessary CRs and use this custom-resources.yaml for installation.
-
- ```bash
- curl -O -L $[filesUrl]/manifests/custom-resources.yaml
- ```
-
-1. Install the Tigera custom resources. For more information on configuration options available in this manifest, see [the installation reference](../../../reference/installation/api.mdx).
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/custom-resources.yaml
- ```
-
- Monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
- Wait until the `apiserver` shows a status of `Available`, then proceed to the next section.
-
-### Install the $[prodname] license
-
-To use $[prodname], you must install the license provided to you by Tigera.
-
-```bash
-kubectl create -f
-```
-
-Monitor progress with the following command:
-
-```bash
-watch kubectl get tigerastatus
-```
-
-When all components show a status of `Available`, proceed to the next section.
-
-### Log in to the $[prodname] web console
-
-1. Create network admin user "Jane".
-
- ```bash
- kubectl create sa jane -n default
- kubectl create clusterrolebinding jane-access --clusterrole tigera-network-admin --serviceaccount default:jane
- ```
-
-1. Create a login token for use with the $[prodname] UI.
-
- ```
- kubectl create token jane --duration=24h
- ```
-
- Copy the `token` from the above command to your clipboard for use in the next step.
-
- :::note
-
- The token created above will expire after 24 hours.
-
- :::
-
-1. Set up a channel from your local computer to the $[prodname] UI.
-
- ```bash
- kubectl port-forward -n calico-system svc/calico-manager 9443
- ```
-
- Visit https://localhost:9443/ to log in to the $[prodname] UI. Use the `token` from the previous step to authenticate.
-
-Congratulations! You now have a single-host Kubernetes cluster with $[prodname].
-
-## Next steps
-
-- By default, your cluster networking uses IP in IP encapsulation with BGP routing. To review other networking options,
- see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/hostedcontrolplanes.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/hostedcontrolplanes.mdx
deleted file mode 100644
index 247f8bf717..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/hostedcontrolplanes.mdx
+++ /dev/null
@@ -1,215 +0,0 @@
----
-description: Install Calico Enterprise on an OpenShift Hosted Control Planes (HCP) cluster, where the control plane is managed and the data plane runs on user-owned nodes.
----
-
-# Install Calico Enterprise on an OpenShift HCP cluster
-
-import DownloadOpenShiftManifests from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/DownloadOpenShiftManifests.js';
-import InstallOpenShiftHCPResources from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShiftHCPResources.js';
-
-## Big picture
-
-Install $[prodname] on an OpenShift Hosted Control Planes (HCP) cluster.
-
-## Value
-
-Provides steps to install $[prodname] in [OpenShift Hosted Control Planes (HCP)](https://docs.openshift.com/container-platform/latest/hosted_control_planes/index.html) clusters using the [HyperShift](https://github.com/openshift/hypershift) middleware, augmenting the steps in the [HyperShift documentation](https://hypershift-docs.netlify.app) where appropriate.
-
-## Before you begin
-
-- Ensure that your environment meets the $[prodname] [system requirements](requirements.mdx).
-
-- Ensure that you have a [RedHat account](https://cloud.redhat.com/). A RedHat account is required to get the pull secret necessary to provision an OpenShift cluster. Note that the OpenShift installer supports a subset of AWS regions.
-
-- If installing on AWS, ensure that you have:
-
- - Configured an AWS account appropriate for OpenShift 4
- - [Set up your AWS credentials](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html)
- - Generated a local SSH private key and added it to your ssh-agent
-
-- Install the HyperShift CLI and fulfill all the other [Prerequisites from the HyperShift documentation](https://hypershift-docs.netlify.app/getting-started/#prerequisites).
-
-## How to
-
-### Create the hosting cluster
-
-Deploy an [OpenShift cluster](./installation.mdx) with $[prodname]. This will be the hosting cluster with control-plane nodes for all hosted clusters you deploy with the steps below. Set up your `KUBECONFIG` environment variable to your hosting cluster's kubeconfig file:
-
-```
-export KUBECONFIG=/path/to/kubeconfig
-```
-
-### Install the HyperShift operator in the hosting cluster
-
-Follow the steps from the HyperShift documentation to [Install the HyperShift Operator](https://hypershift-docs.netlify.app/getting-started/#install-hypershift-operator).
-
-### Create a hosted cluster
-
-Create a hosted cluster with $[prodname] by going through the following steps (slightly modified from the [HyperShift docs](https://hypershift-docs.netlify.app/how-to/aws/other-sdn-providers/#calico)).
-
-1. Create a HostedCluster and set its HostedCluster.spec.networking.networkType to Other:
-
-
-:::note
-Make sure to adjust the variables for the command below to the correct values for your cluster, credentials and environment.
-:::
-
-```
-HOSTED_CLUSTER_NAME=my-os-hosted-cluster
-REGION=us-west-2
-BASE_DOMAIN=www.example.com
-AWS_CREDS="$HOME/.aws/credentials"
-PULL_SECRET="$HOME/.secrets/redhat-pull-secret.txt"
-
-hypershift create cluster aws \
- --name $HOSTED_CLUSTER_NAME \
- --node-pool-replicas=3 \
- --base-domain $BASE_DOMAIN \
- --pull-secret $PULL_SECRET \
- --aws-creds $AWS_CREDS \
- --region $REGION \
- --generate-ssh \
- --network-type Other
-```
-
-:::note
-If your hosted cluster is having authorization problems with your Red Hat pull secret (`unauthorized: authentication required` in the HyperShift operator pod logs), make sure it is using a stable release image for the OpenShift Container Platform (OCP).
-You can find them in [https://amd64.ocp.releases.ci.openshift.org], for example `--release-image quay.io/openshift-release-dev/ocp-release:4.16.4-x86_64`
-:::
-
-:::note
-If you face an [issue](https://github.com/openshift/hypershift/issues/3927) with the HyperShift middleware that results in the hosted cluster installation not progressing due to a missing `OVNSbDb` service, patch the hosted cluster resource in order to add it:
-```
-HOSTED_CLUSTER_NAME=my-os-hosted-cluster
-CLUSTER_NS="clusters"
-oc patch -n ${CLUSTER_NS} hostedcluster ${HOSTED_CLUSTER_NAME} --type='json' -p '[{"op": "add", "path": "/spec/services/-", "value": {"service":"OVNSbDb","servicePublishingStrategy": {"type": "Route"}}}]'
-```
-:::
-
-Once the hosted cluster is up, use the `hypershift` CLI tool to generate the `kubeconfig` file. We strongly recommend you create a separate directory for the hosted cluster, it is very important to not mix up configuration and manifests from the hosting and hosted clusters:
-
-```
-mkdir my_hosted_cluster && cd my_hosted_cluster
-hypershift create kubeconfig > hosted_kubeconfig && export KUBECONFIG=$(pwd)/hosted_kubeconfig
-```
-
-Then, copy the `aws-creds` secret from the hosting cluster to the hosted cluster. Run this using the hosting cluster kubeconfig to extract the secret to a `yaml` file:
-
-```
-oc get secrets --kubeconfig /path/to/hosting/kubeconfig -n kube-system aws-creds -o yaml > aws-creds.yaml
-```
-
-Then import it in the hosted cluster:
-
-```
-oc apply --kubeconfig /path/to/hosted/kubeconfig -f aws-creds.yaml
-```
-
-:::note
-There is no need to specify the `--kubeconfig` CLI argument if the hosted cluster's kubeconfig file is configured as the `KUBECONFIG` environment variable in your shell.
-:::
-
-### Create a storage class
-
-$[prodname] requires storage for logs and reports. Before finishing the installation, you must [create a StorageClass for $[prodname]](../../../operations/logstorage/create-storage).
-
-### Download the $[prodname] install manifests
-
-Now download and apply the $[prodname] manifests according to the [HyperShift docs](https://hypershift-docs.netlify.app/how-to/aws/other-sdn-providers/#calico).
-
-
-
-### Add an image pull secret
-
-Update the contents of the secret with the image pull secret provided to you by a Tigera support representative.
-
-For example, if the secret is located at ~/.docker/config.json, run the following commands.
-
-```
-SECRET=$(cat ~/.docker/config.json | tr -d '\n\r\t ' | base64 -w 0)
-sed -i "s/SECRET/${SECRET}/" calico/02-pull-secret.yaml
-```
-
-### Optionally provide additional configuration
-
-You may want to provide Calico with additional configuration at install-time. For example, BGP configuration or peers.
-You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation.
-If you do not need to provide additional configuration, you can skip this section.
-
-To include [Calico resources](../../../reference/resources/index.mdx) during installation, edit `calico_hosted/02-configmap-calico-resources.yaml` to add your own configuration.
-
-:::note
-If you have a directory with the Calico resources, you can create the file with the command:
-
-```
-oc create configmap -n tigera-operator calico-resources \
---from-file= --dry-run -o yaml \
-calico/02-configmap-calico-resources.yaml
-```
-
-With recent versions of oc it is necessary to have a kubeconfig configured or add `--server='127.0.0.1:443'`
-even though it is not used.
-:::
-
-:::note
-If you have provided a `calico-resources` configmap and the tigera-operator pod fails to come up with `Init:CrashLoopBackOff`,
-check the output of the init-container with `oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources`.
-:::
-
-### Apply the $[prodname] install manifests
-
-Apply the install manifests paying attention to the required order. First apply all necessary manifests to install the Tigera Operator:
-
-```
-cd calico/
-ls 00* | xargs -n1 oc apply -f
-ls 01* | xargs -n1 oc apply -f
-ls 02* | xargs -n1 oc apply -f
-```
-
-Then wait until the Tigera Operator creates the necessary CustomResourceDefinitions (CRDs) before applying the CustomResources to install $[prodname] on your cluster:
-
-```
-timeout --foreground 600 bash -c "while ! kubectl get crd installations.operator.tigera.io; do sleep 5; done" # wait until CRDs are created by the operator
-ls 03* | xargs -n1 oc apply -f
-```
-
-:::note
-You can safely ignore any `ls: cannot access '0X*': No such file or directory` errors if there's no yaml files with that prefix to be applied.
-:::
-
-### Install the $[prodname] license
-
-In order to use $[prodname], you must install the license provided to you by Tigera support representative. Before applying the license, wait until the Tigera API server is ready with the following command:
-
-```
-watch oc get tigerastatus
-```
-
-Wait until the `apiserver` shows a status of `Available`.
-
-After the Tigera API server is ready, apply the license:
-
-```
-oc create -f
-```
-
-### Install $[prodname] resources
-
-
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/index.mdx
deleted file mode 100644
index bd88a3a077..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/index.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
----
-description: Install Calico Enterprise on OpenShift 4 — covers requirements, the operator-based install path, and ROSA and Hosted Control Planes variants.
-
-hide_table_of_contents: true
----
-
-# OpenShift
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/installation.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/installation.mdx
deleted file mode 100644
index e44b4d6714..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/installation.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-description: Install Calico Enterprise on a self-managed OpenShift 4 cluster using the Tigera Operator.
----
-
-import InstallOpenShift from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShift';
-import InstallOpenshiftBeforeYouBegin from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenshiftBeforeYouBegin';
-
-# Install Calico Enterprise on OpenShift
-
-## Big picture
-
-Install an OpenShift 4 cluster with $[prodname].
-
-This guide augments the applicable steps in the [OpenShift documentation](https://docs.redhat.com/en/documentation/openshift_container_platform/) to install $[prodname].
-
-## Before you begin
-
-
-
-## How to
-
-1. [Create a configuration file for the OpenShift installer](#create-a-configuration-file-for-the-openshift-installer)
-1. [Update the configuration file to use $[prodname]](#update-the-configuration-file-to-use-calico-enterprise)
-1. [Generate the install manifests](#generate-the-install-manifests)
-1. [Add an image pull secret](#add-an-image-pull-secret)
-1. [Provide additional configuration](#provide-additional-configuration)
-1. [Create the cluster](#create-the-cluster)
-1. [Create a storage class](#create-a-storage-class)
-1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/requirements.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/requirements.mdx
deleted file mode 100644
index 461ed09db2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/requirements.mdx
+++ /dev/null
@@ -1,16 +0,0 @@
----
-description: Cluster, OpenShift, and host OS requirements you must meet before installing Calico Enterprise on an OpenShift 4 cluster.
----
-
-import ReqsSys from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsSys';
-import ReqsKernel from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsKernel';
-
-# System requirements
-
-## OpenShift requirements
-
-See [OpenShift Container Platform](https://docs.openshift.com/container-platform/4.15/welcome/index.html).
-
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/rosa.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/rosa.mdx
deleted file mode 100644
index 7b1e7637bd..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/openshift/rosa.mdx
+++ /dev/null
@@ -1,174 +0,0 @@
----
-description: Install Calico Enterprise on a Red Hat OpenShift Service on AWS (ROSA) cluster.
----
-
-# Install Calico Enterprise on a Red Hat OpenShift on AWS (ROSA) cluster
-
-import DownloadOpenShiftManifests from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/DownloadOpenShiftManifests.js';
-import InstallOpenShiftHCPResources from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShiftHCPResources.js';
-
-## Big picture
-
-Install $[prodname] on a Red Hat OpenShift on AWS (ROSA) cluster. Classic ROSA does not support installations with custom CNI plugin. ROSA with HCP clusters allows installing $[prodname].
-
-## Value
-
-Provides steps to install $[prodname] in [Red Hat OpenShift on AWS (ROSA)](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/introduction_to_rosa/index) with HCP clusters.
-
-## Before you begin
-
-- Ensure that your environment meets the $[prodname] [system requirements](requirements.mdx).
-
-- Ensure that you have a [RedHat account](https://cloud.redhat.com/). A RedHat account is required to get the pull secret necessary to provision a ROSA cluster.
-
-- Ensure that you have:
-
- - Configured an AWS account appropriate for OpenShift 4
- - [Set up your AWS credentials](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html)
- - Enabled ROSA with HCP and HCP classic on AWS.
- - Ensured you have met the resource quota requirements for ROSA on AWS.
- - Linked AWS and Red Hat accounts.
- - Generated a local SSH private key and added it to your ssh-agent
-
-- Install the ROSA CLI and fulfill all the other [prerequisites from the ROSA documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html-single/prepare_your_environment/index)
-
-- Create a [Virtual Private Cloud (VPC) for your ROSA cluster](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_clusters/rosa-hcp-sts-creating-a-cluster-quickly#rosa-hcp-creating-vpc) following the documentation.
-
-## How to
-
-### Create roles, policies
-
-- Create the account wide STS roles and policies needed to create a ROSA with HCP cluster by following the [Red Hat documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_clusters/rosa-hcp-cluster-no-cni#rosa-hcp-sts-creating-a-cluster-cli_rosa-hcp-cluster-no-cni-no-cni).
-
-- Create the [OpenID Connect (OIDC) configuration](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_clusters/rosa-hcp-cluster-no-cni#rosa-sts-byo-oidc_rosa-hcp-cluster-no-cni) prior to creating the ROSA with HCP cluster.
-
-- Create [Operator IAM roles and policies](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_clusters/rosa-hcp-cluster-no-cni#rosa-operator-config_rosa-hcp-cluster-no-cni) needed for ROSA with HCP clusters.
-
-### Create ROSA cluster with HCP and no CNI plugin
-
-Follow the steps from the Red Hat OpenShift on AWS documentation to [create a ROSA cluster with HCP and no CNI plugin](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/install_clusters/rosa-hcp-cluster-no-cni#rosa-hcp-sts-creating-a-cluster-cli_rosa-hcp-cluster-no-cni-no-cni).
-
-### Create a storage class
-
-$[prodname] requires storage for logs and reports. Before finishing the installation, you must [create a StorageClass for $[prodname]](../../../operations/logstorage/create-storage).
-
-### Download the $[prodname] install manifests
-
-:::note
-
-For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic.
-
-```
- Custom TCP traffic
- Port: 179
- Description: BGP (Calico)
-
- Custom TCP traffic
- Port: 5473
- Description: Typha (Calico)
-
- Custom protocol
- Protocol: 4
- Description: IP-in-IP (Calico)
-```
-
-:::
-
-Now download and apply the $[prodname] manifests.
-
-
-
-### Add an image pull secret
-
-Update the contents of the secret with the image pull secret provided to you by a Tigera support representative.
-
-For example, if the secret is located at ~/.docker/config.json, run the following commands.
-
-```
-SECRET=$(cat ~/.docker/config.json | tr -d '\n\r\t ' | base64 -w 0)
-sed -i "s/SECRET/${SECRET}/" calico/02-pull-secret.yaml
-```
-
-### Optionally provide additional configuration
-
-You may want to provide $[prodname] with additional configuration at install-time. For example, BGP configuration or peers.
-You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation.
-If you do not need to provide additional configuration, you can skip this section.
-
-To include [Calico resources](../../../reference/resources/index.mdx) during installation, edit `calico/02-configmap-calico-resources.yaml` to add your own configuration.
-
-:::note
-If you have a directory with the Calico resources, you can create the file with the command:
-
-```
-oc create configmap -n tigera-operator calico-resources \
---from-file= --dry-run -o yaml \
-calico/02-configmap-calico-resources.yaml
-```
-
-With recent versions of oc it is necessary to have a kubeconfig configured or add `--server='127.0.0.1:443'`
-even though it is not used.
-:::
-
-:::note
-If you have provided a `calico-resources` configmap and the tigera-operator pod fails to come up with `Init:CrashLoopBackOff`,
-check the output of the init-container with `oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources`.
-:::
-
-### Apply the $[prodname] install manifests
-
-Apply the install manifests paying attention to the required order. First apply all necessary manifests to install the Tigera Operator:
-
-```
-cd calico/
-ls 00* | xargs -n1 oc apply -f
-ls 01* | xargs -n1 oc apply -f
-ls 02* | xargs -n1 oc apply -f
-```
-
-Then wait until the Tigera Operator creates the necessary CustomResourceDefinitions (CRDs) before applying the CustomResources to install $[prodname] on your cluster:
-
-```
-timeout --foreground 600 bash -c "while ! kubectl get crd installations.operator.tigera.io; do sleep 5; done" # wait until CRDs are created by the operator
-ls 03* | xargs -n1 oc apply -f
-```
-
-:::note
-You can safely ignore any `ls: cannot access '0X*': No such file or directory` errors if there's no yaml files with that prefix to be applied.
-:::
-
-### Install the $[prodname] license
-
-In order to use $[prodname], you must install the license provided to you by Tigera support representative. Before applying the license, wait until the Tigera API server is ready with the following command:
-
-```
-watch oc get tigerastatus
-```
-
-Wait until the `apiserver` shows a status of `Available`.
-
-After the Tigera API server is ready, apply the license:
-
-```
-oc create -f
-```
-
-### Install $[prodname] resources
-
-
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/index.mdx
deleted file mode 100644
index a8f47bf179..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Install Calico Enterprise from a private container registry — for air-gapped clusters or environments that pull all images internally.
-hide_table_of_contents: true
----
-
-# Install from a private registry
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/private-registry-image-path.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/private-registry-image-path.mdx
deleted file mode 100644
index 390e152748..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/private-registry-image-path.mdx
+++ /dev/null
@@ -1,43 +0,0 @@
----
-description: Install Calico Enterprise from a private registry that uses a non-default image path or repository structure.
----
-
-import PrivateRegistryImagePath from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/PrivateRegistryImagePath';
-
-# Install from an image path in a private registry
-
-## Big picture
-
-Move Calico Enterprise container images to an image path in a private registry and configure $[prodname] to pull images from it.
-
-## Value
-
-Install Calico Enterprise in clusters where pulling from third party private repos is not an option, and all images are desired to be part of a single directory in the private registry.
-
-## Concepts
-
-A **container image registry** (often referred to as a **registry**) is a service where container images are pushed to, stored, and pulled from. A registry is said to be "private" if it requires users authenticate before accessing images.
-
-An **image path** is a directory in the private registry that contains images required to install $[prodname].
-
-An **image pull secret** is used in Kubernetes to deploy container images from a private container image registry.
-
-## Before you begin...
-
-- Configure pull access to your private registry
-- [Configure pull access to Tigera's private container registry](../calico-enterprise.mdx#get-private-registry-credentials-and-license-key).
-- Use the [Crane command](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md) to manage the $[prodnameWindows] images, as using `docker pull` commands for these images may not work depending on the operating system and version in which the commands are run.
-
-## How to
-
-- [Push $[prodname] images to your private registry](#push-calico-enterprise-images-to-your-private-registry-image-path)
-- [Run the operator using images from your private registry](#run-the-operator-using-images-from-your-private-registry-image-path)
-- [Configure the operator to use images from your private registry](#configure-the-operator-to-use-images-from-your-private-registry-image-path)
-
-
-
-:::note
-
-See [the Installation resource reference page](../../../reference/installation/api.mdx) for more information on the `imagePullSecrets`, `registry` and `imagePath` fields.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/private-registry-regular.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/private-registry-regular.mdx
deleted file mode 100644
index b2d4796ed2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/private-registry/private-registry-regular.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-description: Install Calico Enterprise from a private container registry using the standard image paths.
----
-
-import PrivateRegistryRegular from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/PrivateRegistryRegular';
-
-# Install from a private registry
-
-## Big picture
-
-Move Calico Enterprise container images to a private registry and configure $[prodname] to pull images from it.
-
-## Value
-
-Install Calico Enterprise in clusters where pulling from third party private repos is not an option, such as air-gapped clusters, or clusters with bandwidth constraints or security constraints.
-
-## Concepts
-
-A **container image registry** (often referred to as a **registry**) is a service where container images are pushed to, stored, and pulled from. A registry is said to be "private" if it requires users authenticate before accessing images.
-
-An **image pull secret** is used in Kubernetes to deploy container images from a private container image registry.
-
-## Before you begin...
-
-- Configure pull access to your private registry
-- [Configure pull access to Tigera's private container registry](../calico-enterprise.mdx#get-private-registry-credentials-and-license-key).
-- Use the [Crane command](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md) to manage the $[prodnameWindows] images, as using `docker pull` commands for these images may not work depending on the operating system and version in which the commands are run.
-
-## How to
-
-- [Push $[prodname] images to your private registry](#push-calico-enterprise-images-to-your-private-registry)
-- [Run the operator using images from your private registry](#run-the-operator-using-images-from-your-private-registry)
-- [Configure the operator to use images from your private registry](#configure-the-operator-to-use-images-from-your-private-registry)
-
-
-
-:::note
-
-See [Install from an image path in a private registry](private-registry-image-path.mdx#big-picture) page for more information on installing using a private registry image path.
-
-:::
-
-:::note
-
-See [the Installation resource reference page](../../../reference/installation/api.mdx) for more information on the `imagePullSecrets` and `registry` fields.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/rancher-ui.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/rancher-ui.mdx
deleted file mode 100644
index b5da05964f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/rancher-ui.mdx
+++ /dev/null
@@ -1,120 +0,0 @@
----
-description: Install Calico Enterprise on an RKE2 cluster from the Rancher UI rather than the command line.
----
-
-# Rancher UI
-
-## Big picture
-
-Install $[prodname] on RKE2 using the Rancher UI (Rancher Manager).
-
-## Before you begin
-
-:::note
-
-To install $[prodname] using Rancher UI, you must provision a base RKE2 cluster with Calico Open Source, then upgrade to $[prodname]. This is required because Rancher UI does not provide an option to set the RKE2 CNI value as `none`, which is required to install a non-default CNI like $[prodname].
-
-:::
-
-**CNI support**
-
-Calico CNI for networking with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-- A compatible cluster that can host the Rancher Manager with v2.6.5 or later
-
- For help, see [Rancher](https://ranchermanager.docs.rancher.com/).
-
-- A [Tigera license key and credentials](calico-enterprise.mdx).
-
-- Rancher's `kubectl` shell with access to provisioned cluster.
-
-## How to
-
-- [Prepare a Calico Open Source cluster](#prepare-a-calico-open-source-cluster)
-- [Upgrade to $[prodname]](#install-calico-enterprise)
-
-### Prepare a Calico Open Source cluster
-
-1. [Provision an RKE2 cluster using Calico as the CNI and default config options](https://ranchermanager.docs.rancher.com/pages-for-subheaders/launch-kubernetes-with-rancher).
-2. Validate that the RKE2 cluster is set up and running.
-3. In Rancher UI, open a `kubectl` shell for the cluster, and perform the next steps.
-4. Annotate the Calico Helm chart with `helmcharts.helm.cattle.io/unmanaged=true`. (This avoids Rancher resetting the CNI to Calico when the RKE2 cluster is shut down or upgraded.)
-
- ```bash
- kubectl annotate helmchart -n kube-system rke2-calico helmcharts.helm.cattle.io/unmanaged=true && \
- kubectl annotate helmchart -n kube-system rke2-calico-crd helmcharts.helm.cattle.io/unmanaged=true
- ```
-
-5. SSH to all the control plane nodes and rename `rke2-calico.yaml` in the `/var/lib/rancher/rke2/server/manifests/` directory to `rke2-calico.yaml.skip`.
-
- ```bash
- sudo mv /var/lib/rancher/rke2/server/manifests/rke2-calico.yaml /var/lib/rancher/rke2/server/manifests/rke2-calico.yaml.skip
- ```
-
-6. Patch the Calico `Installation` resource to remove the image path prefix.
-
- ```bash
- kubectl patch installation default --type='json' -p='[{"op": "remove", "path": "/spec/imagePath"},{"op": "remove", "path": "/spec/imagePrefix"}]'
- ```
-
-7. Create ClusterRole and ClusterRoleBinding to allow Tigera Operator to update Pod Security Admission.
-
- ```bash
- kubectl create -f - <
-
-**Required**
-
-- A [compatible RKE cluster](../compatibility.mdx#rke)
-
- For help, see [Rancher Kubernetes Engine cluster](https://rancher.com/docs/rke/latest/en/). Note that RKE2 is a different Kubernetes distribution and [documented separately](rke2.mdx).
-
-- Configure your cluster for $[prodname] CNI
-
- - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`.
-
- :::note
-
- You cannot use the Rancher UI to set the RKE CNI set to "none".
-
- :::
-
-- Cluster meets [system requirements](requirements.mdx)
-
-- A [Tigera license key and credentials](calico-enterprise.mdx).
-
-- A `kubectl` environment with access to your cluster
- - Use [Rancher kubectl Shell](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters/access-clusters/use-kubectl-and-kubeconfig#accessing-clusters-with-kubectl-shell-in-the-rancher-ui) for access
- - Ensure you have the [kubeconfig file that was generated when you created the cluster](https://rancher.com/docs/rke/latest/en/installation/#save-your-files).
-- If using a kubeconfig file locally, [install and set up the Kubectl CLI tool](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
-
-## How to
-
-- [Install $[prodname]](#install-calico-enterprise)
-- [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-### Install $[prodname]
-
-1. [Configure a storage class for $[prodname].](../../operations/logstorage/create-storage.mdx).
-
-1. Install the Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/tigera-operator.yaml
- ```
-
-1. Install the Prometheus operator and related custom resource definitions. The Prometheus operator is used to deploy Prometheus server and Alertmanager to monitor $[prodname] metrics.
-
- :::note
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with $[prodname], your Prometheus operator must be v0.40.0 or higher.
-
- :::
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/tigera-prometheus-operator.yaml
- ```
-
-1. Install your pull secret.
-
- If pulling images directly from `quay.io/tigera`, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
-
- ```bash
- kubectl create secret generic tigera-pull-secret \
- --type=kubernetes.io/dockerconfigjson -n tigera-operator \
- --from-file=.dockerconfigjson=
- ```
-
-1. Install any extra [$[prodname] resources](../../reference/resources/index.mdx) needed at cluster start using [calicoctl](../../reference/clis/calicoctl/overview.mdx).
-
-1. Install the Tigera custom resources. For more information on configuration options available in this manifest, see [the installation reference](../../reference/installation/api.mdx).
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/custom-resources.yaml
- ```
-
- Monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
- Wait until the `apiserver` shows a status of `Available`, then proceed to the next section.
-
-### Install the $[prodname] license
-
-```bash
-kubectl create -f
-```
-
-Monitor progress with the following command:
-
-```bash
-watch kubectl get tigerastatus
-```
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/requirements.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/requirements.mdx
deleted file mode 100644
index 6da8ac6160..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/requirements.mdx
+++ /dev/null
@@ -1,40 +0,0 @@
----
-description: Cluster, host, and platform requirements you must meet before installing Calico Enterprise networking and network policy.
----
-
-import ReqsSys from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsSys';
-import ReqsKernel from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/ReqsKernel';
-
-# System requirements
-
-
-
-## CNI plug-in enabled
-
-$[prodname] must be installed as a CNI plugin in the container runtime.
-
-This installation must use the Kubernetes default CNI configuration directory (`/etc/cni/net.d`) and binary directory (`/opt/cni/bin`).
-
-## Other network providers
-
-Generally, you cannot use $[prodname] together with another network provider.
-
-Notable exceptions include certain platform-specific CNIs, such as the [AWS VPC CNI](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md) and [Azure VNet CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) plugins.
-
-If you're working with a cluster that already uses another CNI, you cannot migrate to $[prodname].
-
-## Supported kube-proxy modes
-
-$[prodname] supports the following kube-proxy modes:
-
-- `iptables` (default)
-
-### IP pool configuration
-
-The IP range selected for pod IP addresses cannot overlap with any other
-IP ranges in your network, including:
-
-- The Kubernetes service cluster IP range
-- The range from which host IPs are allocated
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/rke2.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/rke2.mdx
deleted file mode 100644
index 86e4afd16a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/rke2.mdx
+++ /dev/null
@@ -1,126 +0,0 @@
----
-description: Install Calico Enterprise on an RKE2 cluster using the standard command-line installer.
----
-
-# RKE2
-
-## Big picture
-
-Install $[prodname] on RKE2 (RKE Government) clusters.
-
-## Before you begin
-
-**CNI support**
-
-Calico CNI for networking with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-- A [compatible RKE2 cluster](../compatibility.mdx#rke2) with 2.6.5 or later
-
- For help, see [Rancher Kubernetes Engine cluster](https://rancher.com/docs/rke/latest/en/).
-
-- [Configure cluster with no CNI plugin](https://docs.rke2.io/install/configuration) using any of these methods:
-
- - RKE2 CLI: `--cni none`
- - Install script: `RKE2_CNI=none`
- - [Configuration file](https://docs.rke2.io/install/configuration#configuration-file): `cni: none`
-
-- Cluster meets [system requirements](requirements.mdx)
-
-- A [Tigera license key and credentials](calico-enterprise.mdx).
-
-- A `kubectl` environment with access to your cluster
-
- Ensure you have the [kubeconfig file that was generated when you created the cluster](https://docs.rke2.io/cluster_access).
-
-- If using a kubeconfig file locally, [install and set up the Kubectl CLI tool](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
-
-## How to
-
-- [Install $[prodname]](#install-calico-enterprise)
-- [Install the $[prodname] license](#install-the-calico-enterprise-license)
-
-### Install $[prodname]
-
-1. [Configure a storage class for $[prodname].](../../operations/logstorage/create-storage.mdx).
-
-1. Install the Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/tigera-operator.yaml
- ```
-
-1. Install the Prometheus operator and related custom resource definitions. The Prometheus operator is used to deploy Prometheus server and Alertmanager to monitor $[prodname] metrics.
-
- :::note
-
- If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with $[prodname], your Prometheus operator must be v0.40.0 or higher.
-
- :::
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/tigera-prometheus-operator.yaml
- ```
-
-1. Install your pull secret.
-
- If pulling images directly from `quay.io/tigera`, you can use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
-
- ```bash
- kubectl create secret generic tigera-pull-secret \
- --type=kubernetes.io/dockerconfigjson -n tigera-operator \
- --from-file=.dockerconfigjson=
- ```
-
-1. Install any extra [Calico resources](../../reference/resources/index.mdx) needed at cluster start using [calicoctl](../../reference/clis/calicoctl/overview.mdx).
-
-1. Install the Tigera custom resources. For more information on configuration options available, see [the installation reference](../../reference/installation/api.mdx).
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/rancher/custom-resources-rke2.yaml
- ```
-
- Monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
- Wait until the `apiserver` shows a status of `Available`, then proceed to the next section.
-
-### Install the $[prodname] license
-
-```bash
-kubectl create -f
-```
-
-Monitor progress with the following command:
-
-```bash
-watch kubectl get tigerastatus
-```
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses VXLAN encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/tkg.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/tkg.mdx
deleted file mode 100644
index b9514b2e27..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/tkg.mdx
+++ /dev/null
@@ -1,59 +0,0 @@
----
-description: Install Calico Enterprise on a VMware Tanzu Kubernetes Grid (TKG) cluster.
----
-
-import InstallGeneric from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric';
-
-# Tanzu Kubernetes Grid (TKG)
-
-## Big picture
-
-Install $[prodname] on a Tanzu Kubernetes Grid cluster.
-
-## Before you begin
-
-**CNI support**
-
-Calico CNI for networking with $[prodname] network policy:
-
-The geeky details of what you get:
-
-
-
-**Required**
-
-- A [compatible TKG cluster](../compatibility.mdx#tkg)
-- Configure your cluster for $[prodname] CNI
- The workload cluster must be configured with `CNI: none`. When the workload cluster is bootstrapped, the nodes will be in a `NotReady` state until $[prodname] is installed. For more information, see [Tanzu networking](https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/1.4/vmware-tanzu-kubernetes-grid-14/GUID-tanzu-k8s-clusters-networking.html) and [Tanzu configuration file reference](https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/1.4/vmware-tanzu-kubernetes-grid-14/GUID-tanzu-config-reference.html).
-
-- Cluster meets the [system requirements](requirements.mdx)
-- A [Tigera license key and credentials](calico-enterprise.mdx)
-- If using AWS, EC2 instances must be configured to belong to a separate SecurityGroup with ingress rules:
- - Calico (BGP) TCP 179
- - Calico (Typha) TCP 5473
- - Web console Prometheus metrics TCP 9081
- - Web console BGP metrics TCP 9900
-
-## How to
-
-- [Install $[prodname]](#install-calico-enterprise)
-- [Install $[prodname] license](#install-calico-enterprise-license)
-
-
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../operations/cnx/access-the-manager.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/demo.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/demo.mdx
deleted file mode 100644
index c7a8e98265..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/demo.mdx
+++ /dev/null
@@ -1,630 +0,0 @@
----
-description: Interactive demo that applies basic Calico Enterprise network policy to pods running on a Windows node.
----
-
-# Basic policy demo
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-This guide provides a simple demo to illustrate basic pod-to-pod connectivity and the application of network policy in a $[prodnameWindows] cluster. We will create client and server pods on Linux and Windows nodes, verify connectivity between the pods, and then we'll apply a basic network policy to isolate pod traffic.
-
-## Prerequisites
-
-To run this demo, you will need a [$[prodnameWindows] cluster](operator.mdx) with
-Windows Server 1809 (build 17763.1432 August 2020 update or newer). More recent versions of Windows Server can be used with a change to the demo manifests, namely the version tags of the Windows images, e.g.: `servercore:ltsc2022` instead of `servercore:1809`.
-
-:::note
-
-Windows Server 1809 (build older than 17763.1432) do not support [direct server return](https://techcommunity.microsoft.com/t5/networking-blog/direct-server-return-dsr-in-a-nutshell/ba-p/693710). This means that policy support is limited to only pod IP addresses.
-
-:::
-
-
-
-
-## Create pods on Linux nodes
-
-First, create a client (busybox) and server (nginx) pod on the Linux nodes:
-
-```bash
-kubectl apply -f - < 80
-```
-
-To combine both of the above steps:
-
-```bash
-kubectl exec -n calico-demo busybox -- nc -vz $(kubectl get po porter -n calico-demo -o 'jsonpath={.status.podIP}') 80
-```
-
-If the connection from the busybox pod to the porter pod succeeds, we will get output similar to the following:
-
-```
-192.168.40.166 (192.168.40.166:80) open
-```
-
-Now let's verify that the powershell pod can reach the nginx pod:
-
-```bash
-kubectl exec -n calico-demo pwsh -- powershell Invoke-WebRequest -Uri http://$(kubectl get po nginx -n calico-demo -o 'jsonpath={.status.podIP}') -UseBasicParsing -TimeoutSec 5
-```
-
-If the connection succeeds, we will get output similar to:
-
-```
-StatusCode : 200
-StatusDescription : OK
-Content :
-
-
- Welcome to nginx!
-
- <...
-...
-```
-
-Finally, let's verify that the powershell pod can reach the porter pod:
-
-```bash
-kubectl exec -n calico-demo pwsh -- powershell Invoke-WebRequest -Uri http://$(kubectl get po porter -n calico-demo -o 'jsonpath={.status.podIP}') -UseBasicParsing -TimeoutSec 5
-```
-
-If that succeeds, we will see something like:
-
-```
-StatusCode : 200
-StatusDescription : OK
-Content : This is a $[prodnameWindows] demo.
-RawContent : HTTP/1.1 200 OK
- Content-Length: 49
- Content-Type: text/plain; charset=utf-8
- Date: Fri, 21 Aug 2020 22:45:46 GMT
-
- This is a $[prodnameWindows] demo.
-Forms :
-Headers : {[Content-Length, 49], [Content-Type, text/plain;
- charset=utf-8], [Date, Fri, 21 Aug 2020 22:45:46 GMT]}
-Images : {}
-InputFields : {}
-Links : {}
-ParsedHtml :
-RawContentLength : 49
-```
-
-## Apply policy to the Windows client pod
-
-Now let's apply a basic network policy that allows only the busybox pod to reach the porter pod.
-
-```bash
-kubectl apply -f - <
-
-
-## Installing kubectl on Windows
-
-To run the commands in this demo you need the Windows version of kubectl installed and add it to the system path.
-[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/) and move the kubectl binary to **c:\k**.
-
-Add `c:\k` to the system path
-
-1. Open a PowerShell window as Administrator
-
- ```powershell
- $env:Path += ";C:\k"
- ```
-
-1. Close all PowerShell windows.
-
-## Create pods on Linux nodes
-
-First, create a client (busybox) and server (nginx) pod on the Linux nodes.
-
-### Create a YAML file policy-demo-linux.yaml using your favorite editor on Windows
-
-```yaml
-apiVersion: v1
-kind: Namespace
-metadata:
- name: calico-demo
-
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- app: busybox
- name: busybox
- namespace: calico-demo
-spec:
- containers:
- - args:
- - /bin/sh
- - -c
- - sleep 360000
- image: busybox:1.28
- imagePullPolicy: Always
- name: busybox
- nodeSelector:
- kubernetes.io/os: linux
-
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- app: nginx
- name: nginx
- namespace: calico-demo
-spec:
- containers:
- - name: nginx
- image: nginx:1.8
- ports:
- - containerPort: 80
- nodeSelector:
- kubernetes.io/os: linux
-```
-
-### Apply the policy-demo-linux.yaml file to the Kubernetes cluster
-
-1. Open a PowerShell window.
-1. Use `kubectl` to apply the `policy-demo-linux.yaml` configuration.
-
-```powershell
-kubectl apply -f policy-demo-linux.yaml
-```
-
-## Create pods on Window nodes
-
-Next, we’ll create a client (pwsh) and server (porter) pod on the Windows nodes.
-:::note
-
-The pwsh and porter pod manifests below use images based on mcr.microsoft.com/windows/servercore:1809. If you are using a more recent Windows Server version, update the manifests to use a servercore image that matches your Windows Server version.
-
-:::
-
-### Create the policy-demo-windows.yaml using your favorite editor on Windows
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
- name: pwsh
- namespace: calico-demo
- labels:
- app: pwsh
-spec:
- containers:
- - name: pwsh
- image: mcr.microsoft.com/windows/servercore:1809
- args:
- - powershell.exe
- - -Command
- - 'Start-Sleep 360000'
- imagePullPolicy: IfNotPresent
- nodeSelector:
- kubernetes.io/os: windows
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: porter
- namespace: calico-demo
- labels:
- app: porter
-spec:
- containers:
- - name: porter
- image: calico/porter:1809
- ports:
- - containerPort: 80
- env:
- - name: SERVE_PORT_80
- value: This is a $[prodnameWindows] demo.
- imagePullPolicy: IfNotPresent
- nodeSelector:
- kubernetes.io/os: windows
-```
-
-### Apply the policy-demo-windows.yaml file to the Kubernetes cluster
-
-1. Open a PowerShell window.
-1. Use `kubectl` to apply the `policy-demo-windows.yaml` configuration
-
-```powershell
-kubectl apply -f policy-demo-windows.yaml
-```
-
-### Verify four pods have been created and are running
-
-:::note
-
-Launching the Windows pods is going to take some time depending on your network download speed.
-
-:::
-
-1. Open a powershell window.
-1. Using `kubectl` to list the pods in the `calico-demo` namespace.
-
-```powershell
-kubectl get pods --namespace calico-demo
-```
-
-You should see something like the below
-
-```output
-NAME READY STATUS RESTARTS AGE
-busybox 1/1 Running 0 4m14s
-nginx 1/1 Running 0 4m14s
-porter 0/1 ContainerCreating 0 74s
-pwsh 0/1 ContainerCreating 0 2m9s
-```
-
-Repeat the command every few minutes until the output shows all 4 pods in the Running state.
-
-```output
-NAME READY STATUS RESTARTS AGE
-busybox 1/1 Running 0 7m24s
-nginx 1/1 Running 0 7m24s
-porter 1/1 Running 0 4m24s
-pwsh 1/1 Running 0 5m19s
-```
-
-### Check connectivity between pods on Linux and Windows nodes
-
-Now that client and server pods are running on both Linux and Windows nodes, let’s verify that client pods on Linux nodes can reach server pods on Windows nodes.
-
-1. Open a PowerShell window.
-1. Using `kubectl` to determine the porter pod IP address:
-
- ```powershell
- kubectl get pod porter --namespace calico-demo -o 'jsonpath={.status.podIP}'
- ```
-
-1. Log into the busybox pod and try reaching the porter pod on port 80. Replace the `` tag with the IP address returned from the previous command.
-
- ```powershell
- kubectl exec --namespace calico-demo busybox -- nc -vz 80
- ```
-
- :::note
-
- You can also combine both of the above steps:
-
- :::
-
- ```powershell
- kubectl exec --namespace calico-demo busybox -- nc -vz $(kubectl get pod porter --namespace calico-demo -o 'jsonpath={.status.podIP}') 80
- ```
-
- If the connection from the busybox pod to the porter pod succeeds, you will get output similar to the following:
-
- ```powershell
- 192.168.40.166 (192.168.40.166:80) open
- ```
-
- :::note
-
- The IP addresses returned will vary depending on your environment setup.
-
- :::
-
-1. Now you can verify that the pwsh pod can reach the nginx pod:
-
- ```powershell
- kubectl exec --namespace calico-demo pwsh -- powershell Invoke-WebRequest -Uri http://$(kubectl get po nginx -n calico-demo -o 'jsonpath={.status.podIP}') -UseBasicParsing -TimeoutSec 5
- ```
-
- If the connection succeeds, you will see output similar to:
-
- ```
- StatusCode : 200
- StatusDescription : OK
- Content :
-
-
- Welcome to nginx!
-
- <...
- ```
-
-1. Verify that the pwsh pod can reach the porter pod:
-
- ```powershell
- kubectl exec --namespace calico-demo pwsh -- powershell Invoke-WebRequest -Uri http://$(kubectl get po porter -n calico-demo -o 'jsonpath={.status.podIP}') -UseBasicParsing -TimeoutSec 5
- ```
-
- If that succeeds, you will see something like:
-
- ```
- StatusCode : 200
- StatusDescription : OK
- Content : This is a Calico Enterprise for Windows demo.
- RawContent : HTTP/1.1 200 OK
- Content-Length: 49
- Content-Type: text/plain; charset=utf-8
- Date: Fri, 21 Aug 2020 22:45:46 GMT
-
- This is a Calico Enterprise for Windows demo.
- Forms :
- Headers : {[Content-Length, 49], [Content-Type, text/plain;
- charset=utf-8], [Date, Fri, 21 Aug 2020 22:45:46 GMT]}
- Images : {}
- InputFields : {}
- Links : {}
- ParsedHtml :
- RawContentLength : 49
-
- ```
-
-You have now verified that communication is possible between all pods in the application.
-
-## Apply policy to the Windows client pod
-
-In a real world deployment you would want to make sure only pods that are supposed to communicate with each other, are actually allowed to do so.
-
-To achieve this you will apply a basic network policy which allows only the busybox pod to reach the porter pod.
-
-### Create the network-policy.yaml file using your favorite editor on Windows
-
-```yaml
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-busybox
- namespace: calico-demo
-spec:
- podSelector:
- matchLabels:
- app: porter
- policyTypes:
- - Ingress
- ingress:
- - from:
- - podSelector:
- matchLabels:
- app: busybox
- ports:
- - protocol: TCP
- port: 80
-```
-
-### Apply the network-policy.yaml file
-
-1. Open a PowerShell window.
-1. Use `kubectl` to apply the network-policy.yaml file.
-
-```powershell
-kubectl apply -f network-policy.yaml
-```
-
-### Verify the policy is in effect
-
-With the policy in place, the busybox pod should still be able to reach the porter pod:
-:::note
-
-We will be using the combined command line from earlier in this chapter.
-
-:::
-
-```powershell
-kubectl exec --namespace calico-demo busybox -- nc -vz $(kubectl get po porter -n calico-demo -o 'jsonpath={.status.podIP}') 80
-```
-
-However, the pwsh pod will not able to reach the porter pod:
-
-```powershell
-kubectl exec --namespace calico-demo pwsh -- powershell Invoke-WebRequest -Uri http://$(kubectl get po porter -n calico-demo -o 'jsonpath={.status.podIP}') -UseBasicParsing -TimeoutSec 5
-```
-
-The request times out with a message like the below:
-
-```powershell
-Invoke-WebRequest : The operation has timed out.
-At line:1 char:1
-+ Invoke-WebRequest -Uri http://192.168.40.166 -UseBasicParsing -Timeout ...
-+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:Htt
-pWebRequest) [Invoke-WebRequest], WebException
- + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
-command terminated with exit code 1
-```
-
-## Wrap up
-
-In this demo we’ve configured pods on Linux and Windows nodes, verified basic pod connectivity, and tried a basic network policy to isolate pod to pod traffic.
-As the final step you can clean up all of the demo resources:
-
-1. Open a PowerShell window.
-
-```powershell
-kubectl delete namespace calico-demo
-```
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/dnspolicy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/dnspolicy.mdx
deleted file mode 100644
index 1163462a49..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/dnspolicy.mdx
+++ /dev/null
@@ -1,45 +0,0 @@
----
-description: Configure DNS policy for Calico Enterprise for Windows workloads to control egress to external services by hostname.
----
-
-# Configure DNS policy for workloads
-
-:::note
-
-This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.
-
-:::
-
-## Big picture
-
-Configure $[prodnameWindows] domain based policy (DNS policy) for Windows workloads in Kubernetes clusters.
-
-## Value
-
-Using domain names in policies to identify services outside of the cluster is often operationally simpler and more robust than using IP
-addresses. In particular, they are useful when an external service does not map to a well known set of static IP addresses.
-
-## Before you begin
-
-**Limitations**
-
-$[prodname] supports DNS policy on Windows with these limitations:
-
-- It could take up to 5 seconds for the first TCP SYN packet to go through, for a connection to a DNS domain name. This is because DNS policies are dynamically programmed. The first TCP packet could be dropped since there is no policy to allow it until $[prodnameWindows] detects domain IPs from DNS response and programs DNS policy rules. The Windows TCPIP stack will send SYN again after TCP Retransmission timeout (RTO) if previous SYN has been dropped.
-- Some runtime libraries do not honour DNS TTL. Instead, they manage their own DNS cache which has a different TTL value for DNS entries. On .NET Framework, the value to control DNS TTL is ServicePointManager.DnsRefreshTimeout which has default value of 120 seconds - [DNS refresh timeout](https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.dnsrefreshtimeout). It is important that $[prodnameWindows] uses a longer TTL value than the one used by the application, so that DNS policy will be in place when the application is making outbound connections. The configuration item “WindowsDNSExtraTTL” should have a value bigger than the maximum value of DNS TTL used by the runtime libraries for your applications.
-- Due to the limitations of Windows container networking, a policy update could have an impact on performance. Programming DNS policy may result in more policy updates. Setting “WindowsDNSExtraTTL” to a bigger number will reduce the performance impact.
-
-## How to
-
-$[prodnameWindows] DNS policy is enabled by default and is configured the same way as [DNS policy for Linux](../../../network-policy/domain-based-policy.mdx). Use the following Windows-specific parameters for specifying the file to preserve learned DNS information and extra TTL in addition to DNS TTL.
-
-### Felix configurations
-
-| Field | Description | Accepted Values | Schema | Default |
-| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ------ | --------------------------------------- |
-| WindowsDNSCacheFile | Specify the name of the file that $[prodnameWindows] uses to preserve learned DNS information when restarting. | string | string | `c:\\TigeraCalico\\felix-dns-cache.txt` |
-| WindowsDNSExtraTTL | Specify extra time in seconds to keep IPs and alias names that are learned from DNS, in addition to each name or IP's advertised TTL. | int | int | `120` |
-
-## Additional resources
-
-- [DNS policy](../../../network-policy/domain-based-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/flowlogs.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/flowlogs.mdx
deleted file mode 100644
index 84a4490f06..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/flowlogs.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-description: Configure flow logs for Calico Enterprise for Windows workloads so traffic activity is captured for observability and forensics.
----
-
-# Configure flow logs for workloads
-
-## Big picture
-
-Configure $[prodnameWindows] flow log data for visibility and troubleshooting Windows workloads in Kubernetes clusters.
-
-## Value
-
-$[prodnameWindows] includes a fully-integrated deployment of Elasticsearch to collect flow log data that drives
-key features like Flow Visualizer, metrics in the dashboard and Policy Board, policy automation and testing features, and security.
-
-## Before you begin
-
-**Limitations**
-
-$[prodnameWindows] provides the same support for flow logs as Linux, with these exceptions:
-
-- No packet/bytes stats for denied traffic
-- No DNS stats
-- No HTTP stats
-- No RuleTrace for tiers
-- No BGP logs
-- No support for syslog archiving
-
-## How to
-
-$[prodnameWindows] flow logs are enabled and configured the same way as [Flow logs for Linux](../../../observability/elastic/overview.mdx). Use the following Windows-specific parameters for specifying file directories and paths.
-
-### Felix configurations
-
-| Field | Description | Accepted Values | Schema | Default |
-| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ------ | ------------------------------------------- |
-| windowsFlowLogsFileDirectory | Set the directory where flow logs files are stored on Windows nodes. This parameter takes effect only when `flowLogsFileEnabled` is set to `true`. | string | string | `c:\\TigeraCalico\\flowlogs` |
-| windowsFlowLogsPositionFilePath | Specify the position of the external pipeline that reads flow logs on Windows nodes. This parameter takes effect only when `FlowLogsDynamicAggregationEnabled` is set to `true`. | string | string | `c:\\TigeraCalico\\flowlogs\\flows.log.pos` |
-| windowsStatsDumpFilePath | Specify the position of the file used for dumping flow log statistics on Windows nodes. Note this is an internal setting that you should not need to modify. | string | string | `c:\\TigeraCalico\\stats\\dump` |
-
-## Additional resources
-
-- [Configure RBAC for Elasticsearch logs](../../../observability/elastic/rbac-elasticsearch.mdx)
-- [Configure flow log aggregation](../../../observability/elastic/flow/aggregation.mdx)
-- [Log storage recommendations](../../../operations/logstorage/log-storage-recommendations.mdx)
-- [Archive logs](../../../observability/elastic/archive-storage.mdx)
-- [Log collection options](../../../reference/installation/api.mdx#logcollectorspec)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/index.mdx
deleted file mode 100644
index aa7e44564d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Install and configure Calico Enterprise for Windows — covers requirements, supported platforms, and Windows-node install paths.
-hide_table_of_contents: true
----
-
-# Calico Enterprise for Windows
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/limitations.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/limitations.mdx
deleted file mode 100644
index 3926708df7..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/limitations.mdx
+++ /dev/null
@@ -1,207 +0,0 @@
----
-description: Known limitations of Calico Enterprise for Windows that you should review before planning an installation.
----
-
-# Limitations and known issues
-
-## $[prodnameWindows] feature limitations
-
-| Feature | Unsupported in this release |
-| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Platforms | - TKG - GKE |
-| Install and upgrade | - Non-cluster hosts - Typha component for scaling (Linux-based feature) |
-| Networking | - Overlay mode with BGP peering - IP in IP overlay with BGP routing - Cross-subnet support and MTU setting for VXLAN - IPv6 and dual stack - Dual-ToR - Service advertisement - Multiple networks to pods |
-| Policy | - Staged network-policy - Firewall integrations - Policy for hosts (host endpoints, including automatic host endpoints) - Tiered policy: TKG, GKE, AKS - WAF integration - AWS firewall integration - Fortinet integration |
-| Visibility and troubleshooting | - Packet capture - DNS logs - iptable logs - L7 logs |
-| Multi-cluster management | - Multi-cluster management federated identity endpoints and services - Federated endpoint identity and services |
-| Compliance and security | - CIS benchmark and other reports - WireGuard encryption for pod-to-pod traffic and host-to-host traffic |
-| Data plane | - eBPF is a Linux-based feature |
-
-## $[prodname] BGP networking limitations
-
-If you are using $[prodname] with BGP, note these current limitations with Windows.
-
-| Feature | Limitation |
-| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| IP mobility/ borrowing | $[prodname] IPAM allocates IPs to host in blocks for aggregation purposes. If the IP pool is full, nodes can also "borrow" IPs from another node's block. In BGP terms, the borrower then advertises a more specific "/32" route for the borrowed IP and traffic for that IP is only routed to the borrowing host.
Windows nodes do not support this borrowing mechanism; they will not borrow IPs even if the IP pool is full and they mark their blocks so that Linux nodes will not borrow from them. |
-| IPs reserved for Windows | $[prodname] IPAM allocates IPs in CIDR blocks. Due to networking requirements on Windows, four IPs per Windows node-owned block must be reserved for internal purposes.
For example, with the default block size of /26, each block contains 64 IP addresses, 4 are reserved for Windows, leaving 60 for pod networking.
To reduce the impact of these reservations, a larger block size can be configured at the IP pool scope (before any pods are created). |
-| Single IP block per host | $[prodname] IPAM is designed to allocate blocks of IPs (default size /26) to hosts on demand. While the $[prodname] CNI plugin was written to do the same, kube-proxy for Windows currently only supports a single IP block per host.
To work around the default limit of one /26 per host there some options:
- Use $[prodname] BGP networking with the kubernetes datastore. In that mode, $[prodname] IPAM is not used and the CNI host-local IPAM plugin is used with the node's Pod CIDR.
To allow multiple IPAM blocks per host (at the expense of kube-proxy compatibility), set the `windows_use_single_network` flag to `false` in the `cni.conf.template` before installing $[prodname]. Changing that setting after pods are networked is not recommended because it may leak HNS endpoints. |
-| IP-in-IP overlay | $[prodname]'s IPIP overlay mode cannot be used in clusters that contain Windows nodes because Windows does not support IP-in-IP. |
-| NAT-outgoing | $[prodname] IP pools support a "NAT outgoing" setting with the following behaviour:
- Traffic between $[prodname] workloads (in any IP pools) is not NATted. - Traffic leaving the configured IP pools is NATted if the workload has an IP within an IP pool that has NAT outgoing enabled. $[prodnameWindows] honors the above setting but it is only applied at pod creation time. If the IP pool configuration is updated after a pod is created, the pod's traffic will continue to be NATted (or not) as before. NAT policy for newly-networked pods will honor the new configuration. $[prodnameWindows] automatically adds the host itself and its subnet to the NAT exclusion list. This behaviour can be disabled by setting flag `windows_disable_host_subnet_nat_exclusion` to `true` in `cni.conf.template` before running the install script. |
-| Service IP advertisement | This $[prodname] feature is not supported on Windows. |
-
-### Check your network configuration
-
-If you are using a networking type that requires layer 2 reachability (such as $[prodname] with a BGP mesh and no peering to your fabric), you can check that your network has layer 2 reachability as follows:
-
-On each of your nodes, check the IP network of the network adapter that you plan to use for pod networking. For example, on Linux, assuming your network adapter is eth0, you can run:
-
-```
-$ ip addr show eth0
- 2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
-
- link/ether 00:0c:29:cb:c8:19 brd ff:ff:ff:ff:ff:ff
- inet 192.168.171.136/24 brd 192.168.171.255 scope
-
- global eth0
- valid_lft forever preferred_lft forever
- inet6 fe80::20c:29ff:fecb:c819/64 scope
- link
-
- valid_lft forever preferred_lft
- forever
-```
-
-In this case, the IPv4 is 192.168.171.136/24; which, after applying the /24 mask gives 192.168.171.0/24 for the IP network.
-
-Similarly, on Windows, you can run
-
-```
-PS C:\> ipconfig
-
-Windows IP Configuration
-
-Ethernet adapter vEthernet (Ethernet 2):
-
- Connection-specific DNS Suffix . :
- us-west-2.compute.internal Link-local IPv6 Address . . . .
- . : fe80::6d10:ccdd:bfbe:bce2%15 IPv4 Address. . . . . . .
- . . . . : 172.20.41.103 Subnet Mask . . . . . . . . . . .
- : 255.255.224.0 Default Gateway . . . . . . . . . :
- 172.20.32.1
-
-```
-
-In this case, the IPv4 address is 172.20.41.103 and the mask is represented as bytes 255.255.224.0 rather than CIDR notation. Applying the mask, we get a network address 172.20.32.0/19.
-
-Because the Linux node has network 192.168.171.136/24 and the Windows node has a different network, 172.20.32.0/19, they are unlikely to be on the same layer 2 network.
-
-## VXLAN networking limitations
-
-Because of differences between the Linux and Windows data plane feature sets, the following $[prodname] features are not supported on Windows.
-
-| Feature | Limitation |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| IPs reserved for Windows | $[prodname] IPAM allocates IPs in CIDR blocks. Due to networking requirements on Windows, four IPs per Windows node-owned block must be reserved for internal purposes.
For example, with the default block size of /26, each block contains 64 IP addresses, 4 are reserved for Windows, leaving 60 for pod networking.
To reduce the impact of these reservations, a larger block size can be configured at the IP pool scope (before any pods are created). |
-| Single IP block per host | $[prodname] IPAM is designed to allocate blocks of IPs (default size /26) to hosts on demand. While the $[prodname] CNI plugin was written to do the same, kube-proxy currently only supports a single IP block per host. To allow multiple IPAM blocks per host (at the expense of kube-proxy compatibility), set the `windows_use_single_network` flag to `false` in the `cni.conf.template` before installing $[prodname]. Changing that setting after pods are networked is not recommended because it may leak HNS endpoints. |
-
-## Routes are lost in cloud providers
-
-If you create a Windows host with a cloud provider (AWS for example), the creation of the vSwitch at $[prodname] install time can remove the cloud provider's metadata route. If your application relies on the metadata service, you may need to examine the routing table before and after installing $[prodname] to reinstate any lost routes.
-
-## VXLAN limitations
-
-**VXLAN support**
-
-- Windows 1903 build 18317 and above
-- Windows 1809 build 17763 and above
-
-**Configuration updates**
-
-Certain configuration changes will not be honored after the first pod is networked. This is because Windows does not currently support updating the VXLAN subnet parameters after the network is created so updating those parameters requires the node to be drained:
-
-One example is the VXLAN VNI setting. To change such parameters:
-
-- Drain the node of all pods
-- Delete the $[prodname] HNS network:
-
- ```powershell
- Import-Module -DisableNameChecking $[rootDirWindows]\libs\hns\hns.psm1
- Get-HNSNetwork | ? Name -EQ "$[prodname]" | Remove-HNSNetwork
- ```
-
-- Update the configuration in `config.ps1`, run `uninstall-calico.ps1` and then `install-calico.ps1` to regenerate the CNI configuration.
-
-## Pod-to-pod connections are dropped with TCP reset packets
-
-Restarting Felix or changes to policy (including changes to endpoints referred to in policy) can cause pod-to-pod connections to be dropped with TCP reset packets when one of the following occurs:
-
-- The policy that applies to a pod is updated
-- Some ingress or egress policy that applies to a pod contains selectors and the set of endpoints that those selectors match changes
-
-Felix must reprogram the HNS ACL policy attached to the pod. This reprogramming can cause TCP resets. Microsoft has confirmed this is a HNS issue, and they are investigating.
-
-## Service ClusterIPs incompatible with selectors on pod IPs in network policy
-
-**Windows 1809 prior to build 17763.1432**
-
-On Windows nodes, kube-proxy unconditionally applies source NAT to traffic from local pods to service ClusterIPs. This means that, at the destination pod, where policy is applied, the traffic appears to come from the source host rather than the source pod. In turn, this means that a network policy with a source selector matching the source pod will not match the expected traffic.
-
-## Network policy and using selectors
-
-Under certain conditions, relatively simple $[prodname] policies can require significant Windows data plane resources, that can cause significant CPU and memory usage, and large policy programming latency.
-
-We recommend avoiding policies that contain rules with both a source and destination selector. The following is an example of a policy that would be inefficient. The policy applies to all workloads, and it only allows traffic from workloads labeled as clients to workloads labeled as servers:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: calico-dest-selector
-spec:
- selector: all()
- order: 500
- ingress:
- - action: Allow
- destination:
- selector: role == "webserver"
- source:
- selector: role == "client"
-```
-
-Because the policy applies to all workloads, it will be rendered once per workload (even if the workload is not labeled as a server), and then the selectors will be expanded into many individual data plane rules to capture the allowed connectivity.
-
-Here is a much more efficient policy that still allows the same traffic:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: calico-dest-selector
-spec:
- selector: role == "webserver"
- order: 500
- ingress:
- - action: Allow
- source:
- selector: role == "client"
-```
-
-The destination selector is moved into the policy selector, so this policy is only rendered for workloads that have the `role: webserver` label. In addition, the rule is simplified so that it only matches on the source of the traffic. Depending on the number of webserver pods, this change can reduce the data plane resource usage by several orders of magnitude.
-
-## Network policy with tiers
-
-Because of the way the Windows data plane handles rules, the following limitations are required to avoid performance issues:
-
-- Tiers: maximum of 5
-- `pass` rules: maximum of 10 per tier
-- If each tier contains a large number of rules, and has pass rules, you may need to reduce the number of tiers further.
-
-## Flow log limitations
-
-$[prodname] supports flow logs with these limitations:
-
-- No packet/bytes stats for denied traffics
-- Inaccurate `num_flows_started` and `num_flows_completed` stats with VXLAN networking
-- No DNS stats
-- No HTTP stats
-- No RuleTrace for tiers
-- No BGP logs
-
-## DNS Policy limitations
-
-:::note
-
-DNS Policy is a tech preview feature. Tech preview features may be subject to significant changes before they become GA.
-
-:::
-
-$[prodname] supports DNS policy on Windows with these limitations:
-
-- It could take up to 5 seconds for the first TCP SYN packet to go through, for a connection to a DNS domain name. This is because DNS policies are dynamically programmed. The first TCP packet could be dropped since there is no policy to allow it until $[prodnameWindows] detects domain IPs from DNS response and programs DNS policy rules. The Windows TCPIP stack will send SYN again after TCP Retransmission timeout (RTO) if previous SYN has been dropped.
-- Some runtime libraries do not honour DNS TTL. Instead, they manage their own DNS cache which has a different TTL value for DNS entries. On .NET Framework, the value to control DNS TTL is ServicePointManager.DnsRefreshTimeout which has default value of 120 seconds - [DNS refresh timeout](https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.dnsrefreshtimeout). It is important that $[prodnameWindows] uses a longer TTL value than the one used by the application, so that DNS policy will be in place when the application is making outbound connections. The configuration item “WindowsDNSExtraTTL” should have a value bigger than the maximum value of DNS TTL used by the runtime libraries for your applications.
-- Due to the limitations of Windows container networking, a policy update could have an impact on performance. Programming DNS policy may result in more policy updates. Setting “WindowsDNSExtraTTL” to a bigger number will reduce the performance impact.
-
-## Next steps
-
-- [Install $[prodnameWindows] using operator](operator.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/operator.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/operator.mdx
deleted file mode 100644
index 40e3d41b0c..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/operator.mdx
+++ /dev/null
@@ -1,120 +0,0 @@
----
-description: Install Calico Enterprise for Windows on a Kubernetes cluster using the operator, for testing or development.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import CalicoWindowsInstall from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/CalicoWindowsInstall';
-
-# Install using Operator
-
-## Big picture
-
-Install $[prodnameWindows] on your Kubernetes cluster using the Tigera Operator.
-
-## Concepts
-
-$[prodnameWindows] is a hybrid implementation that requires a Linux cluster for $[prodname] components and Linux workloads, and Windows nodes for Windows workloads.
-
-## Before you begin
-
-Review the [Linux requirements](../requirements.mdx) and the [$[prodnameWindows] requirements](requirements.mdx).
-
-Before beginning, setup a $[prodname] cluster on Linux nodes and provision Windows machines.
-
-## How to
-
-- [Configure strict affinity for clusters using $[prodname] networking](#configure-strict-affinity-for-clusters-using-calico-networking)
-- [Install $[prodnameWindows] using the operator](#install-calico-enterprise-for-windows-using-the-operator)
-
-### Configure strict affinity for clusters using $[prodname] networking
-
-For Linux control nodes using $[prodname] networking, strict affinity must be set to `true`.
-This is required to prevent Linux nodes from borrowing IP addresses from Windows nodes:
-
-```bash
-kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'
-```
-
-### Install $[prodnameWindows] using the operator
-
-With Kubernetes v1.22, there is a new Windows container type called **HostProcess containers (HPC)** that can run directly on the host with access to the host network namespace,
-storage, and devices. With this feature, $[prodnameWindows] can now be installed and managed using Kubernetes resources such as Daemonsets and ConfigMaps,
-instead of needing to configure and install $[prodnameWindows] manually on each node. Using this installation method, the $[prodnameWindows]
-services are no longer registered on the host. Instead, the services are run directly within HostProcess containers.
-
-#### HPC requirements
-
-In addition to the [$[prodnameWindows] requirements](requirements.mdx),
-this installation method has [additional requirements](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/):
-
-- Kubernetes v1.22+
-- Enable HostProcess containers support. For Kubernetes v1.22, see [here](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/#before-you-begin). For Kubernetes v1.23+, HostProcess containers are enabled by default.
-- [containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) v1.6+
-- The Windows nodes have joined the cluster.
-
-To install containerd on the Windows node and configure the containerd service:
-
-```powershell
-Invoke-WebRequest $[windowsScriptsURL]/Install-Containerd.ps1 -OutFile c:\Install-Containerd.ps1
-c:\Install-Containerd.ps1 -ContainerDVersion 1.6.22 -skipHypervisorSupportCheck -CNIConfigPath "c:/etc/cni/net.d" -CNIBinPath "c:/opt/cni/bin"
-```
-
-If you have an existing $[prodnameWindows] installation using the manual method, your Windows nodes may have already joined the cluster.
-
-To join a Windows node to a cluster provisioned with kubeadm:
-
-- Install kubeadm and kubelet binaries and install the kubelet service
-
-```powershell
-Invoke-WebRequest $[windowsScriptsURL]/PrepareNode.ps1 -OutFile c:\PrepareNode.ps1
-c:\PrepareNode.ps1 -KubernetesVersion v1.26.6
-```
-
-- Run kubeadm on a control plane host and copy the join command
-
-```bash
-kubeadm token create --print-join-command
-```
-
-- Edit the join command by updating the kubeadm.exe path to `c:\k\kubeadm.exe`.
-- If using a Kubernetes version earlier than v1.25, also append `--cri-socket "npipe:////./pipe/containerd-containerd"` to the join command.
- An example join command:
-
-```
-c:\k\kubeadm.exe join 172.16.101.139:6443 --token v8w2jt.jmc45acn85dbll1e --discovery-token-ca-cert-hash sha256:d0b7040a704d8deb805ba1f29f56bbc7cea8af6aafa78137a9338a62831739b4 --cri-socket "npipe:////./pipe/containerd-containerd"
-```
-
-- Run the join command on the Windows node. Shortly after it completes successfully, the Windows node will appear in `kubectl get nodes`.
- The new node's status will be NotReady since the Calico CNI has not yet been installed.
-
-#### Migrate from $[prodnameWindows] manual installation to operator installation
-
-The HPC installation in this guide is operator-based and will automatically migrate your Windows nodes that have $[prodnameWindows] installed using the manual installation method. This installation process will uninstall any existing $[prodnameWindows] services and overwrite the $[prodnameWindows] installation files with those included in the `tigera/cni-windows` and `tigera/cnx-node-windows` images. If `kubelet` was installed using `$[rootDirWindows]\kubernetes\install-kube-services.ps1`, this service will remain installed. If the `kube-proxy` service was also installed using `$[rootDirWindows]\kubernetes\install-kube-services.ps1`, it will be stopped and uninstalled by the `calico-node-windows` HPC initContainers. It is recommended to run `kube-proxy-windows` as hostprocess container images using the [manifest provided in the kubernetes-sigs sig-windows-tools repository](https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hostprocess/calico/kube-proxy/kube-proxy.yml).
-
-:::note
-
-Before proceeding, take note of the configuration parameters in `$[rootDirWindows]\config.ps1`. These configuration parameters will be needed during the install.
-
-:::
-
-#### Operator installation
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Congratulations! You now have a Kubernetes cluster with $[prodnameWindows] and a Linux control node.
-
-## Next steps
-
-You can now use the $[prodname] Linux-based docs site for your documentation. Before you continue, review the [Limitations and known issues](limitations.mdx) to understand the features (and sections of documentation) that do not apply to Windows.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/rancher.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/rancher.mdx
deleted file mode 100644
index b9c7cb8c7b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/rancher.mdx
+++ /dev/null
@@ -1,115 +0,0 @@
----
-description: Install Calico Enterprise for Windows on a Rancher Kubernetes Engine (RKE) cluster with Windows worker nodes.
----
-
-# Install Calico Enterprise for Windows on RKE
-
-## Big picture
-
-Install $[prodnameWindows] on Rancher Kubernetes Engine (RKE).
-
-## Before you begin
-
-**Supported networking**
-
-- BGP with no encapsulation
-- VXLAN
-
-**Required**
-
-- A [compatible RKE cluster](../../compatibility.mdx#rke)
-
-- An RKE cluster provisioned with [no network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins#disabling-deployment-of-a-network-plug-in)
-
-- One or more Windows nodes that meet the [requirements](requirements.mdx).
-
-## How to
-
-The following steps will outline the installation of $[prodname] networking on the RKE cluster, then the installation of $[prodnameWindows] on the Windows nodes.
-
-1. Install the Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl create -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/tigera-operator.yaml
- ```
-
-1. Download the necessary Installation custom resources.
-
- ```bash
- wget $[filesUrl]/manifests/custom-resources.yaml
- ```
-
-1. Update the `calicoNetwork` options, ensuring that the correct pod CIDR is set. (Rancher uses `10.42.0.0/16` by default.)
- Below are sample installations for VXLAN and BGP networking using the default Rancher pod CIDR:
-
- **VXLAN**
-
- ```yaml
- apiVersion: operator.tigera.io/v1
- kind: Installation
- metadata:
- name: default
- spec:
- # Configures Calico networking.
- calicoNetwork:
- bgp: Disabled
- ipPools:
- - blockSize: 26
- cidr: 10.42.0.0/16
- encapsulation: VXLAN
- natOutgoing: Enabled
- nodeSelector: all()
- ```
-
- **BGP**
-
- ```yaml
- apiVersion: operator.tigera.io/v1
- kind: Installation
- metadata:
- name: default
- spec:
- # Configures Calico networking.
- calicoNetwork:
- ipPools:
- - blockSize: 26
- cidr: 10.42.0.0/16
- encapsulation: None
- natOutgoing: Enabled
- nodeSelector: all()
- ```
-
- :::note
-
- For more information on configuration options available in this manifest, see [the installation reference](../../../reference/installation/api.mdx).
-
- :::
-
-1. Apply the updated custom resources:
-
- ```bash
- kubectl create -f custom-resources.yaml
- ```
-
-1. Configure strict affinity:
-
- ```bash
- kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'
- ```
-
-1. Finally, install $[prodnameWindows]. For an operator installation, follow the [operator guide](operator.mdx).
- For VXLAN clusters, follow the instructions under the "Kubernetes VXLAN" tab. For BGP clusters, follow the instructions under the "Kubernetes BGP" tab.
-
- :::note
-
- For Rancher default values for service CIDR and DNS cluster IP, see the [Rancher kube-api service options](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-api-server-options).
-
- :::
-
-1. Check the status of the nodes with `kubectl get nodes`. If you see that the Windows node has the status `Ready`, then you have a $[prodnameWindows] on RKE cluster ready for Linux and Windows workloads!
-
-## Next steps
-
-- [Try the basic policy demo](demo.mdx)
-- [Secure pods with $[prodname] network policy](../../../network-policy/beginners/calico-network-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/requirements.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/requirements.mdx
deleted file mode 100644
index f32f33764e..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/requirements.mdx
+++ /dev/null
@@ -1,127 +0,0 @@
----
-description: Cluster and Windows host requirements you must meet before installing Calico Enterprise for Windows.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Requirements
-
-## What's supported in this release
-
-✓ Install:
-
-- Operator install for Kubernetes clusters using hostprocess containers (HPC) on Windows nodes
-
-✓ Platforms: Kubernetes, OpenShift, RKE, EKS, AKS
-
-✓ Networking:
-
-- Kubernetes, on-premises: Calico CNI with BGP or VXLAN
-- OpenShift: Calico CNI with BGP or VXLAN
-- Rancher Kubernetes Engine: Calico CNI with BGP or VXLAN
-- EKS: VPC CNI
-- AKS: Azure CNI
-
-## Requirements
-
-Because the Kubernetes and $[prodname] control components do not run on Windows yet, a hybrid Linux/Windows cluster is required.
-
-### CNI and networking options
-
-The following table summarizes the networking options and considerations.
-
-| Networking | Components | **Value/Content** |
-| ------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| $[prodname] BGP | Windows CNI plugin:
calico.exe
Linux: $[prodname] for policy and networking | $[prodname]'s native networking approach, supports: - Auto-configured node-to-node BGP mesh over an L2 fabric - Peering with external routers for an L3 fabric - $[prodname] IPAM and IP aggregation (with some limitations) - Route reflectors **Note**: Windows node cannot act as route reflectors. - Kubernetes API datastore driver
**AWS users**: If running on AWS, you must disable the source/dest check on your EC2 instances so that hosts can forward traffic on behalf of pods. |
-| $[prodname] VXLAN | Windows CNI plugin: calico.exe
Linux: $[prodname] for policy and networking | $[prodname]'s VXLAN overlay, supports:
- VXLAN overlay, which can traverse most networks. - Auto-configured node-to-node routing - $[prodname] IPAM and IP aggregation (with some limitations) - Kubernetes API datastore driver **Note**: VXLAN runs on UDP port 4789 (this is the only port supported by Windows), remember to open that port between your $[prodname] hosts in any firewalls / security groups. |
-| Cloud provider | Windows CNI plugin: win-bridge.exe
Linux: $[prodname] policy-only | A useful fallback, particularly if you have a Kubernetes cloud provider that automatically installs inter-host routes. $[prodname] has been tested with the standard **win-bridge.exe** CNI plugin so it should work with any networking provider that ultimately uses win-bridge.exe to network the pod (such as the Azure CNI plugin and cloud provider). |
-
-:::note
-
-If Calico CNI with VXLAN is used, BGP must be disabled. See the [installation reference](../../../reference/installation/api.mdx#bgpoption).
-
-:::
-
-### Kubernetes version
-
-For Kubernetes versions for your platform, see [Support and compatibility](../../compatibility.mdx).
-
-When using Operator install and Windows hostprocess containers (HPC), see [here for the additional requirements](operator.mdx#hpc-requirements).
-
-### Linux platform requirements
-
-- At least four Linux Kubernetes worker nodes to run $[prodname]'s cluster-wide components that meets [Linux system requirements](../requirements.mdx), and is installed with $[prodname] v3.5.0+
-- Must not be running in eBPF mode
-- VXLAN or BGP without encapsulation is supported if using $[prodname] CNI. IPIP ($[prodname]'s default encapsulation mode) is not supported. Turn off IPIP on the default IP pool.
-
-
-
-
- For IP pools managed through the `Installation` resource, patch the `Installation` to update the encapsulation. The operator reconciles these `IPPool` resources from the `Installation`, so direct edits to the `IPPool` are silently reverted.
-
- ```bash
- kubectl patch installation default --type=json \
- -p '[{"op":"replace","path":"/spec/calicoNetwork/ipPools/0/encapsulation","value":"VXLAN"}]'
- ```
-
- If your cluster has additional operator-managed IP pools, repeat the command for each, replacing `0` in `/spec/calicoNetwork/ipPools/0` with the index of the pool. Use `"None"` instead of `"VXLAN"` for BGP without encapsulation.
-
-
-
-
- For `IPPool` resources created directly (not through the `Installation`), patch the `IPPool`:
-
- ```bash
- kubectl patch ippool default-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}'
- ```
-
-
-
-
-- If using $[prodname] IPAM, strict affinity of IPAM configuration must be set to `true`.
-
- ```bash
- kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'
- ```
-
-:::note
-
-For operator-managed Linux $[prodname] clusters, three Linux worker nodes are required to meet high-availability requirements for Typha.
-
-:::
-
-### Windows platform requirements
-
-- Windows versions:
-
- - (deprecated) Windows Server 1809 (build 17763.1432 or later)
- - Windows Server 2022 (build 20348.169 or later)
-
- :::note
-
- Windows Server version support differs for each Kubernetes version. Review the [Windows OS Version Support](https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#windows-os-version-support) table for the Windows Server versions supported by each Kubernetes version.
-
- :::
-
-#### Operator install requirements
-
-- Kubernetes v1.22+
-- Enable HostProcess containers support. For Kubernetes v1.22, see [here](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/#before-you-begin). For Kubernetes v1.23+, HostProcess containers are enabled by default.
-- [containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) v1.6.0+
-- The Windows nodes have joined the cluster.
-- See [this section of the operator install guide for example commands](operator.mdx#hpc-requirements).
-
-### EKS requirements
-
-- The VPC controllers must be installed to run Windows pods.
-- An instance role on the Windows instance must have permissions to get `namespaces` and get `secrets` in the calico-system namespace (or kube-system namespace if you are using a non operator-managed $[prodname] installation.)
-
-### AKS requirements
-
-- $[prodnameWindows] can be enabled only on newly created clusters.
-- Non-HPC $[prodnameWindows] is available with Kubernetes version 1.20 or later
-
-## Next steps
-
-[Install Calico for Windows using operator](operator.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/troubleshoot.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/troubleshoot.mdx
deleted file mode 100644
index 6baf73e69f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/install-on-clusters/windows-calico/troubleshoot.mdx
+++ /dev/null
@@ -1,207 +0,0 @@
----
-description: Troubleshooting guide for Calico Enterprise for Windows clusters — common issues, diagnostic steps, and where to look for logs.
----
-
-# Troubleshoot Calico Enterprise for Windows
-
-## Useful troubleshooting commands
-
-**Examine the HNS network(s)**
-
-When using the $[prodname] CNI plugin, each $[prodname] IPAM block (or the single podCIDR in host-local IPAM mode), is represented as a HNS l2bridge network. Use the following command to inspect the networks.
-
-```powershell
-ipmo -DisableNameChecking $[rootDirWindows]\libs\hns\hns.psm1
-Get-HNSNetwork
-```
-
-**Examine pod endpoints**
-
-Use the following command to view the HNS endpoints on the system. There should be one HNS endpoint per pod networked with $[prodname]:
-
-```powershell
-ipmo -DisableNameChecking $[rootDirWindows]\libs\hns\hns.psm1
-Get-HNSEndpoint
-```
-
-## Troubleshoot
-
-### kubectl exec fails with timeout for Windows pods
-
-Ensure that the Windows firewall (and any network firewall or cloud security group) allows traffic to the host on port 10250.
-
-### kubelet fails to register, complains of node not found in logs
-
-This can be caused by a mismatch between a cloud provider (such as the AWS cloud provider) and the configuration of the node. For example, the AWS cloud provider requires that the node has a nodename matching its private domain name.
-
-### After initializing $[prodnameWindows], AWS metadata server is no longer reachable
-
-This is a known Windows issue that Microsoft is working on. The route to the metadata server is lost when the vSwitch is created. As a workaround, manually add the route back by running:
-
-```powershell
-New-NetRoute -DestinationPrefix 169.254.169.254/32 -InterfaceIndex
-```
-
-Where `` is the index of the "vEthernet (Ethernet 2)" device as shown by
-
-```powershell
-Get-NetAdapter
-```
-
-### Installation stalls at "Waiting for $[prodname] initialization to finish"
-
-This can be caused by Window's Execution protection feature. Exit the install using Ctrl-C, unblock the scripts, run `uninstall-calico.ps1`, followed by `install-calico.ps1`.
-
-### Windows Server 2019 insider preview: after rebooting a node, $[prodnameWindows] fails to start, the tigera-node.err.log file contains errors
-
-After rebooting the Windows node, pods fail to schedule, and the kubelet log has CNI errors like "timed out waiting for interface matching the management IP (169.254.57.5) of network" (where the IP address may vary but will always be a 169.254.x.x address). To workaround:
-
-- Stop and then start $[prodnameWindows] using the `stop-calico.ps1` and `start-calico.ps1` scripts
-- Sometimes the HNS network picks up a temporary self-assigned address at start-of-day and it does not get refreshed when the correct IP becomes known. Rebooting the node a second time often resolves the problem.
-
-### Invoke-Webrequest fails with TLS errors
-
-The error, "The request was aborted: Could not create SSL/TLS secure channel", often means that Windows does not support TLS v1.2 (which is required by many websites) by default. To enable TLS v1.2, run the following command:
-
-```powershell
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-```
-
-### Kubelet persistently fails to contact the API server
-
-If kubelet is already running when $[prodnameWindows] is installed, the creation of the container vSwitch can cause kubelet to lose its connection and then persistently fail to reconnect to the API server.
-To resolve this, restart kubelet after installing $[prodnameWindows].
-
-### No connectivity between pods on Linux and Windows nodes
-
-If using AWS, check that the source/dest check is disabled on the interfaces assigned to your nodes. This allows nodes to forward traffic on behalf of local pods.
-In AWS, the "Change Source/Dest. Check" option can be found on the Actions menu for a selected network interface.
-
-If using $[prodname] networking, check that the $[prodname] IP pool you are using has IPIP mode disabled (set to "Never). IPIP is not supported on Windows. To check the IP pool, you can use `calicoctl`:
-
-```bash
-calicoctl get ippool -o yaml
-```
-
-Example output of an IP pool with IPIP disabled:
-
-```yaml
-apiVersion: projectcalico.org/v3
-items:
- - apiVersion: projectcalico.org/v3
- kind: IPPool
- metadata:
- creationTimestamp: 2018-11-26T15:37:39Z
- name: default-ipv4-ippool
- resourceVersion: '172'
- uid: 34db7316-f191-11e8-ad7d-02850eebe6c4
- spec:
- blockSize: 26
- cidr: 192.168.0.0/16
- disabled: true
- ipipMode: Never
- natOutgoing: true
-```
-
-### Felix starts, but does not output logs
-
-By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/component-resources/node/felix/configuration.mdx#general-configuration) to "info" or "debug" level.
-
-### $[prodname] BGP mode: connectivity issues, Linux calico/node pods report unready
-
-Check the detailed health output that shows which health check failed:
-
-```
-kubectl describe pod -n calico-system
-```
-
-:::note
-
-Use namespace `kube-system` instead of `calico-system` if your Calico installation is non operator-managed.
-
-:::
-
-If the health check reports a BGP peer failure, check the IP address of the peer is either an
-expected IP of a node or an external BGP peer. If the IP of the failed peering is a Windows node:
-
-- Check that the node is up a reachable over IP
-- Check that the RemoteAccess service is installed and running:
-
- ```powershell
- Get-Service | ? Name -EQ RemoteAccess
- ```
-
-- Check the logs for the confd service in the configured log directory for errors
- (default $[rootDirWindows]\logs).
-
-**Examine BGP state on a Windows host**
-
-The Windows BGP router exposes its configuration and state as PowerShell commandlets.
-
-**To show BGP peers**:
-
-```powershell
-Get-BgpPeer
-```
-
-Example output:
-
-```
-PeerName LocalIPAddress PeerIPAddress PeerASN OperationMode ConnectivityStatus
--------- -------------- ------------- ------- ------------- ------------------
-Mesh_172_20_48_43 172.20.55.101 172.20.48.43 64512 Mixed Connected
-Mesh_172_20_51_170 172.20.55.101 172.20.51.170 64512 Mixed Connected
-Mesh_172_20_54_3 172.20.55.101 172.20.54.3 64512 Mixed Connected
-Mesh_172_20_58_252 172.20.55.101 172.20.58.252 64512 Mixed Connected
-For an established peering, the ConnectivityStatus column should be "Connected".
-```
-
-**To examine routes learned from other hosts**:
-
-```powershell
-Get-BgpRouteInformation -Type all
-```
-
-Example output:
-
-```
-DestinationNetwork NextHop LearnedFromPeer State LocalPref MED
------------------- ------- --------------- ----- --------- ---
-10.243.128.192/26 172.20.58.252 Mesh_172_20_58_252 Best 100
-10.244.115.128/26 172.20.48.43 Mesh_172_20_48_43 Best 100
-10.244.128.192/26 172.20.58.252 Mesh_172_20_58_252 Best 100
-```
-
-For active routes, the State should show as "Best". Routes with State equal to "Unresolved"
-indicate that the BGP router could not resolve a route to the peer and the route will not be
-used. This can occur if the networking state changes after the BGP router is started;
-restarting the BGP router may solve the problem:
-
-```powershell
-Restart-Service RemoteAccess
-```
-
-To see the routes being exported by this host:
-
-```powershell
-(Get-BgpCustomRoute).Network
-```
-
-Example output:
-
-```
-10.243.214.152/29
-10.243.214.160/29
-10.243.214.168/29
-10.244.42.0/26
-```
-
-### Nodeports on Linux do not pass connections on to Windows pods
-
-Check that your linux nodes are NOT running in eBPF mode. This can be checked by running:
-
-```
-kubectl get felixconfiguration default -o yaml
-```
-
-Check that `bpfEnabled=false` (or is not present at all in the felixconfiguration)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/manifest-archive.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/manifest-archive.mdx
deleted file mode 100644
index a252269932..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/manifest-archive.mdx
+++ /dev/null
@@ -1,109 +0,0 @@
----
-description: Install an older patch release of Calico Enterprise from the manifest archive when an upgrade to the latest is not yet possible.
----
-
-# Install a patch release
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import ReleaseArchiveTable from "../_includes/components/ReleaseArchiveTable";
-
-Installing the most recent patch version of $[prodname] $[version] ensures that you have the latest bug fixes and improvements.
-But you can always install, or downgrade to, a previous patch version.
-Installing an older patch can help if you encounter problems with the latest patch, or if you're required to install only a specific patch version.
-
-## Before you begin
-
-This feature is:
-
-- Available in 3.0 and later
-- Not available for Helm with operator
-
-## How to
-
-1. Download the release archive for your patch version from the following table:
-
-
-
-1. Untar the **release-vx.y.z-vx.y.z.tgz** to a local directory.
-
- ```bash
- tar xzvf release-vx.y.z-vx.y.z.tgz
- ```
-
-
-
-
-In the patch release archive, navigate to the `manifests` folder.
-
-1. Follow the [quickstart installation](install-on-clusters/kubernetes/quickstart.mdx), making the following changes:
-
- 1. Install Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl create -f /manifests/operator-crds.yaml
- kubectl create -f /manifests/tigera-operator.yaml
- ```
-
- 2. If you are not using an existing Prometheus operator, install it.
-
- ```bash
- kubectl create -f /manifests/tigera-prometheus-operator.yaml
- ```
-
- 3. Install Tigera custom resources.
-
- ```bash
- kubectl create -f /manifests/custom-resources.yaml
- ```
-
- :::note
-
- For platforms like AKS or EKS, you must modify the command to be platform specific.
- EKS example: `kubectl create -f /manifests/eks/custom-resources.yaml`
-
- :::
-
-
-
-
-In the patch release archive, navigate to the `ocp-manifests` folder which contains three folders `install-manifests`,
-`enterprise-resources`, and `upgrade-manifests`.
-
-- `install-manifests` contains all the manifests needed for minimal OCP cluster.
-- `enterprise-resources` contains the $[prodname] resources.
-- `upgrade-manifests` folder contains all the manifests needed for upgrading $[prodname].
-
-1. Create the cluster by following [the standard installation](install-on-clusters/openshift/installation.mdx), with the following caveat:
-
- 1. After the Kubernetes manifests directory is generated, copy the files from `install-manifests` instead of downloading the manifests.
-
- :::note
-
- Before creating the cluster, be sure to add an image pull secret in `install-manifests/02-pull-secret.yaml`
-
- :::
-
-1. Install $[prodname] resources:
-
- ```bash
- cd /ocp-manifests/enterprise-resources && oc create -f
- ```
-
-
-
-
-In the patch release archive, there are additional manifests relating to specific features.
-
-**Examples**
-
-To apply the patch release for threat defense features.
-
-```bash
-cd /manifests/threatdef && kubectl create -f ejr-vpn.yaml.yaml
-cd /manifests/threatdef && kubectl create -f tor-exit-feed.yaml
-```
-
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/index.mdx
deleted file mode 100644
index 51f84e6103..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Pick an upgrade path for Calico Enterprise — covers migrations from Calico Open Source and version-to-version Calico Enterprise upgrades.
-hide_table_of_contents: true
----
-
-# Upgrade
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/index.mdx
deleted file mode 100644
index 26ce804b4b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Upgrade from Calico Open Source to Calico Enterprise — covers the supported install methods and what changes during the migration.
-hide_table_of_contents: true
----
-
-# Upgrade from Calico to Calico Enterprise
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee-openshift.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee-openshift.mdx
deleted file mode 100644
index 54afae9b8c..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee-openshift.mdx
+++ /dev/null
@@ -1,113 +0,0 @@
----
-description: Upgrade from Calico Open Source to Calico Enterprise on an OpenShift 4 cluster.
----
-
-import InstallOpenShiftManifests from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShiftManifests';
-import OpenShiftPrometheusOperator from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPrometheusOperator';
-import OpenShiftPullSecret from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPullSecret';
-
-# Upgrade from Calico to Calico Enterprise on OpenShift
-
-## Prerequisites
-
-Ensure that your Kubernetes cluster is running with open source Calico on the latest release using an operator-based
-installation. If not, follow the [Calico upgrade documentation](/calico/latest/operations/upgrading/openshift-upgrade)
-before continuing.
-
-Ensure your Kubernetes cluster is using the Kubernetes datastore. If you are using an `etcdv3` datastore, or the cluster doesn't have a datastore, contact Tigera Support to upgrade the datastore.
-
-Your Kubernetes cluster must not be running in production. Operator-based upgrades from open source Calico are not recommended for production clusters due to limited testing. Also, upgrades are not tested with open source Calico prior to v3.15.
-
-If your cluster already has $[prodname] installed, follow the [Upgrading $[prodname] from an earlier release guide](../upgrading-enterprise/openshift-upgrade.mdx) instead.
-
-## Prepare your cluster for the upgrade
-
-Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
-
-### Deleting Goldmane and Whisker resources (for upgrades from Calico 3.30 or later)
-
-If you are upgrading from Calico 3.30 and have custom resources related to Goldmane and Whisker, you should delete these resources before the upgrade.
-
-```bash
-oc delete goldmanes,whiskers --all
-```
-
-If you receive error indicating the custom resource definitions or resource type does not exist, it means these resources were not present in your cluster. You can safely ignore the error and proceed.
-
-## Upgrade Calico to $[prodname]
-
-### Before you begin
-
-**Required**
-
-- [Configure a storage class for $[prodname].](../../../operations/logstorage/create-storage.mdx)
-
-### Install $[prodname]
-
-**Download the new manifests**
-
-Make the manifests directory.
-
-```bash
-mkdir manifests
-```
-
-
-
-**Add an image pull secret**
-
-
-
-> (Optional) If your cluster architecture requires any custom [$[prodname] resources](../../../reference/resources/index.mdx) to function at startup, install them now using [calicoctl](../../../reference/clis/calicoctl/overview.mdx).
-
-**Install $[prodname]**
-
-1. Apply the Tigera Operators and custom resource definitions.
-
- ```bash
- oc apply --server-side --force-conflicts -f manifests/
- ```
-
-2. Optional: If your cluster architecture requires any custom [Calico resources](../../../reference/resources/index.mdx) to function at startup, install them now using [calicoctl](../../../reference/clis/calicoctl/overview.mdx).
-
-3. Create the custom resources for $[prodname] features, see [the installation reference](../../../reference/installation/api.mdx).
-
- ```bash
- oc apply -f $[filesUrl]/manifests/ocp/tigera-enterprise-resources.yaml
- ```
-
-4. Patch installation.
-
- ```bash
- oc patch installations.operator.tigera.io default --type merge -p '{"spec":{"variant":"TigeraSecureEnterprise","imagePullSecrets":[{"name":"tigera-pull-secret"}]}}'
- ```
-
-5. You can now monitor the upgrade progress with the following command:
-
- ```bash
- watch oc get tigerastatus
- ```
-
-Wait until the `apiserver` shows a status of `Available`, then proceed to the next section.
-
-:::note
-
-To troubleshoot problems, use `oc get tigerastatus -o yaml`.
-
-:::
-
-### Install the $[prodname] license
-
-Install the $[prodname] license provided to you by Tigera.
-
-```
-oc create -f
-```
-
-
-
-You can now monitor progress with the following command:
-
-```
-watch oc get tigerastatus
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/helm.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/helm.mdx
deleted file mode 100644
index dbd5a2bfa6..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/helm.mdx
+++ /dev/null
@@ -1,100 +0,0 @@
----
-description: Upgrade from a Helm-installed Calico Open Source cluster to Calico Enterprise on Kubernetes.
----
-
-# Upgrade Calico to Calico Enterprise installed with Helm
-
-import CodeBlock from '@theme/CodeBlock';
-
-:::note
-
-All upgrades in $[prodname] are free with a valid license.
-
-:::
-
-## Prepare your cluster for the upgrade
-
-Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
-
-### Deleting Goldmane and Whisker resources (for upgrades from Calico 3.30 or later)
-
-If you are upgrading from Calico 3.30 and have custom resources related to Goldmane and Whisker, you should delete these resources before the upgrade.
-
-```bash
-kubectl delete goldmanes,whiskers --all
-```
-
-If you receive error indicating the custom resource definitions or resource type does not exist, it means these resources were not present in your cluster. You can safely ignore the error and proceed.
-
-## Upgrade from Calico to $[prodname]
-
-:::note
-
-The following steps assume the Calico deployment is installed on `tigera-operator` namespace. Replace with valid namespace otherwise.
-
-:::
-
-1. Get the Helm chart
-
-
- {'$[version]' === 'master'
- ? (`gsutil cp gs://tigera-helm-charts/tigera-operator-v0.0.tgz`)
- : (`curl -O -L $[downloadsurl]/ee/charts/tigera-operator-$[chart_version_name].tgz`)
- }
-
-
-1. Install the $[prodname] custom resource definitions.
-
- ```bash
- kubectl apply --server-side --force-conflicts -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/prometheus-operator-crds.yaml
- kubectl create -f $[filesUrl]/manifests/eck-operator-crds.yaml
- ```
-
-1. [Configure a storage class for $[prodname]](../../../../operations/logstorage/create-storage.mdx)
-
-1. Run the Helm upgrade command for `tigera-operator`:
-
-
- {'$[version]' === 'master'
- ? (
- `helm upgrade calico tigera-operator-v0.0.tgz \\
- --set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
- --namespace tigera-operator`
- )
- : (
- `helm upgrade calico tigera-operator-$[chart_version_name].tgz \\
- --set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
- --namespace tigera-operator`
- )
- }
-
-
-1. Wait until the `apiserver` shows a status of `Available`, then proceed to the next section. You can monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus/apiserver
- ```
-
-1. Install your $[prodname] license.
-
- ```bash
- kubectl create -f
- ```
-
-1. Monitor progress, wait until all components show a status of `Available`, then proceed to the next step.
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
- :::note
-
- If there are any problems you can use `kubectl get tigerastatus -o yaml` to get more details.
-
- :::
-
-## Next steps
-
-- [Configure access to the $[prodname] web console](../../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../../operations/cnx/authentication-quickstart.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/index.mdx
deleted file mode 100644
index 95d4c43eeb..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Upgrade from Calico Open Source to Calico Enterprise on a Kubernetes cluster — pick a path based on the original install method.
-hide_table_of_contents: true
----
-
-# Kubernetes
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/standard.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/standard.mdx
deleted file mode 100644
index efdf05c161..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/standard.mdx
+++ /dev/null
@@ -1,111 +0,0 @@
----
-description: Upgrade from an operator-installed Calico Open Source cluster to Calico Enterprise on Kubernetes.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import UpgradeOperatorSimple from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/UpgradeOperatorSimple';
-
-# Upgrade from Calico to Calico Enterprise
-
-## Prerequisites
-
-Ensure that your Kubernetes cluster is running with open source Calico on the latest release using an operator-based
-installation. If not, follow the [Calico upgrade documentation](/calico/latest/operations/upgrading/kubernetes-upgrade)
-before continuing.
-
-$[prodname] only supports clusters with a Kubernetes datastore.
-Please contact Tigera Support for assistance upgrading a cluster with an `etcdv3` datastore.
-
-If your cluster already has $[prodname] installed, follow the [Upgrading $[prodname] from an earlier release guide](../../upgrading-enterprise/kubernetes-upgrade-tsee/index.mdx) instead.
-
-For hybrid Linux and Windows clusters, ensure that your Windows nodes have at least 4 cores, 8GB RAM.
-
-## Prepare your cluster for the upgrade
-
-$[prodname] creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
-
-### Deleting Goldmane and Whisker resources (for upgrades from Calico 3.30 or later)
-
-If you are upgrading from Calico 3.30 and have custom resources related to Goldmane and Whisker, you should delete these resources before the upgrade.
-
-```bash
-kubectl delete goldmanes,whiskers --all
-```
-
-If you receive error indicating the custom resource definitions or resource type does not exist, it means these resources were not present in your cluster. You can safely ignore the error and proceed.
-
-## Upgrade Calico to $[prodname]
-
-:::note
-
-GKE upgrades from open source Calico are not currently supported.
-
-:::
-
-### Before you begin
-
-**Required**
-
-- [Configure a storage class for $[prodname].](../../../../operations/logstorage/create-storage.mdx)
-
-### Install $[prodname]
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-:::note
-
-The following instructions are only for AKS clusters that use a Kubernetes reconciler. For AKS clusters with a self-managed Calico installation (including AKS clusters with Calico CNI), or a cluster that is not using a reconciler, follow the upgrade steps under the **Kubernetes** tab.
-
-:::
-
-These upgrade instructions will upgrade your AKS clusters with Azure CNI and an AKS-managed Calico installation.
-
-
-
-
-
-
-Wait until the `apiserver` shows a status of `Available`, then proceed to the next section.
-
-:::note
-
-If there are any problems you can use `kubectl get tigerastatus -o yaml` to get more details.
-
-:::
-
-### Install the $[prodname] license
-
-To use $[prodname], you must install the license provided to you by Tigera.
-
-```
-kubectl create -f
-```
-
-You can now monitor progress with the following command:
-
-```
-watch kubectl get tigerastatus
-```
-
-### Next steps
-
-- [Configure access to the $[prodname] web console](../../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../../operations/cnx/authentication-quickstart.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/index.mdx
deleted file mode 100644
index 50ba657cee..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Upgrade an existing Calico Enterprise cluster to a newer version — pick a path based on the install method and platform.
-hide_table_of_contents: true
----
-
-# Upgrade Calico Enterprise
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/helm.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/helm.mdx
deleted file mode 100644
index 6c77fdb76c..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/helm.mdx
+++ /dev/null
@@ -1,168 +0,0 @@
----
-description: Upgrade a Helm-installed Calico Enterprise cluster on Kubernetes to a newer version.
----
-
-# Upgrade Calico Enterprise installed with Helm
-
-import CodeBlock from '@theme/CodeBlock';
-
-:::note
-
-All upgrades in $[prodname] are free with a valid license.
-
-:::
-
-## Prerequisites
-
-- Verify that your Kubernetes cluster is using Helm
-
- ```bash
- kubectl get tigerastatus
- ```
-
- If the result is successful, then your installation is using Helm.
-
-## Prepare your cluster for the upgrade
-
-During the upgrade the controller that manages Elasticsearch is updated. Because of this, the $[prodname] LogStorage
-CR is temporarily removed during upgrade. Features that depend on LogStorage are temporarily unavailable, among which
-are the dashboards in the web console. Data ingestion is temporarily paused and will continue when the LogStorage is
-up and running again.
-
-To retain data from your current installation (optional), ensure that the currently mounted persistent volumes
-have their reclaim policy set to [retain data](https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/).
-Retaining data is only recommended for users that use a valid Elastic license. Trial licenses can get invalidated during
-the upgrade.
-
-If your cluster has Windows nodes and uses custom TLS certificates for log storage then, prior to upgrade, prepare and apply new certificates for [log storage](../../../../operations/comms/log-storage-tls.mdx) that include the required service DNS names.
-
-### Upgrade OwnerReferences
-
-If you do not use OwnerReferences on resources in the projectcalico.org/v3 API group, you can skip this section.
-
-Starting in $[prodname] v3.19, a change in the way UIDs are generated for projectcalico.org/v3 resources requires that you update any OwnerReferences
-that refer to projectcalico.org/v3 resources as an owner. After upgrade, the UID for all projectcalico.org/v3 resources will be changed, resulting in any
-owned resources being garbage collected by Kubernetes.
-
-1. Remove any OwnerReferences from resources in your cluster that have `apiGroup: projectcalico.org/v3`.
-1. Perform the upgrade normally.
-1. Add new OwnerReferences to your resources referencing the new UID.
-
-### Default Deny
-
-$[prodname] creates a default-deny for the calico-system namespace. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
-
-## Upgrade from 3.19 or later
-
-:::note
-
-These steps differ based on your cluster type. If you are unsure of your cluster type, look at the field `clusterManagementType` when you run `kubectl get installation -o yaml` before you proceed.
-
-:::
-
-1. Get the Helm chart
-
-
- {'$[version]' === 'master'
- ? (`gsutil cp gs://tigera-helm-charts/tigera-operator-v0.0.tgz`)
- : (`curl -O -L $[downloadsurl]/ee/charts/tigera-operator-$[chart_version_name].tgz`)
- }
-
-
-1. Install the $[prodname] custom resource definitions.
-
- ```bash
- kubectl apply --server-side --force-conflicts -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl apply --server-side --force-conflicts -f $[filesUrl]/manifests/prometheus-operator-crds.yaml
- kubectl apply --server-side --force-conflicts -f $[filesUrl]/manifests/eck-operator-crds.yaml
- ```
-
-1. If your cluster is v3.19 or older, update `values.yaml` with `packetCaptureAPI` enabled to true.
-
- If your `values.yaml` configuration does not include `packetCaptureAPI`, add `packetCaptureAPI` to the configuration and set `enabled` to `true`.
-
- ```
- packetCaptureAPI:
- enabled: true
- ```
-
- or
-
- If you are using default `values.yaml`, copy the custom `values.yaml` and update packetCaptureAPI's `enabled` to `true`. Then, replace `` in the next step with this modified `values.yaml` for the Helm upgrade.
-
-
- {'$[version]' === 'master'
- ? (
- `helm show values ./tigera-operator-v0.0.tgz >values.yaml`
- )
- : (
- `helm show values ./tigera-operator-$[chart_version_name].tgz >values.yaml`
- )
- }
-
-
-1. Optional: Compliance and packetcapture features are optional. To enable or maintain the enabled status, review the `values.yaml` file and set the flag to `enabled: true`.
-
- If your `values.yaml` configuration does not include `compliance` or `packetCaptureAPI`, add them to the configuration and set to `enabled: true`
-
- ```
- packetCaptureAPI:
- enabled: true
-
- compliance:
- enabled:true
- ```
-
- or
-
- If you are using default `values.yaml`, copy the custom `values.yaml` and update compliance and packetCaptureAPI's `enabled` to `true`. Then, replace `` in the next step with this modified `values.yaml` for the Helm upgrade.
-
-
- {'$[version]' === 'master'
- ? (
- `helm show values ./tigera-operator-v0.0.tgz >values.yaml`
- )
- : (
- `helm show values ./tigera-operator-$[chart_version_name].tgz >values.yaml`
- )
- }
-
-
-1. Run the Helm upgrade command for `tigera-operator` and make sure to either update `values.yaml` with your configuration or use custom `values.yaml` file:
-
-
- {'$[version]' === 'master'
- ? (
- `helm upgrade calico-enterprise --values= tigera-operator-v0.0.tgz \\
- --set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
- --set-file licenseKeyContent= \\
- --namespace tigera-operator`
- )
- : (
- `helm upgrade calico-enterprise --values= tigera-operator-$[chart_version_name].tgz \\
- --set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
- --set-file licenseKeyContent= \\
- --namespace tigera-operator`
- )
- }
-
-
- :::note
-
- If you previously upgraded from open source to enterprise, your installation name will be `calico`. Substitute the command
- above with `helm upgrade calico ...` instead.
-
- :::
-
- 1. You can monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
-:::note
-
-Make sure you have the `CNI Type` defined in your `values.yaml` file, especially if it is different from the default `CNI` type.
-If there are any problems you can use `kubectl get tigerastatus -o yaml` to get more details.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/index.mdx
deleted file mode 100644
index 054877eaf6..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Upgrade an existing Calico Enterprise installation on a Kubernetes cluster to a newer version.
-hide_table_of_contents: true
----
-
-# Kubernetes
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/operator.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/operator.mdx
deleted file mode 100644
index 49226f2b21..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/kubernetes-upgrade-tsee/operator.mdx
+++ /dev/null
@@ -1,114 +0,0 @@
----
-description: Upgrade an operator-installed Calico Enterprise cluster on Kubernetes to a newer version.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import UpgradeOperatorSimple from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/UpgradeOperatorSimple';
-
-# Upgrade Calico Enterprise installed with the operator
-
-:::note
-
-All upgrades in $[prodname] are free with a valid license.
-
-:::
-
-## Upgrades paths
-
-You can upgrade your cluster to a maximum of **two releases** from your existing version. For example, if you are on version 3.16, you can upgrade to 3.17, or you can upgrade directly to 3.18. However, you cannot upgrade beyond **two releases**; upgrading from 3.16 to 3.19 (three releases) is not supported.
-
-If you are several versions behind where you want to be, you must go through each group of two releases to get there. For example, if you are on version 3.16, and you want to get to 3.20, you can upgrade to 3.18, then upgrade from 3.18 directly to 3.20.
-
-:::note
-
-Always check the [Release Notes](../../../../release-notes/index.mdx) for exceptions; limitations can override the above pattern.
-
-:::
-
-## Prerequisites
-
-Verify that your Kubernetes cluster is using a version of $[prodname] installed with the operator, by running
-`kubectl get tigerastatus`. If the result is successful, then your installation is using the operator.
-
-If your cluster has a Calico installation, contact Tigera support to upgrade.
-
-## Prepare your cluster for the upgrade
-
-During the upgrade the controller that manages Elasticsearch is updated. Because of this, the $[prodname] LogStorage
-CR is temporarily removed during upgrade. Features that depend on LogStorage are temporarily unavailable, among which
-are the dashboards in the web console. Data ingestion is temporarily paused and will continue when the LogStorage is
-up and running again.
-
-To retain data from your current installation (optional), ensure that the currently mounted persistent volumes
-have their reclaim policy set to [retain data](https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/).
-Retaining data is only recommended for users that use a valid Elastic license. Trial licenses can get invalidated during
-the upgrade.
-
-### Upgrade OwnerReferences
-
-If you do not use OwnerReferences on resources in the projectcalico.org/v3 API group, you can skip this section.
-
-Starting in $[prodname] v3.19, a change in the way UIDs are generated for projectcalico.org/v3 resources requires that you update any OwnerReferences
-that refer to projectcalico.org/v3 resources as an owner. After upgrade, the UID for all projectcalico.org/v3 resources will be changed, resulting in any
-owned resources being garbage collected by Kubernetes.
-
-1. Remove any OwnerReferences from resources in your cluster that have `apiGroup: projectcalico.org/v3`.
-1. Perform the upgrade normally.
-1. Add new OwnerReferences to your resources referencing the new UID.
-
-### Default Deny
-
-$[prodname] creates a default-deny for the calico-system namespace. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
-
-### Windows
-
-If your cluster has Windows nodes and uses custom TLS certificates for log storage, prior to upgrade, prepare and apply new certificates for [log storage](../../../../operations/comms/log-storage-tls.mdx) that include the required service DNS names.
-
-For AKS only, upgrades to a newer version will automatically upgrade $[prodnameWindows]. During the upgrade, Windows nodes will be tainted so new pods will not be scheduled until the upgrade of the node has finished. The $[prodnameWindows] upgrade status can be monitored with: `kubectl get tigerastatus calico -oyaml`.
-
-### Multi-cluster management
-
-For $[prodname], upgrading multi-cluster management setups must include updating all managed and management clusters.
-
-:::note
-
-These steps differ based on your cluster type. If you are unsure of your cluster type, look at the field `clusterManagementType` when you run `kubectl get installation -o yaml` before you proceed.
-
-:::
-
-## Upgrade Calico Enterprise
-
-
-
-
-
-
-
-
-
-:::note
-
-If $[prodname] was installed directly onto the AKS cluster, follow the upgrade instructions in the **Kubernetes** tab.
-
-:::
-
-These AKS upgrade instructions apply only to AKS clusters which were upgraded to
-$[prodname] from Calico. Check whether the cluster was upgraded from Calico by
-checking the namespace for the active operator:
-
-```bash
-kubectl get configmap -n calico-system active-operator -oyaml | grep active-namespace
-```
-
-If the `active-namespace` is `tigera-operator-enterprise`, then the cluster was
-upgraded from Calico.
-
-
-
-
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/openshift-upgrade.mdx b/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/openshift-upgrade.mdx
deleted file mode 100644
index 9d9dbbb46f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/getting-started/upgrading/upgrading-enterprise/openshift-upgrade.mdx
+++ /dev/null
@@ -1,199 +0,0 @@
----
-description: Upgrade an existing Calico Enterprise installation on an OpenShift 4 cluster to a newer version.
----
-
-import InstallOpenShiftManifests from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShiftManifests';
-import OpenShiftPrometheusOperator from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/OpenShiftPrometheusOperator';
-
-# Upgrade Calico Enterprise installed with OpenShift
-
-:::note
-
-All upgrades in $[prodname] are free with a valid license.
-
-:::
-
-## Upgrades paths
-
-You can upgrade your cluster to a maximum of **two releases** from your existing version. For example, if you are on version 3.16, you can upgrade to 3.17, or you can upgrade directly to 3.18. However, you cannot upgrade beyond **two releases**; upgrading from 3.16 to 3.19 (three releases) is not supported.
-
-If you are several versions behind where you want to be, you must go through each group of two releases to get there. For example, if you are on version 3.16, and you want to get to 3.20, you can upgrade to 3.18, then upgrade from 3.18 directly to 3.20.
-
-:::note
-
-Always check the [Release Notes](../../../release-notes/index.mdx) for exceptions; limitations can override the above pattern.
-
-:::
-
-## Prerequisites
-
-Ensure that your $[prodname] OpenShift cluster is running a supported version of [OpenShift Container Platform](../../compatibility.mdx#openshift), and the $[prodname] operator version is v1.2.4 or greater.
-
-:::note
-
-You can check if you are running the operator by checking for the existence of the operator namespace
-with `oc get ns tigera-operator` or issuing `oc get tigerastatus`; a successful return means your installation is
-using the operator.
-
-:::
-
-## Prepare your cluster for the upgrade
-
-During upgrade, the $[prodname] LogStorage CR is temporarily removed so Elasticsearch can be upgraded. Features
-that depend on LogStorage are temporarily unavailable, including dashboards in the web console. Data ingestion is paused
-temporarily, but resumes when the LogStorage is up and running again.
-
-To retain data from your current installation (optional), ensure that the currently mounted persistent volumes
-have their reclaim policy set to [retain data](https://kubernetes.io/docs/tasks/administer-cluster/change-pv-reclaim-policy/).
-Data retention is recommended only for users that have a valid Elasticsearch license. (Trial licenses can be invalidated
-during upgrade).
-
-### Upgrade OwnerReferences
-
-If you do not use OwnerReferences on resources in the projectcalico.org/v3 API group, you can skip this section.
-
-Starting in $[prodname] v3.19, a change in the way UIDs are generated for projectcalico.org/v3 resources requires that you update any OwnerReferences
-that refer to projectcalico.org/v3 resources as an owner. After upgrade, the UID for all projectcalico.org/v3 resources will be changed, resulting in any
-owned resources being garbage collected by Kubernetes.
-
-1. Remove any OwnerReferences from resources in your cluster that have `apiGroup: projectcalico.org/v3`.
-1. Perform the upgrade normally.
-1. Add new OwnerReferences to your resources referencing the new UID.
-
-### Default Deny
-
-$[prodname] creates a default-deny for the calico-system namespace. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
-
-### Windows
-
-If your cluster has Windows nodes and uses custom TLS certificates for log storage, prior to upgrade, prepare and apply new certificates for [log storage](../../../operations/comms/log-storage-tls.mdx) that include the required service DNS names.
-
-### Multi-cluster management
-
-For $[prodname] v3.5 and v3.7, upgrading multi-cluster management setups must include updating all managed and management clusters.
-
-### Egress gateway
-
-If your cluster has egress gateway in a non-default namespace, ensure the namespace is privileged by adding the following to the namespace:
-
-##### Label
-```
-openshift.io/run-level: "0"
-pod-security.kubernetes.io/enforce: privileged
-pod-security.kubernetes.io/enforce-version: latest
-```
-##### Annotation
-```
-security.openshift.io/scc.podSecurityLabelSync: "false"
-```
-
-## Download the new manifests
-
-Make a manifests directory.
-
-```bash
-mkdir manifests
-```
-
-
-
-# Upgrade from 3.0 or later
-
-:::note
-
-The steps differ based on your cluster type. If you are unsure of your cluster type, look at the field `clusterManagementType` when you run `oc get installation -o yaml` before you proceed.
-
-:::
-
-1. Apply the updated manifests.
-
- ```bash
- oc apply --server-side --force-conflicts -f manifests/
- ```
-
-1.
-
-1. If your cluster is a management cluster, apply a [ManagementCluster](../../../reference/installation/api.mdx#managementcluster)
- CR to your cluster.
-
- ```bash
- oc apply -f - <
- ```
- Replace `` with a pod CIDR range that suits your deployment and does not conflict with other ranges in your network.
-
-1. To start the MKE 4k installation process, run the following command:
-
- ```bash
- mkectl apply -f .yaml --cni-check-timeout
- ```
- Replace the following:
- * ``: The path of your installation configuration file.
- * ``: The amount of time, in minutes, that the MKE 4k installer will wait for you to complete the network installation.
-
- Wait until you see that the installer is waiting for cluster networking to be established.
-
- ```bash title="Example output"
- waiting 60 minutes for cluster networking to be established using custom CNI provider
- ```
-
-1. SSH into one of the controller nodes and run the following command:
-
- ```bash
- sudo /usr/local/bin/k0s kubeconfig admin
- ```
-
- Add the kubeconfig to your local kubectl.
-
- :::important
- Don't close this terminal session as you move to the next step.
- The MKE 4k installation process does not complete until after you install $[prodname].
- For the next step, open a second terminal session.
- After you install $[prodname], you can return to the first terminal session to observe and verify the installation process.
- :::
-
-## Install Calico Enterprise
-
-In a new terminal, install the $[prodname] CNI.
-
-1. [Configure a `StorageClass` resource for Elasticsearch](../operations/logstorage/create-storage.mdx).
-
-1. Install the Tigera Operator and custom resource definitions.
-
- ```bash
- kubectl apply --server-side -f $[filesUrl]/manifests/operator-crds.yaml
- kubectl apply -f $[filesUrl]/manifests/tigera-operator.yaml
- ```
-
-1. Install your pull secret.
-
- If pulling images directly from `quay.io/tigera`, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
-
- ```bash
- kubectl create secret generic tigera-pull-secret \
- --type=kubernetes.io/dockerconfigjson -n tigera-operator \
- --from-file=.dockerconfigjson=
- ```
- Replace `` with the path to your pull secret.
-
-1. Optional: If your cluster architecture requires any custom Calico Enterprise resources to function at startup, install them now using calicoctl.
-
-1. Optional: Compliance and packet capture features are optional.
- To enable these features during installation, download and review the `custom-resources.yaml` file.
- Uncomment the necessary CRs and use this `custom-resources.yaml` for installation.
-
- ```bash
- curl -O -L $[filesUrl]/manifests/custom-resources.yaml
- ```
-
-1. Install the Tigera custom resources.
- For more information on configuration options available in this manifest, see [the installation reference](../reference/installation/api.mdx).
- ```bash
- kubectl create -f $[filesUrl]/manifests/custom-resources.yaml
- ```
-
-1. Restrict privileged container access in the `tigera-elasticsearch` namespace to only the necessary Tigera and Elasticsearch service accounts using an MKE admission policy annotation.
- ```bash
- kubectl annotate namespace tigera-elasticsearch "mke.mirantis.com/allowed-accounts-privileged=system:serviceaccount:tigera-eck-operator:elastic-operator,system:serviceaccount:tigera-elasticsearch:tigera-elasticsearch"`
- ```
-
-1. Wait until the API server shows a status of `Available`, and then proceed to the next section.
- ```bash
- watch kubectl get tigerastatus
- ```
-
-1. Install the Calico Enterprise license.
- ```bash
- kubectl create -f .yaml
- ```
- Replace `` with the path to your license file.
-
-1. Continue monitoring until all items in tigera-status are `Available`
- ```bash
- watch kubectl get tigerastatus
- ```
- When the $[prodname] installation is complete, you can return to your other terminal and wait for the MKE 4k installation to finish.
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking uses IP in IP encapsulation with BGP routing. For all networking options, see [Determine best networking option](../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../network-policy/policy-tiers/tiered-policy.mdx)
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/change-cluster-type.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/change-cluster-type.mdx
deleted file mode 100644
index 2d080521b3..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/change-cluster-type.mdx
+++ /dev/null
@@ -1,187 +0,0 @@
----
-description: Convert a Calico Enterprise cluster between management, managed, and standalone roles by editing ManagementCluster and ManagementClusterConnection resources.
----
-
-# Change a cluster type
-
-## Big picture
-
-Change the configuration type for an existing $[prodname] cluster to management, managed, or standalone.
-
-## Value
-
-As you build out a multi-cluster management deployment, it is critical to have flexibility to repurpose existing cluster types to meet your needs.
-
-## Before you begin…
-
-To verify the type of an existing cluster, run the following command:
-
-```bash
-kubectl get managementcluster,managementclusterconnection
-```
-
-Your cluster is a management cluster if a `ManagementCluster` is returned, a managed cluster if a `ManagementClusterConnection` is returned.
-We refer to `Standalone` clusters, as clusters who have neither.
-
-We do not support having both `ManagementCluster` and `ManagementClusterConnection` in one cluster.
-
-## How to
-
-- [Change a standalone cluster to a management cluster](#change-a-standalone-cluster-to-a-management-cluster)
-- [Change a standalone cluster to a managed cluster](#change-a-standalone-cluster-to-a-managed-cluster)
-- [Change a management cluster to a standalone cluster](#change-a-management-cluster-to-a-standalone-cluster)
-- [Change a managed cluster to a standalone cluster](#change-a-managed-cluster-to-a-standalone-cluster)
-
-### Change a standalone cluster to a management cluster
-
-1. Create a service to expose the management cluster.
- The following example of a NodePort service may not be suitable for production and high availability. For options, see [Fine-tune multi-cluster management for production](fine-tune-deployment.mdx).
- Apply the following service manifest.
-
- ```bash
- kubectl create -f - <
- ```
-
-1. Apply the [ManagementCluster](../reference/installation/api.mdx) CR.
-
- ```bash
- kubectl apply -f - < $MANAGED_CLUSTER.yaml create -f - < -n calico-system
- ```
-1. Delete all managed cluster resources in your cluster.
-
- ```bash
- kubectl delete managedcluster --all
- ```
-
- :::note
-
- Although installation automatically cleans up credentials for managed clusters, the management cluster Elasticsearch still retains managed cluster data based on the retention value that you specify in your [LogStorage](../reference/installation/api.mdx).
-
- :::
-
-### Change a managed cluster to a standalone cluster
-
-1. Ensure a persistent volume is provisioned to store log data for the standalone cluster.
- See [Configure storage for logs and reports](../operations/logstorage/create-storage.mdx).
-
-1. Remove the `ManagementClusterConnection` from your cluster and delete the managed cluster connection secret.
-
- ```bash
- kubectl delete managementclusterconnection tigera-secure
- kubectl delete secret tigera-managed-cluster-connection -n tigera-operator
- ```
-
- :::note
-
- If the operator in your managed cluster is running in a different namespace, use that namespace in the `kubectl delete secret...` command.
-
- :::
-
- Follow the following step to also disconnect your managed cluster from your management cluster.
-
- 1. In your management cluster, delete the `ManagedCluster` resource for your managed cluster. Note that deleting the managed cluster does not result in loss of data. Whenever you reconnect your cluster using the same name, existing data is available again.
- ```bash
- kubectl delete managedcluster
- ```
-
-1. Install the Tigera custom resources.
- For more information, see [the installation reference](../reference/installation/api.mdx).
- ```bash
- kubectl apply -f $[filesUrl]/manifests/custom-resources.yaml
- ```
-1. Monitor the progress with the following command:
- ```bash
- watch kubectl get tigerastatus
- ```
- When all components show a status of `Available`, go to the next step.
-1. Remove your managed cluster from the **management cluster**.
- ```bash
- kubectl delete managedcluster
- ```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/aws.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/aws.mdx
deleted file mode 100644
index ba0b79c686..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/aws.mdx
+++ /dev/null
@@ -1,68 +0,0 @@
----
-description: Sample Calico Enterprise cluster mesh configuration that peers an on-premises cluster with an AWS VPC cluster using BGP, NLB, and the Federated Services Controller.
----
-
-# Cluster mesh example for clusters in AWS
-
-## Big picture
-
-A sample configuration for cluster mesh using AWS clusters.
-
-## Tutorial
-
-**Set up**
-
-The cluster is installed on real hardware where node and pod IPs are routable, using an edge VPN router to peer with the AWS cluster.
-
-
-
-**Calico Enterprise configuration**
-
-- IP pool resource is configured for the on-premise IP assignment with IPIP is disabled
-- BGP peering to the VPN router
-- A Remote Cluster Configuration resource references the AWS cluster
-- Service discovery of the AWS cluster services uses the Calico Enterprise Federated Services Controller
-
-**Notes**
-
-- If VPN Router is configured as a route reflector for the on-premise cluster, you would:
- - Configure the default BGP Configuration resource to disable node-to-node mesh
- - Configure a global BGP Peer resource to peer with the VPN router
-- If the IP Pool has `Outgoing NAT` enabled, then you must add an IP Pool covering the AWS cluster VPC with disabled set to `true`. When set to `true` the pool is not used for IP allocations, and SNAT is not performed for traffic to the AWS cluster.
-
-**AWS configuration**
-
-- A VPC CIDR is chosen that does not overlap with the on-premise IP ranges.
-- There are 4 subnets within the VPC, split across two AZs (for availability) such that each AZ has a public and private subnet. In this particular example, the split of responsibility is:
- - The private subnet is used for node and pod IP allocation
- - The public subnet is used to home a NAT gateway for pod-to-internet traffic.
-- The VPC is peered to an on-premise network using a VPN. This is configured as a VPN gateway for the AWS side, and a classic VPN for the customer side. BGP is used for route distribution.
-- Routing table for private subnet has:
- - "propagate" set to "true" to ensure BGP-learned routes are distributed
- - Default route to the NAT gateway for public internet traffic
- - Local VPC traffic
-- Routing table for public subnet has default route to the internet gateway.
-- Security group for the worker nodes has:
- - Rule to allow traffic from the peered networks
- - Other rules required for settings up VPN peering (refer to the AWS docs for details).
-
-To automatically create a Network Load Balancer (NLB) for the AWS deployment, we apply a service with the correct annotation.
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
- name: nginx-external
-spec:
- externalTrafficPolicy: Local
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: 80
- selector:
- run: nginx
- type: LoadBalancer
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/index.mdx
deleted file mode 100644
index 82e448ac11..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Form a Calico Enterprise cluster mesh with federated endpoint identity, federated services, and multi-cluster networking for cross-cluster connectivity.
-hide_table_of_contents: true
----
-
-# Federation and multi-cluster networking
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/kubeconfig.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/kubeconfig.mdx
deleted file mode 100644
index 54b057c166..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/kubeconfig.mdx
+++ /dev/null
@@ -1,419 +0,0 @@
----
-description: Connect a Calico Enterprise cluster mesh by generating per-cluster kubeconfig credentials and RemoteClusterConfiguration resources with VXLAN or WireGuard overlays.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Creating the cluster mesh
-In this page, we will create a $[prodname] cluster mesh by connecting clusters together. Once created, $[prodname] cluster mesh enables multi-cluster networking, network policy for cross-cluster connections, cross-cluster services, and encryption via WireGuard.
-
-## Requirements
-$[prodname] multi-cluster networking provides routing between clusters that preserves pod IPs. This section outlines the requirements for this routing to be established. If your network already provides routing between clusters that preserves pod IPs, you can skip this section.
-
-### Prerequisites for $[prodname] multi-cluster networking:
-- All nodes participating in the cluster mesh must be able to establish connections to each other via their private IP.
-- All nodes participating in the cluster mesh must have unique node names.
-- Pod CIDRs between clusters must not overlap.
-- All clusters must have at least one overlay network in common (VXLAN and/or WireGuard).
-- All clusters must have the same `routeSource` setting on `FelixConfiguration`.
-
-If using VXLAN:
-- The `vxlan*` settings on `FelixConfiguration` must be the same across clusters participating in the mesh.
-- The underlying network must allow traffic on `vxlanPort` between clusters participating in the mesh.
-- All clusters must use Calico CNI.
-
-If using WireGuard:
-- The `wireguard*` settings on `FelixConfiguration` must be the same across clusters participating in the mesh.
-- The underlying network must allow traffic on `wireguardListeningPort` between clusters participating in the mesh.
-- All clusters must use Calico CNI OR All clusters must use non-Calico CNI (mixing non-Calico CNI types is supported).
-
-Note: much like intra-cluster routing in $[prodname], cross-cluster routing can utilize both VXLAN and WireGuard at the same time. If both are enabled and a WireGuard peer is not ready, communication with that peer will fall back to VXLAN.
-
-## Setup
-
-### Generate credentials for cross-cluster resource synchronization
-:::tip[mental model]
-The basis of cluster mesh is the ability for a cluster connect to a remote cluster and sync data from it. This enables each $[prodname] cluster to have a view into the datastore that includes both local and remote cluster pods.
-:::
-
-In this section, we will create a `kubeconfig` for each cluster. This `kubeconfig` is what other clusters will use to connect to a given cluster and synchronize data from it.
-
-**For each** cluster in the cluster mesh, utilizing an existing `kubeconfig` with administrative privileges, follow these steps:
-
-1. Create the ServiceAccount used by remote clusters for authentication:
-
- ```bash
- kubectl apply -f $[filesUrl]/manifests/federation-remote-sa.yaml
- ```
-
-1. Create the ClusterRole and ClusterRoleBinding used by remote clusters for authorization:
-
- ```bash
- kubectl apply -f $[filesUrl]/manifests/federation-rem-rbac-kdd.yaml
- ```
-1. Create the ServiceAccount token that will be used in the `kubeconfig`:
-
- ```yaml
- kubectl apply -f - < $KUBECONFIG_NAME
- ```
-
-1. Verify that the `kubeconfig` file works:
-
- Issue the following command to validate the `kubeconfig` file can be used to connect to the current cluster and access resources:
- ```bash
- kubectl --kubeconfig=$KUBECONFIG_NAME get nodes
- ```
-
-Once you've created a `kubeconfig` for **each** cluster, you can proceed to the next section to establish the cluster connections that form the mesh.
-
-### Establish cross-cluster resource synchronization
-:::tip[mental model]
-The cluster mesh is formed when each cluster connects to every other cluster to synchronize data. A cluster connects to another cluster using a RemoteClusterConfiguration, which references a kubeconfig created for the remote cluster.
-:::
-
-In this section, within each cluster, we will create a RemoteClusterConfiguration for each other cluster in the mesh. This RemoteClusterConfiguration instructs the cluster to connect to a cluster using a kubeconfig.
-
-With each cluster being connected to each other cluster, a full cluster mesh will be formed.
-
-
-
-:::tip[mental model]
-$[prodname] achieves cross-cluster routing by extending the overlay network of a cluster to include nodes from remote clusters. This is made possible by each cluster having a view into the datastore that now includes remote pods and nodes.
-:::
-**For each pair** of clusters in the cluster mesh (e.g. \{A,B\}, \{A,C\}, \{B,C\} for clusters A,B,C):
-
-1. In cluster 1, create a secret that contains the `kubeconfig` for cluster 2:
-
- Determine the namespace (``) for the secret to replace in all steps.
- The simplest method to create a secret for a remote cluster is to use the `kubectl` command because it correctly encodes the data and formats the file.
- ```bash
- kubectl create secret generic remote-cluster-secret-name -n \
- --from-literal=datastoreType=kubernetes \
- --from-file=kubeconfig=
- ```
-
-1. If RBAC is enabled in cluster 1, create a Role and RoleBinding for $[prodname] to use to access the secret that contains the `kubeconfig` for cluster 2:
- ```bash
- kubectl create -f - <
- rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["watch", "list", "get"]
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: remote-cluster-secret-access
- namespace:
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: remote-cluster-secret-access
- subjects:
- - kind: ServiceAccount
- name: calico-typha
- namespace: calico-system
- EOF
- ```
-
-1. Create the RemoteClusterConfiguration in cluster 1:
-
- Within the RemoteClusterConfiguration, we specify the secret used to access cluster 2, and the overlay routing mode which toggles the establishment of cross-cluster overlay routes.
- ```bash
- kubectl create -f - <
- kind: Secret
- syncOptions:
- overlayRoutingMode: Enabled
- EOF
- ```
-
-1. [Validate](#check-remote-cluster-connection) the that the remote cluster connection can be established.
-
-1. Repeat the above steps, switching cluster 1 and cluster 2.
-
-
-
-In this setup, the cluster mesh will rely on the underlying network to provides cross-cluster routing that preserves pod IPs.
-
-**For each pair** of clusters in the cluster mesh (e.g. \{A,B\}, \{A,C\}, \{B,C\} for clusters A,B,C):
-
-1. In cluster 1, create a secret that contains the `kubeconfig` for cluster 2:
-
- Determine the namespace (``) for the secret to replace in all steps.
- The simplest method to create a secret for a remote cluster is to use the `kubectl` command because it correctly encodes the data and formats the file.
- ```bash
- kubectl create secret generic remote-cluster-secret-name -n \
- --from-literal=datastoreType=kubernetes \
- --from-file=kubeconfig=
- ```
-
-1. If RBAC is enabled in cluster 1, create a Role and RoleBinding for $[prodname] to use to access the secret that contains the `kubeconfig` for cluster 2:
- ```bash
- kubectl create -f - <
- rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["watch", "list", "get"]
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: remote-cluster-secret-access
- namespace:
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: remote-cluster-secret-access
- subjects:
- - kind: ServiceAccount
- name: calico-typha
- namespace: calico-system
- EOF
- ```
-
-1. Create the RemoteClusterConfiguration in cluster 1:
-
- Within the RemoteClusterConfiguration, we specify the secret used to access cluster 2, and the overlay routing mode which toggles the establishment of cross-cluster overlay routes.
- ```bash
- kubectl create -f - <
- kind: Secret
- syncOptions:
- overlayRoutingMode: Disabled
- EOF
- ```
-
-1. If you have no IP pools in cluster 1 with NAT-outgoing enabled, skip this step.
-
- Otherwise, if you have IP pools in cluster 1 with NAT-outgoing enabled, and workloads in that pool will egress to workloads in cluster 2, you need to instruct $[prodname] to not perform NAT on traffic destined for IP pools in cluster 2.
-
- You can achieve this by creating a disabled IP pool in cluster 1 for each CIDR in cluster 2. This IP pool should have NAT-outgoing disabled. For example:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: IPPool
- metadata:
- name: cluster2-main-pool
- spec:
- cidr:
- disabled: true
- ```
-
-1. [Validate](#check-remote-cluster-connection) the that the remote cluster connection can be established.
-
-1. Repeat the above steps, switching cluster 1 and cluster 2.
-
-
-
-
-#### 🎉 Done!
-After completing the above steps for all cluster pairs in the cluster mesh, your clusters should now be forming a cluster mesh! You should now be able to route traffic between clusters, and write policy that can select remote workloads.
-
-:::tip[mental model]
-A cluster in the mesh can write policy rules that select pods from other clusters in the mesh. This is because traffic from remote clusters has pod IPs preserved, and the local cluster can associate remote pod IPs with the pod specs it synchronized from remote clusters.
-:::
-
-## How to
-
-### Switch to multi-cluster networking
-The steps above assume that you are configuring both federated endpoint identity and multi-cluster networking for the first time. If you already have federated endpoint identity, and want to use multi-cluster networking, follow these steps:
-
-1. Validate that all [requirements](#calico-enterprise-multi-cluster-networking) for multi-cluster networking have been met.
-2. Update the ClusterRole in each cluster in the cluster mesh using the RBAC manifest found in [Generate credentials for cross-cluster authentication](#generate-credentials-for-cross-cluster-resource-synchronization)
-3. In all RemoteClusterConfigurations, set `Spec.OverlayRoutingMode` to `Enabled`.
-4. Verify that all RemoteClusterConfigurations are bidirectional (in both directions for each cluster pair) using these [instructions](#establish-cross-cluster-resource-synchronization).
-5. If you had previously created disabled IP pools to prevent NAT outgoing from applying to remote cluster destinations, those disabled IP pools are no longer needed when using multi-cluster networking and must be deleted.
-
-### Validate federated endpoint identity & multi-cluster networking
-#### Validate RemoteClusterConfiguration and federated endpoint identity
-##### Check remote cluster connection
-You can validate in a local cluster that Typha has synced to the remote cluster through the [Prometheus metrics for Typha](../../reference/component-resources/typha/prometheus#metric-reference).
-
-Alternatively, you can check the Typha logs for remote cluster connection status. Run the following command:
-```bash
-kubectl logs deployment/calico-typha -n calico-system | grep "Sending in-sync update"
-```
-You should see an entry for each RemoteClusterConfiguration in the local cluster.
-
-If either output contains unexpected results, proceed to the [troubleshooting](#troubleshoot) section.
-
-#### Validate multi-cluster networking
-If all requirements were met for $[prodname] to establish multi-cluster networking, you can test the functionality by establishing a connection from a pod in a local cluster to the IP of a pod in a remote cluster. Ensure that there is no policy in either cluster that may block this connection.
-
-If the connection fails, proceed to the [troubleshooting](#troubleshoot) section.
-
-### Create remote-identity-aware network policy
-With federated endpoint identity and routing between clusters established, you can now use labels to reference endpoints on a remote cluster in local policy rules, rather than referencing them by IP address.
-
-The main policy selector still refers only to local endpoints; and that selector chooses which local endpoints to apply the policy.
-However, rule selectors can now refer to both local and remote endpoints.
-
-In the following example, cluster A (an application cluster) has a network policy that governs outbound connections to cluster B (a database cluster).
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: default.app-to-db
- namespace: myapp
-spec:
- # The main policy selector selects endpoints from the local cluster only.
- selector: app == 'backend-app'
- tier: default
- egress:
- - destination:
- # Rule selectors can select endpoints from local AND remote clusters.
- selector: app == 'postgres'
- protocol: TCP
- ports: [5432]
- action: Allow
-```
-
-### Troubleshoot
-#### Troubleshoot RemoteClusterConfiguration and federated endpoint identity
-
-##### Verify configuration
-For each impacted remote cluster pair (between cluster A and cluster B):
-1. Retrieve the `kubeconfig` from the secret stored in cluster A. Manually verify that it can be used to connect to cluster B.
- ```bash
- kubectl get secret -n remote-cluster-secret-name -o=jsonpath="{.data.kubeconfig}" | base64 -d > verify_kubeconfig_b
- kubectl --kubeconfig=verify_kubeconfig_b get nodes
- ```
- This validates that the credentials used by Typha to connect to cluster B's API server are stored in the correct location and provide sufficient access.
-
- The command above should yield a result like the following:
- ```
- NAME STATUS ROLES AGE VERSION
- clusterB-master Ready master 7d v1.27.0
- clusterB-worker-1 Ready worker 7d v1.27.0
- clusterB-worker-2 Ready worker 7d v1.27.0
- ```
-
- If you do not see the nodes of cluster B listed in response to the command above, verify that you [created](#generate-credentials-for-cross-cluster-resource-synchronization) the `kubeconfig` for cluster B correctly, and that you [stored](#establish-cross-cluster-resource-synchronization) it in cluster A correctly.
-
- If you do see the nodes of cluster B listed in response to the command above, you can run this test (or a similar test) on a node in cluster A to verify that cluster A nodes can connect to the API server of cluster B.
-
-2. Validate that the Typha service account in Cluster A is authorized to retrieve the `kubeconfig` secret for cluster B.
- ```bash
- kubectl auth can-i list secrets --namespace --as=system:serviceaccount:calico-system:calico-typha
- ```
-
- This command should yield the following output:
- ```
- yes
- ```
-
- If the command does not return this output, verify that you correctly [configured RBAC](#establish-cross-cluster-resource-synchronization) in cluster A.
-
-3. Repeat the above, switching cluster A to cluster B.
-
-##### Check logs
-Validate that querying Typha logs yield the expected result outlined in the [validation](#validate-federated-endpoint-identity--multi-cluster-networking) section.
-
-If the Typha logs do not yield the expected result, review the warning or error-related logs in `typha` or `calico-node` for insights.
-
-###### calicoq
-[calicoq](../../operations/clis/calicoq/installing) can be used to emulate the connection that Typha will make to remote clusters. Use the following command:
-```bash
-calicoq eval "all()"
-```
-If all remote clusters are accessible, calicoq returns something like the following. Note the remote cluster prefixes: there should be endpoints prefixed with the name of each RemoteClusterConfiguration in the local cluster.
-```
-Endpoints matching selector all():
- Workload endpoint remote-cluster-1/host-1/k8s/kube-system.kube-dns-5fbcb4d67b-h6686/eth0
- Workload endpoint remote-cluster-1/host-2/k8s/kube-system.cnx-manager-66c4dbc5b7-6d9xv/eth0
- Workload endpoint host-a/k8s/kube-system.kube-dns-5fbcb4d67b-7wbhv/eth0
- Workload endpoint host-b/k8s/kube-system.cnx-manager-66c4dbc5b7-6ghsm/eth0
-```
-
-If this command fails, the error messages returned by the command may provide insight into where issues are occurring.
-
-#### Troubleshoot multi-cluster networking
-##### Basic validation
-* Ensure that RemoteClusterConfiguration and federated endpoint identity are [functioning correctly](#validate-federated-endpoint-identity--multi-cluster-networking)
-* Verify that you have met the [prerequisites](#calico-enterprise-multi-cluster-networking) for multi-cluster networking
-* If you had previously set up RemoteClusterConfigurations without multi-cluster networking, and are upgrading to use the feature, review the [switching considerations](#switch-to-multi-cluster-networking)
-* Verify that traffic between clusters is not being denied by network policy
-
-##### Check overlayRoutingMode
-Ensure that `overlayRoutingMode` is set to `"Enabled"` on all RemoteClusterConfigurations.
-
-If overlay routing is successfully enabled, you can view the logs of a Typha instance using:
-```bash
-kubectl logs deployment/calico-typha -n calico-system
-```
-
-You should see an output for each connected remote cluster that looks like this:
-```
-18:49:35.394 [INFO][14] wrappedcallbacks.go 443: Creating syncer for RemoteClusterConfiguration(my-cluster)
-18:49:35.394 [INFO][14] watchercache.go 186: Full resync is required ListRoot="/calico/ipam/v2/assignment/"
-18:49:35.395 [INFO][14] watchercache.go 186: Full resync is required ListRoot="/calico/resources/v3/projectcalico.org/workloadendpoints"
-18:49:35.396 [INFO][14] watchercache.go 186: Full resync is required ListRoot="/calico/resources/v3/projectcalico.org/hostendpoints"
-18:49:35.396 [INFO][14] watchercache.go 186: Full resync is required ListRoot="/calico/resources/v3/projectcalico.org/profiles"
-18:49:35.396 [INFO][14] watchercache.go 186: Full resync is required ListRoot="/calico/resources/v3/projectcalico.org/nodes"
-18:49:35.397 [INFO][14] watchercache.go 186: Full resync is required ListRoot="/calico/resources/v3/projectcalico.org/ippools"
-```
-
-If you do not see the each of the resource types above, overlay routing was not successfully enabled in your cluster. Verify that you followed the [setup](#establish-cross-cluster-resource-synchronization) correctly for overlay routing, and that the cluster is using a version of $[prodname] that supports multi-cluster networking.
-
-###### Check logs
-Warning or error logs in `typha` or `calico-node` may provide insight into where issues are occurring.
-
-## Next steps
-
-[Configure federated services](services-controller.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/overview.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/overview.mdx
deleted file mode 100644
index 7c0f58413d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/overview.mdx
+++ /dev/null
@@ -1,54 +0,0 @@
----
-description: Calico Enterprise cluster mesh concepts including pod IP routability, federated workload endpoints, federated services, and identity-aware cross-cluster policy.
----
-
-# Overview
-
-## Big picture
-
-Secure cross-cluster connections with identity-aware network policy, and federate services for cross-cluster service discovery.
-
-Utilize $[prodname] to establish cross-cluster connectivity.
-
-## Value
-
-At some point in your Kubernetes journey, you may have applications that need to access services and workloads running in another cluster.
-
-By default, pods can only communicate with pods within the same cluster. Additionally, services and network policy only select pods from within the same cluster. $[prodname] can help overcome these barriers by forming a cluster mesh the following features:
-- **Federated endpoint identity**
-
- Allow a local Kubernetes cluster to include the workload endpoints (pods) and host endpoints of a remote cluster in the calculation of local network policies applied on each node of the local cluster.
-
-- **Federated services**
-
- Enable a local Kubernetes Service to populate with Endpoints selected from both local cluster and remote cluster Services.
-
-- **Multi-cluster networking**
-
- Establish an overlay network between clusters to provide cross-cluster connectivity with $[prodname].
-
-## Concepts
-
-### Pod IP routability
-
-$[prodname] cluster mesh is implemented at Kubernetes at the network layer, based on pod IPs.
-
-Taking advantage of federated workload endpoint identity and federated services requires that pod IPs are routable between clusters. This is because identity-aware network policy requires source and destination pod IPs to be preserved to establish pod identity. Additionally, the Endpoint IPs of pods selected by a federated Service must be routable in order for that Service to be of value.
-
-You can utilize $[prodname] multi-cluster networking to establish pod IP routability between clusters via overlay. Alternatively, you can manually set up pod IP routability between clusters without encapsulation (e.g. VPC routing, BGP routing).
-
-### Federated endpoint identity
-
-Federated endpoint identity in a cluster mesh allows a local Kubernetes cluster to include the workload endpoints (pods) and host endpoints of a remote cluster in the calculation of the local policies for each node, e.g. Cluster A network policy allows its application pods to talk to database pods in Cluster B.
-
-This feature does not _federate network policies_; policies from a remote cluster are not applied to the endpoints on the local cluster, and the policy from the local cluster is rendered only locally and applied to the local endpoints.
-
-### Federated services
-
-Federated services in a cluster mesh works with federated endpoint identity, providing cross-cluster service discovery for a local cluster. If you have an existing service discovery mechanism, this feature is optional.
-
-Federated services use the Tigera Federated Services Controller to federate all Kubernetes endpoints (workload and host endpoints) across all of the clusters. The Federated Services Controller accesses service and endpoints data in the remote clusters directly through the Kubernetes API.
-
-## Next steps
-
-[Configure remote-aware policy and multi-cluster networking](kubeconfig.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/services-controller.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/services-controller.mdx
deleted file mode 100644
index fb851285d4..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/federation/services-controller.mdx
+++ /dev/null
@@ -1,209 +0,0 @@
----
-description: Configure a Calico Enterprise federated service with the Tigera Federated Services Controller to consolidate endpoints across a cluster mesh.
----
-
-# Configure federated services
-
-## Big picture
-
-Configure local clusters to discover services across multiple clusters.
-
-## Value
-
-Use cluster mesh and federated services discovery along with federated endpoint identity to extend and automate endpoints sharing. (Optional if you have your own service discovery mechanism.)
-
-## Concepts
-
-### Federated services
-
-A federated service (also called a backing service), is a set of services with consolidated endpoints. $[prodname] discovers services across a cluster mesh (both local cluster and remote clusters) and creates a "federated service" on the local cluster that encompasses all of the individual services.
-
-Federated services are managed by the Tigera Federated Service Controller, which monitors and maintains endpoints for each locally-federated service. The controller does not change configuration on remote clusters.
-
-A federated service looks similar to a regular Kubernetes service, but instead of using a pod selector, it uses an annotation. For example:
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: my-app-federated
- namespace: default
- annotations:
- federation.tigera.io/serviceSelector: run == "my-app"
-spec:
- ports:
- - name: my-app-ui
- port: 8080
- protocol: TCP
- type: ClusterIP
-```
-
-| Annotation | Description |
-| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `federation.tigera.io/serviceSelector` | Required field that specifies the services used in the federated service. Format is a standard $[prodname] selector (i.e. the same as $[prodname] policy resources) and selects services based on their labels. The selector annotation selects services, not pods.
Only services in the same namespace as the federated service are included. This implies namespace names across clusters are linked (this is a basic premise of federated endpoint identity).
If the value is incorrectly specified, the service is not federated and endpoint data is removed from the service. View the warning logs in the controller for any issues processing this value. |
-
-**Syntax and rules**
-
-- Services that you specify in the federated service must be in the same namespace or they are ignored. A basic assumption of federated endpoint identity is that namespace names are linked across clusters.
-- If you specify a `spec.Selector` in a federated service, the service is not federated.
-- You cannot federate another federated service. If a service has a federated services annotation, it is not included as a backing service of another federated service.
-- The target port number in the federated service ports is not used.
-
-**Match services using a label**
-
-You can also match services using a label. The label is implicitly added to each service, but it does not appear in `kubectl` when viewing the service.
-
-| Label | Description |
-| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `federation.tigera.io/remoteClusterName` | Label added to all remote services that correspond to the Remote Cluster Configuration name for the remote cluster. Use this label to restrict the clusters selected by the services. **Note**: The label is not added for services in the local cluster. |
-
-**About endpoints**
-
-- Do not manually create or manage endpoints resources; let the Tigera controller do all of the work. User updates to endpoint resources are ignored.
-- Endpoints are selected only when the service port name and protocol in the federated service matches the port name and protocol in the backing service.
-- Endpoint data configured in the federated service is slightly modified from the original data of the backing service. For backing services on remote clusters, the `targetRef.name` field in the federated service adds the ``. For example, `/`.
-
-## Before you begin
-
-**Required**
-
-- [Configure federated endpoint identity](kubeconfig.mdx)
-
-## How to
-
-- [Create service resources](#create-service-resources)
-- [Create a federated service](#create-a-federated-service)
-- [Access a federated service](#access-a-federated-service)
-
-### Create service resources
-
-On each cluster in the mesh that is providing a particular service, create your service resources as you normal would with the following requirements:
-
-- Services must all be in the same namespace.
-- Configure each service with a common label key and value to identify the common set of services across your clusters (for example, `run=my-app`).
-
-Kubernetes manages the service by populating the service endpoints from the pods that match the selector configured in the service spec.
-
-### Configure a federated service
-
-1. On a cluster that needs to access the federated set of pods that are running an application, create a
- service on that cluster leaving the `spec selector` blank.
-1. Set the `federation.tigera.io/serviceSelector` annotation to be a $[prodname] selector that selects the previously-configured services using the matching label match (for example, `run == "my-app"`).
-
-The Federated Services Controller manages this service, populating the service endpoints from all of the services that match the service selector configured in the annotation.
-
-### Access a federated service
-
-Any application can access the federated service using the local DNS name for that service. The simplest way to access a federated service is through its corresponding DNS name.
-
-By default, Kubernetes adds DNS entries to access a service locally. For a service called `my-svc` in the namespace
-`my-namespace`, the following DNS entry would be added to access the service within the local cluster:
-
-```
-my-svc.my-namespace.svc.cluster.local
-```
-
-DNS lookup for this name returns the fixed ClusterIP address assigned for the federated service. The ClusterIP is translated in iptables to one of the federated service endpoint IPs, and is load balanced across all of the endpoints.
-
-## Tutorial
-
-### Create a service
-
-In the following example, the remote cluster defines the following service.
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- run: my-app
- name: my-app
- namespace: default
-spec:
- selector:
- run: my-app
- ports:
- - name: my-app-ui
- port: 80
- protocol: TCP
- targetPort: 9000
- - name: my-app-console
- port: 81
- protocol: TCP
- targetPort: 9001
- type: ClusterIP
-```
-
-This service definition exposes two ports for the application `my-app`. One port for accessing a UI, and the other for accessing a management console. The service specifies a Kubernetes selector, which means the endpoints for this service are automatically populated by Kubernetes from matching pods within the services own cluster.
-
-### Create a federated service
-
-To create a federated service on your local cluster that federates the web access port for both the local and remote service, you would create a service resource on your local cluster as follows:
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: my-app-federated
- namespace: default
- annotations:
- federation.tigera.io/serviceSelector: run == "my-app"
-spec:
- ports:
- - name: my-app-ui
- port: 8080
- protocol: TCP
- type: ClusterIP
-```
-
-The `spec.selector` is not specified so it will not be managed by Kubernetes. Instead, we use a `federation.tigera.io/selector` annotation, indicating that this is a federated service managed by the Federated Services Controller.
-
-The controller matches the `my-app` services (matching the run label) on both the local and remote clusters, and consolidates endpoints from the `my-app-ui` TCP port for both of those services. Because the federated service does not specify the `my-app-console` port, the controller does not include these endpoints in the federated service.
-
-The endpoints data for the federated service is similar to the following. Note that the name of the remote cluster is included in `targetRef.name`.
-
-```yaml
-apiVersion: v1
-kind: Endpoints
-metadata:
- creationTimestamp: 2018-07-03T19:41:38Z
- annotations:
- federation.tigera.io/serviceSelector: run == "my-app"
- name: my-app-federated
- namespace: default
- resourceVersion: '701812'
- selfLink: /api/v1/namespaces/default/endpoints/my-app-federated
- uid: 1a0427e8-7ef9-11e8-a24c-0259d75c6290
-subsets:
- - addresses:
- - ip: 192.168.93.12
- nodeName: node1.localcluster.tigera.io
- targetRef:
- kind: Pod
- name: my-app-59cf48cdc7-frf2t
- namespace: default
- resourceVersion: '701655'
- uid: 19f5e914-7ef9-11e8-a24c-0259d75c6290
- ports:
- - name: my-app-ui
- port: 80
- protocol: TCP
- - addresses:
- - ip: 192.168.0.28
- nodeName: node1.remotecluster.tigera.io
- targetRef:
- kind: Pod
- name: remotecluster/my-app-7b6f758bd5-ctgbh
- namespace: default
- resourceVersion: '701648'
- uid: 19e2c841-7ef9-11e8-a24c-0259d75c6290
- ports:
- - name: my-app-ui
- port: 80
- protocol: TCP
-```
-
-## Additional resources
-
-- [Cluster mesh example for AWS](aws.mdx)
-- [Federated service controller](../../reference/component-resources/kube-controllers/configuration.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/fine-tune-deployment.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/fine-tune-deployment.mdx
deleted file mode 100644
index a131982e6b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/fine-tune-deployment.mdx
+++ /dev/null
@@ -1,154 +0,0 @@
----
-description: Harden a Calico Enterprise multi-cluster management deployment for production with scalable service types, log retention tuning, and RBAC for managed cluster data.
----
-
-# Fine-tune multi-cluster management
-
-## Big picture
-
-Fine-tune your multi-cluster management deployment for production.
-
-## How to
-
-- [Review log storage collection and retention](#review-log-storage-collection-and-retention)
-- [Review service type for the management cluster](#review-service-type-for-the-management-cluster)
-- [Review user permissions](#review-user-permissions)
-- [Review user permissions for managed cluster log data](#review-user-permissions-for-managed-cluster-log-data)
-- [Filter log data for a managed cluster in Kibana](#filter-log-data-for-a-managed-cluster-in-kibana)
-
-### Review log storage collection and retention
-
-Because the management cluster stores all log data across your managed clusters, choose a size to accommodate your anticipated data volume. See [Adjust log storage size](../operations/logstorage/adjust-log-storage-size.mdx).
-
-### Review service type for the management cluster
-
-In the [Install multi-cluster management guide](./set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx), we used a `NodePort` service because it was the quickest way to expose the management cluster. But, there are drawbacks to using `NodePort` services, described in [Defining a Service in Kubernetes](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service). For production and high availability, choose a type of service that is scalable. We have tested both `NodePort` and `LoadBalancer` services. For both, a security rule/firewall rule is needed to allow connections to the management cluster.
-
-The configuration for your service (regardless of type) should obey the following requirements:
-
-- Uses TCP protocol
-- Maps to port 9449 on the Manager (web console) pod
-- Exists within the `calico-system` namespace
-- Uses label selector `k8s-app: calico-manager`
-
-The following is an example of a valid `LoadBalancer` service:
-
-```yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: calico-manager-mcm
- namespace: calico-system
-spec:
- type: LoadBalancer
- ports:
- - port: 9449
- protocol: TCP
- targetPort: 9449
- selector:
- k8s-app: calico-manager
-```
-
-:::note
-
-Using a LoadBalancer may require additional steps, depending on how you provisioned your Kubernetes cluster.
-
-:::
-
-:::note
-
-If you previously set up a management cluster with a service, don’t forget to update the IP address in each managed clusters, by editing the `ManagementClusterConnection` [manifest that you downloaded](./set-up-multi-cluster-management/standard-install/create-a-managed-cluster.mdx) and apply it, or use `kubectl edit managementclusterconnection tigera-secure`.
-
-:::
-
-### Review user permissions
-
-In the [Install multi-cluster management guide](./set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx), we created a user with full admin-level permissions in both the management and managed cluster. In a production environment you will want to define narrow permissions for your users.
-
-When defining roles and permissions across your clusters, make note of the following:
-
-- All users that log in to the $[prodname] web console must use a valid service account or user account in the management cluster.
-- When the management cluster performs actions on a managed cluster, it passes the user ID of the current logged in user to the managed cluster for authorization. As a requirement, the user must have the same username defined across the management cluster and managed clusters. A user can have different permissions for accessing resources in each managed cluster, as defined by Kubernetes Role and ClusterRole objects, but the username used in the corresponding RoleBinding and ClusterRoleBinding objects must always match what is in the management cluster.
-
-### Review user permissions for managed cluster log data
-
-Log data across all managed clusters is stored in a centralized Elasticsearch within the management cluster. You can use [Kubernetes RBAC roles and cluster roles](https://kubernetes.io/rbac/) to define granular access to cluster log data. For example, using the RBAC rule syntax, you can define rules to control access to specific log types or specific clusters by using the resources and resourceNames list fields.
-
-$[prodname] log data is stored within Elasticsearch indexes. The indexes have the following naming scheme:
-
-```bash
-..
-```
-
-A standalone cluster uses the cluster name cluster for Elasticsearch indexes. This is also the name used by a management cluster. For a managed cluster, its cluster name is the value chosen by the user at the time of registration, through the $[prodname] web console.
-
-To restrict to a specific cluster or subset of clusters use, resources. To restrict to a specific log type use, resourceNames. The following are valid cluster types:
-
-- “flows”
-- “audit”
-- “audit_ee”
-- “audit_kube”
-- “events”
-- “dns”
-- "l7"
-
-Let’s look at some examples for defining RBAC rules within a role or cluster role to restrict access to log data by log type and cluster name.
-
-The rule below allows access to log types flow and DNS for a single cluster with the name app-cluster.
-
-```yaml
-- apiGroups: ['lma.tigera.io']
- resources: ['app-cluster']
- resourceNames: ['flows', 'dns']
- verbs: ['get']
-```
-
-:::note
-
-The apiGroups will always be `lma.tigera.io`. The verbs will always be get.
-The rule below allows access to any cluster for log types flow, DNS and audit.
-
-:::
-
-```yaml
-- apiGroups: ['lma.tigera.io']
- resources: ['*']
- resourceNames: ['flows', 'dns', 'audit']
- verbs: ['get']
-```
-
-The rule below allows access to any cluster for all log types.
-
-```yaml
-- apiGroups: ['lma.tigera.io']
- resources: ['*']
- resourceNames: ['*']
- verbs: ['get']
-```
-
-### Filter log data for a managed cluster in Kibana
-
-1. Log in to the $[prodname] web console.
-1. In the left navigation, click Kibana and log in to the Kibana dashboard.
-1. Navigate to the Discovery view and filter logs by managed cluster indexes.
-1. Select a type of log (audit, dns, events, flow).
-1. From the Available Fields section in the side panel, select the `_index` field.
-
- 
-
-In the example above, the selected log type (flow logs) has the index prefix, `tigera_secure_ee_flows` and two cluster indexes available:
-
-- Index: tigera_secure_ee_flows.cluster.20200207
-- Index: tigera_secure_ee_flows.app-cluster-1.20200207
-
-:::note
-
-The management cluster has a default cluster name to identify indexes. When filtering logs for the management cluster, use the cluster name: `cluster`.
-
-:::
-
-To filter log data by a given managed cluster you can include the filter criteria `_index: ..*` to your query when executing a search through the Kibana UI.
-
-# Additional resources
-
-- [ManagementClusterConnection resource reference](../reference/installation/api.mdx#managementclusterconnection)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/index.mdx
deleted file mode 100644
index 0503cf3ce2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/index.mdx
+++ /dev/null
@@ -1,40 +0,0 @@
----
-description: Centralize control of Kubernetes clusters in a self-managed Calico Enterprise management cluster with federated endpoints, federated services, and cross-cluster networking.
-hide_table_of_contents: true
----
-
-import { DocCardLink, DocCardLinkLayout } from '/src/___new___/components';
-
-# Multi-cluster management and federation
-
-With multi-cluster management, you can centralize control of multiple Kubernetes clusters in a single management plane, with federated endpoint identity, federated services, and multi-cluster networking.
-
-## Setting up multi-cluster management
-
-
-
-
-
-
-## Setting up multi-cluster management using Helm
-
-
-
-
-
-
-## Cluster mesh
-
-
-
-
-
-
-
-
-## Advanced
-
-
-
-
-
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/create-a-managed-cluster-helm.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/create-a-managed-cluster-helm.mdx
deleted file mode 100644
index 486151bd1a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/create-a-managed-cluster-helm.mdx
+++ /dev/null
@@ -1,172 +0,0 @@
----
-description: Install a Calico Enterprise managed cluster with Helm 3 and connect it to a self-managed management cluster for centralized control and log storage.
----
-
-# Create a Calico Enterprise managed cluster
-
-import CodeBlock from '@theme/CodeBlock';
-
-## Big picture
-
-Create a $[prodname] managed cluster that you can control from your management cluster using Helm 3.
-
-## Value
-
-Helm charts are a way to package up an application for Kubernetes (similar to `apt` or `yum` for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.
-
-## Before you begin
-
-**Required**
-
-- Install Helm 3
-- `kubeconfig` is configured to work with your cluster (check by running `kubectl get nodes`)
-- [Credentials for the Tigera private registry and a license key](../../../getting-started/install-on-clusters/calico-enterprise.mdx)
-
-## Concepts
-
-### Operator-based installation
-
-In this guide, you install the Tigera Calico operator and custom resource definitions using the Helm 3 chart. The Tigera Operator provides lifecycle management for $[prodname] exposed via the Kubernetes API defined as a custom resource definition.
-
-## How to
-
-### Download the Helm chart
-
-```bash
-helm repo add tigera-ee https://downloads.tigera.io/ee/charts
-helm repo update
-helm pull tigera-ee/tigera-operator --version $[releaseTitle]
-```
-
-### Prepare the Installation Configuration
-
-You **must** provide the desired configuration for your cluster via the `values.yaml`, otherwise installation will use the default settings based on the auto-detected provider.
-The configurations you need to provide depends on your cluster's settings and your desired state.
-
-Some important configurations you might need to provide to the installer (via `values.yaml`) includes (but not limited to): _kubernetesProvider_, _cni type_, or if you need to customize _TLS certificates_.
-
-Here are some examples for updating `values.yaml` with your configurations:
-
-Example 1. Providing `kubernetesProvider`: if you are installing on a cluster installed by EKS, set the `kubernetesProvider` as described in the [Installation reference](../../../reference/installation/api.mdx#provider)
-
- ```bash
- echo '{ installation: {kubernetesProvider: EKS }}' > values.yaml
- ```
-
-Example 2. Providing custom settings in `values.yaml` for Azure AKS cluster with no Kubernetes CNI pre-installed:
-
- ```bash
- cat > values.yaml <
- ```
-
-1. Export the management cluster certificate and managed cluster certificate and key.
-
- If you haven't already done so, generate the base64 encoded CRT and KEY for this managed cluster:
-
- ```bash
- openssl genrsa 2048 | base64 -w 0 > my-managed-cluster.key.base64
- openssl req -new -key <(base64 -d my-managed-cluster.key.base64) -subj "/CN=my-managed-cluster" | \
- openssl x509 -req -signkey <(base64 -d my-managed-cluster.key.base64) -days 365 | base64 -w 0 > my-managed-cluster.crt.base64
- ```
-
- Get the MANAGEMENT_CLUSTER_CRT by running the following command on the management cluster:
-
- ```bash
- kubectl get secret -n tigera-operator $(kubectl get managementcluster tigera-secure -o jsonpath='{.spec.tls.secretName}') -o jsonpath='{.data.tls\.crt}' > management-cluster.crt.base64
- ```
-
- Export the managed cluster variables:
-
- ```bash
- export MANAGEMENT_CLUSTER_CRT=$(cat management-cluster.crt.base64)
- export MANAGED_CLUSTER_CRT=$(cat my-managed-cluster.crt.base64)
- export MANAGED_CLUSTER_KEY=$(cat my-managed-cluster.key.base64)
- ```
-
-1. Append the management cluster context to your `values.yaml`:
-
- ```bash
- echo "
- managementClusterConnection:
- enabled: true
- managementClusterAddress: $MANAGEMENT_CLUSTER_ADDR
- management:
- tls:
- crt: $MANAGEMENT_CLUSTER_CRT
- managed:
- tls:
- crt: $MANAGED_CLUSTER_CRT
- key: $MANAGED_CLUSTER_KEY" >> values.yaml
- ```
-
-1. Install the Tigera Operator and custom resource definitions using the Helm 3 chart:
-
-
- {'$[version]' === 'master'
- ? `helm install $[prodnamedash] tigera/tigera-operator --version tigera-operator-v0.0 -f values.yaml \\
---set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
---set-file licenseKeyContent= \\
---set logStorage.enabled=false --set manager.enabled=false \\
---namespace tigera-operator --create-namespace`
- : `helm install $[prodnamedash] tigera-operator-$[chart_version_name].tgz -f values.yaml \\
---set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
---set-file licenseKeyContent= \\
---set logStorage.enabled=false --set manager.enabled=false \\
---namespace tigera-operator --create-namespace`}
-
-
-1. You can now monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
-#### Provide permissions to view the managed cluster
-
- To access resources belonging to a managed cluster from the $[prodname] web console, the service or user account used to log in must have appropriate permissions defined in the managed cluster.
-
-Define admin-level permissions for the service account `mcm-user` we created to log in to the web console. Run the following command against your managed cluster.
-
- ```bash
- kubectl create clusterrolebinding mcm-user-admin --clusterrole=tigera-network-admin --serviceaccount=default:mcm-user
- ```
-
- Congratulations! You have now installed $[prodname] for a managed cluster using the Helm 3 chart.
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking is IP in IP encapsulation using BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/create-a-management-cluster-helm.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/create-a-management-cluster-helm.mdx
deleted file mode 100644
index c20c63a2b9..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/create-a-management-cluster-helm.mdx
+++ /dev/null
@@ -1,304 +0,0 @@
----
-description: Install a self-managed Calico Enterprise management cluster with Helm 3 to consolidate control of multiple managed clusters from a single plane.
----
-
-# Create a Calico Enterprise management cluster
-
-import CodeBlock from '@theme/CodeBlock';
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-## Big picture
-
-Create a $[prodname] management cluster to manage multiple clusters from a single management plane using Helm 3.
-
-## Value
-
-Helm charts are a way to package up an application for Kubernetes (similar to `apt` or `yum` for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.
-
-## Before you begin
-
-**Required**
-
-- Install Helm 3
-- `kubeconfig` is configured to work with your cluster (check by running `kubectl get nodes`)
-- [Credentials for the Tigera private registry and a license key](../../../getting-started/install-on-clusters/calico-enterprise.mdx)
-
-## Concepts
-
-### Operator-based installation
-
-In this guide, you install the Tigera Calico operator and custom resource definitions using the Helm 3 chart. The Tigera Operator provides lifecycle management for $[prodname] exposed via the Kubernetes API defined as a custom resource definition.
-
-## How to
-
-### Get the Helm chart
-
-
- {'$[version]' === 'master'
- ? `helm repo add tigera gs://tigera-helm-charts
-helm repo update
-helm pull tigera/tigera-operator --version $[releaseTitle]`
- : `helm repo add tigera-ee https://downloads.tigera.io/ee/charts
-helm repo update
-helm pull tigera-ee/tigera-operator --version $[releaseTitle]`}
-
-
-### Prepare the Installation Configuration
-
-You **must** provide the desired configuration for your cluster via the `values.yaml`, otherwise installation will use the default settings based on the auto-detected provider.
-The configurations you need to provide depends on your cluster's settings and your desired state.
-
-Some important configurations you might need to provide to the installer (via `values.yaml`) includes (but not limited to): _kubernetesProvider_, _cni type_, or if you need to customize _TLS certificates_.
-
-Here are some examples for updating `values.yaml` with your configurations:
-
-Example 1. Providing `kubernetesProvider`: if you are installing on a cluster installed by EKS, set the `kubernetesProvider` as described in the [Installation reference](../../../reference/installation/api.mdx#provider)
-
- ```bash
- echo '{ installation: {kubernetesProvider: EKS }}' > values.yaml
- ```
-
-Example 2. Providing custom settings in `values.yaml` for Azure AKS cluster with no Kubernetes CNI pre-installed:
-
- ```bash
- cat > values.yaml <
-
-
-To install a $[prodname] [management](create-a-management-cluster-helm#value) cluster with Helm, using a NodePort service:
-
-1. [Configure a storage class for Calico Enterprise](../../../operations/logstorage/create-storage).
-
-1. Export the service node port number
-
- ```bash
- export EXT_SERVICE_NODE_PORT=30449
- ```
-
- Export the public address or host of the management cluster. (Ex. "example.com:1234" or "10.0.0.10:1234".)
-
- ```bash
- export MANAGEMENT_CLUSTER_ADDR=:$EXT_SERVICE_NODE_PORT
- ```
-
-1. Export one or more managed clusters.
-
- Generate the base64 encoded CRT and KEY for a managed cluster:
-
- ```bash
- openssl genrsa 2048 | base64 -w 0 > my-managed-cluster.key.base64
- openssl req -new -key <(base64 -d my-managed-cluster.key.base64) -subj "/CN=my-managed-cluster" | \
- openssl x509 -req -signkey <(base64 -d my-managed-cluster.key.base64) -days 365 | base64 -w 0 > my-managed-cluster.crt.base64
- ```
-
- Export the managed cluster variables:
-
- ```bash
- export MANAGED_CLUSTER_NAME=my-managed-cluster
- export MANAGED_CLUSTER_OPERATOR_NAMESPACE=tigera-operator
- export MANAGED_CLUSTER_CERTIFICATE=$(cat my-managed-cluster.crt.base64)
- ```
-
-1. Append the management cluster context to your `values.yaml`:
-
- ```bash
- echo "
- managementCluster:
- enabled: true
- address: $MANAGEMENT_CLUSTER_ADDR
- service:
- enabled: true
- annotations:
- type: NodePort
- port: 9449
- targetPort: 9449
- protocol: TCP
- nodePort: $EXT_SERVICE_NODE_PORT
-
- managedClusters:
- enabled: true
- clusters:
- - name: $MANAGED_CLUSTER_NAME
- operatorNamespace: $MANAGED_CLUSTER_OPERATOR_NAMESPACE
- certificate: $MANAGED_CLUSTER_CERTIFICATE" >> values.yaml
- ```
-
-1. Install the Tigera Operator and custom resource definitions using the Helm 3 chart:
-
-
- {'$[version]' === 'master'
- ? `helm install $[prodnamedash] tigera/tigera-operator --version tigera-operator-v0.0 -f values.yaml \\
---set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
---set-file licenseKeyContent= \\
---namespace tigera-operator --create-namespace`
- : `helm install $[prodnamedash] tigera-operator-$[chart_version_name].tgz -f values.yaml \\
---set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
---set-file licenseKeyContent= \\
---namespace tigera-operator --create-namespace`}
-
-
-1. You can now monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
-
-
-
-To install a $[prodname] [management](create-a-management-cluster-helm#value) cluster with Helm, using a LoadBalancer service:
-
-#### Meet cloud provider requirements
-
-Ensure that you have met the requirements for your cloud provider to provision a load balancer in your environment.
-
-For example, if you are using EKS, you must meet the requirements defined in [create a network load balancer for AWS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html)
-
-#### Install the management cluster
-
-1. [Configure a storage class for Calico Enterprise](../../../operations/logstorage/create-storage).
-
-1. Export one or more managed clusters.
-
- Generate the base64 encoded CRT and KEY for a managed cluster:
-
- ```bash
- openssl genrsa 2048 | base64 -w 0 > my-managed-cluster.key.base64
- openssl req -new -key <(base64 -d my-managed-cluster.key.base64) -subj "/CN=my-managed-cluster" | \
- openssl x509 -req -signkey <(base64 -d my-managed-cluster.key.base64) -days 365 | base64 -w 0 > my-managed-cluster.crt.base64
- ```
-
- Export the managed cluster variables:
-
- ```bash
- export MANAGED_CLUSTER_NAME=my-managed-cluster
- export MANAGED_CLUSTER_OPERATOR_NAMESPACE=tigera-operator
- export MANAGED_CLUSTER_CERTIFICATE=$(cat my-managed-cluster.crt.base64)
- ```
-
-1. Append the management cluster context to your `values.yaml`:
-
- ```bash
- echo "
- managementCluster:
- enabled: true
- service:
- enabled: true
- annotations:
- type: LoadBalancer
- port: 9449
- targetPort: 9449
- protocol: TCP
-
- managedClusters:
- enabled: true
- clusters:
- - name: $MANAGED_CLUSTER_NAME
- operatorNamespace: $MANAGED_CLUSTER_OPERATOR_NAMESPACE
- certificate: $MANAGED_CLUSTER_CERTIFICATE" >> values.yaml
- ```
-
- If you are using EKS, make sure your management cluster has the following annotations:
- ```yaml
- managementCluster:
- service:
- annotations:
- - key: service.beta.kubernetes.io/aws-load-balancer-type
- value: "external"
- - key: service.beta.kubernetes.io/aws-load-balancer-nlb-target-type
- value: "instance"
- - key: service.beta.kubernetes.io/aws-load-balancer-scheme
- value: "internet-facing"
- ```
-
-1. Install the Tigera Operator and custom resource definitions using the Helm 3 chart:
-
-
- {'$[version]' === 'master'
- ? `helm install $[prodnamedash] tigera/tigera-operator --version tigera-operator-v0.0 -f values.yaml \\
---set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
---set-file licenseKeyContent= \\
---namespace tigera-operator --create-namespace`
- : `helm install $[prodnamedash] tigera-operator-$[chart_version_name].tgz -f values.yaml \\
---set-file imagePullSecrets.tigera-pull-secret=,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret= \\
---set-file licenseKeyContent= \\
---namespace tigera-operator --create-namespace`}
-
-
-1. You can now monitor progress with the following command:
-
- ```bash
- watch kubectl get tigerastatus
- ```
-
-#### Update the ManagementCluster address
-
-1. Export the service port number
-
- ```bash
- export EXT_LB_PORT=
- ```
-
- Export the public address or host of the management cluster, in this case the load-balancer's external IP (Ex. "example.com:1234" or "10.0.0.10:1234".)
-
- ```bash
- export MANAGEMENT_CLUSTER_ADDR=:$EXT_LB_PORT
- ```
-
- Replace the `address` field in the ManagementCluster resource.
-
- ```bash
- kubectl patch managementcluster tigera-secure --type merge -p "{\"spec\":{\"address\":\"${MANAGEMENT_CLUSTER_ADDR}\"}}"
- ```
-
-
-
-
-#### Create an admin user and verify management cluster connection
-
-To access resources in a managed cluster from the $[prodname] web console within the management cluster, the logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).
-
-Create an admin user, `mcm-user`, in the default namespace with full permissions, and token.
-
- ```bash
- kubectl create sa mcm-user
- kubectl create clusterrolebinding mcm-user-admin --clusterrole=tigera-network-admin --serviceaccount=default:mcm-user
- kubectl create token mcm-user -n default
- ```
-
- Use the generated token, to connect to the UI. In the top right banner in the UI, your management cluster is displayed as the first entry in the cluster selection drop-down menu with the fixed name, `management cluster`.
-
- Congratulations! You have now installed $[prodname] for a management cluster using the Helm 3 chart.
-
-## Next steps
-
-**Recommended**
-
-- [Configure access to the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-- [Authentication quickstart](../../../operations/cnx/authentication-quickstart.mdx)
-- [Configure your own identity provider](../../../operations/cnx/configure-identity-provider.mdx)
-
-**Recommended - Networking**
-
-- The default networking is IP in IP encapsulation using BGP routing. For all networking options, see [Determine best networking option](../../../networking/determine-best-networking.mdx).
-
-**Recommended - Security**
-
-- [Get started with $[prodname] tiered network policy](../../../network-policy/policy-tiers/tiered-policy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/index.mdx
deleted file mode 100644
index 7b25f2b4b5..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/helm-install/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Install a self-managed Calico Enterprise management and managed cluster pairing with Helm 3 charts, suitable for GitOps tooling such as ArgoCD.
-hide_table_of_contents: true
----
-
-# Helm and multi-cluster management
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/index.mdx
deleted file mode 100644
index 74596ca245..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Pair a self-managed Calico Enterprise management cluster with managed clusters for centralized log storage, RBAC, and federated policy across providers.
-hide_table_of_contents: true
----
-
-# Multi-cluster management
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/standard-install/create-a-managed-cluster.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/standard-install/create-a-managed-cluster.mdx
deleted file mode 100644
index 45125b3a9f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/standard-install/create-a-managed-cluster.mdx
+++ /dev/null
@@ -1,72 +0,0 @@
----
-description: Register a Calico Enterprise managed cluster with a self-managed management cluster using the Tigera Operator for centralized log storage and RBAC.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import InstallAKS from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallAKS';
-import InstallGKE from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGKE';
-import InstallEKS from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallEKS';
-import InstallGeneric from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallGeneric';
-import InstallOpenShift from '@site/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/InstallOpenShift';
-
-# Create a Calico Enterprise managed cluster
-
-## Big picture
-
-Create a $[prodname] managed cluster that you can control from your management cluster.
-
-## Value
-
-Managing standalone clusters and multiple instances of Elasticsearch is not onerous when you first install $[prodname].
-As you move to production with 300+ clusters, it is not scalable; you need centralized cluster management and log storage.
-With $[prodname] multi-cluster management, you can securely connect multiple clusters from different cloud providers
-in a single management plane, and control user access using RBAC. This architecture also supports federation of network
-policy resources across clusters, and lays the foundation for a “single pane of glass.”
-
-## Before you begin...
-
-**Required**
-
-- A [Calico Enterprise management cluster](create-a-management-cluster.mdx)
-- A [$[prodname] pull secret](../../../getting-started/install-on-clusters/calico-enterprise.mdx)
-
-## How to
-
-### Create a managed cluster
-
-Follow these steps in the cluster you intend to use as the managed cluster.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Next steps
-
-- When you are ready to fine-tune your multi-cluster management deployment for production, see [Fine-tune multi-cluster management](../../fine-tune-deployment.mdx)
-- To change an existing $[prodname] standalone cluster to a management or managed cluster, see [Change cluster types](../../change-cluster-type.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx b/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx
deleted file mode 100644
index 8d13ce1e81..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/multicluster/set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx
+++ /dev/null
@@ -1,121 +0,0 @@
----
-description: Provision a self-managed Calico Enterprise management cluster with the Tigera Operator to control hundreds of managed Kubernetes clusters from one plane.
----
-
-# Create a Calico Enterprise management cluster
-
-## Big picture
-
-Create a $[prodname] management cluster to manage multiple clusters from a single management plane.
-
-## Value
-
-Managing standalone clusters and multiple instances of Elasticsearch is not onerous when you first install $[prodname]. But as you move to production with 300+ clusters, it is not scalable; you need centralized cluster management and log storage. With $[prodname] multi-cluster management, you can securely connect multiple clusters from different cloud providers in a single management plane, and control user access using RBAC. This architecture also supports federation of network policy resources across clusters, and lays the foundation for a “single pane of glass.”
-
-## Before you begin...
-
-**Required**
-
-- A Calico Enterprise cluster, see [here](../../../getting-started/install-on-clusters/index.mdx) for help
-- A reachable, public IP address for the management cluster
-
-## How to
-
-### Create a management cluster
-
-To control managed clusters from your central management plane, you must ensure it is reachable for connections. The simplest way to get started (but not for production scenarios), is to configure a `NodePort` service to expose the management cluster. Note that the service must live within the `calico-system` namespace.
-
-1. Create a service to expose the management cluster.
- The following example of a NodePort service may not be suitable for production and high availability. For options, see [Fine-tune multi-cluster management for production](../../fine-tune-deployment.mdx).
- Apply the following service manifest.
-
- ```bash
- kubectl create -f - <
- ```
-1. Apply the [ManagementCluster](../../../reference/installation/api.mdx#managementcluster) CR.
-
- ```bash
- kubectl apply -f - <
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/alp-tutorial.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/alp-tutorial.mdx
deleted file mode 100644
index b7a3d7d934..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/alp-tutorial.mdx
+++ /dev/null
@@ -1,169 +0,0 @@
----
-description: Step-by-step tutorial for applying Calico Enterprise application-layer policy to workloads — control ingress traffic by HTTP attributes.
----
-
-# Application layer policy tutorial
-
-This tutorial shows how to use $[prodname] application layer policy to restrict ingress traffic for applications and microservices.
-
-### Install the demo application
-
-We will use a simple microservice application to demonstrate $[prodname]
-application layer policy. The [YAO Bank](https://github.com/projectcalico/yaobank) application creates a
-customer-facing web application, a microservice that serves up account
-summaries, and an [etcd](https://github.com/coreos/etcd) datastore.
-
-```bash
-kubectl apply -f $[tutorialFilesURL]/10-yaobank.yaml
-```
-```bash
-namespace/yaobank configured
-service/database created
-serviceaccount/database created
-deployment.apps/database created
-service/summary created
-serviceaccount/summary created
-deployment.apps/summary created
-service/customer created
-serviceaccount/customer created
-deployment.apps/customer created
-```
-
-:::note
-
-You can also
-[view the manifest in your browser](/files/10-yaobank.yaml).
-
-:::
-
-Verify that the application pods have been created and are ready.
-```bash
- kubectl rollout status deploy/summary deploy/customer deploy/database
-```
-
-When the demo application is displayed, you will see three pods.
-
-```
-NAME READY STATUS RESTARTS AGE
-customer-2809159614-qqfnx 3/3 Running 0 21h
-database-1601951801-m4w70 3/3 Running 0 21h
-summary-2817688950-g1b3n 3/3 Running 0 21h
-```
-
-## Set up
-- A $[prodname] cluster is running with application layer policy enabled
-- Cluster has three microservices: customer, database, summary
-- The customer web service should not have access to the backend database, but should have access to clients outside the cluster
-
-Imagine what would happen if an attacker were to gain control of the customer web pod in our
-application. Let's simulate this by executing a remote shell inside that pod.
-
-```bash
-kubectl exec -ti customer- -c customer -- bash
-```
-
-Notice that from here, we get direct access to the backend database. For example, we can list all the entries in the database like this:
-
-```bash
-curl http://database:2379/v2/keys?recursive=true | python -m json.tool
-```
-
-(Piping to `python -m json.tool` nicely formats the output.)
-
-## Apply application layer policy
-
-In this step, we get the application layer policy YAML and apply it. Note that the policy scope is cluster-wide.
-
-With a $[prodname] policy, you can mitigate risks to the banking application.
-
-```bash
-wget $[tutorialFilesURL]/30-policy.yaml
-kubectl create -f 30-policy.yaml
-```
-
-Let's examine this policy piece by piece. First, notice that an application layer policy looks like a regular $[prodname] global network policy.
-The only difference you'll see is the ability to use the application layer policy parameters in global network policy. Another important difference
-is that you'll see HTTP traffic flows in the web console in features like Service Graph.
-
-Next, there are three policy objects, one for each microservice.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: customer
-spec:
- selector: app == 'customer'
- ingress:
- - action: Allow
- http:
- methods: ['GET']
- egress:
- - action: Allow
-```
-
-The first policy protects the customer web app. Because this application is customer-facing, we do not
-restrict what can communicate with it. We do, however, restrict its communications to HTTP `GET`
-requests.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: summary
-spec:
- selector: app == 'summary'
- ingress:
- - action: Allow
- source:
- serviceAccounts:
- names: ['customer']
- egress:
- - action: Allow
-```
-
-The second policy protects the account summary microservice. We know the only consumer of this
-service is the customer web app, so we restrict the source of incoming connections to the service
-account for the customer web app.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: database
-spec:
- selector: app == 'database'
- ingress:
- - action: Allow
- source:
- serviceAccounts:
- names: ["summary"]
- egress:
- - action: Allow
-
-```
-
-The third policy protects the database. Only the summary microservice should have direct access to
-the database.
-
-### Verify the policy is working
-
-Let's verify our policy is working as intended. First, return to your browser and refresh to
-ensure policy enforcement has not broken the application.
-
-Next, return to the customer web app. Recall that we simulated an attacker gaining control of that
-pod by executing a remote shell inside it.
-
-```bash
-kubectl exec -ti customer- -c customer bash
-```
-
-Repeat our attempt to access the database.
-
-```bash
-curl -I http://database:2379/v2/keys?recursive=true
-```
-
-We omitted the JSON formatting because we do not expect to get a valid JSON response. This
-time we should get a `403 Forbidden` response. Only the account summary microservice has database
-access according to our policy.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/alp.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/alp.mdx
deleted file mode 100644
index 714da651a9..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/alp.mdx
+++ /dev/null
@@ -1,106 +0,0 @@
----
-description: Configure access controls based on Layer-7 attributes by enforcing Calico Enterprise application-layer policy in the cluster.
----
-
-# Enable and enforce application layer policies
-
-:::warning[deprecation and removal notice]
-
-Application layer policy based on Envoy is deprecated and will be removed in an upcoming release.
-For similar functionality, try [Istio Ambient Mode](../../compliance/istio/about-istio-ambient.mdx) with [Istio authorization policies](https://istio.io/latest/docs/ambient/getting-started/enforce-auth-policies/).
-
-:::
-
-Application layer policies let you configure access controls based on L7 attributes.
-
-## Before you begin
-
-### Limitations
-
-* Application layer policy is not compatible with a service mesh such as Istio.
-* Application layer policy can restrict only _ingress_ traffic.
- It can not restrict egress traffic.
-* Support for L7 attributes is limited to HTTP method and URL exact/prefix path.
-* Supported protocols are limited to TCP-based protocols (for example, HTTP, HTTPS, or gRPC).
-* Application layer policies apply to the entire cluster.
- They can not be namespaced.
-* Logs for application layer polices are not included with other L7 logs in Service Graph.
- To view logs for application layer policies, you must [view them in Kibana](../../observability/elastic/l7/configure.mdx#kibana).
-* Application layer policy is supported only on Kubernetes 1.29 and later.
-
-:::important
-
-When you enable application layer policy for a deployment, all of that deployment's pods will restart
-Active connections may be disrupted.
-
-:::
-
-### Enable application layer policy (ALP)
-
-Create an (or edit an existing ApplicationLayer) resource with the `sidecarInjection` field to `Enabled`:
-
-```bash
-kubectl apply -f - < -n -p '{"spec":{"template":{"metadata":{"labels":{"applicationlayer.projectcalico.org/sidecar":"true"},"annotations":{"applicationlayer.projectcalico.org/policy":"Enabled"}}}}}'
-```
-
-### Enforce application layer policies for ingress traffic
-
-You can restrict ingress traffic using HTTP match criteria using Global network policy.
-For a list of all HTTP match parameters, see [Global network policy](/reference/resources/globalnetworkpolicy.mdx).
-
-In the following example, the trading app is allowed ingress traffic only for HTTP GET requests that match the exact path `/projects/calico`, or that begin with the prefix `/users`.
-Additionally, the HTTP request must contain the `Content-Type` HTTP header with a value of either `text/plain` or `application/json`, as well as the `User-Agent` HTTP header with a value that has the prefix `curl`.
-Any HTTP request from the trading app that does not fulfill the outlined criteria is rejected.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: customer
-spec:
- selector: app == 'tradingapp'
- ingress:
- - action: Allow
- http:
- methods: ["GET"]
- paths:
- - exact: "/projects/calico"
- - prefix: "/users"
- headers:
- - header: "content-type"
- operator: "In"
- values: ["text/plain", "application/json"]
- - header: "user-agent"
- operator: "HasPrefix"
- values: ["curl"]
- egress:
- - action: Allow
-```
-
-### Disable application layer policies
-
-To disable the policies, do one of the following steps:
-* Recreate your application pods without the sidecar label and annotations.
-* Remove the `applicationLayerPolicy` field entirely.
-* Remove the `sidecarInjection` field entirely, if sidecar mode was being used only for ALP.
-* Delete the ApplicationLayer` custom resource if only ALP was enabled on it.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/index.mdx
deleted file mode 100644
index 96bec20f67..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/application-layer-policies/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Restrict ingress traffic to Calico Enterprise workloads by HTTP method, path, or other Layer-7 attributes using application-layer policy.
-hide_table_of_contents: true
----
-
-# Application layer policies to control ingress traffic
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/calico-labels.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/calico-labels.mdx
deleted file mode 100644
index ae85a8d5fb..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/calico-labels.mdx
+++ /dev/null
@@ -1,124 +0,0 @@
----
-description: Reference list of automatic labels Calico Enterprise attaches to resources, useful as selectors in policy rules.
----
-
-# Calico Enterprise automatic labels
-
-As a convenience, $[prodname] provides immutable labels that are used for specific resources when evaluating selectors in policies. The labels make it easier to match resources in common ways (such as matching a namespace by name).
-
-## Labels for matching namespaces
-
-The label `projectcalico.org/name` is set to the name of the namespace. This allows for matching namespaces by name when using a `namespaceSelector` field.
-
-For example, the following GlobalNetworkPolicy applies to workloads with label, `color: red` in namespaces named, `"foo"` and `"bar"`. The policy allows ingress traffic to port 8080 from all workloads in a third namespace named, `"baz"`:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: foo-and-bar
-spec:
- namespaceSelector: projectcalico.org/name in {"foo", "bar"}
- selector: color == "red"
- types:
- - Ingress
- ingress:
- - action: Allow
- source:
- namespaceSelector: projectcalico.org/name == "baz"
- destination:
- ports:
- - 8080
-```
-
-Be aware that the default values for `namespaceSelector` for NetworkPolicy and GlobalNetworkPolicy are different. For example:
-
-**In a network policy**,
-
- ```yaml
- namespaceSelector:
- selector: foo == "bar"
- ```
-means "resources in the same namespace as the network policy that matches foo == 'bar'".
-
-**In a global network policy**,
-
- ```yaml
- namespaceSelector:
- selector: foo == "bar"
- ```
-means "resources in any namespace and non-namespaced resources that match foo == 'bar'".
-
-Further,
-
- ```yaml
- namespaceSelector: projectcalico.org/name == "some-namespace"
- selector: foo == "bar"
- ```
-is equivalent to:
-
- ```yaml
- namespaceSelector:
- selector: (foo == "bar") && (projectcalico.org/namespace == "some-namespace")
- ```
-
-### Labels for matching service accounts
-
-Similarly, the `projectcalico.org/name` label is applied to ServiceAccounts and allows for matching by name in a `serviceAccountSelector`.
-
-### Kubernetes labels for matching namespaces
-
-Kubernetes also has [automatic labeling](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling), for example `kubernetes.io/metadata.name`. The Kubernetes namespace label serves the same purpose and can be used in the same way as the $[prodname] label. The `projectcalico.org/name` label predates the automatic Kubernetes label.
-
-## Labels for matching workload endpoints
-
-WorkloadEndpoints (which represent Pods in Kubernetes, or VM instances in OpenStack), receive several automatic labels:
-
-* `projectcalico.org/orchestrator` is applied to all WorkloadEndpoints and allows Kubernetes Pods to be distinguished from OpenStack VM instances, and from HostEndpoints (which do not have the label):
-
-* `has(projectcalico.org/orchestrator)` matches only WorkloadEndpoints
-* `projectcalico.org/orchestrator == "k8s"` matches only Kubernetes Pods
-
-* For WorkloadEndpoints that represent Kubernetes Pods, `projectcalico.org/namespace` contains the name of the pod's namespace. `projectcalico.org/namespace` predates the addition of `namespaceSelector` fields to GlobalNetworkPolicies; it serves the same purpose as the `projectcalico.org/name` label in a `namespaceSelector` field. The following GlobalNetworkPolicy is exactly equivalent to the example shown in the Namespaces section:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: foo-and-bar
-spec:
- selector: projectcalico.org/namespace in {"foo", "bar"} && color == "red"
- types:
- - Ingress
- ingress:
- - action: Allow
- source:
- selector: projectcalico.org/namespace == "baz"
- destination:
- ports:
- - 8080
-```
-
-### Labels for matching workload endpoints with multiple networks
-
-If you enable [multiple networks](../../networking/configuring/multiple-networks), the following automatic labels are available:
-
-- `projectcalico.org/network` - Name of the network specified in the NetworkAttachmentDefinition
-- `projectcalico.org/network-namespace` - Namespace of the network
-- `projectcalico.org/network-interface` - Network interface for the WorkloadEndpoint
-
-## Labels for matching host endpoints
-
-[Automatic HostEndpoints](../../network-policy/hosts/kubernetes-nodes) use the following label to differentiate them from regular HostEndpoints:
-
-- `projectcalico.org/created-by: calico-kube-controllers`
-
-## Use the correct selector with labels in policies
-
-$[prodname] labels must be used with the correct selector or the policy will not work as designed (and there are no error messages in the web console or when applying the YAML).
-
-| Calico label | Usage requirements | Use in these resources... |
-| --------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
-| `projectcalico.org/name` | Use with a **namespaceSelector** or **serviceAccountSelector**. | - Network policy - Staged network policy
Namespaced resources that apply only to workload endpoint resources in the namespace. |
-| `projectcalico.org/namespace` | Use only with selectors.
Use the label as the label name, and a namespace name as the value to compare against (for example projectcalico.org/namespace == "default"). | - Global network policy - Staged global network policy
Cluster-wide (non-namespaced) resources that apply to workload endpoint resources in all namespaces, and to host endpoint resources. |
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/calico-network-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/calico-network-policy.mdx
deleted file mode 100644
index c7cba36755..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/calico-network-policy.mdx
+++ /dev/null
@@ -1,253 +0,0 @@
----
-description: Write your first Calico Enterprise NetworkPolicy — sample policies that exercise the rich rule features beyond Kubernetes NetworkPolicy.
----
-
-# Get started with Calico network policy
-
-## Big picture
-
-Enforce which network traffic that is allowed or denied using rules in Calico network policy.
-
-## Value
-
-### Extends Kubernetes network policy
-
-Calico network policy provides a richer set of policy capabilities than Kubernetes including: policy ordering/priority, deny rules, and more flexible match rules. While Kubernetes network policy applies only to pods, Calico network policy can be applied to multiple types of endpoints including pods, VMs, and host interfaces.
-
-### Write once, works everywhere
-
-No matter which cloud provider you use now, adopting Calico network policy means you write the policy once and it is portable. If you move to a different cloud provider, you don’t need to rewrite your Calico network policy. Calico network policy is a key feature to avoid cloud provider lock-in.
-
-### Works seamlessly with Kubernetes network policies
-
-You can use Calico network policy in addition to Kubernetes network policy, or exclusively. For example, you could allow developers to define Kubernetes network policy for their microservices. For broader and higher-level access controls that developers cannot override, you could allow only security or Ops teams to define Calico network policies.
-
-## Concepts
-
-### Endpoints
-
-Calico network policies apply to **endpoints**. In Kubernetes, each pod is a Calico endpoint. However, Calico can support other kinds of endpoints. There are two types of Calico endpoints: **workload endpoints** (such as a Kubernetes pod or OpenStack VM) and **host endpoints** (an interface or group of interfaces on a host).
-
-### Namespaced and global network policies
-
-**Calico network policy** is a namespaced resource that applies to pods/containers/VMs in that namespace.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-tcp-port-6379
- namespace: production
-```
-
-**Calico global network policy** is a non-namespaced resource and can be applied to any kind of endpoint (pods, VMs, host interfaces) independent of namespace.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-tcp-port-6379
-```
-
-Because global network policies use **kind: GlobalNetworkPolicy**, they are grouped separately from **kind: NetworkPolicy**. For example, global network policies will not be returned from `kubectl get networkpolicy.p`, and are rather returned from `kubectl get globalnetworkpolicy`.
-
-### Ingress and egress
-
-Each network policy rule applies to either **ingress** or **egress** traffic. From the point of view of an endpoint (pod, VM, host interface), **ingress** is incoming traffic to the endpoint, and **egress** is outgoing traffic from the endpoint. In a Calico network policy, you create ingress and egress rules independently (egress, ingress, or both).
-
-You can specify whether policy applies to ingress, egress, or both using the **types** field. If you do not use the types field, Calico defaults to the following values.
-
-| Ingress rule present? | Egress rule present? | Value |
-| :-------------------: | :------------------: | :-------------: |
-| No | No | Ingress |
-| Yes | No | Ingress |
-| No | Yes | Egress |
-| Yes | Yes | Ingress, Egress |
-
-### Network traffic behaviors: deny and allow
-
-The Kubernetes network policy specification defines the following behavior:
-
-- If no network policies apply to a pod, then all traffic to/from that pod is allowed.
-- If one or more network policies apply to a pod containing ingress rules, then only the ingress traffic specifically allowed by those policies is allowed.
-- If one or more network policies apply to a pod containing egress rules, then only the egress traffic specifically allowed by those policies is allowed.
-
-For compatibility with Kubernetes, **Calico network policy** follows the same behavior for Kubernetes pods. For other endpoint types (VMs, host interfaces), Calico network policy is default deny. That is, only traffic specifically allowed by network policy is allowed, even if no network policies apply to the endpoint.
-
-## Before you begin
-
-`calicoctl` must be **installed** and **configured** before use. `calicoctl` will use Kubernetes as the datastore. You can find more information on how to configure `calicoctl` in the following link:
-
-- [Configure `calicoctl`](../../operations/clis/calicoctl/configure/overview.mdx)
-
-## How to
-
-- [Control traffic to/from endpoints in a namespace](#control-traffic-tofrom-endpoints-in-a-namespace)
-- [Control traffic to/from endpoints independent of namespace](#control-traffic-tofrom-endpoints-independent-of-namespace)
-- [Control traffic to/from endpoints using IP addresses or CIDR ranges](#control-traffic-tofrom-endpoints-using-ip-addresses-or-cidr-ranges)
-- [Apply network policies in specific order](#apply-network-policies-in-specific-order)
-- [Generate logs for specific traffic](#generate-logs-for-specific-traffic)
-
-### Control traffic to/from endpoints in a namespace
-
-In the following example, ingress traffic to endpoints in the **namespace: production** with label **color: red** is allowed, only if it comes from a pod in the same namespace with **color: blue**, on port **6379**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-tcp-port-6379
- namespace: production
-spec:
- selector: color == 'red'
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: color == 'blue'
- destination:
- ports:
- - 6379
-```
-
-To allow ingress traffic from endpoints in other namespaces, use a **namespaceSelector** in the policy rule. A namespaceSelector matches namespaces based on the labels that are applied in the namespace. In the following example, ingress traffic is allowed from endpoints in namespaces that match **shape == circle**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-tcp-port-6379
- namespace: production
-spec:
- selector: color == 'red'
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: color == 'blue'
- namespaceSelector: shape == 'circle'
- destination:
- ports:
- - 6379
-```
-
-### Control traffic to/from endpoints independent of namespace
-
-The following Calico network policy is similar to the previous example, but uses **kind: GlobalNetworkPolicy** so it applies to all endpoints, regardless of namespace.
-
-In the following example, incoming TCP traffic to any pods with label **color: red** is denied if it comes from a pod with **color: blue**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: deny-blue
-spec:
- selector: color == 'red'
- ingress:
- - action: Deny
- protocol: TCP
- source:
- selector: color == 'blue'
-```
-
-As with **kind: NetworkPolicy**, you can allow or deny ingress traffic from endpoints in specific namespaces using a namespaceSelector in the policy rule:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: deny-circle-blue
-spec:
- selector: color == 'red'
- ingress:
- - action: Deny
- protocol: TCP
- source:
- selector: color == 'blue'
- namespaceSelector: shape == 'circle'
-```
-
-### Control traffic to/from endpoints using IP addresses or CIDR ranges
-
-Instead of using a selector to define which traffic is allowed to/from the endpoints in a network policy, you can also specify an IP block in CIDR notation.
-
-In the following example, outgoing traffic is allowed from pods with the label **color: red** if it goes to an IP address in the **1.2.3.4/24** CIDR block.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-egress-external
- namespace: production
-spec:
- selector: color == 'red'
- types:
- - Egress
- egress:
- - action: Allow
- destination:
- nets:
- - 1.2.3.0/24
-```
-
-### Apply network policies in specific order
-
-To control the order/sequence of applying network policies, you can use the **order** field (with precedence from the lowest value to highest). Defining policy **order** is important when you include both **action: allow** and **action: deny** rules that may apply to the same endpoint.
-
-In the following example, the policy **allow-cluster-internal-ingress** (order: 10) will be applied before the **policy drop-other-ingress** (order: 20).
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: drop-other-ingress
-spec:
- order: 20
- #...deny policy rules here...
-```
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-cluster-internal-ingress
-spec:
- order: 10
- #...allow policy rules here...
-```
-
-### Generate logs for specific traffic
-
-In the following example, incoming TCP traffic to an application is denied, and each connection attempt is logged to syslog.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-tcp-port-6379
- namespace: production
-spec:
- selector: role == 'database'
- types:
- - Ingress
- - Egress
- ingress:
- - action: Log
- protocol: TCP
- source:
- selector: role == 'frontend'
- - action: Deny
- protocol: TCP
- source:
- selector: role == 'frontend'
-```
-### Create policy for established connections
-
-Policies are immediately applied to any new connections. However, for existing connections that are already open, the policy changes will only take effect after the connection has been reestablished. This means that any ongoing sessions may not immediately reflect policy changes until they are initiated again.
-
-## Additional resources
-
-- For additional Calico network policy features, see [Calico network policy](../../reference/resources/networkpolicy.mdx) and [Calico global network policy](../../reference/resources/globalnetworkpolicy.mdx)
-- For an alternative to using IP addresses or CIDRs in policy, see [Network sets](../../reference/resources/networkset.mdx)
-- For details on how to stage network policy, see [Staged network policies](../staged-network-policies.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/index.mdx
deleted file mode 100644
index 5a8e13769b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Beginner-friendly path for writing your first Calico Enterprise network policies — a tour of the basic resource types and rule patterns.
-hide_table_of_contents: true
----
-
-# Calico Enterprise network policy for beginners
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/kubernetes-default-deny.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/kubernetes-default-deny.mdx
deleted file mode 100644
index eb72a9abfc..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/kubernetes-default-deny.mdx
+++ /dev/null
@@ -1,149 +0,0 @@
----
-description: Apply a default-deny network policy in a Calico Enterprise cluster so unprotected pods are denied traffic until explicit policy is written.
----
-
-# Enable a default deny policy for Kubernetes pods
-
-## Big picture
-
-Enable a default deny policy for Kubernetes pods using Kubernetes or $[prodname] network policy.
-
-## Value
-
-A **default deny** network policy provides an enhanced security posture so pods without policy (or incorrect policy) are not allowed traffic until appropriate network policy is defined.
-
-## Features
-
-This how-to guide uses the following $[prodname] features:
-
-- **NetworkPolicy**
-- **GlobalNetworkPolicy**
-
-## Concepts
-
-### Default deny/allow behavior
-
-**Default allow** means all traffic is allowed by default, unless otherwise specified. **Default deny** means all traffic is denied by default, unless explicitly allowed. **Kubernetes pods are default allow**, unless network policy is defined to specify otherwise.
-
-For compatibility with Kubernetes, **$[prodname] network policy** enforcement follows the standard convention for Kubernetes pods:
-
-- If no network policies apply to a pod, then all traffic to/from that pod is allowed.
-- If one or more network policies apply to a pod with type ingress, then only the ingress traffic specifically allowed by those policies is allowed.
-- If one or more network policies apply to a pod with type egress, then only the egress traffic specifically allowed by those policies is allowed.
-
-For other endpoint types (VMs, host interfaces), the default behavior is to deny traffic. Only traffic specifically allowed by network policy is allowed, even if no network policies apply to the endpoint.
-
-## How to
-
-- [Create a default deny network policy](#crate-a-default-deny-network-policy)
-- [Create a global default deny network policy](#create-a-global-default-deny-network-policy)
-
-### Create a default deny network policy
-
-Immediately after installation, a best practice is to create a namespaced default deny network policy to secure pods without policy or incorrect policy until you can put policies in place and test them.
-
-In the following example, we create a $[prodname] default deny **NetworkPolicy** for all workloads in the namespace, **engineering**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: default-deny
- namespace: engineering
-spec:
- selector: all()
- types:
- - Ingress
- - Egress
-```
-
-Here's an equivalent default deny **Kubernetes network policy** for all pods in the namespace, **engineering**
-
-```yaml
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: default-deny
- namespace: engineering
-spec:
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
-```
-
-### Create a global default deny policy
-
-A default deny policy ensures that unwanted traffic (ingress and egress) is denied by default without you having to remember default deny/allow behavior of Kubernetes and $[prodname] policies. This policy can also help mitigate risks of lateral malicious attacks.
-
-#### Best practice #1: Allow, stage, then deny
-
-We recommend that you create a global default deny policy after you complete writing policy for the traffic that you want to allow. The following steps summarizes the best practice to test and lock down the cluster to block unwanted traffic:
-
-1. Create a global default deny policy and test it in a staging environment. (The policy will show all the traffic that would be blocked if it were converted into a deny.)
-1. Create network policies to individually allow the traffic shown as blocked in step 1 until no connections are denied.
-1. Enforce the global default deny policy.
-
-#### Best practice #2: Keep the scope to non-system pods
-
-A global default deny policy applies to the entire cluster including all workloads in all namespaces, hosts (computers that run the hypervisor for VMs or container runtime for containers), including Kubernetes control plane and $[prodname] control plane nodes and pods.
-
-For this reason, the best practice is to create a global default deny policy for **non-system pods** as shown in the following example.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: deny-app-policy
-spec:
- namespaceSelector: kubernetes.io/metadata.name not in {"calico-system", "kube-public", "kube-system", "tigera-operator"}
- types:
- - Ingress
- - Egress
- egress:
- # allow all namespaces to communicate to DNS pods
- - action: Allow
- protocol: UDP
- destination:
- selector: 'k8s-app == "kube-dns"'
- ports:
- - 53
- - action: Allow
- protocol: TCP
- destination:
- selector: 'k8s-app == "kube-dns"'
- ports:
- - 53
-```
-
-Note the following:
-
-- Even though we call this policy "global default deny", the above policy is not explicitly denying traffic. By selecting the traffic with the `namespaceSelector` but not specifying an allow, the traffic is denied after all other policy is evaluated. This design also makes it unnecessary to ensure any specific order (priority) for the default-deny policy.
-- Allowing access to `kube-dns` simplifies per-pod policies because you don't need to duplicate the DNS rules in every policy
-- This policy uses a negative selector for the `spec.namespaceselector` field to exclude control plane namespaces.
- In this example, those namespaces include the `calico-system`, `kube-public`, `kube-system`, and `tigera-operator` namespaces.
- Because your installation may have different components, make sure to check what you have installed before implementing a similar policy.
-
-In a staging environment, verify that the policy does not block any necessary traffic before enforcing it.
-
-### Don't try this!
-
-The following policy works and looks fine on the surface. But as described in Best practices #2, the policy is too broad in scope and could break your cluster. Therefore, we do not recommend adding this type of policy, even if you have verified allowed traffic in your staging environment.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: default.default-deny
-spec:
- tier: default
- selector: all()
- types:
- - Ingress
- - Egress
-```
-
-## Additional resources
-
-- [Network policy](../../reference/resources/networkpolicy.mdx)
-- [Global network policy](../../reference/resources/globalnetworkpolicy.mdx)
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/external-ips-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/external-ips-policy.mdx
deleted file mode 100644
index 4329fc3539..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/external-ips-policy.mdx
+++ /dev/null
@@ -1,112 +0,0 @@
----
-description: Restrict egress and ingress to specific IP ranges in Calico Enterprise policy, either inline or via reusable network sets.
----
-
-# Use external IPs or networks rules in policy
-
-## Big picture
-
-Use $[prodname] network policy to limit traffic to/from external non-$[prodname] workloads or networks.
-
-## Value
-
-Modern applications often integrate with third-party APIs and SaaS services that live outside Kubernetes clusters. To securely enable access to those integrations, network security teams must be able to limit IP ranges for egress and ingress traffic to workloads. This includes using IP lists or ranges to deny-list bad actors or embargoed countries.
-
-Using $[prodname] network policy, you can define IP addresses/CIDRs directly in policy to limit traffic to external networks. Or using $[prodname] network sets, you can easily scale out by using the same set of IPs in multiple policies.
-
-## Concepts
-
-### IP addresses/CIDRs
-
-IP addresses and CIDRs can be specified directly in both Kubernetes and $[prodname] network policy rules. $[prodname] network policy supports IPV4 and IPV6 CIDRs.
-
-### Network sets
-
-A **network set** resource is an arbitrary set of IP subnetworks/CIDRs that can be matched by standard label selectors in Kubernetes or $[prodname] network policy. This is useful to reference a set of IP addresses using a selector from a namespaced network policy resource. It is typically used when you want to scale/reuse the same set of IP addresses in policy.
-
-A **global network set** resource is similar, but can be selected only by $[prodname] global network policies.
-
-## How to
-
-- [Limit traffic to or from external networks, IPs in network policy](#limit-traffic-to-or-from-external-networks-ips-in-network-policy)
-- [Limit traffic to or from external networks, global network set](#limit-traffic-to-or-from-external-networks-global-network-set)
-
-### Limit traffic to or from external networks, IPs in network policy
-
-In the following example, a $[prodname] NetworkPolicy allows egress traffic from pods with the label **color: red**, if it goes to an IP address in the 192.0.2.0/24 CIDR block.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-egress-external
- namespace: production
-spec:
- selector: color == 'red'
- types:
- - Egress
- egress:
- - action: Allow
- destination:
- nets:
- - 192.0.2.0/24
-```
-
-### Limit traffic to or from external networks, global network set
-
-In this example, we use a $[prodname] **GlobalNetworkSet** and reference it in a **GlobalNetworkPolicy**.
-
-In the following example, a $[prodname] **GlobalNetworkSet** deny-lists the CIDR ranges 192.0.2.55/32 and 203.0.113.0/24:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkSet
-metadata:
- name: ip-protect
- labels:
- ip-deny-list: 'true'
-spec:
- nets:
- - 192.0.2.55/32
- - 203.0.113.0/24
-```
-
-Next, we create two $[prodname] **GlobalNetworkPolicy** objects. The first is a high “order” policy that allows traffic as a default for things that don’t match our second policy, which is low “order” and uses the **GlobalNetworkSet** label as a selector to deny ingress traffic (IP-deny-list in the previous step). In the label selector, we also include the term **!has(projectcalico.org/namespace)**, which prevents this policy from matching pods or NetworkSets that also have this label. To more quickly enforce the denial of forwarded traffic to the host at the packet level, use the **doNotTrack** and **applyOnForward** options.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: forward-default-allow
-spec:
- selector: apply-ip-protect == 'true'
- order: 1000
- doNotTrack: true
- applyOnForward: true
- types:
- - Ingress
- ingress:
- - action: Allow
----
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: ip-protect
-spec:
- selector: apply-ip-protect == 'true'
- order: 0
- doNotTrack: true
- applyOnForward: true
- types:
- - Ingress
- ingress:
- - action: Deny
- source:
- selector: ip-deny-list == 'true' && !has(projectcalico.org/namespace)
-```
-
-## Additional resources
-
-- To understand how to use global network sets to mitigate common threats, see [Defend against DoS attacks](../../extreme-traffic/defend-dos-attack.mdx)
-- [Global network sets](../../../reference/resources/globalnetworkset.mdx)
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/icmp-ping.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/icmp-ping.mdx
deleted file mode 100644
index 1b355556bc..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/icmp-ping.mdx
+++ /dev/null
@@ -1,130 +0,0 @@
----
-description: Allow or deny ICMP and ping traffic for Calico Enterprise workloads and host endpoints using policy rules.
----
-
-# Use ICMP/ping rules in policy
-
-## Big picture
-
-Use $[prodname] network policy to allow and deny ICMP/ping messages.
-
-## Value
-
-The **Internet Control Message Protocol (ICMP)** provides valuable network diagnostic functions, but it can also be used maliciously. Attackers can use
-it to learn about your network, or for DoS attacks. Using $[prodname] network policy, you can control where ICMP is used. For example, you can:
-
-- Allow ICMP ping, but only for workloads, host endpoints (or both)
-- Allow ICMP for pods launched by operators for diagnostic purposes, but block other uses
-- Temporarily enable ICMP to diagnose a problem, then disable it after the problem is resolved
-- Deny/allow ICMPv4 and/or ICMPv6
-
-## Concepts
-
-### ICMP packet type and code
-
-$[prodname] network policy also lets you deny and allow ICMP traffic based on specific types and codes. For example, you can specify ICMP type 5, code 2 to match specific ICMP redirect packets.
-
-For details, see [ICMP type and code](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages).
-
-## How to
-
-- [Deny all ICMP, all workloads and host endpoints](#deny-all-icmp-all-workloads-and-host-endpoints)
-- [Allow ICMP ping, all workloads and host endpoints](#allow-icmp-ping-all-workloads-and-host-endpoints)
-- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-kubernetes-pods)
-
-### Deny all ICMP, all workloads and host endpoints
-
-In this example, we introduce a "deny all ICMP" **GlobalNetworkPolicy**.
-
-This policy **selects all workloads and host endpoints**. It enables a default deny for all workloads and host endpoints, in addition to the explicit ICMP deny rules specified in the policy.
-
-If your ultimate goal is to allow some traffic, have your regular "allow" policies in place before applying a global deny-all ICMP traffic policy.
-
-In this example, all workloads and host endpoints are blocked from sending or receiving **ICMPv4** and **ICMPv6** messages.
-
-If **ICMPv6** messages are not used in your deployment, it is still good practice to deny them specifically as shown below.
-
-In any "deny-all" $[prodname] network policy, be sure to specify a lower order (**order:200**) than regular policies that might allow traffic.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: block-icmp
-spec:
- order: 200
- selector: all()
- types:
- - Ingress
- - Egress
- ingress:
- - action: Deny
- protocol: ICMP
- - action: Deny
- protocol: ICMPv6
- egress:
- - action: Deny
- protocol: ICMP
- - action: Deny
- protocol: ICMPv6
-```
-
-### Allow ICMP ping, all workloads and host endpoints
-
-In this example, workloads and host endpoints can receive **ICMPv4 type 8** and **ICMPv6 type 128** ping requests that come from other workloads and host endpoints.
-
-All other traffic may be allowed by other policies. If traffic is not explicitly allowed, it will be denied by default.
-
-The policy applies only to **ingress** traffic. (Egress traffic is not affected, and default deny is not enforced for egress.)
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-ping-in-cluster
-spec:
- selector: all()
- types:
- - Ingress
- ingress:
- - action: Allow
- protocol: ICMP
- source:
- selector: all()
- icmp:
- type: 8 Ping request
- - action: Allow
- protocol: ICMPv6
- source:
- selector: all()
- icmp:
- type: 128 Ping request
-```
-
-### Allow ICMP matching protocol type and code, all Kubernetes pods
-
-In this example, only Kubernetes pods that match the selector **projectcalico.org/orchestrator == 'kubernetes'** are allowed to receive ICMPv4 **code: 1 host unreachable** messages.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-host-unreachable
-spec:
- selector: projectcalico.org/orchestrator == 'kubernetes'
- types:
- - Ingress
- ingress:
- - action: Allow
- protocol: ICMP
- icmp:
- type: 3 Destination unreachable
- code: 1 Host unreachable
-```
-
-## Additional resources
-
-For more on the ICMP match criteria, see:
-
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
-- [Network policy](../../../reference/resources/networkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/index.mdx
deleted file mode 100644
index 9a038bae5d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Control traffic to and from endpoints using Calico Enterprise network policy rules — selectors, actions, and egress/ingress directions.
-hide_table_of_contents: true
----
-
-# Policy rules
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/namespace-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/namespace-policy.mdx
deleted file mode 100644
index eec4ed1fc3..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/namespace-policy.mdx
+++ /dev/null
@@ -1,89 +0,0 @@
----
-description: Group or separate workloads in Calico Enterprise policy using namespaces and namespace selectors so policies apply only to specified namespaces.
----
-
-# Use namespace rules in policy
-
-## Big picture
-
-Use $[prodname] network policies to reference pods in other namespaces.
-
-## Value
-
-Kubernetes namespaces let you group/separate resources to meet a variety of use cases. For example, you can use namespaces to separate development, production, and QA environments, or allow different teams to use the same cluster. You can use namespace selectors in $[prodname] network policies to allow or deny traffic to/from pods in specific namespaces.
-
-## How to
-
-- [Control traffic to/from endpoints in a namespace](#control-traffic-tofrom-endpoints-in-a-namespace)
-- [Use Kubernetes RBAC to control namespace label assignment](#use-kubernetes-rbac-to-control-namespace-label-assignment)
-
-### Control traffic to/from endpoints in a namespace
-
-In the following example, ingress traffic is allowed to endpoints in the **namespace: production** with label **color: red**, and only from a pod in the same namespace with **color: blue**, on **port 6379**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-tcp-6379
- namespace: production
-spec:
- selector: color == 'red'
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: color == 'blue'
- destination:
- ports:
- - 6379
-```
-
-To allow ingress traffic from endpoints in other namespaces, use a **namespaceSelector** in the policy rule. A namespaceSelector matches one or more namespaces based on the labels that are applied on the namespace. In the following example, ingress traffic is also allowed from endpoints with **color: blue** in namespaces with **shape: circle**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-tcp-6379
- namespace: production
-spec:
- selector: color == 'red'
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: color == 'blue'
- namespaceSelector: shape == 'circle'
- destination:
- ports:
- - 6379
-```
-
-### Use Kubernetes RBAC to control namespace label assignment
-
-Network policies can be applied to endpoints using selectors that match labels on the endpoint, the endpoint's namespace, or the endpoint's service account. By applying selectors based on the endpoint's namespace, you can use Kubernetes RBAC to control which users can assign labels to namespaces. This allows you to separate groups who can deploy pods from those who can assign labels to namespaces.
-
-In the following example, users in the development environment can communicate only with pods that have a namespace labeled, `environment == "development"`.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: restrict-development-access
-spec:
- namespaceSelector: 'environment == "development"'
- ingress:
- - action: Allow
- source:
- namespaceSelector: 'environment == "development"'
- egress:
- - action: Allow
- destination:
- namespaceSelector: 'environment == "development"'
-```
-
-## Additional resources
-
-- For more network policies, see [Network policy](../../../reference/resources/networkpolicy.mdx)
-- To apply policy to all namespaces, see [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/policy-rules-overview.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/policy-rules-overview.mdx
deleted file mode 100644
index b84819c205..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/policy-rules-overview.mdx
+++ /dev/null
@@ -1,22 +0,0 @@
----
-description: How to write policy rules in Calico Enterprise — label selectors, source and destination match criteria, and rule actions.
----
-
-# Basic rules
-
-## Big picture
-
-Use Calico policy rules and label selectors that match Calico endpoints (pods, OpenStack VMs, and host interfaces) to define network connectivity.
-
-## Value
-
-Using label selectors to identify the endpoints (pods, OpenStack VMs, host interfaces) that a policy applies to, or that should be selected by policy rules, means you can define policy without knowing the IP addresses of the endpoints. This is ideal for handling dynamic workloads with ephemeral IPs (such as Kubernetes pods).
-
-## How to
-
-Read [Get started with Calico policy](../calico-network-policy.mdx) and [Kubernetes policy](../../get-started/kubernetes-network-policy.mdx), which cover all the basics of using label selectors in policies to select endpoints the policies apply to, or in policy rules.
-
-## Additional resources
-
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
-- [Network policy](../../../reference/resources/networkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/service-accounts.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/service-accounts.mdx
deleted file mode 100644
index 187b621fa5..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/service-accounts.mdx
+++ /dev/null
@@ -1,116 +0,0 @@
----
-description: Match on Kubernetes service accounts in Calico Enterprise policy rules to validate workload identity and apply RBAC-controlled rules.
----
-
-# Use service accounts rules in policy
-
-## Big picture
-
-Use $[prodname] network policy to allow/deny traffic for Kubernetes service accounts.
-
-## Value
-
-Using $[prodname] network policy, you can leverage Kubernetes service accounts with RBAC for flexible control over how policies are applied in a cluster. For example, the security team can have RBAC permissions to:
-
-- Control which service accounts the developer team can use within a namespace
-- Write high-priority network policies for those service accounts (that the developer team cannot override)
-
-The network security team can maintain full control of security, while selectively allowing developer operations where it makes sense.
-
-## Concepts
-
-### Use smallest set of permissions required
-
-Operations on service accounts are controlled by RBAC, so you can grant permissions only to trusted entities (code and/or people) to create, modify, or delete service accounts. To perform any operation in a workload, clients are required to authenticate with the Kubernetes API server.
-
-If you do not explicitly assign a service account to a pod, it uses the default ServiceAccount in the namespace.
-
-You should not grant broad permissions to the default service account for a namespace. If an application needs access to the Kubernetes API, create separate service accounts with the smallest set of permissions required.
-
-### Service account labels
-
-Like all other Kubernetes objects, service accounts have labels. You can use labels to create ‘groups’ of service accounts. $[prodname] network policy lets you select workloads by their service account using:
-
-- An exact match on service account name
-- A service account label selector expression
-
-## Before you begin...
-
-Configure unique Kubernetes service accounts for your applications.
-
-## How to
-
-- [Limit ingress traffic for workloads by service account name](#limit-ingress-traffic-for-workloads-by-service-account-name)
-- [Limit ingress traffic for workloads by service account label](#limit-ingress-traffic-for-workloads-by-service-account-label)
-- [Use Kubernetes RBAC to control service account label assignment](#use-kubernetes-rbac-to-control-service-account-label-assignment)
-
-### Limit ingress traffic for workloads by service account name
-
-In the following example, ingress traffic is allowed from any workload whose service account matches the names **api-service** or **user-auth-service**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: demo-calico
- namespace: prod-engineering
-spec:
- ingress:
- - action: Allow
- source:
- serviceAccounts:
- names:
- - api-service
- - user-auth-service
- selector: 'app == "db"'
-```
-
-### Limit ingress traffic for workloads by service account label
-
-In the following example, ingress traffic is allowed from any workload whose service account matches the label selector, **app == web-frontend**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-web-frontend
- namespace: prod-engineering
-spec:
- ingress:
- - action: Allow
- source:
- serviceAccounts:
- selector: 'app == "web-frontend"'
- selector: 'app == "db"'
-```
-
-### Use Kubernetes RBAC to control service account label assignment
-
-Network policies can be applied to endpoints using selectors that match labels on the endpoint, the endpoint's namespace, or the endpoint's service account. By applying selectors based on the endpoint's service account, you can use Kubernetes RBAC to control which users can assign labels to service accounts. This allows you to separate groups who can deploy pods from those who can assign labels to service accounts.
-
-In the following example, pods with an intern service account can communicate only with pods with service accounts labeled, `role: intern`.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: restrict-intern-access
- namespace: prod-engineering
-spec:
- serviceAccountSelector: 'role == "intern"'
- ingress:
- - action: Allow
- source:
- serviceAccounts:
- selector: 'role == "intern"'
- egress:
- - action: Allow
- destination:
- serviceAccounts:
- selector: 'role == "intern"'
-```
-
-## Additional resources
-
-- [Network policy](../../../reference/resources/networkpolicy.mdx)
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/service-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/service-policy.mdx
deleted file mode 100644
index 17d27f47df..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/policy-rules/service-policy.mdx
+++ /dev/null
@@ -1,119 +0,0 @@
----
-description: Match on Kubernetes Service names in Calico Enterprise policy rules instead of specific pod selectors.
----
-
-# Use service rules in policy
-
-## Big picture
-
-Use $[prodname] network policy to allow/deny traffic for Kubernetes services.
-
-## Value
-
-Using $[prodname] network policy, you can leverage Kubernetes Service names to easily define access to Kubernetes services. Using service names in policy enables you to:
-
-- Allow or deny access to the Kubernetes API service.
-- Reference port information already declared by the application, making it easier to keep policy up-to-date as application requirements change.
-
-## How to
-
-- [Allow access to the Kubernetes API for a specific namespace](#allow-access-to-the-kubernetes-api-for-a-specific-namespace)
-- [Allow access to Kubernetes DNS for the entire cluster](#allow-access-to-kubernetes-dns-for-the-entire-cluster)
-- [Allow access from a specified service](#allow-access-from-a-specified-service)
-
-### Allow access to the Kubernetes API for a specific namespace
-
-In the following example, egress traffic is allowed to the `kubernetes` service in the `default` namespace for all pods in the namespace `my-app`. This service is the typical
-access point for the Kubernetes API server.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-api-access
- namespace: my-app
-spec:
- selector: all()
- egress:
- - action: Allow
- destination:
- services:
- name: kubernetes
- namespace: default
-```
-
-Endpoint addresses and ports to allow will be automatically detected from the service.
-
-### Allow access to Kubernetes DNS for the entire cluster
-
-In the following example, a GlobalNetworkPolicy is used to select all pods in the cluster to apply a rule which ensures
-all pods can access the Kubernetes DNS service.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-kube-dns
-spec:
- selector: all()
- egress:
- - action: Allow
- destination:
- services:
- name: kube-dns
- namespace: kube-system
-```
-
-:::note
-
-This policy also enacts a default-deny behavior for all pods, so make sure any other required application traffic is allowed by a policy.
-
-:::
-
-## Allow access from a specified service
-
-In the following example, ingress traffic is allowed from the `frontend-service` service in the `frontend` namespace for all pods in the namespace `backend`.
-This allows all pods that back the `frontend-service` service to send traffic to all pods in the `backend` namespace.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-frontend-service-access
- namespace: backend
-spec:
- selector: all()
- ingress:
- - action: Allow
- source:
- services:
- name: frontend-service
- namespace: frontend
-```
-
-We can also further specify the ports that the `frontend-service` service is allowed to access. The following example limits access from the `frontend-service`
-service to port 80.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-frontend-service-access
- namespace: backend
-spec:
- selector: all()
- ingress:
- - action: Allow
- protocol: TCP
- source:
- services:
- name: frontend-service
- namespace: frontend
- destination:
- ports: [80]
-```
-
-## Additional resources
-
-- [Network policy](../../../reference/resources/networkpolicy.mdx)
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/index.mdx
deleted file mode 100644
index a5ca4e1dd7..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Apply Calico Enterprise policy to Kubernetes Services — node ports, ClusterIPs, and externally exposed services.
-hide_table_of_contents: true
----
-
-# Policy for Kubernetes services
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/kubernetes-node-ports.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/kubernetes-node-ports.mdx
deleted file mode 100644
index aa443dd632..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/kubernetes-node-ports.mdx
+++ /dev/null
@@ -1,135 +0,0 @@
----
-description: Restrict access to Kubernetes NodePort services using a Calico Enterprise GlobalNetworkPolicy at the host endpoint.
----
-
-# Apply Calico Enterprise policy to Kubernetes node ports
-
-## Big picture
-
-Restrict access to node ports to specific external clients.
-
-## Value
-
-Exposing services to external clients using node ports is a standard Kubernetes feature. However, if you want to restrict access to node ports to specific external clients, you need to use Calico global network policy.
-
-## Concepts
-
-### Network policy with preDNAT field
-
-In a Kubernetes cluster, kube-proxy will DNAT a request to the node's port and IP address to one of the pods that backs the service. For Calico global network policy to both allow normal ingress cluster traffic and deny other general ingress traffic, it must take effect before DNAT. To do this, you simply add a **preDNAT** field to a Calico global network policy. The preDNAT field:
-
-- Applies before DNAT
-- Applies only to ingress rules
-- Enforces all ingress traffic through a host endpoint, regardless of destination
- The destination can be a locally hosted pod, a pod on another node, or a process running on the host.
-
-## Before you begin...
-
-For services that you want to expose to external clients, configure Kubernetes services with type **NodePort**.
-
-## How to
-
-To securely expose a Kubernetes service to external clients, you must implement all of the following steps.
-
-- [Allow cluster ingress traffic, but deny general ingress traffic](#allow-cluster-ingress-traffic-but-deny-general-ingress-traffic)
-- [Allow local host egress traffic](#allow-local-host-egress-traffic)
-- [Create host endpoints with appropriate network policy](#create-host-endpoints-with-appropriate-network-policy)
-- [Allow ingress traffic to specific node ports](#allow-ingress-traffic-to-specific-node-ports)
-
-### Allow cluster ingress traffic but deny general ingress traffic
-
-In the following example, we create a global network policy to allow cluster ingress traffic (**allow-cluster-internal-ingress**): for the nodes’ IP addresses (**1.2.3.4/16**), and for pod IP addresses assigned by Kubernetes (**100.100.100.0/16**). By adding a preDNAT field, Calico global network policy is applied before regular DNAT on the Kubernetes cluster.
-
-In this example, we use the **selector: has(kubernetes-host)** -- so the policy is applicable to any endpoint with a **kubernetes-host** label (but you can easily specify particular nodes).
-
-Finally, when you specify a preDNAT field, you must also add the **applyOnForward: true** field.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-cluster-internal-ingress-only
-spec:
- order: 20
- preDNAT: true
- applyOnForward: true
- ingress:
- - action: Allow
- source:
- nets: [1.2.3.4/16, 100.100.100.0/16]
- - action: Deny
- selector: has(kubernetes-host)
-```
-
-### Allow local host egress traffic
-
-We also need a global network policy to allow egress traffic through each node's external interface. Otherwise, when we define host endpoints for those interfaces, no egress traffic will be allowed from local processes (except for traffic that is allowed by the [Failsafe rules](../../../reference/host-endpoints/failsafe.mdx).
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-outbound-external
-spec:
- order: 10
- egress:
- - action: Allow
- selector: has(kubernetes-host)
-```
-
-### Create host endpoints with appropriate network policy
-
-In this example, we assume that you have already defined Calico host endpoints with network policy that is appropriate for the cluster. (For example, you wouldn’t want a host endpoint with a “default deny all traffic to/from this host” network policy because that is counter to the goal of allowing/denying specific traffic.) For help, see [host endpoints](../../../reference/resources/hostendpoint.mdx).
-
-All of our previously-defined global network policies have a selector that makes them applicable to any endpoint with a **kubernetes-host label**; so we will include that label in our definitions. For example, for **eth0** on **node1**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: HostEndpoint
-metadata:
- name: node1-eth0
- labels:
- kubernetes-host: ingress
-spec:
- interfaceName: eth0
- node: node1
- expectedIPs:
- - INSERT_IP_HERE
-```
-
-When creating each host endpoint, replace `INSERT_IP_HERE` with the IP address on eth0. The `expectedIPs` field is required so that any selectors within ingress or egress rules can properly match the host endpoint.
-
-### Allow ingress traffic to specific node ports
-
-Now we can allow external access to the node ports by creating a global network policy with the preDNAT field. In this example, **ingress traffic is allowed** for any host endpoint with **port: 31852**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-nodeport
-spec:
- preDNAT: true
- applyOnForward: true
- order: 10
- ingress:
- - action: Allow
- protocol: TCP
- destination:
- selector: has(kubernetes-host)
- ports: [31852]
- selector: has(kubernetes-host)
-```
-
-To make the NodePort accessible only through particular nodes, give the nodes a particular label. For example:
-
-```yaml
-nodeport-external-ingress: true
-```
-
-Then, use **nodeport-external-ingress: true** as the selector of the **allow-nodeport** policy, instead of **has(kubernetes-host)**.
-
-## Additional resources
-
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
-- [Host endpoints](../../../reference/resources/hostendpoint.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/services-cluster-ips.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/services-cluster-ips.mdx
deleted file mode 100644
index 48ac7bf894..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/services/services-cluster-ips.mdx
+++ /dev/null
@@ -1,193 +0,0 @@
----
-description: Expose Kubernetes Service ClusterIPs over BGP using Calico Enterprise and restrict who can reach them with network policy.
----
-
-# Apply Calico Enterprise policy to services exposed externally as cluster IPs
-
-## Big picture
-
-Control access to services exposed through clusterIPs that are advertised outside the cluster using BGP.
-
-## Value
-
-$[prodname] network policy uses standard Kubernetes Services that allow you to expose services within clusters to external clients in the following ways:
-
-- [Apply policy to Kubernetes nodeports](kubernetes-node-ports.mdx)
-- Using cluster IPs over BGP (described in this article)
-
-## Concepts
-
-### Advertise cluster IPs outside the cluster
-
-A **cluster IP** is a virtual IP address that represents a Kubernetes Service. Kube Proxy on each host translates the clusterIP into a pod IP for one of the pods backing the service, acting as a reverse proxy and load balancer.
-
-Cluster IPs were originally designed for use within the Kubernetes cluster. $[prodname] allows you to advertise Cluster IPs externally -- so external clients can use them to access services hosted inside the cluster. This means that $[prodname] ingress policy can be applied at **one or both** of the following locations:
-
-- Host interface, when the traffic destined for the clusterIP first ingresses the cluster
-- Pod interface of the backend pod
-
-### Traffic routing: local versus cluster modes
-
-$[prodname] implements [Kubernetes service external traffic policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip), which controls whether external traffic is routed to node-local or cluster-wide endpoints. The following table summarizes key differences between these settings. The default is **cluster mode**.
-
-| **Service setting** | **Traffic is load balanced...** | **Pros and cons** | **Required service type** |
-| ------------------------------------------- | --------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
-| **externalTrafficPolicy: Cluster**(default) | Across all nodes in the cluster | Equal distribution of traffic among all pods running a service.
Possible unnecessary network hops between nodes for ingress external traffic.When packets are rerouted to pods on another node, traffic is SNAT’d (source network address translation).
Destination pod can see the proxying node’s IP address rather than the actual client IP. | **ClusterIP** |
-| **externalTrafficPolicy: Local** | Across the nodes with the endpoints for the service | Avoids extra hops so better for apps that ingress a lot external traffic.
Traffic is not SNAT’d so actual client IPs are preserved.
Traffic distributed among pods running a service may be imbalanced. | **LoadBalancer** (for cloud providers), or **NodePort** (for node’s static port) |
-
-## Before you begin...
-
-[Configure Calico to advertise cluster IPs over BGP](../../../networking/configuring/advertise-service-ips.mdx).
-
-## How to
-
-Selecting which mode to use depends on your goals and resources. At an operational level, **local mode** simplifies policy, but load balancing may be uneven in certain scenarios. **Cluster mode** requires more work to manage clusterIPs, SNAT, and create policies that reference specific IP addresses, but you always get even load balancing.
-
-- [Secure externally exposed cluster IPs, local mode](#secure-externally-exposed-cluster-ips-local-mode)
-- [Secure externally exposed cluster IPs, cluster mode](#secure-externally-exposed-cluster-ips-cluster-mode)
-
-### Secure externally exposed cluster IPs, local mode
-
-Using **local mode**, the original source address of external traffic is preserved, and you can define policy directly using standard $[prodname] network policy.
-
-1. Create $[prodname] **NetworkPolicies** or **GlobalNetworkPolicies** that select the same set of pods as your Kubernetes Service.
-1. Add rules to allow the external traffic.
-1. If desired, add rules to allow in-cluster traffic.
-
-### Secure externally exposed cluster IPs, cluster mode
-
-In the following steps, we define **GlobalNetworkPolicy** and **HostEndpoints**.
-
-#### Step 1: Verify Kubernetes Service manifest
-
-Ensure that your Kubernetes Service manifest explicitly lists the clusterIP; do not allow Kubernetes to automatically assign the clusterIP because you need it for your policies in the following steps.
-
-#### Step 2: Create global network policy at the host interface
-
-In this step, you create a **GlobalNetworkPolicy** that selects all **host endpoints**. It controls access to the cluster IP, and prevents unauthorized clients from outside the cluster from accessing it. The hosts then forwards only authorized traffic.
-
-**Set policy to allow external traffic for cluster IPs**
-
-Add rules to allow the external traffic for each clusterIP. The following example allows connections to two cluster IPs. Make sure you add **applyOnForward** and **preDNAT** rules.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-cluster-ips
-spec:
- selector: k8s-role == 'node'
- types:
- - Ingress
- applyOnForward: true
- preDNAT: true
- ingress:
- # Allow 50.60.0.0/16 to access Cluster IP A
- - action: Allow
- source:
- nets:
- - 50.60.0.0/16
- destination:
- nets:
- - 10.20.30.40/32 Cluster IP A
- # Allow 70.80.90.0/24 to access Cluster IP B
- - action: Allow
- source:
- nets:
- - 70.80.90.0/24
- destination:
- nets:
- - 10.20.30.41/32 Cluster IP B
-```
-
-**Add a rule to allow traffic destined for the pod CIDR**
-
-Without this rule, normal pod-to-pod traffic is blocked because the policy applies to forwarded traffic.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-to-pods
-spec:
- selector: k8s-role == 'node'
- types:
- - Ingress
- applyOnForward: true
- preDNAT: true
- ingress:
- # Allow traffic forwarded to pods
- - action: Allow
- destination:
- nets:
- - 192.168.0.0/16 Pod CIDR
-```
-
-**Add a rule to allow traffic destined for all host endpoints**
-
-Or, you can add rules that allow specific host traffic including Kubernetes and $[prodname]. Without this rule, normal host traffic is blocked.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-traffic-hostendpoints
-spec:
- selector: k8s-role == 'node'
- types:
- - Ingress
- # Allow traffic to the node (not nodePorts, TCP) (not nodePorts, TCP)
- - action: Allow
- protocol: TCP
- destination:
- selector: k8s-role == 'node'
- notPorts: ["30000:32767"] #nodePort range
- # Allow traffic to the node (not nodePorts, TCP) (not nodePorts, UDP)
- - action: Allow
- protocol: UDP
- destination:
- selector: k8s-role == 'node'
- notPorts: ["30000:32767"] #nodePort range
-```
-
-#### Step 3: Create a global network policy that selects pods
-
-In this step, you create a **GlobalNetworkPolicy** that selects the **same set of pods as your Kubernetes Service**. Add rules that allow host endpoints to access the service ports.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-nodes-svc-a
-spec:
- selector: k8s-svc == 'svc-a'
- types:
- - Ingress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: k8s-role == 'node'
- destination:
- ports: [80, 443]
- - action: Allow
- protocol: UDP
- source:
- selector: k8s-role == 'node'
- destination:
- ports: [80, 443]
-```
-
-#### Step 4: (Optional) Create network polices or global network policies that allow in-cluster traffic to access the service
-
-#### Step 5: Create HostEndpoints
-
-Create HostEndpoints for the interface of each host that will receive traffic for the clusterIPs. Be sure to label them so they are selected by the policy in Step 2 (Add a rule to allow traffic destined for the pod CIDR), and the rules in Step 3.
-
-In the previous example policies, the label **k8s-role: node** is used to identify these HostEndpoints.
-
-## Additional resources
-
-- [Enable service IP advertisement](../../../networking/configuring/advertise-service-ips.mdx)
-- [Defend against DoS attacks](../../extreme-traffic/defend-dos-attack.mdx)
-- [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/simple-policy-cnx.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/simple-policy-cnx.mdx
deleted file mode 100644
index c8581977f2..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/beginners/simple-policy-cnx.mdx
+++ /dev/null
@@ -1,329 +0,0 @@
----
-description: Tour of the additional features Calico Enterprise adds to Kubernetes policy that make it suitable for production environments.
----
-
-# Calico Enterprise for Kubernetes demo
-
-This guide is a variation of the [simple policy demo](../get-started/kubernetes-policy-basic.mdx) intended to introduce the extra features of $[prodname] to people already familiar with Project Calico for Kubernetes.
-
-It requires a Kubernetes cluster configured with Calico networking and $[prodname], and expects that you have `kubectl` configured to interact with the cluster.
-
-You can quickly and easily obtain such a cluster by following one of the
-[installation guides](../../getting-started/install-on-clusters/kubernetes/index.mdx),
-or by [upgrading an existing cluster](../../getting-started/upgrading/upgrading-calico-to-calico-enterprise/upgrade-to-tsee/index.mdx).
-
-The key steps in moving to $[prodname] are to change to the $[prodname] version of calico-node, update its configuration, download [calicoq](../../reference/clis/calicoq/index.mdx) and deploy Prometheus.
-
-This guide assumes that you have installed all the $[prodname] components from the
-guides above and that your cluster consists of the following nodes:
-
-- k8s-node1
-- k8s-node2
-- k8s-master
-
-Where you see references to these in the text below, substitute for your actual node names. You can find what nodes are on your cluster with `kubectl get nodes`
-
-## Configure Namespaces
-
-This guide will deploy pods in a Kubernetes namespace. Let's create the `Namespace` object for this guide.
-
-```
-kubectl create ns policy-demo
-```
-
-## Create demo pods
-
-We'll use Kubernetes `Deployment` objects to easily create pods in the namespace.
-
-1. Create some nginx pods in the `policy-demo` namespace.
-
- ```shell
- kubectl create deployment --namespace=policy-demo nginx --image=nginx
- ```
-
-1. Expose them through a service.
-
- ```shell
- kubectl expose --namespace=policy-demo deployment nginx --port=80
- ```
-
-1. Ensure the nginx service is accessible.
-
- ```shell
- kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
- ```
-
- This should open up a shell session inside the `access` pod, as shown below.
-
- ```
- Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
-
- If you don't see a command prompt, try pressing enter.
-
- / #
- ```
-
-1. From inside the `access` pod, attempt to reach the `nginx` service.
-
- ```shell
- wget -q nginx -O -
- ```
-
- You should see a response from `nginx`. Great! Our service is accessible. You can exit the pod now.
-
-1. Inspect the network policies using calicoq. The `host` command displays
- information about the policies for endpoints on a given host.
-
- :::note
-
- calicoq complements calicoctl by inspecting the
- dynamic aspects of $[prodname] Policy: in particular displaying the endpoints actually affected by policies,
- and the policies that actually apply to endpoints.
- The full calicoq documentation is [here](../../reference/clis/calicoq/index.mdx).
-
- :::
-
- ```
- DATASTORE_TYPE=kubernetes calicoq host k8s-node1
- ```
-
- You should see the following output.
-
- ```
- Policies and profiles for each endpoint on host "k8s-node1":
-
- Workload endpoint k8s/tigera-prometheus.alertmanager-calico-node-alertmanager-0/eth0
- Policies:
- Policy "tigera-prometheus/knp.default.calico-node-alertmanager" (order 1000; selector "(projectcalico.org/orchestrator == 'k8s' && alertmanager == 'calico-node-alertmanager' && app == 'alertmanager') && projectcalico.org/namespace == 'tigera-prometheus'")
- Policy "tigera-prometheus/knp.default.calico-node-alertmanager-mesh" (order 1000; selector "(projectcalico.org/orchestrator == 'k8s' && alertmanager == 'calico-node-alertmanager' && app == 'alertmanager') && projectcalico.org/namespace == 'tigera-prometheus'")
- Policy "tigera-prometheus/knp.default.default-deny" (order 1000; selector "(projectcalico.org/orchestrator == 'k8s') && projectcalico.org/namespace == 'tigera-prometheus'")
- Profiles:
- Profile "kns.tigera-prometheus"
- Rule matches:
- Policy "tigera-prometheus/knp.default.calico-node-alertmanager-mesh" inbound rule 1 source match; selector "(projectcalico.org/namespace == 'tigera-prometheus') && (projectcalico.org/orchestrator == 'k8s' && app in { 'alertmanager' } && alertmanager in { 'calico-node-alertmanager' })"
-
- ...
-
- Workload endpoint k8s/policy-demo.nginx-8586cf59-5bxvh/eth0
- Policies:
- Profiles:
- Profile "kns.policy-demo"
- ```
-
- For each workload endpoint, the `Policies:` section lists the policies that
- apply to that endpoint, in the order they apply. calicoq displays both
- $[prodname] Policies and Kubernetes NetworkPolicies, although this
- example focuses on the latter. The `Rule matches:` section lists the
- policies that match that endpoint in their rules, in other words that have
- rules that deny or allow that endpoint as a packet source or destination.
-
- Focusing on the
- `k8s/tigera-prometheus.alertmanager-calico-node-alertmanager-0/eth0` endpoint:
-
- - The first two policies are defined in the monitor-calico.yaml manifest.
- The selectors here have been translated from the original NetworkPolicies to
- the $[prodname] format (note the addition of the namespace test).
-
- - The third policy and the following profile are created automatically by the
- policy controller.
-
-1. Use kubectl to see the detail of any particular policy or profile. For
- example, for the `kns.policy-demo` profile, which defines default behavior for
- pods in the `policy-demo` namespace:
-
- ```shell
- kubectl get profile kns.policy-demo -o yaml
- ```
-
- You should see the following output.
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: Profile
- metadata:
- creationTimestamp: '2022-01-06T21:32:05Z'
- name: kns.policy-demo
- resourceVersion: 435026/
- uid: 75dd2ed4-d3a6-41ca-a106-db073bfa946a
- spec:
- egress:
- - action: Allow
- destination: {}
- source: {}
- ingress:
- - action: Allow
- destination: {}
- source: {}
- labelsToApply:
- pcns.projectcalico.org/name: policy-demo
- ```
-
- Alternatively, you may also use the $[prodname] web console to inspect and view information and metrics associated with policies, endpoints, and nodes.
-
-## Enable isolation
-
-Let's turn on isolation in our policy-demo namespace. $[prodname] will then prevent connections to pods in this namespace.
-
-Running the following command creates a NetworkPolicy which implements a default deny behavior for all pods in the `policy-demo` namespace.
-
-```shell
-kubectl create -f - <
-
-### Workload and host endpoints
-
-Policy with domain names can be enforced on workload or host endpoints. When a policy with domain names applies to a workload endpoint, it
-allows that workload to connect out to the specified domains. When policy with domain names applies to a host endpoint, it allows clients
-directly on the relevant host (including any host-networked workloads) to connect out to the specified domains.
-
-### Trusted DNS servers
-
-$[prodname] trusts DNS information only from its list of DNS trusted servers. Using trusted DNS servers to back domain names in
-policy, prevents a malicious workload from using IPs returned by a fake DNS server to hijack domain names in policy rules.
-
-By default, $[prodname] trusts the Kubernetes cluster’s DNS service (kube-dns or CoreDNS). For workload endpoints, these
-out-of-the-box defaults work with standard Kubernetes installs, so normally you won’t change them. For host endpoints you will need to add
-the IP addresses that the cluster nodes use for DNS resolution.
-
-## Before you begin
-
-**Not supported**
-
-DNS policy is not supported at egress of egress gateway pods. Domain-based rules will either never match in
-that hook, or, they may match intermittently. Intermittent matches occur when a pod on the same node as the
-egress gateway pod happens to make a matching DNS query. This is because the DNS-to-IP cache used to render
-the policy is shared node-wide.
-
-## How to
-
-You can specify allowed domain names directly in a **global network policy** or **namespaced network policy**, or specify domain names in a **global network set** (and then
-reference the global network set in a global network policy).
-
-- [Use domain names in a global network policy](#use-domain-names-in-a-global-network-policy)
-- [Use domain names in a namespaced network policy](#use-domain-names-in-a-namespaced-network-policy)
-- [Use domain names in a global network set, reference the set in a global network policy](#use-domain-names-in-a-global-network-set)
-
-### Best practice
-
-Use a **global network set** when the same set of domains needs to be referenced in multiple policies, or when you want the allowed
-destinations to be a mix of domains and IPs from global network sets, or IPs from workload endpoints and host endpoints. By using a single
-destination selector in a global network set, you can potentially match all of these resources.
-
-### Use domain names in a global network policy
-
-In this method, you create a **GlobalNetworkPolicy** with egress rules with `action: Allow` and a `destination.domains` field specifying the
-domain names to which egress traffic is allowed.
-
-In the following example, the first rule allows DNS traffic, and the second rule allows connections outside the cluster to domains
-**api.alice.com** and **\*.example.com** (which means `.example.com`, such as **bob.example.com**).
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-egress-to-domains
-spec:
- order: 1
- selector: my-pod-label == 'my-value'
- types:
- - Egress
- egress:
- - action: Allow
- protocol: UDP
- destination:
- ports:
- - 53
- - dns
- - action: Allow
- destination:
- domains:
- - api.alice.com
- - '*.example.com'
-```
-
-### Use domain names in a namespaced network policy
-
-In this method, you create a **NetworkPolicy** with egress rules with `action: Allow` and a `destination.domains` field specifying the
-domain names to which egress traffic is allowed.
-
-In the following example, the first rule allows DNS traffic, and the second rule allows connections outside the cluster to domains
-**api.alice.com** and **\*.example.com** (which means `.example.com`, such as **bob.example.com**).
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-egress-to-domains
- namespace: rollout-test
-spec:
- order: 1
- selector: my-pod-label == 'my-value'
- types:
- - Egress
- egress:
- - action: Allow
- protocol: UDP
- destination:
- ports:
- - 53
- - dns
- - action: Allow
- destination:
- domains:
- - api.alice.com
- - '*.example.com'
-```
-
-The difference between this and the **GlobalNetworkPolicy** example is that this namespaced NetworkPolicy can only grant egress access, to the specified domains, to workload endpoints in the `rollout-test` namespace.
-
-### Use domain names in a global network set
-
-In this method, you create a **GlobalNetworkSet** with the allowed destination domain names in the `allowedEgressDomains` field. Then,
-you create a **GlobalNetworkPolicy** with a `destination.selector` that matches that GlobalNetworkSet.
-
-In the following example, the allowed egress domains (`api.alice.com` and `*.example.com`) are specified in the GlobalNetworkSet.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkSet
-metadata:
- name: allowed-domains-1
- labels:
- color: red
-spec:
- allowedEgressDomains:
- - api.alice.com
- - '*.example.com'
-```
-
-Then, you reference the global network set in a **GlobalNetworkPolicy** using a destination label selector.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-egress-to-domain
-spec:
- order: 1
- selector: my-pod-label == 'my-value'
- types:
- - Egress
- egress:
- - action: Allow
- destination:
- selector: color == 'red'
-```
-
-### Use domain names in a network set
-
-In this method, you create a **NetworkSet** with the allowed destination domain names in the `allowedEgressDomains` field. Then,
-you create a **NetworkPolicy** with a `destination.selector` that matches that NetworkSet.
-
-In the following example, the allowed egress domains (`api.alice.com` and `*.example.com`) are specified in the NetworkSet.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkSet
-metadata:
- name: allowed-domains-1
- namespace: rollout-test
- labels:
- color: red
-spec:
- allowedEgressDomains:
- - api.alice.com
- - '*.example.com'
-```
-
-Then, you reference the network set in a **NetworkPolicy** using a destination label selector.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: allow-egress-to-domain
- namespace: rollout-test
-spec:
- order: 1
- selector: my-pod-label == 'my-value'
- types:
- - Egress
- egress:
- - action: Allow
- destination:
- selector: color == 'red'
-```
-
-### Tuning performance and latency
-
-$[prodname] supports different DNS policy modes with different performance and latency implications.
-The default mode for the iptables and nftables data planes is `DelayDeniedPacket`.
-The eBPF data plane defaults to `Inline` on kernels 5.17 (or RedHat 5.14) and newer and to `NoDelay` on older kernels.
-The Windows data plane support only `NoDelay` mode.
-
-With `NoDelay` mode, new pods sometimes fail to connect to domains that are allowed by a DNS policy.
-In these cases, the pod tries to connect to a domain before $[prodname] has finished processing the DNS policy that allows the connection.
-As soon as the processing is complete, the pod is able to connect.
-
-For more information, see [DNSPolicyMode](../reference/resources/felixconfig#dnspolicymode) and [BPFDNSPolicyMode](../reference/resources/felixconfig#bpfdnspolicymode).
-
-## Additional resources
-
-To change the default DNS trusted servers, use the [DNSTrustedServers parameter](../reference/component-resources/node/felix/configuration.mdx).
-
-For more detail about the relevant resources, see
-[GlobalNetworkSet](../reference/resources/globalnetworkset.mdx),
-[GlobalNetworkPolicy](../reference/resources/globalnetworkpolicy.mdx),
-[NetworkPolicy](../reference/resources/networkpolicy.mdx)
-and
-[NetworkSet](../reference/resources/networkset.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/defend-dos-attack.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/defend-dos-attack.mdx
deleted file mode 100644
index 87ad25693b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/defend-dos-attack.mdx
+++ /dev/null
@@ -1,107 +0,0 @@
----
-description: Define DoS mitigation rules in Calico Enterprise policy that drop connections at the eBPF or XDP layer, with hardware offload when available.
----
-
-# Defend against DoS attacks
-
-## Big picture
-
-Calico automatically enforces specific types of deny-list policies at the earliest possible point in the packet processing pipeline, including offloading to NIC hardware whenever possible.
-
-## Value
-
-During a DoS attack, a cluster can receive massive numbers of connection requests from attackers. The faster these connection requests are dropped, the less flooding and overloading to your hosts. When you define DoS mitigation rules in Calico network policy, Calico enforces the rules as efficiently as possible to minimize the impact.
-
-## Concepts
-
-### Earliest packet processing
-
-The earliest point in the packet processing pipeline that packets can be dropped, depends on the Linux kernel version and the capabilities of the NIC driver and NIC hardware. Calico automatically uses the fastest available option.
-
-| Processed by... | Used by Calico if... | Performance |
-| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
-| NIC hardware | The NIC supports **XDP offload** mode. | Fastest |
-| NIC driver | The NIC driver supports **XDP native** mode. | Faster |
-| Kernel | The kernel supports **XDP generic mode** and Calico is configured to explicitly use it. This mode is rarely used and has no performance benefits over iptables raw mode below. To enable, see [Felix Configuration](../../reference/resources/felixconfig.mdx). | Fast |
-| Kernel | If none of the modes above are available, **iptables raw** mode is used. | Fast |
-
-:::note
-
-XDP modes require Linux kernel v4.16 or later.
-
-:::
-
-## How to
-
-The high-level steps to defend against a DoS attack are:
-
-- [Step 1: Create host endpoints](#step-1-create-host-endpoints)
-- [Step 2: Add CIDRs to deny-list in a global network set](#step-2-add-cidrs-to-deny-list-in-a-global-network-set)
-- [Step 3: Create deny incoming traffic global network policy](#step-3-create-deny-incoming-traffic-global-network-policy)
-
-### Best practice
-
-The following steps walk through the above required steps, assuming no prior configuration is in place. A best practice is to proactively do these steps before an attack (create the host endpoints, network policy, and global network set). In the event of a DoS attack, you can quickly respond by just adding the CIDRs that you want to deny-list to the global network set.
-
-### Step 1: Create host endpoints
-
-First, you create the HostEndpoints corresponding to the network interfaces where you want to enforce DoS mitigation rules. In the following example, the HostEndpoint secures the interface named **eth0** with IP **10.0.0.1** on node **jasper**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: HostEndpoint
-metadata:
- name: production-host
- labels:
- apply-dos-mitigation: 'true'
-spec:
- interfaceName: eth0
- node: jasper
- expectedIPs: ['10.0.0.1']
-```
-
-### Step 2: Add CIDRs to deny-list in a global network set
-
-Next, you create a Calico **GlobalNetworkset**, adding the CIDRs that you want to deny-list. In the following example, the global network set deny-lists the CIDR ranges **1.2.3.4/32** and **5.6.0.0/16**:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkSet
-metadata:
- name: dos-mitigation
- labels:
- dos-deny-list: 'true'
-spec:
- nets:
- - '1.2.3.4/32'
- - '5.6.0.0/16'
-```
-
-### Step 3: Create deny incoming traffic global network policy
-
-Finally, create a Calico GlobalNetworkPolicy adding the GlobalNetworkSet label (**dos-deny-list** in the previous step) as a selector to deny ingress traffic. To more quickly enforce the denial of forwarded traffic to the host at the packet level, use the **doNotTrack** and **applyOnForward** options.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: dos-mitigation
-spec:
- selector: apply-dos-mitigation == 'true'
- doNotTrack: true
- applyOnForward: true
- types:
- - Ingress
- ingress:
- - action: Deny
- source:
- selector: dos-deny-list == 'true'
-```
-
-## Additional resources
-
-- [Global network sets](../../reference/resources/globalnetworkset.mdx)
-- [Global network policy](../../reference/resources/globalnetworkpolicy.mdx)
-- [Create a host endpoint](../../reference/resources/hostendpoint.mdx)
-- [Introduction to XDP](https://www.iovisor.org/technology/xdp)
-- [Advanced XDP documentation](https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/index.html)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/high-connection-workloads.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/high-connection-workloads.mdx
deleted file mode 100644
index ed32757a24..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/high-connection-workloads.mdx
+++ /dev/null
@@ -1,89 +0,0 @@
----
-description: Bypass Linux conntrack with a Calico Enterprise policy rule for workloads that handle an extreme number of concurrent connections.
----
-
-# Enable extreme high-connection workloads
-
-## Big picture
-
-Use a $[prodname] network policy rule to bypass Linux conntrack for traffic to workloads that experience extremely large number of connections.
-
-## Value
-
-When the number of connections on a node exceeds the number of connections that Linux conntrack can track, connections can be rejected or dropped. $[prodname] network policy can be used to selectively bypass Linux conntrack for traffic to/from these types of workloads.
-
-## Concepts
-
-### Linux conntrack
-
-Connection tracking (“conntrack”) is a core feature of the Linux kernel’s networking stack. It allows the kernel to keep track of all logical network connections or flows, and thereby identify all of the packets that make up each flow so they can be handled consistently together. Conntrack is an essential part of the mainline Linux network processing pipeline, normally improving performance, and enabling NAT and stateful access control.
-
-### Extreme high-connection workloads
-
-Some niche workloads handling extremely high number of simultaneous connections, or very high rate of short lived connections, can exceed the maximum number of connections Linux conntrack is able to track. One real world example of such a workload is an extreme scale memcached server handling 50k+ connections per second.
-
-### $[prodname] doNotTrack network policy
-
-The $[prodname] global network policy option, **doNotTrack**, indicates to apply the rules in the policy before connection tracking, and that packets allowed by these rules should not be tracked. The policy is applied early in the Linux packet processing pipeline, before any regular network policy rules, and independent of the policy order field.
-
-Unlike normal network policy rules, doNotTrack network policy rules are stateless, meaning you must explicitly specify rules to allow return traffic that would normally be automatically allowed by conntrack. For example, for a server on port 999, the policy must include an ingress rule allowing inbound traffic to port 999, and an egress rule to allow outbound traffic from port 999.
-
-In a doNotTrack policy:
-
-- Ingress rules apply to all incoming traffic through a host endpoint, regardless of where the traffic is going
-- Egress rules apply only to traffic that is sent from the host endpoint (not a local workload)
-
-Finally, you must add an **applyOnForward: true expression** for a **doNotTrack policy** to work.
-
-## Before you begin...
-
-Before creating a **doNotTrack** network policy, read this [blog](https://www.tigera.io/blog/when-linux-conntrack-is-no-longer-your-friend/) to understand use cases, benefits, and trade offs.
-
-## How to
-
-### Bypass connection traffic for high connection server
-
-In the following example, a memcached server pod with **hostNetwork: true** was scheduled on the node memcached-node-1. We create a HostEndpoint for the node. Next, we create a GlobalNetwork Policy with symmetrical rules for ingress and egress with doNotTrack and applyOnForward set to true.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: HostEndpoint
-metadata:
- name: memcached-node-1-eth0
- labels:
- memcached: server
-spec:
- interfaceName: eth0
- node: memcached-node-1
- expectedIPs:
- - 10.128.0.162
----
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: memcached-server
-spec:
- selector: memcached == 'server'
- applyOnForward: true
- doNotTrack: true
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: memcached == 'client'
- destination:
- ports:
- - 12211
- egress:
- - action: Allow
- protocol: TCP
- source:
- ports:
- - 12211
- destination:
- selector: memcached == 'client'
-```
-
-## Additional resources
-
-[Global network policy](../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/index.mdx
deleted file mode 100644
index d41e41533a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/extreme-traffic/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Apply Calico Enterprise network policy early in the Linux packet-processing pipeline to handle DoS, high-connection, and other extreme traffic scenarios.
-hide_table_of_contents: true
----
-
-# Policy for extreme traffic
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-egress.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-egress.mdx
deleted file mode 100644
index d124802ac0..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-egress.mdx
+++ /dev/null
@@ -1,103 +0,0 @@
----
-description: Why egress traffic from Kubernetes workloads matters and how to restrict it with Calico Enterprise policy.
----
-
-# Kubernetes egress
-
-:::note
-
-This guide provides educational material that is not specific to $[prodname].
-
-:::
-
-In this guide you will learn:
-
-- What is Kubernetes egress?
-- Why should you restrict egress traffic and how can you do it?
-- What is "NAT outgoing" and when is it used?
-- What is an egress gateway, and why might you want to use one?
-
-## What is Kubernetes egress?
-
-In this guide we are using the term Kubernetes egress to describe connections being made from pods to anything outside of the cluster.
-
-In contrast to ingress traffic, where Kubernetes has the [Ingress](about-kubernetes-ingress.mdx)
-resource type to help manage the traffic, there is no Kubernetes Egress resource. Instead, how the egress traffic is
-handled at a networking level is determined by the Kubernetes network implementation / CNI plugin being used by the
-cluster. In addition, if a service mesh is being used, this can add egress behaviors on top of those the
-network implementation provides.
-
-There are three areas of behavior worth understanding for egress traffic, so you can choose a networking and/or service
-mesh setup that best suits your needs:
-
-- Restricting egress traffic
-- Outgoing NAT behavior
-- Egress gateways
-
-## Restricting egress traffic
-
-It's a common security requirement and best practice to restrict outgoing connections from the cluster. This is normally
-achieved using [Network Policy](about-network-policy.mdx) to define egress rules for each
-microservice, often in conjunction with a [default deny](about-network-policy.mdx#default-deny)
-policy that ensures outgoing connections are denied by default, until a policy is defined to explicitly allow specific
-traffic.
-
-One limitation when using Kubernetes Network Policy to restrict access to specific external resources, is that the external
-resources need to be specified as IP addresses (or IP address ranges) within the policy rules. If the IP addresses
-associated with an external resource change, then every policy that referenced those IP addresses needs to be updated with
-the new IP addresses. This limitation can be circumvented using $[prodname] [Use external IPs or networks rules in policy](../beginners/policy-rules/external-ips-policy.mdx), or [DNS policy](../domain-based-policy.mdx) in policy rules.
-
-Note in addition to everything mentioned so far, perimeter firewalls can also be used to restrict outgoing connections,
-for example to allow connections only to particular external IP address ranges, or external services. However, since
-perimeter firewalls typically cannot distinguish individual pods, the rules apply equally to all pods in the cluster.
-This provides some defense in depth, but cannot replace the requirement for network policy.
-
-## NAT outgoing
-
-Network Address Translation ([NAT](https://en.wikipedia.org/wiki/Network_address_translation)) is the process of mapping an IP address in a packet
-to a different IP address as the packet passes through the device performing the NAT. Depending on the use case, NAT can
-apply to the source or destination IP address, or to both addresses.
-
-In the context of Kubernetes egress, NAT is used to allow pods to connect to services outside of the cluster if the pods
-have IP addresses that are not routable outside of the cluster (for example, if the pod network is an overlay).
-
-For example, if a pod in an overlay network attempts to connect to an IP address outside of the cluster, then the
-node hosting the pod uses SNAT (Source Network Address Translation) to map the non-routable source IP address of the
-packet to the node's IP address before forwarding on the packet. The node then maps response packets coming in the
-opposite direction back to the original pod IP address, so packets flow end-to-end in both directions, with neither
-pod or external service being aware the mapping is happening.
-
-In most clusters this NAT behavior is configured statically across the whole of the cluster. When using
-$[prodname], the NAT behavior can be configured at a more granular level for particular address ranges using [IP pools](../../reference/resources/ippool.mdx)
-. This effectively allows the scope of "non-routable" to be more
-tightly defined than just "inside the cluster vs outside the cluster", which can be useful in some enterprise deployment
-scenarios.
-
-## Egress gateways
-
-Another approach to Kubernetes egress is to route all outbound connections via one or more egress gateways. The gateways
-SNAT (Source Network Address Translation) the connections so the external service being connected to sees the connection
-as coming from the egress gateway. The main use case is to improve security, either with the egress gateway performing a
-direct security role in terms of what connections it allows, or in conjunction with perimeter firewalls (or other
-external entities). For example, so that perimeter firewalls see the connections coming from well known IP
-addresses (the egress gateways) rather than from dynamic pod IP addresses they don't understand.
-
-Egress gateways are not a native concept in Kubernetes itself, but are implemented by some Kubernetes network
-implementations and some service meshes. For example, $[prodname] provides egress gateway functionality, plus the
-ability to map namespaces (or even individual pods) to specific egress gateways. Perimeter firewalls (or other external
-security entities) can then effectively provide per namespace security controls, even though they do not have visibility
-to dynamic pod IP addresses.
-
-As an alternative approach to egress gateways, $[prodname] allows you to control pod IP address ranges based on
-namespace, or node, or even at the individual pod level. Assuming no outgoing NAT is required, this provides a very
-simple way for perimeter firewalls (or other external security entities) to integrate with Kubernetes for both ingress
-and egress traffic. (Note that this approach relies on having enough address space available to sensibly assign IP
-address ranges, for example to each namespace, so it can lead to IP address range exhaustion challenges for large scale
-deployments. In these scenarios, using egress gateways is likely to be a better option.)
-
-## Additional resources
-
-- [Use external IPs or networks rules in policy](../beginners/policy-rules/external-ips-policy.mdx)
-- [Restrict a pod to use an IP address in a specific range](../../networking/ipam/legacy-firewalls.mdx)
-- [Assign IP addresses based on topology](../../networking/ipam/assign-ip-addresses-topology.mdx)
-- [Egress gateways](../../networking/egress/index.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-ingress.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-ingress.mdx
deleted file mode 100644
index 4e196863e8..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-ingress.mdx
+++ /dev/null
@@ -1,136 +0,0 @@
----
-description: How different Kubernetes ingress implementations interact with Calico Enterprise network policy at the cluster edge.
----
-
-# Kubernetes ingress
-
-:::note
-
-This guide provides education material
-that is not specific to $[prodname].
-
-:::
-
-In this guide you will learn:
-
-- What is Kubernetes ingress?
-- Why use ingress?
-- What are the differences between different ingress implementations?
-- How does ingress and network policy interact?
-- How does ingress and services fit together under the covers?
-
-## What is Kubernetes ingress?
-
-Kubernetes Ingress builds on top of Kubernetes [Services](about-kubernetes-services.mdx) to provide
-load balancing at the application layer, mapping HTTP and HTTPS requests with particular domains or URLs to Kubernetes
-services. Ingress can also be used to terminate SSL / TLS before load balancing to the service.
-
-The details of how Ingress is implemented depend on which [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) you are using. The Ingress
-Controller is responsible for monitoring Kubernetes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) resources and provisioning / configuring one
-or more ingress load balancers to implement the desired load balancing behavior.
-
-Unlike Kubernetes services, which are handled at the network layer (L3-4), ingress load balancers operate at the
-application layer (L5-7). Incoming connections are terminated at the load balancer so it can inspect the individual HTTP /
-HTTPS requests. The requests are then forwarded via separate connections from the load balancer to the chosen service
-backing pods. As a result, network policy applied to the backing pods can restrict access to only allow connections from the load
-balancer, but cannot restrict access to specific original clients.
-
-## Why use Kubernetes Ingress?
-
-Given that Kubernetes [Services](about-kubernetes-services.mdx) already provide a mechanism for load
-balancing access to services from outside of the cluster, why might you want to use Kubernetes Ingress?
-
-The mainline use case is if you have multiple HTTP / HTTPS services that you want to expose through a single external IP
-address, perhaps with each service having a different URL path, or perhaps as multiple different domains. This is lot
-simpler from a client configuration point of view than exposing each service outside of the cluster using Kubernetes
-Services, which would give each service a separate external IP address.
-
-If on the other hand, your application architecture is fronted by a single "front end" microservice then Kubernetes
-Services likely already meet your needs. In this case you might prefer to not add Ingress to the picture, both from a
-simplicity point of view, and potentially also so you can more easily restrict access to specific clients using network
-policy. In effect, your "front end" microservice already plays the role of Kubernetes Ingress, in a way that is not that
-dissimilar to [in-cluster ingress](#in-cluster-ingress-solutions) solutions discussed below.
-
-## Types of Ingress solutions
-
-Broadly speaking there are two types of ingress solutions:
-
-- In-cluster ingress - where ingress load balancing is performed by pods within the cluster itself.
-- External ingress - where ingress load balancing is implemented outside of the cluster by
- appliances or cloud provider capabilities.
-
-### In-cluster ingress solutions
-
-In-cluster ingress solutions use software load balancers running in pods within the cluster itself. There are many
-different ingress controllers to consider that follow this pattern, including for example the NGINX ingress controller.
-
-The advantages of this approach are that you can:
-
-- horizontally scale your ingress solution up to the limits of Kubernetes
-- choose the ingress controller that best suits your specific needs, for example, with particular load balancing
- algorithms, or security options.
-
-To get your ingress traffic to the in-cluster ingress pods, the ingress pods are normally exposed externally as a
-Kubernetes service, so you can use any of the standard ways of accessing the service from outside of the cluster. A
-common approach is use an external network load balancer or service IP advertisement, with `externalTrafficPolicy:local`.
-This minimizes the number of network hops, and retains the client source IP address, which allows network policy to be used
-to restrict access to the ingress pods to particular clients if desired.
-
-
-
-### External ingress solutions
-
-External ingress solutions use application load balancers outside of the cluster. The exact details and
-features depend on which ingress controller you are using, but most cloud providers include an ingress controller that
-automates the provisioning and management of the cloud provider's application load balancers to provide ingress.
-
-The advantages of this type of ingress solution is that your cloud provider handles the operational complexity of the
-ingress for you. The downsides are a potentially more limited set of features compared to the rich range of in-cluster
-ingress solutions, and the maximum number of services exposed by ingress being constrained by cloud provider specific
-limits.
-
-
-
-Note that most application load balancers support a basic mode of operation of forwarding traffic to the chosen service
-backing pods via the [node port](about-kubernetes-services.mdx#node-port-services) of the
-corresponding service.
-
-In addition to this basic approach of load balancing to service node ports, some cloud providers support a second mode
-of application layer load balancing, which load balances directly to the pods backing each service, without going via
-node-ports or other kube-proxy service handling. This has the advantage of eliminating the potential second network hop
-associated with node ports load balancing to a pod on a different node. The potential disadvantage is that if you are
-operating at very high scales, for example with hundreds of pods backing a service, you may exceed the application layer
-load balancers maximum limit of IPs it can load balance to in this mode. In this case switching to an in-cluster ingress
-solution is likely the better fit for you.
-
-## Show me everything!
-
-All the above diagrams focus on connection level (L5-7) representation of ingress and services. You can learn more about
-the network level (L3-4) interactions involved in handling the connections, including which scenarios client source IP
-addresses are maintained, in the [About Kubernetes Services](about-kubernetes-services.mdx) guide.
-
-If you are already up to speed on how services work under the covers, here are some more complete diagrams that show details of how services are load balanced at the network layer (L3-4).
-
-:::note
-
-You can successfully use ingress without needing to understand this next level of detail! So feel free to skip
-over these diagrams if you don't want to dig deeper into how services and ingress interact under the covers.
-
-:::
-
-**In-cluster ingress solution exposed as service type `LoadBalancer` with `externalTrafficPolicy:local`**
-
-
-
-**External ingress solution via node ports**
-
-
-
-**External ingress solution direct to pods**
-
-
-
-## Additional resources
-
-- [Video: Everything you need to know about Kubernetes Ingress networking ](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-ingress-networking/)
-- [Video: Everything you need to know about Kubernetes Services networking ](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-services-networking/)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-services.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-services.mdx
deleted file mode 100644
index cb566ec84d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-kubernetes-services.mdx
+++ /dev/null
@@ -1,141 +0,0 @@
----
-description: How the three Kubernetes Service types behave in a Calico Enterprise cluster and where each one shows up in policy.
----
-
-# Kubernetes services
-
-:::note
-
-This guide provides educational material that is not specific to $[prodname].
-
-:::
-
-In this guide you will learn:
-
-- What are Kubernetes services?
-- What are the differences between the three main service types and what do you use them for?
-- How do services and network policy interact?
-- Some options for optimizing how services are handled.
-
-## What are Kubernetes services?
-
-Kubernetes [Services](https://kubernetes.io/docs/concepts/services-networking/service/) provide a way of abstracting access to a group
-of pods as a network service. The group of pods backing each service is usually defined using a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels).
-
-When a client connects to a Kubernetes service, the connection is load balanced to one of the pods backing the service,
-as illustrated in this conceptual diagram:
-
-
-
-There are three main types of Kubernetes services:
-
-- Cluster IP - which is the usual way of accessing a service from inside the cluster
-- Node port - which is the most basic way of accessing a service from outside the cluster
-- Load balancer - which uses an external load balancer as a more sophisticated way to access a service from outside the
- cluster.
-
-## Cluster IP services
-
-The default service type is `ClusterIP`. This allows a service to be accessed within the cluster via a virtual IP
-address, known as the service Cluster IP. The Cluster IP for a service is discoverable through Kubernetes DNS. For
-example, `my-svc.my-namespace.svc.cluster-domain.example`. The DNS name and Cluster IP address remain constant for the
-life time of the service, even though the pods backing the service may be created or destroyed, and the number of pods
-backing the service may change over time.
-
-In a typical Kubernetes deployment, kube-proxy runs on every node and is responsible for intercepting connections to
-Cluster IP addresses and load balancing across the group of pods backing each service. As part of this process
-[DNAT](../../networking/training/about-networking.mdx) is used to map the destination IP address from the Cluster IP to the
-chosen backing pod. Response packets on the connection then have the NAT reverse on their way back to the pod that
-initiated the connection.
-
-
-
-Importantly, network policy is enforced based on the pods, not the service Cluster IP. (i.e. Egress network policy is
-enforced for the client pod after the DNAT has changed the connection's destination IP to the chosen service backing
-pod. And because only the destination IP for the connection is changed, ingress network policy for the backing pod sees the
-original client pod as the source of the connection.)
-
-## Node port services
-
-The most basic way to access a service from outside the cluster is to use a service of type `NodePort`. A Node Port is a
-port reserved on each node in the cluster through which the service can be accessed. In a typical Kubernetes deployment,
-kube-proxy is responsible for intercepting connections to Node Ports and load balancing them across the pods backing
-each service.
-
-As part of this process [NAT](../../networking/training/about-networking.mdx#nat) is used to map the destination IP address and
-port from the node IP and Node Port, to the chosen backing pod and service port. In addition the source IP address is
-mapped from the client IP to the node IP, so that response packets on the connection flow back via the original node,
-where the NAT can be reversed. (It's the node which performed the NAT that has the connection tracking state needed to
-reverse the NAT.)
-
-
-
-Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the
-service backing pod does not see the original client IP address. Typically this means that any such policy is limited to
-restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can
-be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using
-$[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address.
-
-## Load balancer services
-
-Services of type `LoadBalancer` expose the service via an external network load balancer (NLB). The exact type of
-network load balancer depends on which public cloud provider or, if on-prem, which specific hardware load balancer integration is
-integrated with your cluster.
-
-The service can be accessed from outside of the cluster via a specific IP address on the network load balancer, which by
-default will load balance evenly across the nodes using the service node port.
-
-
-
-Most network load balancers preserve the client source IP address, but because the service then goes via a node port,
-the backing pods themselves do not see the client IP, with the same implications for network policy. As with node
-ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal)
-or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather
-than kube-proxy) which preserves source IP address.
-
-## Advertising service IPs
-
-One alternative to using node ports or network load balancers is to advertise service IP addresses over BGP. This
-requires the cluster to be running on an underlying network that supports BGP, which typically means an on-prem
-deployment with standard Top of Rack routers.
-
-$[prodname] supports advertising service Cluster IPs, or External IPs for services configured with one. If you are
-not using Calico as your network plugin then [MetalLB](https://github.com/metallb/metallb) provides similar capabilities that work with a variety of different network
-plugins.
-
-
-
-## externalTrafficPolicy:local
-
-By default, whether using service type `NodePort` or `LoadBalancer` or advertising service IP addresses over BGP,
-accessing a service from outside the cluster load balances evenly across all the pods backing the service, independent
-of which node the pods are on. This behavior can be changed by configuring the service with
-`externalTrafficPolicy:local` which specifies that connections should only be load balanced to pods backing the service
-on the local node.
-
-When combined with services of type `LoadBalancer` or with $[prodname] service IP address advertising, traffic is
-only directed to nodes that host at least one pod backing the service. This reduces the potential extra network hop
-between nodes, and perhaps more importantly, to maintain the source IP address all the way to the pod, so network policy
-can restrict specific external clients if desired.
-
-
-
-Note that in the case of services of type `LoadBalancer`, not all Load Balancers support this mode. And in the case of
-service IP advertisement, the evenness of the load balancing becomes topology dependent. In this case, pod anti-affinity
-rules can be used to ensure even distribution of backing pods across your topology, but this does add some complexity to
-deploying the service.
-
-## Calico eBPF native service handling
-
-As an alternative to using Kubernetes standard kube-proxy, $[prodname]'s [eBPF data plane](../../operations/ebpf/enabling-ebpf.mdx)
- supports native service handling. This preserves source IP to
-simplify network policy, offers DSR (Direct Server Return) to reduce the number of network hops for return traffic, and
-provides even load balancing independent of topology, with reduced CPU and latency compared to kube-proxy.
-
-
-
-# Additional resources
-
-- [Video: Everything you need to know about Kubernetes Services networking ](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-services-networking/)
-- [Blog: Introducing the Calico eBPF data plane](https://www.projectcalico.org/introducing-the-calico-ebpf-dataplane/)
-- [Blog: Hands on with Calico eBPF native service handling](https://www.projectcalico.org/hands-on-with-calicos-ebpf-service-handling/)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-network-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-network-policy.mdx
deleted file mode 100644
index cf29dd1eed..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/about-network-policy.mdx
+++ /dev/null
@@ -1,235 +0,0 @@
----
-description: Concepts you need before writing Calico Enterprise policy — how Kubernetes NetworkPolicy, Calico policy, and tiers interact.
----
-
-# What is network policy?
-
-:::note
-
-This guide provides educational material that is not specific to $[prodname].
-
-:::
-
-Kubernetes and $[prodname] provide network policy APIs to help you secure your workloads.
-
-In this guide you will learn:
-
-- What network policy is and why it is important.
-- The differences between Kubernetes and $[prodname] network policies and when you might want to use each.
-- Some best practices for using network policy.
-
-## What is network policy?
-
-Network policy is the primary tool for securing a Kubernetes network. It allows you to easily restrict the network
-traffic in your cluster so only the traffic that you want to flow is allowed.
-
-To understand the significance of network policy, let's briefly explore how network security was typically achieved
-prior to network policy. Historically in enterprise networks, network security was provided by designing a physical
-topology of network devices (switches, routers, firewalls) and their associated configuration. The physical topology
-defined the security boundaries of the network. In the first phase of virtualization, the same network and network
-device constructs were virtualized in the cloud, and the same techniques for creating specific network topologies of
-(virtual) network devices were used to provide network security. Adding new applications or services often required
-additional network design to update the network topology and network device configuration to provide the desired
-security.
-
-In contrast, the [Kubernetes network model](../../networking/training/about-kubernetes-networking.mdx) defines a "flat"
-network in which every pod can communicate with all other pods in the cluster using pod IP addresses. This approach
-massively simplifies network design and allows new workloads to be scheduled dynamically anywhere in the cluster with no
-dependencies on the network design.
-
-In this model, rather than network security being defined by network topology boundaries, it is defined using network
-policies that are independent of the network topology. Network policies are further abstracted from the network by using
-label selectors as their primary mechanism for defining which workloads can talk to which workloads, rather than IP
-addresses or IP address ranges.
-
-## Why is network policy important?
-
-In an age where attackers are becoming more and more sophisticated, network security as a line of defense is more important
-than ever.
-
-While you can (and should) use firewalls to restrict traffic at the perimeters of your network (commonly referred to as
-north-south traffic), their ability to police Kubernetes traffic is often limited to a granularity of the cluster as a
-whole, rather than to specific groups of pods, due to the dynamic nature of pod scheduling and pod IP addresses. In
-addition, the goal of most attackers once they gain a small foothold inside the perimeter is to move laterally (commonly
-referred to as east-west) to gain access to higher value targets, which perimeter based firewalls can't police against.
-
-Network policy on the other hand is designed for the dynamic nature of Kubernetes by following the standard Kubernetes
-paradigm of using label selectors to define groups of pods, rather than IP addresses. And because network policy is
-enforced within the cluster itself it can police both north-south and east-west traffic.
-
-Network policy represents an important evolution of network security, not just because it handles the dynamic nature of
-modern microservices, but because it empowers dev and DevOps engineers to easily define network security themselves,
-rather than needing to learn low-level networking details or raise tickets with a separate team responsible for managing
-firewalls. Network policy makes it easy to define intent, such as "only this microservice gets to connect to the
-database", write that intent as code (typically in YAML files), and integrate authoring of network policies into git
-workflows and CI/CD processes.
-
-:::note
-
-Note: $[prodname] offers capabilities that can help perimeter firewalls integrate
-more tightly with Kubernetes. However, this does not remove the need or value of network policies within the cluster itself.)
-
-:::
-
-## Kubernetes network policy
-
-Kubernetes network policies are defined using the Kubernetes [NetworkPolicy](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/) resource.
-
-The main features of Kubernetes network policies are:
-
-- Policies are namespace scoped (i.e. you create them within the context of a specific namespace just like, for example, pods)
-- Policies are applied to pods using label selectors
-- Policy rules can specify the traffic that is allowed to/from other pods, namespaces, or CIDRs
-- Policy rules can specify protocols (TCP, UDP, SCTP), named ports or port numbers
-
-Kubernetes itself does not enforce network policies, and instead delegates their enforcement to network plugins. Most
-network plugins implement the mainline elements of Kubernetes network policies, though not all implement every feature
-of the specification. ($[prodname] does implement every feature, and was the original reference implementation of Kubernetes
-network policies.)
-
-To learn more about Kubernetes network policies, read the [Get started with Kubernetes network policy](kubernetes-network-policy.mdx)
- guide.
-
-## $[prodname] network policy
-
-In addition to enforcing Kubernetes network policy, $[prodname] supports its own
-namespaced [NetworkPolicy](../../reference/resources/networkpolicy.mdx) and non-namespaced
-[GlobalNetworkPolicy](../../reference/resources/globalnetworkpolicy.mdx) resources, which provide additional
-features beyond those supported by Kubernetes network policy. This includes support for:
-
-- policy ordering/priority
-- deny and log actions in rules
-- more flexible match criteria for applying policies and in policy rules, including matching on Kubernetes ServiceAccounts
-- ability to reference non-Kubernetes workloads in polices, including matching on
- [NetworkSets](../../reference/resources/networkset.mdx) in policy rules
-
-While Kubernetes network policy applies only to pods, $[prodname] network policy can be applied to multiple types of
-endpoints including pods, VMs, and host interfaces.
-
-To learn more about $[prodname] network policies, read the [Get started with $[prodname] network policy](../beginners/calico-network-policy.mdx)
- guide.
-
-## Benefits of using $[prodname] for network policy
-
-### Full Kubernetes network policy support
-
-Unlike some other network policy implementations, $[prodname] implements the full set of Kubernetes network policy features.
-
-### Richer network policy
-
-$[prodname] network policies allow even richer traffic control than Kubernetes network policies if you need it. In addition,
-$[prodname] network policies allow you to create policy that applies across multiple namespaces using GlobalNetworkPolicy
-resources.
-
-### Mix Kubernetes and $[prodname] network policy
-
-Kubernetes and $[prodname] network policies can be mixed together seamlessly. One common use case for this is to split
-responsibilities between security / cluster ops teams and developer / service teams. For example, giving the security /
-cluster ops team RBAC permissions to define $[prodname] policies, and giving developer / service teams RBAC permissions to
-define Kubernetes network policies in their specific namespaces. As $[prodname] policy rules can be ordered to be enforced
-either before or after Kubernetes network policies, and can include actions such as deny and log, this allows the
-security / cluster ops team to define basic higher-level more-general purpose rules, while empowering the developer /
-service teams to define their own fine-grained constraints on the apps and services they are responsible for.
-
-For more flexible control and delegation of responsibilities between two or more teams, $[prodname] Enterprise extends this
-model to provide [hierarchical policy](#hierarchical-policy).
-
-
-
-### Ability to protect hosts and VMs
-
-As $[prodname] policies can be enforce on host interfaces, you can use them to protect your Kubernetes nodes (not
-just your pods), including for example, limiting access to node ports from outside of the cluster. To learn more, check
-out the $[prodname] [policy for hosts](../hosts/index.mdx) guides.
-
-### Extendable with $[prodname]
-
-Calico Enterprise adds even richer network policy capabilities, with the ability
-to specify hierarchical policies, with each team have particular boundaries of trust, and FQDN / domain names in policy
-rules for restricting access to specific external services.
-
-## Best practices for network policies
-
-### Ingress and egress
-
-At a minimum we recommend that every pod is protected by network policy ingress rules that restrict what is allowed
-to connect to the pod and on which ports. The best practice is also to define network policy egress rules that restrict
-the outgoing connections that are allowed by pods themselves. Ingress rules protect your pod from attacks outside of the
-pod. Egress rules help protect everything outside of the pod if the pod gets compromised, reducing the attack surface to
-make moving laterally (east-west) or to prevent an attacker from exfiltrating compromised data from your cluster (north-south).
-
-### Policy schemas
-
-Due to the flexibility of network policy and labelling, there are often multiple different ways of labelling and writing
-policies that can achieve the same particular goal. One of the most common approaches is to have a small number of
-global policies that apply to all pods, and then a single pod specific policy that defines all the ingress and egress
-rules that are particular to that pod.
-
-For example:
-
-```yaml
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: front-end
- namespace: staging
-spec:
- podSelector:
- matchLabels:
- app: back-end
- ingress:
- - from:
- - podSelector:
- matchLabels:
- app: front-end
- ports:
- - protocol: TCP
- port: 443
- egress:
- - to:
- - podSelector:
- matchLabels:
- app: database
- ports:
- - protocol: TCP
- port: 27017
-
-```
-
-### Default deny
-
-One approach to ensuring these best practices are being followed is to define [default deny](../beginners/kubernetes-default-deny.mdx)
- network policies. These ensure that if no other policy is
-defined that explicitly allows traffic to/from a pod, then the traffic will be denied. As a result, anytime a team
-deploys a new pod, they are forced to also define network policy for the pod. It can be useful to use a $[prodname]
-GlobalNetworkPolicy for this (rather than needing to define a policy every time a new namespace is created) and to
-include some exceptions to the default deny (for example to allow pods to access DNS).
-
-For example, you might use the following policy to default-deny all (non-system) pod traffic except for DNS queries to kube-dns/core-dns.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: default-app-policy
-spec:
- namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "calico-apiserver"}
- types:
- - Ingress
- - Egress
- egress:
- - action: Allow
- protocol: UDP
- destination:
- selector: k8s-app == "kube-dns"
- ports:
- - 53
-```
-
-### Hierarchical policy
-
-[Calico Enterprise](../policy-tiers/tiered-policy.mdx) supports hierarchical network policy using policy tiers. RBAC
-for each tier can be defined to restrict who can interact with each tier. This can be used to delegate trust across
-multiple teams.
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/index.mdx
deleted file mode 100644
index 161bd60cf6..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Pick a learning path for Calico Enterprise policy — start with Kubernetes-native NetworkPolicy basics or jump to the richer enterprise resources that build on top.
-hide_table_of_contents: true
----
-
-# Get started with policy
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-demo.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-demo.mdx
deleted file mode 100644
index 7fd1c73c47..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-demo.mdx
+++ /dev/null
@@ -1,101 +0,0 @@
----
-description: Interactive demo for a Calico Enterprise cluster that visualizes how Kubernetes NetworkPolicy allows and denies connections between pods.
----
-
-# Kubernetes policy, demo
-
-The included demo sets up a frontend and backend service, as well as a client service, all
-running on Kubernetes. It then configures network policy on each service.
-
-## Prerequisites
-
-To create a Kubernetes cluster which supports the Kubernetes network policy API, follow
-one of our [getting started guides](../../getting-started/index.mdx).
-
-## Running the stars example
-
-### 1) Create the frontend, backend, client, and management-ui apps.
-
-```shell
-kubectl create -f $[tutorialFilesURL]/00-namespace.yaml
-kubectl create -f $[tutorialFilesURL]/01-management-ui.yaml
-kubectl create -f $[tutorialFilesURL]/02-backend.yaml
-kubectl create -f $[tutorialFilesURL]/03-frontend.yaml
-kubectl create -f $[tutorialFilesURL]/04-client.yaml
-```
-
-Wait for all the pods to enter `Running` state.
-
-```bash
-kubectl get pods --all-namespaces --watch
-```
-
-> Note that it may take several minutes to download the necessary Docker images for this demo.
-
-The management UI runs as a `NodePort` Service on Kubernetes, and shows the connectivity
-of the Services in this example.
-
-You can view the UI by visiting `http://:30002` in a browser.
-
-Once all the pods are started, they should have full connectivity. You can see this by visiting the UI. Each service is
-represented by a single node in the graph.
-
-- `backend` -> Node "B"
-- `frontend` -> Node "F"
-- `client` -> Node "C"
-
-### 2) Enable isolation
-
-Running following commands will prevent all access to the frontend, backend, and client Services.
-
-```shell
-kubectl create -n stars -f $[tutorialFilesURL]/default-deny.yaml
-kubectl create -n client -f $[tutorialFilesURL]/default-deny.yaml
-```
-
-#### Confirm isolation
-
-Refresh the management UI (it may take up to 10 seconds for changes to be reflected in the UI).
-Now that we've enabled isolation, the UI can no longer access the pods, and so they will no longer show up in the UI.
-
-### 3) Allow the UI to access the services using network policy objects
-
-Apply the following YAML files to allow access from the management UI.
-
-```shell
-kubectl create -f $[tutorialFilesURL]/allow-ui.yaml
-kubectl create -f $[tutorialFilesURL]/allow-ui-client.yaml
-```
-
-After a few seconds, refresh the UI - it should now show the Services, but they should not be able to access each other anymore.
-
-### 4) Create the backend-policy.yaml file to allow traffic from the frontend to the backend
-
-```shell
-kubectl create -f $[tutorialFilesURL]/backend-policy.yaml
-```
-
-Refresh the UI. You should see the following:
-
-- The frontend can now access the backend (on TCP port 6379 only).
-- The backend cannot access the frontend at all.
-- The client cannot access the frontend, nor can it access the backend.
-
-### 5) Expose the frontend service to the client namespace
-
-```shell
-kubectl create -f $[tutorialFilesURL]/frontend-policy.yaml
-```
-
-The client can now access the frontend, but not the backend. Neither the frontend nor the backend
-can initiate connections to the client. The frontend can still access the backend.
-
-To use $[prodname] to enforce egress policy on Kubernetes pods, see [the advanced policy demo](kubernetes-policy-advanced.mdx).
-
-### 6) (Optional) Clean up the demo environment
-
-You can clean up the demo by deleting the demo Namespaces:
-
-```bash
-kubectl delete ns client stars management-ui
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-network-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-network-policy.mdx
deleted file mode 100644
index 21a2162639..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-network-policy.mdx
+++ /dev/null
@@ -1,179 +0,0 @@
----
-description: Reference for Kubernetes NetworkPolicy syntax, rules, and features when used with the Calico Enterprise enforcement engine.
----
-
-# Get started with Kubernetes network policy
-
-## Big picture
-
-Kubernetes network policy lets administrators and developers enforce which network traffic is allowed using rules.
-
-## Value
-
-Kubernetes network policy lets developers secure access to and from their applications using the same simple language they use to deploy them. Developers can focus on their applications without understanding low-level networking concepts. Enabling developers to easily secure their applications using network policies supports a shift left DevOps environment.
-
-## Concepts
-
-The Kubernetes Network Policy API provides a standard way for users to define network policy for controlling network traffic. However, Kubernetes has no built-in capability to enforce the network policy. To enforce network policy, you must use a network plugin such as Calico.
-
-### Ingress and egress
-
-The bulk of securing network traffic typically revolves around defining egress and ingress rules. From the point of view of a Kubernetes pod, **ingress** is incoming traffic to the pod, and **egress** is outgoing traffic from the pod. In Kubernetes network policy, you create ingress and egress “allow” rules independently (egress, ingress, or both).
-
-### Default deny/allow behavior
-
-**Default allow** means all traffic is allowed by default, unless otherwise specified.
-**Default deny** means all traffic is denied by default, unless explicitly allowed.
-
-## How to
-
-Before you create your first Kubernetes network policy, you need to understand the default network policy behaviors. If no Kubernetes network policies apply to a pod, then all traffic to/from the pod are allowed (default-allow). As a result, if you do not create any network policies, then all pods are allowed to communicate freely with all other pods. If one or more Kubernetes network policies apply to a pod, then only the traffic specifically defined in that network policy are allowed (default-deny).
-
-You are now ready to start fine-tuning traffic that should be allowed.
-
-- [Create ingress policies](#create-ingress-policies)
-- [Allow ingress traffic from pods in the same namespace](#allow-ingress-traffic-from-pods-in-the-same-namespace)
-- [Allow ingress traffic from pods in a different namespace](#allow-ingress-traffic-from-pods-in-a-different-namespace)
-- [Create egress policies](#create-egress-policies)
-- [Allow egress traffic from pods in the same namespace](#allow-egress-traffic-from-pods-in-the-same-namespace)
-- [Allow egress traffic to IP addresses or CIDR range](#allow-egress-traffic-to-ip-addresses-or-cidr-range)
-- [Best practice: create deny-all default network policy](#best-practice-create-deny-all-default-network-policy)
-- [Create deny-all default ingress and egress network policy](#create-deny-all-default-ingress-and-egress-network-policy)
-
-### Create ingress policies
-
-Create ingress network policies to allow inbound traffic from other pods.
-
-Network policies apply to pods within a specific **namespace**. Policies can include one or more ingress rules. To specify which pods in the namespace the network policy applies to, use a **pod selector**. Within the ingress rule, use another pod selector to define which pods allow incoming traffic, and the **ports** field to define on which ports traffic is allowed.
-
-#### Allow ingress traffic from pods in the same namespace
-
-In the following example, incoming traffic to pods with label **color=blue** are allowed only if they come from a pod with **color=red**, on port **80**.
-
-```yaml
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: allow-same-namespace
- namespace: default
-spec:
- podSelector:
- matchLabels:
- color: blue
- ingress:
- - from:
- - podSelector:
- matchLabels:
- color: red
- ports:
- - port: 80
-```
-
-#### Allow ingress traffic from pods in a different namespace
-
-To allow traffic from pods in a different namespace, use a namespace selector in the ingress policy rule. In the following policy, the namespace selector matches one or more Kubernetes namespaces and is combined with the pod selector that selects pods within those namespaces.
-
-:::note
-
-Namespace selectors can be used only in policy rules. The **spec.podSelector** applies to pods only in the same namespace as the policy.
-
-:::
-
-In the following example, incoming traffic is allowed only if they come from a pod with label **color=red**, in a namespace with label **shape=square**, on port **80**.
-
-```yaml
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: allow-different-namespace
- namespace: default
-spec:
- podSelector:
- matchLabels:
- color: blue
- ingress:
- - from:
- - podSelector:
- matchLabels:
- color: red
- namespaceSelector:
- matchLabels:
- shape: square
- ports:
- - port: 80
-```
-
-### Create egress policies
-
-Create egress network policies to allow outbound traffic from pods.
-
-#### Allow egress traffic from pods in the same namespace
-
-The following policy allows pod outbound traffic to other pods in the same namespace that match the pod selector. In the following example, outbound traffic is allowed only if they go to a pod with label **color=red**, on port **80**.
-
-```yaml
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: allow-egress-same-namespace
- namespace: default
-spec:
- podSelector:
- matchLabels:
- color: blue
- egress:
- - to:
- - podSelector:
- matchLabels:
- color: red
- ports:
- - port: 80
-```
-
-#### Allow egress traffic to IP addresses or CIDR range
-
-Egress policies can also be used to allow traffic to specific IP addresses and CIDR ranges. Typically, IP addresses/ranges are used to handle traffic that is external to the cluster for static resources or subnets.
-
-The following policy allows egress traffic to pods in CIDR, **172.18.0.0/24**.
-
-```yaml
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: allow-egress-external
- namespace: default
-spec:
- podSelector:
- matchLabels:
- color: red
- egress:
- - to:
- - ipBlock:
- cidr: 172.18.0.0/24
-```
-
-### Best practice: create deny-all default network policy
-
-To ensure that all pods in the namespace are secure, a best practice is to create a default network policy. This avoids accidentally exposing an app or version that doesn’t have policy defined.
-
-#### Create deny-all default ingress and egress network policy
-
-The following network policy implements a default **deny-all** ingress and egress policy, which prevents all traffic to/from pods in the **policy-demo** namespace. Note that the policy applies to all pods in the policy-demo namespace, but does not explicitly allow any traffic. All pods are selected, but because the default changes when pods are selected by a network policy, the result is: **deny all ingress and egress traffic**. (Unless the traffic is allowed by another network policy).
-
-```yaml
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: default-deny
- namespace: policy-demo
-spec:
- podSelector:
- matchLabels: {}
- policyTypes:
- - Ingress
- - Egress
-```
-
-## Additional resources
-
-- [Kubernetes Network Policy API documentation](https://v1-21.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-policy-advanced.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-policy-advanced.mdx
deleted file mode 100644
index 292a58f7da..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-policy-advanced.mdx
+++ /dev/null
@@ -1,342 +0,0 @@
----
-description: Write more advanced Kubernetes NetworkPolicy resources in a Calico Enterprise cluster — namespace scoping, allow-all, and deny-all variants.
----
-
-# Kubernetes policy, advanced tutorial
-
-The Kubernetes `NetworkPolicy` API allows users to express ingress and egress policies (starting with Kubernetes 1.8.0) to Kubernetes pods
-based on labels and ports.
-
-This guide walks through using Kubernetes `NetworkPolicy` to define more complex network policies.
-
-## Requirements
-
-- A working Kubernetes cluster and access to it using kubectl
-- Your Kubernetes nodes have connectivity to the public internet
-- You are familiar with [Kubernetes NetworkPolicy](kubernetes-policy-basic.mdx)
-
-## Tutorial flow
-
-1. Create the Namespace and Nginx Service
-1. Deny all ingress traffic
-1. Allow ingress traffic to Nginx
-1. Deny all egress traffic
-1. Allow egress traffic to kube-dns
-1. Cleanup Namespace
-
-## 1. Create the namespace and nginx service
-
-We'll use a new namespace for this guide. Run the following commands to create it and a plain nginx service listening on port 80.
-
-```bash
-kubectl create ns advanced-policy-demo
-kubectl create deployment --namespace=advanced-policy-demo nginx --image=nginx
-kubectl expose --namespace=advanced-policy-demo deployment nginx --port=80
-```
-
-### Verify access - allowed all ingress and egress
-
-Open up a second shell session which has `kubectl` connectivity to the Kubernetes cluster and create a busybox pod to test policy access. This pod will be used throughout this tutorial to test policy access.
-
-```bash
-kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
-```
-
-This should open up a shell session inside the `access` pod, as shown below.
-
-```
-Waiting for pod advanced-policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
-
-If you don't see a command prompt, try pressing enter.
-/ #
-```
-
-Now from within the busybox "access" pod execute the following command to test access to the nginx service.
-
-```bash
-wget -q --timeout=5 nginx -O -
-```
-
-It should return the HTML of the nginx welcome page.
-
-Still within the busybox "access" pod, issue the following command to test access to google.com.
-
-```bash
-wget -q --timeout=5 google.com -O -
-```
-
-It should return the HTML of the google.com home page.
-
-## 2. Deny all ingress traffic
-
-Enable ingress isolation on the namespace by deploying a [default deny all ingress traffic policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic).
-
-```bash
-kubectl create -f - <
-
-
-Welcome to nginx!...
-```
-
-After creating the policy, we can now access the nginx Service.
-
-## 4. Deny all egress traffic
-
-Enable egress isolation on the namespace by deploying a [default deny all egress traffic policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-egress-traffic).
-
-```bash
-kubectl create -f - <
-
-
-Welcome to nginx!...
-```
-
-Next, try to retrieve the home page of google.com.
-
-```bash
-wget -q --timeout=5 google.com -O -
-```
-
-It should return:
-
-```
-wget: download timed out
-```
-
-Access to `google.com` times out because it can resolve DNS but has no egress access to anything other than pods with labels matching `app: nginx` in the `advanced-policy-demo` namespace.
-
-# 7. Clean up namespace
-
-You can clean up after this tutorial by deleting the advanced policy demo namespace.
-
-```bash
-kubectl delete ns advanced-policy-demo
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-policy-basic.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-policy-basic.mdx
deleted file mode 100644
index cd1fce6049..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/get-started/kubernetes-policy-basic.mdx
+++ /dev/null
@@ -1,207 +0,0 @@
----
-description: Apply your first Kubernetes NetworkPolicy in a Calico Enterprise cluster to restrict ingress and egress traffic to and from pods.
----
-
-# Kubernetes policy, basic tutorial
-
-This guide provides a simple way to try out Kubernetes `NetworkPolicy` with $[prodname]. It requires a Kubernetes cluster configured with $[prodname] networking, and expects that you have `kubectl` configured to interact with the cluster.
-
-You can quickly and easily deploy such a cluster by following one of the [installation guides](../../getting-started/install-on-clusters/kubernetes/index.mdx).
-
-## Configure namespaces
-
-This guide will deploy pods in a Kubernetes namespace. Let's create the `Namespace` object for this guide.
-
-```bash
-kubectl create ns policy-demo
-```
-
-## Create demo pods
-
-We'll use Kubernetes `Deployment` objects to easily create pods in the namespace.
-
-1. Create some nginx pods in the `policy-demo` namespace.
-
- ```bash
- kubectl create deployment --namespace=policy-demo nginx --image=nginx
- ```
-
-1. Expose them through a service.
-
- ```bash
- kubectl expose --namespace=policy-demo deployment nginx --port=80
- ```
-
-1. Ensure the nginx service is accessible.
-
- ```bash
- kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
- ```
-
- This should open up a shell session inside the `access` pod, as shown below.
-
- ```
- Waiting for pod policy-demo/access-472357175-y0m47 to be running, status is Pending, pod ready: false
-
- If you don't see a command prompt, try pressing enter.
-
- / #
- ```
-
-1. From inside the `access` pod, attempt to reach the `nginx` service.
-
- ```bash
- wget -q nginx -O -
- ```
-
- You should see a response from `nginx`. Great! Our service is accessible. You can exit the pod now.
-
-## Enable isolation
-
-Let's turn on isolation in our `policy-demo` namespace. $[prodname] will then prevent connections to pods in this namespace.
-
-Running the following command creates a NetworkPolicy which implements a default deny behavior for all pods in the `policy-demo` namespace.
-
-```bash
-kubectl create -f - <||.||
-```
-
-### Example flow log for applyOnForward policy
-
-Using the tutorial example from this document (SSH traffic to maintenance network), here's what a flow log entry might look like:
-
-```json
-{
- "source_ip": "10.0.0.1",
- "source_name": "client-pods-gkh45",
- "source_name_aggr": "client-pods-*",
- "source_namespace": "client-pods-namespace",
- "dest_ip": "192.168.1.10",
- "dest_name": "maintenance-server-gkh45",
- "dest_name_aggr": "maintenance-server-*",
- "dest_namespace": "maintenance-server-namespace",
- "dest_port": 22,
- "dest_type": "wep",
- "proto": "tcp",
- "action": "allow",
- "reporter": "dst, fwd",
- "policies": {
- "all_policies": [
- "0|__PROFILE__|__PROFILE__.kns.maintenance-server|allow|0"
- ],
- "enforced_policies": [
- "0|__PROFILE__|__PROFILE__.kns.maintenance-server|allow|0"
- ],
- "pending_policies": [
- "0|__PROFILE__|__PROFILE__.kns.maintenance-server|allow|0"
- ],
- "transit_policies": [
- "0|default|default.allow-ssh-maintenance|allow|0"
- ]
- },
- "bytes_in": 1234,
- "bytes_out": 5678,
- "packets_in": 10,
- "packets_out": 8,
- "host": "my-host"
-}
-```
-
-**Key points about this flow log:**
-- `reporter` is `dst, fwd`, indicating this flow was reported by both the destination workload endpoint and the forwarding node. The `enforced_policies` shows policies that applied to the destination workload's ingress traffic, while `transit_policies` shows the host endpoint policy that applied as the traffic was forwarded through the node.
-- The `policies.transit_policies` field shows that the `allow-ssh-maintenance` GlobalNetworkPolicy allowed the traffic
-- The rule index `0` indicates the first rule in the policy matched (the SSH allow rule)
-
-### Example flow log for preDNAT policy
-
-Here's an example of a GlobalNetworkPolicy with `preDNAT: true` that allows HTTP traffic incoming to the cluster from external sources:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: allow-external-http
-spec:
- selector: network = 'maintenance'
- applyOnForward: true
- preDNAT: true
- types:
- - Ingress
- ingress:
- # Allow HTTP from external sources to NodePort services
- - action: Allow
- protocol: TCP
- source:
- nets:
- - 34.0.113.0/24 # External network
- destination:
- ports:
- - 30080 # NodePort
-```
-
-For preDNAT policies, flow logs display the original destination IP and port before DNAT is performed. When traffic originates from outside the cluster (for example, an external client accesses a NodePort service), the flow log captures the pre-DNAT source and destination details. Here's an example:
-
-```json
-{
- "source_ip": "34.0.113.100",
- "source_name": "-",
- "source_name_aggr": "pub",
- "source_namespace": "-",
- "source_type": "net",
- "dest_ip": "66.11.155.1",
- "dest_name": "-",
- "dest_name_aggr": "pub",
- "dest_namespace": "-",
- "dest_type": "net",
- "dest_port": 30080,
- "proto": "tcp",
- "action": "allow",
- "reporter": "fwd",
- "policies": {
- "transit_policies": [
- "0|default|default.allow-external-http|allow|0"
- ]
- },
- "bytes_in": 2048,
- "bytes_out": 4096,
- "packets_in": 15,
- "packets_out": 12,
- "host": "my-host"
-}
-```
-
-**Key points about this preDNAT flow log:**
-- `source_name_aggr` is `pub`, indicating external traffic from outside the cluster
-- `dest_name_aggr` is `pub`, indicating the NodePort's external facing IP
-- `dest_port` shows the original NodePort (30080) before DNAT translation to the service port
-- The `reporter` is `fwd`, indicating this policy acted on forwarded ingress traffic at the host endpoint
-- The `policies.transit_policies` field shows the preDNAT policy that allowed the traffic before DNAT processing
-
-## Additional resources
-
-- [Host endpoint](../../reference/resources/hostendpoint.mdx)
-- [Workload endpoint](../../reference/resources/workloadendpoint.mdx)
-- [Global network policy](../../reference/resources/globalnetworkpolicy.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/index.mdx
deleted file mode 100644
index 04b4321aaf..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Apply Calico Enterprise network policy to host interfaces so the same selector-based model protects bare-metal hosts and VMs alongside pods.
-hide_table_of_contents: true
----
-
-# Policy for hosts and VMs
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/kubernetes-nodes.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/kubernetes-nodes.mdx
deleted file mode 100644
index 8bbcb082ad..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/kubernetes-nodes.mdx
+++ /dev/null
@@ -1,293 +0,0 @@
----
-description: Protect Kubernetes node interfaces with Calico Enterprise host endpoints to extend network policy to the node itself.
----
-
-# Protect Kubernetes nodes
-
-## Big picture
-
-Secure Kubernetes nodes with host endpoints managed by $[prodname].
-
-## Value
-
-$[prodname] can automatically create host endpoints for your Kubernetes nodes. This means $[prodname] can manage the lifecycle of host endpoints as your cluster evolves, ensuring nodes are always protected by policy.
-
-## Concepts
-
-## Host endpoints
-
-Each host has one or more network interfaces that it uses to communicate externally. You can represent these interfaces in $[prodname] using host endpoints and then use network policy to secure them.
-
-$[prodname] host endpoints can have labels, and they work the same as labels on workload endpoints. The network policy rules can apply to both workload and host endpoints using label selectors.
-
-Automatic host endpoints secure all of the host's interfaces (i.e. in Linux, all the interfaces in the host network namespace). They are created by setting `interfaceName: "*"`.
-
-## Automatic host endpoints
-
-$[prodname] creates a wildcard host endpoint for each node, with the host endpoint containing the same labels and IP addresses as its corresponding node.
-$[prodname] will ensure these managed host endpoints maintain the same labels and IP addresses as its node by periodic syncs.
-This means that policy targeting these automatic host endpoints will function correctly with the policy put in place to select those nodes, even if over time the node's IPs or labels change.
-
-$[prodname] is also able to create and manage custom host endpoints for nodes, based on user specified templates.
-This allows you to fine-tune which interfaces should be included in the host endpoint and for which nodes these host endpoints should be created.
-The host endpoint templates can be enabled by updating [KubeControllersConfig](../../reference/resources/kubecontrollersconfig.mdx).
-
-Automatic host endpoints are differentiated from other host endpoints by the label `projectcalico.org/created-by: calico-kube-controllers`.
-Enable or disable automatic host endpoints by configuring the default KubeControllersConfiguration resource.
-
-## Before you begin
-
-**Unsupported**
-
-- GKE
-
-## How to
-
-- [Enable automatic host endpoints](#enable-automatic-host-endpoints)
-- [Apply network policy to automatic host endpoints](#apply-network-policy-to-automatic-host-endpoints)
-
-### Enable automatic host endpoints
-
-To enable automatic host endpoints, edit the default KubeControllersConfiguration instance, and set `spec.controllers.node.hostEndpoint.autoCreate` to `true`:
-
-```bash
-kubectl patch kubecontrollersconfiguration default --patch='{"spec": {"controllers": {"node": {"hostEndpoint": {"autoCreate": "Enabled"}}}}}'
-```
-
-If successful, host endpoints are created for each of your cluster's nodes:
-
-```bash
-kubectl get heps -o wide
-```
-
-The output may look similar to this:
-
-```
-kubectl get heps -o wide
-NAME CREATED AT
-ip-172-16-101-147.us-west-2.compute.internal-auto-hep 2021-05-12T22:16:47Z
-ip-172-16-101-54.us-west-2.compute.internal-auto-hep 2021-05-12T22:16:47Z
-ip-172-16-101-79.us-west-2.compute.internal-auto-hep 2021-05-12T22:16:47Z
-ip-172-16-101-9.us-west-2.compute.internal-auto-hep 2021-05-12T22:16:47Z
-ip-172-16-102-63.us-west-2.compute.internal-auto-hep 2021-05-12T22:16:47Z
-```
-
-### Use custom templates for host endpoints
-
-Template HostEndpoints allow for tailored, automatic HostEndpoint generation. Defined in spec.controllers.node.hostEndpoint.templates, they enable creation based on specific Node or interface criteria, offering greater customization compared to default automatic HostEndpoints.
-
-To enable template host endpoints and disable default host endpoints, edit the default KubeControllersConfiguration instance, and update `spec.controllers.node.hostEndpoint.templates` with your custom templates spec.
-
-1. Create a custom templates spec:
- ```bash
- cat << 'EOF' > hostEndpointTemplate.yaml
- spec:
- controllers:
- node:
- hostEndpoint:
- autoCreate: Enabled
- createDefaultHostEndpoint: Disabled
- templates:
- - generateName: custom-host-endpoint
- interfaceCIDRs:
- - 192.168.0.0/16
- nodeSelector: "!has(node-role.kubernetes.io/control-plane)"
- labels:
- custom-label: template-host-endpoint
- EOF
- ```
-
-2. Merge the templates spec with the `kubecontrollersconfiguration` resource:
-
- ```bash
- kubectl patch kubecontrollersconfiguration default --patch-file hostEndpointTemplate.yaml --type merge
- ```
-
-3. Verify that your `kubecontrollersconfiguration` resource is updated:
-
- ```bash
- kubectl get kubecontrollersconfiguration default -o yaml
- ```
-
- The output should look similar to this:
-
- ```
- apiVersion: projectcalico.org/v3
- kind: KubeControllersConfiguration
- metadata:
- name: default
- spec:
- controllers:
- node:
- hostEndpoint:
- autoCreate: Enabled
- createDefaultHostEndpoint: Enabled
- templates:
- - generateName: custom-host-endpoint
- interfaceCIDRs:
- - 192.168.0.0/16
- labels:
- custom-label: template-host-endpoint
- ```
-
-4. If successful, host endpoints are created for nodes matching your node selector:
-
- ```bash
- kubectl get heps -o=custom-columns='NAME:.metadata.name,NODE:.spec.node,INTERFACES:.spec.interfaceName,IPS:.spec.expectedIPs,PROFILES:.spec.profiles'
- ```
-
- The output may look similar to this:
-
- ```
- NAME NODE INTERFACE IPS PROFILES
- 192.168.83.64.compute.internal-custom-host-endpoint-auto-hep 192.168.83.64.compute.internal 192.168.83.64 projectcalico-default-allow
- 192.168.0.128.compute.internal-custom-host-endpoint-auto-hep 192.168.0.128.compute.internal 192.168.0.128 projectcalico-default-allow
- 192.168.157.128.compute.internal-custom-host-endpoint-auto-hep 192.168.157.128.compute.internal 192.168.157.128 projectcalico-default-allow
- ```
-
-### Apply network policy to automatic host endpoints
-
-To apply policy that targets all Kubernetes nodes, first add a label to the nodes.
-The label will be synced to their automatic host endpoints.
-
-For example, to add the label **kubernetes-host** to all nodes and their host endpoints:
-
-```bash
-kubectl label nodes --all kubernetes-host=
-```
-
-And an example policy snippet:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: all-nodes-policy
-spec:
- selector: has(kubernetes-host)
- #
-```
-
-To select a specific set of host endpoints (and their corresponding Kubernetes nodes), use a policy selector that selects a label unique to that set of host endpoints.
-For example, if we want to add the label **environment=dev** to nodes named node1 and node2:
-
-```bash
-kubectl label node node1 environment=dev
-kubectl label node node2 environment=dev
-```
-
-With the labels in place and automatic host endpoints enabled, host endpoints for node1 and node2 will be updated with the **environment=dev** label.
-We can write policy to select that set of nodes with a combination of selectors:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: some-nodes-policy
-spec:
- selector: has(kubernetes-host) && environment == 'dev'
- #
-```
-
-## Tutorial
-
-This tutorial will lock down Kubernetes node ingress to only allow SSH and required ports for Kubernetes to function.
-We will apply two policies: one for the control plane nodes. and one for the worker nodes.
-
-:::note
-
-Note: This tutorial was tested on a cluster created with kubeadm v1.18.2 on AWS, using a "stacked etcd" [topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/). Stacked etcd topology means the etcd pods are running on the masters. kubeadm uses stacked etcd by default.
-If your Kubernetes cluster is on a different platform, is running a variant of Kubernetes, or is running a topology with an external etcd cluster,
-please review the required ports for control plane and worker nodes in your cluster and adjust the policies in this tutorial as needed.
-
-:::
-
-First, let's restrict ingress traffic to the control plane nodes. The ingress policy below contains three rules.
-The first rule allows access to the API server port from anywhere. The second rule allows all traffic to localhost, which
-allows Kubernetes to access control plane processes. These control plane processes includes the etcd server client API, the scheduler, and the controller-manager.
-This rule also allows localhost access to the kubelet API and calico/node health checks.
-And the final rule allows the etcd pods to peer with each other and allows the masters to access each others kubelet API.
-
-If you have not modified the failsafe ports, you should still have SSH access to the nodes after applying this policy.
-Now apply the ingress policy for the Kubernetes masters:
-
-```
-kubectl apply -f - << EOF
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: ingress-k8s-masters
-spec:
- selector: has(node-role.kubernetes.io/control-plane)
- # This rule allows ingress to the Kubernetes API server.
- ingress:
- - action: Allow
- protocol: TCP
- destination:
- ports:
- # kube API server
- - 6443
- # This rule allows all traffic to localhost.
- - action: Allow
- destination:
- nets:
- - 127.0.0.0/8
- # This rule is required in multi-master clusters where etcd pods are colocated with the masters.
- # Allow the etcd pods on the masters to communicate with each other. 2380 is the etcd peer port.
- # This rule also allows the masters to access the kubelet API on other masters (including itself).
- - action: Allow
- protocol: TCP
- source:
- selector: has(node-role.kubernetes.io/control-plane)
- destination:
- ports:
- - 2380
- - 10250
-EOF
-```
-
-Note that the above policy selects the standard **node-role.kubernetes.io/control-plane** label that kubeadm sets on control plane nodes.
-
-Next, we need to apply policy to restrict ingress to the Kubernetes workers.
-Before adding the policy we will add a label to all of our worker nodes, which then gets added to its automatic host endpoint.
-For this tutorial we will use **kubernetes-worker**. An example command to add the label to worker nodes:
-
-```bash
-kubectl get node -l '!node-role.kubernetes.io/control-plane' -o custom-columns=NAME:.metadata.name | tail -n +2 | xargs -I{} kubectl label node {} kubernetes-worker=
-```
-
-The workers' ingress policy consists of two rules. The first rule allows all traffic to localhost. As with the masters,
-the worker nodes need to access their localhost kubelet API and calico/node healthcheck.
-The second rule allows the masters to access the workers kubelet API. Now apply the policy:
-
-```
-kubectl apply -f - << EOF
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: ingress-k8s-workers
-spec:
- selector: has(kubernetes-worker)
- # Allow all traffic to localhost.
- ingress:
- - action: Allow
- destination:
- nets:
- - 127.0.0.0/8
- # Allow only the masters access to the nodes kubelet API.
- - action: Allow
- protocol: TCP
- source:
- selector: has(node-role.kubernetes.io/control-plane)
- destination:
- ports:
- - 10250
-EOF
-```
-
-## Additional resources
-
-- [Protect hosts tutorial](protect-hosts-tutorial.mdx)
-- [Apply policy to Kubernetes node ports](../beginners/services/kubernetes-node-ports.mdx)
-- [Global network policy](../../reference/resources/globalnetworkpolicy.mdx)
-- [Host endpoints](../../reference/resources/hostendpoint.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/protect-hosts-tutorial.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/protect-hosts-tutorial.mdx
deleted file mode 100644
index 73b35d3969..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/protect-hosts-tutorial.mdx
+++ /dev/null
@@ -1,192 +0,0 @@
----
-description: Tutorial for protecting hosts in a Calico Enterprise cluster — register host endpoints, write rules, and allow controlled access to specific Kubernetes services.
----
-
-# Protect hosts tutorial
-
-Imagine that the administrator of a Kubernetes cluster wants to secure it as much as
-possible against incoming traffic from outside the cluster. But suppose that
-the cluster provides various useful services that are exposed as Kubernetes
-NodePorts, i.e., as well-known TCP port numbers that appear to be available on
-any node in the cluster. The administrator does want to expose some
-of those NodePorts to traffic from outside.
-
-In this example we will use pre-DNAT policy applied to the external interfaces
-of each cluster node:
-
-- to disallow incoming traffic from outside, in general
-
-- but then to allow incoming traffic to particular NodePorts.
-
-We use pre-DNAT policy for these purposes, instead of normal host endpoint
-policy, because:
-
-1. We want the protection against general external traffic to apply regardless
- of where that traffic is destined for - for example, to a locally hosted
- pod, or to a pod on another node, or to a local server process running on
- the host itself. Pre-DNAT policy is enforced in all of those cases - as we
- want - whereas normal host endpoint policy is not enforced for traffic going
- to a local pod.
-
-2. We want to write this policy in terms of the advertised NodePorts, not in
- terms of whatever internal port numbers those may be transformed to.
- kube-proxy on the ingress node will use a DNAT to change a NodePort number
- and IP address to those of one of the pods that backs the relevant Service.
- Our policy therefore needs to take effect _before_ that DNAT - and that
- means that it must be a pre-DNAT policy.
-
-:::note
-
-Note: This tutorial is intended to be used with named host endpoints, i.e. host endpoints with `interfaceName` set to a specific interface name.
-This tutorial does not work, as-is, with host endpoints with `interfaceName: "*"`.
-
-:::
-
-Here is the pre-DNAT policy that we need to disallow incoming external traffic
-in general:
-
-```bash
-kubectl apply -f - <
-```
-
-and then using `host-endpoint==''` as the selector of the
-`allow-nodeport` policy, instead of `has(host-endpoint)`.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/protect-hosts.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/protect-hosts.mdx
deleted file mode 100644
index 8b21aea850..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/hosts/protect-hosts.mdx
+++ /dev/null
@@ -1,186 +0,0 @@
----
-description: Protect Kubernetes hosts and bare-metal nodes with Calico Enterprise policy by writing rules that target host endpoints.
----
-
-# Protect hosts and VMs
-
-## Big picture
-
-Use $[prodname] network policy to restrict traffic to/from hosts and VMs.
-
-## Value
-
-Restricting traffic between hosts and the outside world is not unique to $[prodname]; many solutions provide this capability. However, the advantage of using $[prodname] to protect the host is you can use the same $[prodname] policy configuration as workloads. You only need to learn one tool. Write a cluster-wide policy, and it is immediately applied to every host.
-
-## Concepts
-
-### Hosts and workloads
-
-In the context of $[prodname] configuration, a *workload* is a containerized compute instance running in Kubernetes.
-A *host* is a computer or virtual machine (VM) that acts as a node in a Kubernetes cluster or that runs application workloads outside of Kubernetes.
-$[prodname] is unique in that it can enforce network policy and provide visibility in a consistent way for both workloads and hosts, even if those hosts are on-premises servers or VMs running in the public cloud.
-
-### Host endpoints
-
-Each host has one or more network interfaces that it uses to communicate externally. You can use $[prodname] network policy to secure these interfaces (called host endpoints). $[prodname] host endpoints can have labels, and they work the same as labels on workload endpoints. The network policy rules can apply to both workload and host endpoints using label selectors.
-
-### Failsafe rules
-
-It is easy to inadvertently cut all host connectivity because of nonexistent or misconfigured network policy. To avoid this, $[prodname] provides failsafe rules with default/configurable ports that are open on all host endpoints.
-
-### Default behavior of workload to host traffic
-
-By default, $[prodname] blocks all connections from a workload to its local host. You can control whether connections from a workload endpoint to its local host are dropped, returned, or accepted using a simple parameter.
-
-$[prodname] allows all connections from processes running on the host to guest workloads on the host. This allows host processes to run health checks and debug guest workloads.
-
-### Default behavior of external traffic to/from host
-
-If a host endpoint is added and network policy is not in place, the $[prodname] default is to deny traffic to/from that endpoint (except for traffic allowed by failsafe rules). For host endpoints, $[prodname] blocks traffic only to/from interfaces that it’s been explicitly told about in network policy. Traffic to/from other interfaces is ignored.
-
-### Other host protection
-
-In terms of design consistency in $[prodname], you may wonder about the following use cases.
-
-**Does $[prodname] protect a local host from workloads?**
-Yes. DefaultEndpointToHostAction controls whether or not workloads can access their local host.
-
-**Does $[prodname] protect a workload from the host it is running on?**
-No. $[prodname] allows connections the host makes to the workloads running on that host. Some orchestrators like Kubernetes depend on this connectivity for health checking the workload. Moreover, processes running on the local host are often privileged enough to override local $[prodname] policy. Be very cautious with the processes that you allow to run in the host's root network namespace.
-
-## Before you begin...
-
-If you are already running $[prodname] for Kubernetes, you are good to go. If you want to install $[prodname] on a non-cluster machine for host protection only, see [Non-cluster hosts](../../getting-started/bare-metal/index.mdx).
-
-## How to
-
-- [Avoid accidentally cutting all host connectivity ](#avoid-accidentally-cutting-all-host-connectivity)
-- [Use policy to restrict host traffic](#use-policy-to-restrict-host-traffic)
-- [Control default behavior of workload endpoint to host traffic](#control-default-behavior-of-workload-endpoint-to-host-traffic)
-
-### Avoid accidentally cutting all host connectivity
-
-To avoid inadvertently cutting all host connectivity because of nonexistent or misconfigured network policy, $[prodname] uses failsafe rules that open specific ports and CIDRs on all host endpoints.
-
-Review the following table to determine if the defaults work for your implementation. If not, change the default ports using the parameters, **FailsafeInboundHostPorts** and **FailsafeOutboundHostPorts** in [Configuring Felix](../../reference/component-resources/node/felix/configuration.mdx#environment-variables).
-
-| Port | Protocol | CIDR | Direction | Purpose |
-| ---- | -------- | --------- | ------------------ | ------------------------------------ |
-| 22 | TCP | 0.0.0.0/0 | Inbound | SSH access |
-| 53 | UDP | 0.0.0.0/0 | Outbound | DNS queries |
-| 67 | UDP | 0.0.0.0/0 | Outbound | DHCP access |
-| 68 | UDP | 0.0.0.0/0 | Inbound | DHCP access |
-| 179 | TCP | 0.0.0.0/0 | Inbound & Outbound | BGP access ($[prodname] networking) |
-| 2379 | TCP | 0.0.0.0/0 | Inbound & Outbound | etcd access |
-| 2380 | TCP | 0.0.0.0/0 | Inbound & Outbound | etcd access |
-| 6443 | TCP | 0.0.0.0/0 | Inbound & Outbound | Kubernetes API server access |
-| 6666 | TCP | 0.0.0.0/0 | Inbound & Outbound | etcd self-hosted service access |
-| 6667 | TCP | 0.0.0.0/0 | Inbound & Outbound | etcd self-hosted service access |
-
-### Use policy to restrict host traffic
-
-#### Step 1: Create policy to restrict host traffic
-
-Although failsafe rules provide protection from removing all connectivity to a host, you should create a GlobalNetworkPolicy policy that restricts host traffic.
-
-In the following example, we use a **GlobalNetworkPolicy** that applies to all worker nodes (defined by a label). Ingress SSH access is allowed from a defined "management" subnet.
-
-**Ingress traffic** is also allowed for ICMP, and on TCP port 10250 (default kubelet port). **Egress** traffic is allowed to etcd on a particular IP, and UDP on port 53 and 67 for DNS and DHCP.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: k8s-worker
-spec:
- selector: "role == 'k8s-worker'"
- order: 0
- ingress:
- - action: Allow
- protocol: TCP
- source:
- nets:
- - ''
- destination:
- ports: [22]
- - action: Allow
- protocol: ICMP
- - action: Allow
- protocol: TCP
- destination:
- ports: [10250]
- egress:
- - action: Allow
- protocol: TCP
- destination:
- nets:
- - '/32'
- ports: [2379]
- - action: Allow
- protocol: UDP
- destination:
- ports: [53, 67]
-```
-
-#### Step 2: Create host endpoints
-
-For each host point that you want to secure with policy, you must create a **HostEndpoint** object. To do that, you need the name of the $[prodname] node on the host that owns the interface; in most cases, it is the same as the hostname of the host.
-
-In the following example, we create a HostEndpoint for the host named **my-host** with the interface named **eth0**, with **IP 10.0.0.1**. Note that the value for **node:** must match the hostname used on the $[prodname] node object.
-
-When the HostEndpoint is created, traffic to or from the interface is dropped unless policy is in place.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: HostEndpoint
-metadata:
- name: my-host-eth0
- labels:
- role: k8s-worker
- environment: production
-spec:
- interfaceName: eth0
- node: my-host
- expectedIPs: ['10.0.0.1']
-```
-
-### Control default behavior of workload endpoint to host traffic
-
-The default $[prodname] behavior blocks all connections from workloads to their local host (after traffic passes any egress policy applied to the workload). You can change this behavior using the **DefaultEndpointToHostAction** parameter in Felix configuration.
-
-This parameter works at the IP table level, where you can specify packet behavior to **Drop** (default), **Accept**, or **Return**.
-
-To change this parameter for all hosts, edit the **FelixConfiguration** object named “default.”
-
-1. Get a copy of the object to edit.
-
- ```bash
- kubectl get felixconfiguration default -o yaml > default-felix-config.yaml
- ```
-
-1. Open the file in a text editor and add the parameter, **defaultEndpointToHostAction**. For example:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: FelixConfiguration
- metadata:
- name: default
- spec:
- ipipEnabled: true
- logSeverityScreen: Info
- reportingInterval: 0s
- defaultEndpointToHostAction: Accept
- ```
-
-1. Update the FelixConfiguration on the cluster.
- ```bash
- kubectl apply -f default-felix-config.yaml
- ```
-
-## Additional resources
-
-- [Apply policy to Kubernetes node ports](../beginners/services/kubernetes-node-ports.mdx)
-- [Protect Kubernetes nodes with host endpoints managed by $[prodname]](kubernetes-nodes.mdx)
-- [Defend against DoS attacks](../extreme-traffic/defend-dos-attack.mdx)
-- [Global network policy](../../reference/resources/globalnetworkpolicy.mdx)
-- [Host endpoint](../../reference/resources/hostendpoint.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/index.mdx
deleted file mode 100644
index 2d5431ebf0..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/index.mdx
+++ /dev/null
@@ -1,65 +0,0 @@
----
-description: Secure Kubernetes workloads and hosts with Calico Enterprise network policy — extends Kubernetes NetworkPolicy with tiers, recommendations, and observability.
----
-
-import { DocCardLink, DocCardLinkLayout } from '/src/___new___/components';
-
-# Network policy
-
-Writing network policies is how you restrict traffic to pods in your Kubernetes cluster.
-$[prodname] extends the standard `NetworkPolicy` object to provide advanced network policy features, such as policies that apply to all namespaces.
-
-## Getting started
-
-
-
-
-
-
-
-
-
-
-
-## Policy rules
-
-
-
-
-
-
-
-
-
-
-## Policy for hosts and VMs
-
-
-
-
-
-
-
-
-## Policy tiers
-
-
-
-
-
-
-
-
-## Policy for services
-
-
-
-
-
-
-## Policy for extreme traffic
-
-
-
-
-
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/networksets.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/networksets.mdx
deleted file mode 100644
index e70b0b5b4b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/networksets.mdx
+++ /dev/null
@@ -1,267 +0,0 @@
----
-description: Use Calico Enterprise network sets to package frequently reused IP ranges or domains into named selectors that policies can reference.
----
-
-# Get started with network sets
-
-## Visualize traffic to/from your cluster
-
-Modern applications often integrate with third-party APIs and SaaS services that live outside Kubernetes clusters. To securely enable access to those integrations, you must be able to limit IP ranges for egress and ingress traffic to workloads. Limiting IP lists or ranges is also used to deny-list bad actors or embargoed countries. To limit IP ranges, you need to use the $[prodname] resource called **network sets**.
-
-## What are network sets?
-
-**Network sets** are a grouping mechanism that allows you to create an arbitrary set of IP subnetworks/CIDRs or domains that can be matched by standard label selectors in Kubernetes or $[prodname] network policy. Like IP pools for pods, they allow you to reuse/scale sets of IP addresses in policies.
-
-A **network set** is a namespaced resource that you can use with Kubernetes or $[prodname] network policies; a **global network set** is a cluster-wide resource that you can use with $[prodname] network policies.
-
-Like network policy, you manage user access to network sets using standard Kubernetes RBAC.
-
-## Why are network sets powerful?
-
-If you are familiar with Service Graph in the web console, you know the value of seeing pod-to-pod traffic within your cluster. But what about traffic external to your cluster?
-
-$[prodname] automatically detects IPs for pods and nodes that fall into the standard IETF “public network” and “private network” designations, and displays those as icons in Service Graph. So you get some visibility into external traffic without using any network sets.
-
-
-
-However, when you create network sets, you can get more granular visibility into what's leaving the cluster to public networks. Because you control the grouping, the naming, and labeling, you create visibility that is customized to your organization. This is why they are so powerful.
-
-Here are just a few examples of how network sets can be used:
-
-- **Egress access control**
-
- Network sets are a key resource for defining egress access controls; for example, securing ingress to microservices/apps or egress from workloads outside the cluster.
-
-- **Troubleshooting**
-
- Network sets appear as additional metadata in flow logs and Kibana, Flow Visualizer, and Service Graph.
-
-- **Efficiency and scaling**
-
- Network sets are critical when scaling your deployment. You may have only a few CIDRs when you start. But as you scale out, it is easier to update a handful of network sets than update each network policy individually. Also, in a Kubernetes deployment, putting lots of anything (CIDRs, ports, policy rules) directly into policies causes inefficiencies in traffic processing (iptables/eBPF).
-
-- **Microsegmentation and shift left**
-
- Network sets provide the same microsegmentation controls as network policy. For example, you can allow specific users to create policies (that reference network sets), but allow only certain users to manage network sets.
-
-- **Threat defense**
-
- Network sets are key to being able to manage threats by blocking bad IPs with policy in a timely way. Imagine having to update individual policies when you find a bad IP you need to quickly block. You can even give access to a controller that automatically updates CIDRs in a network set when a bad IP is found.
-
-## Create a network set and use it in policy
-
-In this section, we’ll walk through how to create a namespaced network set in the web console. You can follow along using your cluster or tigera-labs cluster.
-
-In this example, you will create a network set named, `google`. This network set contains a list of trusted google endpoints for a microservice called, `hipstershop`. As a service owner, you want to be able to see traffic leaving the microservices in Service Graph. Instead of matching endpoints on IP addresses, we will use domain names.
-
-1. From the left navbar, click **Network Sets**.
-1. Click **Add Network Set**, and enter these values.
- - For Name: `google`
- - For Scope: Select **Namespace** and select, `hipstershop`
-1. Under Labels, click **Add label**.
- - In the Select key field, enter `destinations` and click the green bar to add this new entry.
- - In the Value field, enter `google`, click the green bar to add the entry, and save.
-1. For Domains, click **+Add Domain** and these URLs: `clouddebugger.googleapis.com`, `cloudtrace.googleapis.com`, `metadata.google.internal`, `monitoring.googleapis.com`.
-1. Click **Create Network Set**.
-
-You’ve created your first network set.
-
-
-
-The YAML looks like this:
-
-```yaml
-kind: NetworkSet
-apiVersion: projectcalico.org/v3
-metadata:
- name: google
- labels:
- destinations: google
- namespace: hipstershop
-spec:
- nets: []
- allowedEgressDomains:
- - clouddebugger.googleapis.com
- - cloudtrace.googleapis.com
- - metadata.google.internal
- - monitoring.googleapis.com
-```
-
-Next, we write a DNS policy for hipstershop that allows egress traffic to the trusted google sites. The following network policy allows egress access for all destination selectors labeled, `google`. Note that putting domains in a network set referencing it in policy is the best practice. Also, note that using `selector: all()` should only be used if all pods in the namespace can access all of the domains in the network set; if not, you should create separate policies accordingly.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: application.allow-egress-domain
- namespace: hipstershop
-spec:
- tier: application
- order: 0
- selector: all()
- serviceAccountSelector: ''
- egress:
- - action: Allow
- source: {}
- destination:
- selector: destinations == "google"
- types:
- - Egress
-```
-
-## Network sets in Service Graph
-
-Continuing with our `hipstershop` example, if you go to Service Graph, you see hipstershop (highlighted in yellow).
-
-
-
-If we double-click `hipstershop` to drill down, we now see the `google` network set icon (highlighted in yellow). We now have visibility to traffic external from google sites to hipstershop. (If you are using the tigera-labs cluster, note that the network set will not be displayed as shown below.)
-
-
-
-Service Graph provides a view into how services are interconnected in a consumable view, along with easy access to flow logs. However, you can also see traffic associated with network sets in volumetric display with Flow Visualizer, and query flow log data associated with network sets in Kibana.
-
-## Tutorial
-
-In the following example, we create a global network set resource for a trusted load-balancer that can be used with microservices and applications. The label, `trusted-ep: load-balancer` is how this global network set can be referenced in policy.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkSet
-metadata:
- name: load-balancer
- labels:
- trusted-ep: "load-balancer"
-spec:
- nets:
- # Modify the ip addresses to refer to the ip addresses of load-balancers in your environment
- - 10.0.0.1/32
- - 10.0.0.2/32
-```
-
-The following network policy uses the `selector: trusted-ep == "load balancer"` to reference the above GlobalNetworkSet. All applications in the `app2-ns` namespace, that match `app2` and `svc1` are allowed ingress traffic from the trusted load balance on port 1001.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: application.app2-svc1
- namespace: app2-ns
-spec:
- tier: application
- order: 500
- selector: (app == "app2"&&svc == "svc1")
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: trusted-ep == "load-balancer"
- destination:
- ports:
- - '10001'
- types:
- - Ingress
-```
-
-### Advanced policy rules with network sets
-
-When you combine $[prodname] policy rules with network sets, you have powerful ways to fine-tune. The following example combines network sets with specific rules in a global network policy to deny access more quickly.
-We start by creating a $[prodname] GlobalNetworkSet that specifies a list of CIDR ranges we want to deny: 192.0.2.55/32 and 203.0.113.0/24.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkSet
-metadata:
- name: ip-protect
- labels:
- ip-deny-list: 'true'
-spec:
- nets:
- - 192.0.2.55/32
- - 203.0.113.0/24
-```
-
-Next, we create two $[prodname] GlobalNetworkPolicy resources. The first is a high "order" policy that allows traffic as a default for things that don’t match our second policy, which is low "order" and uses the GlobalNetworkSet label as a selector to deny ingress traffic (IP-deny-list in the previous step). In the label selector, we also include the term, `!has(projectcalico.org/namespace)`, which prevents this policy from matching pods or NetworkSets that also have this label. To more quickly enforce the denial of forwarded traffic to the host at the packet level, use the `doNotTrack` and `applyOnForward` options.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: forward-default-allow
-spec:
- selector: apply-ip-protect == 'true'
- order: 1000
- doNotTrack: true
- applyOnForward: true
- types:
- - Ingress
- ingress:
- - action: Allow
----
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: ip-protect
-spec:
- selector: apply-ip-protect == 'true'
- order: 0
- doNotTrack: true
- applyOnForward: true
- types:
- - Ingress
- ingress:
- - action: Deny
- source:
- selector: ip-deny-list == 'true' && !has(projectcalico.org/namespace)
-```
-
-## Best practices for using network sets
-
-- Create network sets as soon as possible after getting started
-
- This allows you to quickly realize the benefits of seeing custom metadata in flow logs and visualizing traffic in Service Graph and Flow Visualizer.
-
-- Create a network set label and name schema
-
- It is helpful to think: what names would be meaningful and easy to understand when you look in Service Graph? Flow Viz? Kibana? What labels will be easy to understand when used in network policies – especially if you are separating users who manage network sets from those who consume them in network policies.
-
-- Do not put large sets of CIDRs and domains directly in policy
-
- Network sets allow you to specify CIDRs and/or domains. Although you can add CIDRs and domains directly in policy, it doesn't scale.
-
-- Do not put thousands of rules into a policy, each with a different CIDR
-
- If your set of /32s can be easily aggregated into a few broader CIDRs without compromising security, it’s a good thing to do; whether you’re putting the CIDRs in the rule or using a network set.
-
-- If you want to match thousands of endpoints, write one or two rules and use selectors to match the endpoints.
-
- Having one rule per port, per host is inefficient because each rule ends up being rendered as an iptables/eBPF rule instead of making good use of IP sets.
-
-- Avoid overlapping IP addresses/subnets in networkset/globalnetworkset definitions
-
-## Efficient use of network sets
-
-If you have a large number of things to match, using a network set is more efficient both in the control plane (for example, Felix CPU), and for the packet path (latency/per packet CPU). If you use network sets and you add/remove an IP from the network set, this doesn't require changing iptables rules at all. It only requires updating the ipset, which is efficient. If you also change the policy rules, then iptables must be updated too. Using network sets is efficient for all of the following use cases:
-
-- The system applying the iptables rules to incoming connections (to decide whether to allow or deny the traffic)
-- iptables rules updates whenever one of the policies and/or network sets change
-- The Kubernetes APIserver handling changes to the policy and/or networkset CRDs
-
-Follow these guidelines for efficient use of network sets.
-
-| Policy | Network set | Results |
-| ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
-| source: selector: foo="bar" | With handful of broad CIDRs | **Efficient** **-** 1 iptables/eBPF rule - 1 IP set with handful of CIDRs |
-| source: nets: [ ... handful ...] | Not used | **Efficient** - Handful of iptables/eBPF rules - 0 IP sets |
-| source: selector: foo="bar" | One network set with 2000 x /32s | **`*`Most efficient** - 1 iptables/eBPF rule - 1 IP sets with 2000 entries |
-| | Two network sets with 1000 each x /32s | **Efficient** - 2 iptables/eBPF rules - 2 IP set with 1000 entries |
-| source: nets: [... 2000 /32s ...] - source: nets: [1 x /32] - source: nets: [1 x /32] - ... x 2000 | Not used | **Inefficient** Results in programming 2k iptables/eBPF rules - 2000+ iptables/eBPF rules - 0 IP sets |
-
-`*` Updating **ipsets** is fast and efficient. Adding/removing a single entry is an O(1) operation no matter the number of IPs in the set. Updating **iptables** is generally slow and gets slower the more rules you have in total (including rules created by kube-proxy, for example). Less than 10K rules are generally fine, but noticeable latency occurs when updating rules above that number (increasing as the number of rules grows). (The newer nftables may scale more efficiently but those results are not included here.)
-
-Similarly, hitting many iptables (or eBPF) rules adds latency to the first packet in a flow. For iptables, it measures around 250ns per rule. Although a single rule is negligible, hitting 10K rules add >1ms to the first packet in the flow. Packets only hit the rules for the particular interface that they arrive on; if you have 10K rules on one interface and 10 rules on another, the packet processed by the first interface will have more latency.
-
-## Additional resources
-
-- [Network set](../reference/resources/networkset.mdx)
-- [Global network set](../reference/resources/globalnetworkset.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-best-practices.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-best-practices.mdx
deleted file mode 100644
index 43ff34fd2a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-best-practices.mdx
+++ /dev/null
@@ -1,356 +0,0 @@
----
-description: Best practices for Calico Enterprise policy — security posture, scalability with tiers, and performance tuning under load.
----
-
-# Policy best practices
-
-## Big picture
-
-Policy best practices for run-time security starts with $[prodname]’s robust network security policy, but other $[prodname] resources play equally important roles in security, scalability, and performance.
-
-Learn $[prodname] policy best practices and resources that support a zero trust network model:
-
-- [Prepare for policy authoring](#prepare-for-policy-authoring)
-- [Policy best practices for day-one zero trust](#policy-best-practices-for-day-one-zero-trust)
-- [Policy design for efficiency and performance](#policy-design-for-efficiency-and-performance)
-- [Policy life cycle tools](#policy-life-cycle-tools)
-
-## Prepare for policy authoring
-
-### Determine who can write policy
-
-Any team familiar with deploying microservices in Kubernetes can easily master writing network policies. The challenge in many organizations is deciding who will be given permission to write policy across teams. Although there are different approaches, $[prodname] policy tools have the flexibility and guardrails to accommodate different approaches.
-
-Let’s review two common approaches.
-
-- **Microservices teams write policy**
-
- In this model, network policy is treated as code, built into and tested during the development process, just like any other critical part of a microservice’s code. The team responsible for developing a microservice has a good understanding of other microservices they consume and depend on, and which microservices consume their microservice. With a defined, standardized approach to policy and label schemas, there is no reason that the teams cannot implement network policies for their microservice as part of the development of the microservice. With visibility in Service Graph, teams can even do basic troubleshooting.
-
-- **Dev/Ops writes policy, microservice team focuses on internals**
- An equally valid approach is to have development teams focus purely on the internals of the microservices they are responsible for, and leave responsibility for operating the microservices with DevOps teams. A Dev/ops team needs the same understanding as the microservices team above. However, network security may come much later in the organization’s processes, or even as an afterthought on a system already in production. This can be more challenging because getting network policies wrong can have significant production impacts. But using $[prodname] tools, this approach is still achievable.
-
-When you get clarity on who can write policies, you can move to creating tiers. $[prodname] tiers, along with standard Kubernetes RBAC, provide the infrastructure to meet security concerns across teams.
-
-### Understand the depth of $[prodname] network policy
-
-Because $[prodname] policy goes well beyond the features in Kubernetes policy, we recommend that you have a basic understanding of [network policy and global network policy](beginners/calico-network-policy.mdx) and how they provide workload access controls. And even though you may not implement the following policies, it is helpful to know the depth of defense that is available in $[prodname].
-
-- [Policy for services](beginners/services/index.mdx)
-- [Policy integration for firewalls](policy-firewalls/index.mdx)
-- [Policy for hosts](hosts/index.mdx)
-
-### Create policy tiers
-
-**Tiers** are a hierarchical construct used to group policies and enforce higher precedence policies that cannot be circumvented by other teams. As part of your microsegmentation strategy, tiers let you apply identity-based protection to workloads and hosts.
-
-Before creating policies, we recommend that you create your tier structure. This often requires internal debates and discussions. As noted previously, $[prodname] policy workflow has the guardrails you need to allow diverse teams to participate in policy writing.
-
-To understand how tiered policy works and best practices, see [Get started with tiered policies](policy-tiers/tiered-policy.mdx).
-
-### Create label standards
-
-Creating a label standard is often an overlooked step. But if you skip this step, it will cost you in troubleshooting down the road; especially given visibility/troubleshooting is already a challenge in a Kubernetes deployment.
-
-**Why are label standards important?**
-
-Network policies in Kubernetes depend on **labels and selectors** (not IP addresses and IP ranges) to determine which workloads can talk to each other. As pods dynamically scale up and down, network policy is enforced based on the labels and selectors that you define. So workloads and host endpoints need unique, identifiable labels. If you create duplicate label names, or labels are not intuitive, troubleshooting network policy issues and authoring network policies becomes more difficult.
-
-**Recommendations**:
-
-- Follow the [Kubernetes guidelines for labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). If the Kubernetes guidelines do not cover your use cases, we recommend this blog from Tigera Support: [Label standard and best practices for Kubernetes security](https://www.helpnetsecurity.com/2021/05/26/kubernetes-security/).
-- Develop a comprehensive set of labels that meets the deployment, reporting, and security requirements of different stakeholders in your organization.
-- Standardize the way you label your pods and write your network policies using a consistent schema or design pattern.
-- Labels should be defined to achieve a specific and explicit purpose
-- Use an intuitive language in your label definition that enables a quick and simple identification of labeled Kubernetes objects.
-- Use label key prefixes and suffixes to identify attributes required for asset classification.
-- Ensure the right labels are applied to Kubernetes objects by implementing label governance checks in your CI/CD pipeline or at runtime.
-
-### Create network sets
-
-Network sets and global network sets are grouping mechanisms for arbitrary sets of IPs/subnets/CIDRs or domains. They are key resources for efficient policy design. The key use cases for network sets are:
-
-- **Use/reuse in policy to support scaling**
-
- You reference network sets in policies using selectors (rather than updating individual policies with CIDRs or domains).
-
-- **Visibility to traffic to/from a cluster**
-
- For apps that integrate with third-party APIs and SaaS services, you get enhanced visibility to this traffic in Service Graph.
-
-- **Global deny lists**
-
- Create a “deny-list” of CIDRs for bad actors or embargoed countries in policy.
-
-**Recommendation**: Create network sets **and labels** before writing policy.
-
-For network set tutorial and best practices, see [Get started with network sets](networksets.mdx).
-
-## Policy best practices for day-one zero trust
-
-### Create a global default deny policy
-
-A global default deny network policy provides an enhanced security posture – so pods without policy (or incorrect policy) are not allowed traffic until appropriate network policy is defined. We recommend creating a global default deny, regardless of whether you use Calico Enterprise and/or Kubernetes network policy.
-
-But, be sure to understand the [best practices for creating a default deny policy](default-deny.mdx) to avoid breaking your cluster.
-
-Here are sample [default deny policies](beginners/kubernetes-default-deny.mdx).
-
-### Define both ingress and egress network policy rules for every pod in the cluster
-
-Although defining network policy for traffic external to clusters (north-south) is certainly important, it is equally important to defend against attacks for east-west traffic. Simply put, **every connection from/to every pod in every cluster should be protected**. Although having both doesn’t guarantee protection against other attacks and vulnerabilities, one innocuous workload can lead to exposure of your most critical workloads.
-
-For examples, see [basic ingress and egress policies](beginners/calico-network-policy.mdx).
-
-## Policy design for efficiency and performance
-
-Teams can write policies that work, but ultimately you want policies that also scale, and do not negatively impact performance.
-
-If you follow a few simple guidelines, you’ll be well on your way to writing efficient policy.
-
-### Use global network policy only when all rules apply globally
-
-- **Do**
-
- Use global network policy for cluster-wide scope when all rules apply to multiple namespaces or host endpoints. For example, use a global network policy to create a deny-list of CIDRs for embargoed countries, or for global default deny everywhere, even for new namespaces.
-
- Why? Although at the level of packet processing there is no difference between network policy and global network, for CPU usage, one global network policy is faster than a large number of network policies.
-
-- **Avoid**
-
- Using a global network policy as a way to combine diverse, namespaced endpoints with different connectivity requirements. Although creating such a policy can work, appears efficient and is easier to view than several separate network policies, it is inefficient and should be avoided.
-
- Why? Putting a lot of anything in policy (rules, CIDRs, ports) that are manipulated by selectors is inefficient. iptables/eBPF rules depend on minimizing executions and updates. When a selector is encountered in a policy rule, it is converted into one iptables rule that matches on an IP set. Then, different code keeps the IP sets up to date; this is more efficient than updating iptables rules. Also, because iptables rules execute sequentially in order, having many rules results in longer network latencies for the first packet in a flow (approximately 0.25-0.5us per rule). Finally, having more rules slows down programming of the data plane, making policy updates take longer.
-
-**Example: Inefficient global network policy**
-
-The following policy is a global network policy for a microservice that limits all egress communication external to the cluster in the security tier. Does this policy work? Yes. And logically, it seems to cleanly implement application controls.
-
-```yaml noValidation
-1 apiVersion: projectcalico.org/v3
-2 kind: GlobalNetworkPolicy
-3 metadata:
-4 name: security.allow-egress-from-pods
-5 spec:
-6 tier: security
-7 order: 1
-8 selector: all()
-9 egress:
-10 - action: Deny
-11 source:
-12 namespaceSelector: projectcalico.org/namespace starts with "tigera"
-13 destination:
-14 selector: threatfeed == "feodo"
-15 - action: Allow
-16 protocol: TCP
-17 source:
-18 namespaceSelector: projectcalico.org/name == "sso"
-19 ports:
-20 - '443'
-21 - '80'
-22 destination:
-23 domains:
-24 - '*.googleapis.com'
-25 - action: Allow
-26 protocol: TCP
-27 source:
-28 selector: psql == "external"
-29 destination:
-30 ports:
-31 - '5432'
-32 domains:
-33 - '*.postgres.database.azure.com'
-34 - action: Allow
-35 protocol: TCP
-36 source: {}
-37 destination:
-38 ports:
-39 - '443'
-40 - '80'
-41 domains:
-42 - '*.logic.azure.com'
-43 - action: Allow
-44 protocol: TCP
-45 source: {}
-46 destination:
-47 ports:
-48 - '443'
-49 - '80'
-50 domains:
-51 - '*.azurewebsites.windows.net'
-52 - action: Allow
-53 protocol: TCP
-54 source:
-55 selector: 'app in { "call-archives-api" }||app in { "finwise" }'
-56 destination:
-57 domains:
-58 - '*.documents.azure.com'
-59 - action: Allow
-60 protocol: TCP
-61 source:
-62 namespaceSelector: projectcalico.org/name == "warehouse"
-63 destination:
-64 ports:
-65 - '1433'
-66 domains:
-67 - '*.database.windows.net'
-68 - action: Allow
-69 protocol: TCP
-70 source: {}
-71 destination:
-72 nets:
-73 - 65.132.216.26/32
-74. - 10.10.10.1/32
-75 ports:
-76 - '80'
-77 - '443'
-78 - action: Allow
-79 protocol: TCP
-80 source:
-81 selector: app == "api-caller"
-82 destination:
-83 ports:
-84 - '80'
-85 - '443'
-86 domains:
-87 - api.example.com
-88 - action: Allow
-89 source:
-90 selector: component == "tunnel"
-91 - action: Allow
-92 destination:
-93 selector: all()
-94 namespaceSelector: all()
-95 - action: Deny
-96 types:
-97 - Egress
-```
-
-**Why this policy is inefficient**
-
-First, the policy does not follow guidance on use for global network policy: that all rules apply to the endpoints. So the main issue is inefficiency, although the policy works.
-
-The main selector `all()` (line 8) means the policy will be rendered on every endpoint (workload and host endpoints). The selectors in each rule (for example, lines 12 and 14) control traffic that are matched by that rule. So, even if the host doesn’t have any workloads that match `"selector: app == "api-caller"`, you’ll still get the iptables/eBPF rule rendered on every host to implement that rule. If this sample policy had 100 pods, that’s a 10 - 100x increase in the number of rules (depending on how many local endpoints match each rule). In short, it adds:
-
-- Memory and CPU to keep track of all the extra rules
-- Complexity to handle changes to endpoint labels, and to re-render all the policies too.
-
-### Avoid policies that may select unwanted endpoints
-
-The following policy is for an application in a single namespace, `app1-ns` namespace. There are two microservices that are all labeled appropriately:
-
-- microservice 1 has `app: app1`, `svc: svc1`
-- microservice 2 has `app: app1`, `svc: svc2`
-
-The following policy works correctly and does not incur a huge performance hit. But it could select additional endpoints that were not intended.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: application.app1
- namespace: app1-ns
-spec:
- tier: application
- order: 10
- selector: app == "app1"
- types:
- - Ingress
- ingress:
- - action: Allow
- source:
- selector: trusted-ip == "load-balancer"
- destination:
- selector: svc == "svc1"
- ports:
- - 10001
- protocol: TCP
- - action: Allow
- source:
- selector: svc == "svc1"
- destination:
- selector: svc == "svc2"
- ports:
- - 10002
- protocol: TCP
-```
-
-The policy incorrectly assumes that the main policy selector (`app == "app1"`) will be combined (ANDed) with the endpoint selector, and only for certain policy types. In this case,
-
-- **Ingress** - combines policy selector and _destination endpoint selector_
- or
-- **Egress** - combines policy selector and _source endpoint selector_
-
-But if the assumptions behind the labels are not understood by other policy authors and are not correctly assigned, the endpoint selector may select _additional endpoints that were not intended_. For ingress policy, this can open up the endpoint to more IP addresses than necessary. This unintended consequence would be exacerbated if the author used a global network policy.
-
-### Put multiple relevant policy rules together in the same policy
-
-As discussed previously, it is better to create separate policies for different endpoint connectivity rules, than a single global network policy. However, you may interpret this to mean that the best practice is to make unique policies that do not aggregate any rules. But that is not the case. Why? When $[prodname] calculates and enforces policy, it updates the iptables/eBPF and reads policy changes and pod/workload endpoints from the datastore. The more policies in memory, the more work it takes determine which policies match a particular endpoint. If you group more rules into one policy, there are fewer policies to match against.
-
-### Understand effective use of label selectors
-
-Label selectors abstract network policy from the network. Misuse of selectors can slow things down. As discussed previously, the more selectors you create, the harder $[prodname] works to find matches.
-
-The following policy shows an inefficient use of selectors. Using `selector: all()` renders the policy on all nodes for all workloads. If there are 10,000 workloads, but only 10 match label==foo, that is very inefficient at the data plane level.
-
-```yaml
-selector: all()
-ingress:
- source:
- selector: label == 'bar'
- destination:
- selector: label == 'foo'
-```
-
-The best practice policy below allows the same traffic, but is more efficient and scalable. Why? Because the policy will be rendered only on nodes with workloads that match the selector `label==foo`.
-
-```yaml
-selector: label == 'foo'
-ingress:
- source:
- selector: label == 'bar'
-```
-
-Another common mistake is using `selector: all()` when you don’t need to. `all()` means _all workloads_ so that will be a large IP set. Whenever there's a source/destination selector in a rule, it is rendered as an IP set in the data plane.
-
-```yaml
-source:
- selector: all()
-```
-
-### Put domains and CIDRs in network sets rather than policy
-
-Network sets allow you to specify CIDRs and/or domains. As noted in [Network set best practices](policy-best-practices.mdx), we do not recommend putting large CIDRs or domains directly in policy. Although nothing stops you from do this in policy, using network sets is more efficient and supports scaling.
-
-## Policy life cycle tools
-
-### Preview, stage, deploy
-
-A big obstacle to adopting Kubernetes is not having confidence that you can effectively prevent, detect, and mitigate across diverse teams. The following policy life cycle tools in the web console (**Policies** tab) can help.
-
-- **Policy recommendations**
-
- Get a policy recommendation for unprotected workloads. Speeds up learning, while supporting zero trust.
-
-- **Policy impact preview**
-
- Preview the impacts of policy changes before you apply them to avoid unintentionally exposing or blocking other network traffic.
-
-- **Policy staging and audit modes**
-
- Stage network policy so you can monitor traffic impact of both Kubernetes and $[prodname] policy as if it were actually enforced, but without changing traffic flow. This minimizes misconfiguration and potential network disruption.
-
-For details, see [Policy life cycle tools](staged-network-policies.mdx).
-
-### Do not trust anything
-
-Zero trust means that you do not trust anyone or anything. $[prodname] handles authentication on a per request basis. Every action is either authorized or restricted, and the default is everything is restricted. To apply zero trust to policy and reduce your attack surface and risk, we recommend the following:
-
-- Ensure that all expected and allowed network flows are explicitly allowed; any connection not explicitly allowed is denied
-
-- Create a quarantine policy that denies all traffic that you can quickly apply to workloads when you detect suspicious activity or threats
-
-## Additional resources
-
-- [Troubleshoot policies](policy-troubleshooting.mdx)
-- [Security and policy best practices blog](https://www.tigera.io/blog/kubernetes-security-policy-10-critical-best-practices/)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/firewall-integration.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/firewall-integration.mdx
deleted file mode 100644
index 51a53d6542..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/firewall-integration.mdx
+++ /dev/null
@@ -1,254 +0,0 @@
----
-description: Use a FortiGate firewall to control egress traffic from Kubernetes workloads in a Calico Enterprise cluster.
----
-
-# Extend Kubernetes to Fortinet firewall devices
-
-:::warning[deprecation and removal notice]
-
-The Fortinet integration is deprecated and will be removed in a future release.
-If you want to use $[prodname] with Fortinet or any other firewall, we recommend instead using an [egress gateway](../../../networking/egress/egress-gateway-on-prem.mdx).
-
-:::
-
-## Big picture
-
-Use $[prodname] network policy to control traffic from Kubernetes clusters in your FortiGate firewalls.
-
-## Value
-
-As platform and security engineers, you want your apps to securely communicate with the external world. But you also want to secure the network traffic from the Kubernetes clusters using your FortiGate firewalls. Using the Fortinet/$[prodname] integration, security teams can retain firewall responsibility, secure traffic using $[prodname] network policy, which frees up time for ITOps.
-
-## Concepts
-
-## Integration at a glance
-
-This $[prodname]/Fortinet integration workflow lets you control egress traffic leaving the Kubernetes cluster. You create perimeter firewall policies in FortiManager and FortiGate that reference Kubernetes workloads. $[prodname] acts as a conduit, using the `tigera-firewall-controller` and global network policies to pass Kubernetes workload information to FortiManager and FortiGate devices where policies are applied and enforced.
-
-The basic workflow is:
-
-1. Determine the Kubernetes pods that are allowed access outside the perimeter firewall.
-1. Create $[prodname] global network policies with selectors that match those pods. Each global network policy maps to an address group in the FortiGate firewall.
-1. Deploy the `tigera firewall controller` in the Kubernetes cluster.
-1. Create a ConfigMap with Fortinet firewall information.
- The `tigera firewall controller` reads the ConfigMap, gets the FortiGate firewall IP address, API token, and source IP address selection with `node` or `pod`. In your Kubernetes cluster, the controller populates pod IPs or Kubernetes node IPs of selector matching pods in FortiGate address group objects.
-
-## Before you begin
-
-**Supported versions**
-
-- FortiGate v6.2
-- FortiManager v6.4
-
-**Required**
-
-- Pull secret that you used during [$[prodname] installation](../../../getting-started/install-on-clusters/index.mdx)
-- IPv4 CIDR’s or IP addresses of all Kubernetes nodes; this is required for FortiManager to treat Kubernetes nodes as trusted hosts.
-
-**Recommended**
-
-- Experience creating and administering FortiGate/FortiManager firewall policies
-- Experience using [$[prodname] tiers](../../../reference/resources/tier.mdx) and [Global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
-
-## How to
-
-- [Create tier and global network policy](#create-tier-and-global-network-policy)
-- [Configure FortiGate firewall to communicate with firewall controller](#configure-fortigate-firewall-to-communicate-with-firewall-controller)
-- [Configure FortiManager to communicate with firewall controller](#configure-fortimanager-to-communicate-with-firewall-controller)
-- [Create a config map for address selection in firewall controller](#create-a-config-map-for-address-selection-in-firewall-controller)
-- [Create a config map with FortiGate and FortiManager information](#create-a-config-map-with-fortigate-and-fortimanager-information)
-- [Install FortiGate ApiKey and FortiManager password as secrets](#install-fortigate-apikey-and-fortimanager-password-as-secrets)
-- [Deploy firewall controller in the Kubernetes cluster](#deploy-firewall-controller-in-the-kubernetes-cluster)
-
-### Create tier and global network policy
-
-1. Create a tier for organizing global network policies.
-
- Create a new [Tier](../../policy-tiers/tiered-policy.mdx) to organize all FortiGate firewall global network policies in a single location.
-
-1. Note the tier name to use in a later step for the FortiGate firewall information config map.
-
-1. Create a GlobalNetworkPolicy for address group mappings.
-
- For example, a GlobalNetworkPolicy can select a set of pods that require egress access to external workloads. In the following GlobalNetworkPolicy, the firewall controller creates an address group named, `default.production-microservice1` in the FortiGate firewall. The members of `default.production-microservice1` address group include IP addresses of nodes. Each node can host one or more pods whose label selector match with `env == 'prod' && role == 'microservice1'`. Each GlobalNetworkPolicy maps to an address group in FortiGate firewall.
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: GlobalNetworkPolicy
- metadata:
- name: default.production-microservice1
- spec:
- selector: "env == 'prod' && role == 'microservice1'"
- types:
- - Egress
- egress:
- - action: Allow
- ```
-
-### Configure FortiGate firewall to communicate with firewall controller
-
-1. Determine and note the CIDR's or IP addresses of all Kubernetes nodes that can run the `tigera-firewall-controller`.
- Required to explicitly allow the `tigera-firewall-controller` to access the FortiGate API.
-1. Create an Admin profile with read-write access to Address and Address Group Objects.
- For example: `tigera_api_user_profile`
-1. Create a REST API Administrator, associate this user with the `tigera_api_user_profile` profile, and add the CIDR or IP address of your Kubernetes cluster nodes as trusted hosts.
- For example: `calico_enterprise_api_user`
-1. Note the API key.
-
-### Configure FortiManager to communicate with firewall controller
-
-1. Determine and note the CIDR's or IP addresses of all Kubernetes nodes that can run the `tigera-firewall-controller`.
- Required to explicitly allow the tigera-firewall-controller to access the FortiManager API.
-1. From system settings, create an Admin profile with Read-Write access for `Policy & Objects`.
- For example: `tigera_api_user_profile`
-1. Create a JSON API administrator, associate this user with the `tigera_api_user_profile` profile, and add the CIDR or IP address of your Kubernetes cluster nodes as `Trusted Hosts`.
-1. Note the username and password.
-
-### Create a config map for address selection in firewall controller
-
-1. Create a namespace for tigera-firewall-controller.
-
- ```bash
- kubectl create namespace tigera-firewall-controller
- ```
-
-1. Create a config map with FortiGate firewall information.
-
- For example:
-
- ```bash
- kubectl -n tigera-firewall-controller create configmap tigera-firewall-controller \
- --from-literal=tigera.firewall.policy.selector="projectcalico.org/tier == 'default'" \
- --from-literal=tigera.firewall.addressSelection="node"
- ```
-
- **ConfigMap values**
-
- | Field | Enter values... |
- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
- | tigera.firewall.policy.selector | The tier name with the global network policies with the FortiGate address group mappings. For example, this selects the global network policies in the `default` tier: `tigera.firewall.policy.selector: "projectcalico.org/tier == 'default'" |
- | tigera.firewall.addressSelection | The addressSelection for outbound traffic leaving the cluster. For example, if outgoingNat is enabled in cluster and compute Node IP address is used "tigera.firewall.addressSelection == `node` or If pod IP address used then "tigera.firewall.addressSelection == `pod`" |
-
-### Create a config map with FortiGate and FortiManager information
-
-1. In the [FortiGate ConfigMap manifest]($[filesUrl]/manifests/fortinet-device-configmap.yaml), add your FortiGate firewall information in the data section, `tigera.firewall.fortigate`.
-
- Where:
-
- | Field | Description |
- | ------------------------ | --------------------------------------------------------------------------- |
- | name | FortiGate device name |
- | ip | FortiGate Management Ip address |
- | apikey | Secret in tigera-firewall-controller namespace, to store FortiGate's APIKey |
- | apikey.secretKeyRef.name | Name of the secret to store APIKey |
- | apikey.secretKeyRef.key | Key name in the secret, which stores APIKey |
- | vdom | FortiGate VDOM name |
-
- For example:
-
- ```yaml
- - name: prod-eastcoast-1
- ip: 1.2.3.1
- apikey:
- secretKeyRef:
- name: fortigate-east1
- key: apikey-fortigate-east1
- vdom: fortigate-vdom1
- - name: prod-eastcoast-2
- ip: 1.2.3.2
- apikey:
- secretKeyRef:
- name: fortigate-east2
- key: apikey-fortigate-east2
- vdom: fortigate-vdom2
- ```
-
-1. In the [FortiManager ConfigMap manifest]($[filesUrl]/manifests/fortinet-device-configmap.yaml), add your FortiManager information in the data section, `tigera.firewall.fortimgr`.
-
- Where:
-
- | Field | Description |
- | -------------------------- | ------------------------------------------------------------------------------ |
- | name | FortiManager device name |
- | ip | FortiManager Management Ip address |
- | adom | FortiManager ADOM name to manage kubernetes cluster. |
- | username | JSON api access account name to Read/Write FortiManager address objects. |
- | password | Secret in tigera-firewall-controller namespace, to store FortiManager password |
- | password.secretKeyRef.name | Name of the secret to store password. |
- | password.secretKeyRef.key | Key name in the secret, which stores password. |
-
- For example:
-
- ```yaml
- - name: prod-east1
- ip: 1.2.4.1
- username: api_user
- adom: root
- password:
- secretKeyRef:
- name: fortimgr-east1
- key: pwd-fortimgr-east1
- ```
-
-:::note
-
-If you are not using FortiManager in the integration, include only the following field in the ConfigMap data section. `tigera.firewall.fortimgr: |`
-
-:::
-
-1. Apply the manifest.
-
- ```
- kubectl apply -f $[filesUrl]/manifests/fortinet-device-configmap.yaml
- ```
-
-### Install FortiGate ApiKey and FortiManager password as secrets
-
-1. Store each FortiGate API key as a secret in the `tigera-firewall-controller` namespace.
- For example, the FortiGate device, `prod-east1`, store its ApiKey as a secret name as `fortigate-east1`, with key as `apikey-fortigate-east1`.
-
- ```
- kubectl create secret generic fortigate-east1 \
- -n tigera-firewall-controller \
- --from-literal=apikey-fortigate-east1=
- ```
-
-1. Store each FortiManager password as secret in the `tigera-firewall-controller` namespace.
- For example, for FortiMgr `prod-east1`, store its password as a secret name as `fortimgr-east1`, with key as `pwd-fortimgr-east1`.
-
- ```
- kubectl create secret generic fortimgr-east1 \
- -n tigera-firewall-controller \
- --from-literal=pwd-fortimgr-east1=
- ```
-
-### Deploy firewall controller in the Kubernetes cluster
-
-1. Install your pull secret.
-
- ```
- kubectl create secret generic tigera-pull-secret \
- --from-file=.dockerconfigjson= \
- --type=kubernetes.io/dockerconfigjson -n tigera-firewall-controller
- ```
-
-1. Apply the manifest.
-
- ```
- kubectl apply -f $[filesUrl]/manifests/fortinet.yaml
- ```
-
-## Verify the integration
-
-1. Log in to the FortiGate firewall user interface.
-1. Under **Policy & Objects**, click **Addresses**.
-1. Verify that your Kubernetes-related address objects and address group objects are created with the following comments "Managed by Tigera $[prodname]".
-
-For all FortiManagers that are configured to work with firewall-controller, log in to each FortiManager UI with the correct ADOM.
-
-1. Click **Policy & Objects**, **Object Configuration**, \*\*Addresses.
-1. Verify that your Kubernetes-related address objects and address group objects are created with the following comments "Managed by Tigera $[prodname]".
-
-## Additional resources
-
-- [Extend FortiManager firewall policies to Kubernetes](fortimgr-integration.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/fortimgr-integration.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/fortimgr-integration.mdx
deleted file mode 100644
index 4a1ffa3776..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/fortimgr-integration.mdx
+++ /dev/null
@@ -1,161 +0,0 @@
----
-description: Extend FortiManager firewall policies into Kubernetes workloads in a Calico Enterprise cluster.
----
-
-# Extend FortiManager firewall policies to Kubernetes
-
-:::warning[deprecation and removal notice]
-
-The Fortinet integration is deprecated and will be removed in a future release.
-If you want to use $[prodname] with Fortinet or any other firewall, we recommend instead using an [egress gateway](../../../networking/egress/egress-gateway-on-prem.mdx).
-
-:::
-
-## Big picture
-
-Use FortiManager firewall policies to secure workloads in your Kubernetes cluster.
-
-## Value
-
-The $[prodname]/Fortinet integration lets you control Kubernetes clusters directly and apply policy
-using the FortiManager UI as the primary interface. This allows firewall administrators to leverage existing
-tools and workflows as they learn and adopt Kubernetes orchestration at their own pace.
-
-## Concepts
-
-### Integration at a glance
-
-This $[prodname]/Fortinet solution lets you directly control Kubernetes policies using FortiManager.
-
-The basic workflow is:
-
-1. Determine the Kubernetes pods that you want to securely communicate with each other.
-1. Label these pods using a key-value pair where key is the `tigera.io/address-group`, and value is the pod matching a label name.
-1. In the FortiManager, select the cluster’s ADOM, and create an address group using the key-value pair associated with the pods.
-1. Create firewall policies using the address groups for IPv4 Source address and IPv4 Destination Address, and select services and actions as you normally would to allow or deny the traffic. Under the covers, the $[prodname] integration controller periodically reads the FortiManager firewall policies for your Kubernetes cluster, converts them to $[prodname] global network policies, and applies them to clusters.
-1. Use the $[prodname] web console to verify the integration, and then FortiManager UI to make all updates to policy rules.
-
-:::note
-
-The default value for reading FortiManager firewall policies is three seconds. To change the value, modify environment variable FW_FORTIMGR_EW_POLL_INTERVAL in FortiManager integration manifest; units are in seconds.
-
-:::
-
-## Before you begin
-
-**Supported version**
-
-- FortiManager v6.4
-
-**Required**
-
-- Pull secret that you used during [$[prodname] installation](../../../getting-started/install-on-clusters/index.mdx)
-- IPv4 CIDR’s or IP addresses of all Kubernetes nodes; this is required for FortiManager to treat Kubernetes nodes as trusted hosts.
-- Login access to [the $[prodname] web console](../../../operations/cnx/access-the-manager.mdx)
-
-**Recommended**
-
-- Experience with [ tiered policy](../../policy-tiers/tiered-policy.mdx) and [ global network policy](../../../reference/resources/globalnetworkpolicy.mdx)
-- Experience creating and administering FortiGate/FortiManager firewall policies
-
-## How to
-
-- [Create a tier](#create-a-tier)
-- [Configure FortiManager to communicate with firewall controller](#configure-fortimanager-to-communicate-with-firewall-controller)
-- [Create a FortiManager config map](#create-a-fortimanager-config-map)
-- [Install FortiManager password as secrets](#install-fortimanager-password-as-secrets)
-- [Deploy the firewall controller in the Kubernetes cluster](#deploy-the-firewall-controller-in-the-kubernetes-cluster)
-- [Verify the integration](#verify-the-integration)
-
-### Create a tier
-
-Create a [$[prodname] tier](../../policy-tiers/tiered-policy.mdx) in the $[prodname] web console for each Kubernetes cluster you want to secure. We recommend that you create a new tier (rather than reusing an existing tier) for all global network policies created by the $[prodname] integration controller.
-
-## Configure FortiManager to communicate with firewall controller
-
-1. Determine and note the CIDR’s or IP addresses of all Kubernetes nodes that can run the `tigera-firewall-controller`.
- This is required to explicitly allow the `tigera-firewall-controller` to access the FortiManager API.
-1. From system settings, create an Admin profile with Read-Write access for `Policy & Objects`.
- For example: `tigera_api_user_profile`
-1. Create a JSON API administrator and associate this user with the `tigera_api_user_profile` profile and add CIDR or IP address of your Kubernetes cluster nodes as `trusted hosts`.
-1. Note the username and password.
-
-## Create a FortiManager config map
-
-1. Create a namespace for the tigera-firewall-controller.
-
- ```bash
- kubectl create namespace tigera-firewall-controller
- ```
-
-1. In this [FortiManager ConfigMap manifest]($[filesUrl]/manifests/fortimanager-device-configmap.yaml), add your FortiManager device information in the data section: `tigera.firewall.fortimanager-policies`. For example:
-
- ```yaml noValidation
- tigera.firewall.fortimanager-policies: |
- - name: prod-east1
- ip: 3.2.1.4
- username: api_user
- adom: root
- tier:
- packagename: sacramento
- password:
- secretKeyRef:
- name: fortimgr-east1
- key: pwd-fortimgr-east1
- ```
-
- Where:
-
- | Field | Description |
- | -------------------------- | ---------------------------------------------------------------------------------------------------------------- |
- | name | FortiManager device name. |
- | ip | FortiManager Management IP address. |
- | adom | FortiManager ADOM name that manages Kubernetes cluster. |
- | packagename | FortiManager Firewall package. All firewall rules targeted for Kubernetes cluster are packed under this package. |
- | username | JSON api access account name to Read/Write FortiManager address objects. |
- | password | Secret in tigera-firewall-controller namespace, to store FortiManager password |
- | tier | Tier name you created in the web console |
- | password.secretKeyRef.name | Name of the secret to store password. |
- | password.secretKeyRef.key | Key name in the secret, which stores password. |
-
-1. Apply the manifest.
-
- ```bash
- kubectl apply -f $[filesUrl]/manifests/fortimanager-device-configmap.yaml
- ```
-
-## Install FortiManager password as secrets
-
-Store each FortiManager password as a secret in the `tigera-firewall-controller` namespace.
-
-For example, in the ConfigMap for FortiMgr `prod-east1`, store its password as a secret name as `fortimgr-east1`, with key as `pwd-fortimgr-east1`.
-
-```bash
-kubectl create secret generic fortimgr-east1 \
--n tigera-firewall-controller \
---from-literal=pwd-fortimgr-east1=
-```
-
-### Deploy the firewall controller in the Kubernetes cluster
-
-1. Install your pull secret.
-
- ```bash
- kubectl create secret generic tigera-pull-secret \
- --from-file=.dockerconfigjson= \
- --type=kubernetes.io/dockerconfigjson -n tigera-firewall-controller
- ```
-
-1. Apply the manifest.
-
- ```bash
- kubectl apply -f $[filesUrl]/manifests/fortimanager.yaml
- ```
-
-## Verify the integration
-
-1. Log in to FortiManager with the correct ADOM.
-2. Select **Policy & Objects**, **Object Configuration**, and create new **Address Groups**.
-3. Click **Policy packages** and select the Package assigned to your Kubernetes cluster.
-4. Create a test firewall policy with the following fields: Name, IPv4 Source Address, IPv4 Destination Address, Service and Action.
-5. Log in to the $[prodname] web console, and under the tier that you specified in the ConfigMap, verify that the GlobalNetworkPolicies are created.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/index.mdx
deleted file mode 100644
index 0dd535e026..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/index.mdx
+++ /dev/null
@@ -1,18 +0,0 @@
----
-description: Calico Enterprise integrations with Fortinet firewalls — FortiGate for traffic enforcement and FortiManager for policy management.
-hide_table_of_contents: true
----
-
-# Fortinet firewall integrations
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-:::warning[deprecation and removal notice]
-
-The Fortinet integration is deprecated and will be removed in a future release.
-If you want to use $[prodname] with Fortinet or any other firewall, we recommend instead using an [egress gateway](../../../networking/egress/egress-gateway-on-prem.mdx).
-
-:::
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/overview.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/overview.mdx
deleted file mode 100644
index 41850d76c4..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/fortinet-integration/overview.mdx
+++ /dev/null
@@ -1,45 +0,0 @@
----
-description: Integrate Kubernetes clusters with existing Fortinet firewall workflows using Calico Enterprise — architecture, components, and what each side enforces.
----
-
-# Determine the best Calico Enterprise/Fortinet solution
-
-:::warning[deprecation and removal notice]
-
-The Fortinet integration is deprecated and will be removed in a future release.
-If you want to use $[prodname] with Fortinet or any other firewall, we recommend instead using an [egress gateway](../../../networking/egress/egress-gateway-on-prem.mdx).
-
-:::
-
-## Big picture
-
-Determine the best $[prodname]/Fortinet solution to integrate Kubernetes clusters with your existing Fortinet firewall workflows.
-
-## Value
-
-Many security teams must work within the confines of their existing IT security architecture, even though perimeter firewalls do not meet the needs of Kubernetes clusters. The $[prodname]/Fortinet integration allows firewall administrators to leverage existing Fortinet security tools and workflows, continue meeting compliance requirements, while adopting Kubernetes orchestration using $[prodname] at their own pace.
-
-### Concepts
-
-The $[prodname]/Fortinet integration provides the following solutions. You can you use them separately, or together without contention.
-
-### Solution 1: Extend Kubernetes to Fortinet firewall devices
-
-**Use case**: Control egress traffic for Kubernetes clusters.
-
-**Problem**: Perimeter firewalls do not have the necessary information to act on traffic that leaves the cluster for Kubernetes workloads.
-
-**Solution**: The $[prodname]/Fortinet integration leverages the power of $[prodname] policy selectors to provide Kubernetes workload information to FortiManager and FortiGate devices. You create perimeter firewall policies in FortiManager and FortiGate that reference Kubernetes workloads. Policies are applied and enforced by FortiGate devices. And Firewall administrators can write cluster egress policies that reference Kubernetes workloads directly in Fortinet devices.
-
-### Solution 2: Extend FortiManager firewall policies to Kubernetes
-
-**Use case**: Control Kubernetes clusters directly and apply policy.
-
-**Problem**: To avoid disruption, teams need to leverage existing FortiManager as the primary user interface.
-
-**Solution**: Use FortiManager to create firewall policies that are applied as $[prodname] network policies on Kubernetes workloads. Use the power of a $[prodname] “higher-order tier” so Kubernetes policy is evaluated early in the policy processing order, but update policy using FortiManager UI. Use the $[prodname] web console as a secondary interface to verify the integration and troubleshoot using logs.
-
-## Next steps
-
-- [Extend Kubernetes to Fortinet firewall devices](firewall-integration.mdx)
-- [Extend FortiManager firewall policies to Kubernetes](fortimgr-integration.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/index.mdx
deleted file mode 100644
index 4409f579a7..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-firewalls/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Integrate Calico Enterprise policy with existing perimeter firewalls — extend rule scope from Kubernetes workloads out to the network edge.
-hide_table_of_contents: true
----
-
-# Policy for firewalls
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-impact-preview.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-impact-preview.mdx
deleted file mode 100644
index b663051161..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-impact-preview.mdx
+++ /dev/null
@@ -1,34 +0,0 @@
----
-description: Preview the impact of a Calico Enterprise policy on existing flows before enforcing it in production.
----
-
-# Preview policy impacts
-
-## Big picture
-
-Preview the impacts of policy changes before you apply them.
-
-## Value
-
-Create, update, and delete policy with confidence knowing you will not unintentionally expose or block other network traffic.
-
-## Before you begin...
-
-You must have a running kubernetes cluster with $[prodname] installed.
-
-You must have permissions to make policy changes. Users can only preview a change if RBAC allows them to make the change. Note that the `tigera-ui-user` role does not have permission to modify policy, and therefore will not allow users to preview changes.
-
-## How to
-
-1. From the Edit Policy page on the web console, modify any attribute of the policy.
-1. Before applying it, click the "preview" button at the top right.
- This launches the flow log visualizer.
-1. Click the "changes applied" toggle to see how flows would change if the changes are applied.
-1. Click the "only changed flows" to hide all flows that remained the same before and after the change.
-1. Click the left arrow at the top-right corner of the view to return to the edit policy page.
-
-:::note
-
-There may be some flows that $[prodname] will not be able to predict. Those flows will appear as "Uncertain" as per the legend at the bottom right.
-
-:::
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/allow-tigera.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/allow-tigera.mdx
deleted file mode 100644
index 6d8bce1110..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/allow-tigera.mdx
+++ /dev/null
@@ -1,75 +0,0 @@
----
-description: Customize the behavior of the allow-tigera tier that Calico Enterprise installs by default to keep its own components reachable.
----
-
-# Change allow-tigera tier behavior
-
-:::warning
-The `allow-tigera` tier contains policies that secure $[prodname] components and is critical to cluster integrity. It is controlled by the Tigera Operator, and policies in the tier should not be edited, and the tier should not be moved. Although you can change the behavior of allow-tigera using adjacent tiers, you can inadvertently break critical cluster traffic. We highly recommend that you work with Support to implement changes around `allow-tigera` to prevent service disruption.
-
-:::
-
-## Big picture
-
-Change traffic behavior of the tier that secures $[prodname] components.
-
-## Value
-
-Although the tier that secures $[prodname] components cannot be changed, you can create policies in adjacent tiers to change its behavior.
-
-## Concepts
-
-$[prodname] automatically creates the `allow-tigera` tier during installation with network policies that select traffic to and from Tigera components. These policies ensure that traffic required for $[prodname] operation is allowed, and that any unnecessary traffic involving Tigera components is denied. This tier prevents disruption of $[prodname] functionality in case of network policy misconfiguration impacting Tigera components, and denies unexpected traffic in case of defect or compromise.
-
-### Ownership and management of allow-tigera
-
-Tigera defines the `allow-tigera` tier and manages the policies within it. The Tigera Operator installs and monitors these policies, ensuring they always match the state defined by Tigera. Management by the Operator also ensures integrity for upgrades.
-
-:::note
-
-The `allow-tigera` tier and its policies should not be edited, and the tier should not be moved. However, if you inadvertently make changes they are automatically reverted by the Operator to ensure your cluster is always protected.
-
-:::
-
-## Tutorial
-
-### Change behavior of allow-tigera
-
-If you want to change the way traffic is enforced by the `allow-tigera` tier, you must create policy in an adjacent tier to meet your needs. For example, if a policy in the `allow-tigera` tier allows or denies traffic, and you want to change how that traffic is enforced, you can create a policy in a tier before `allow-tigera` that selects the same traffic to make your desired changes. Similarly, if a policy in the `allow-tigera` tier passes or does not select traffic that you want to enforce, you can create a policy in a tier after `allow-tigera` to select this traffic to meet the desired behavior.
-
-### Example: use preceding tier to tighten security
-
-Let's say an `allow-tigera` policy allows ingress traffic from a $[prodname] component that you do not use, and you want to tighten enforcement to not allow this traffic.
-
-Within a tier that comes before `allow-tigera`, you can create a policy that selects the same endpoint and contains ingress rules that deny traffic from that component and pass to `allow-tigera` for traffic from other components.
-
-```yaml
-# allow-tigera.es-gateway-access allows ingress from deep packet inspection, a feature not utilized for the purpose of this example.
-# This policy tightens the scope of allowed ingress to es-gateway without modifying the allow-tigera policy directly.
-
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: preceding-tier.es-gateway-access
- namespace: tigera-elasticsearch
-spec:
- # Place in a tier prior to allow-tigera.
- tier: preceding-tier
-
- # Select the same endpoint as the original policy.
- selector: k8s-app == 'tigera-secure-es-gateway'
- ingress:
- # Select the same component ingress.
- - source:
- selector: k8s-app == 'tigera-dpi'
- namespaceSelector: name == 'tigera-dpi'
- # Enact different behavior (originally: Allow)
- action: Deny
-
- # Defer to allow-tigera for other ingress/egress decisions for this endpoint.
- - action: Pass
-```
-
-This example shows how you can change the impact of the `allow-tigera` tier on traffic without modifying the tier itself. This makes your changes more maintainable, and allows the allow-tigera tier to continue to receive updates as $[prodname] evolves without you needing to reconcile your changes each release.
-
-For help to manage or change the behavior of the `allow-tigera` tier, contact Tigera Support.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/index.mdx
deleted file mode 100644
index c88064481f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Use Calico Enterprise policy tiers to let platform, security, and app teams author and order policy independently within shared clusters.
-hide_table_of_contents: true
----
-
-# Policy tiers
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/policy-tutorial-ui.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/policy-tutorial-ui.mdx
deleted file mode 100644
index cf2e418374..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/policy-tutorial-ui.mdx
+++ /dev/null
@@ -1,244 +0,0 @@
----
-description: Tutorial for the Calico Enterprise policy management UI — author, order, and stage policies inside tiers from the web console.
----
-
-# Network policy tutorial
-
-## What you will learn:
-
-- How to create a policy in the web console
-- How labels and selectors work
-- Basics of policy ordering and tiers
-
-## Scenario
-
-Let's start with a sample Kubernetes cluster.
-
-
-
-| Item | Description |
-| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Kubernetes cluster | A Kubernetes cluster with four namespaces and three nodes that run the pods in the cluster. |
-| Namespace | Four namespaces named blue, red, green, and purple represent different applications running in the cluster. |
-| Pod | Pods with meaningful labels for our applications: - FE (frontend pods) - BE (backend pods) |
-| NetworkSet | An arbitrary set of IP subnetworks/CIDRs or domains that can be matched by standard label selectors in Kubernetes or $[prodname] network policy. Network sets are a $[prodname] namespaced resource. |
-| GlobalNetwork Set | An arbitrary set of IP subnetworks/CIDRs or domains that can be matched by standard label selectors in Kubernetes or $[prodname] network policy. Global network sets are a $[prodname] global resource. |
-| ServiceAccount | Provides an identity for processes that run in a pod. Service accounts are a Kubernetes namespaced resource. |
-| HostEndpoint (HEP) | Physical or virtual interfaces attached to a host that runs $[prodname]. HEPs enforce $[prodname] policy on the traffic that enters or leaves the host’s default network namespace through the interfaces. HEPs are a $[prodname] global resource. |
-| External component | A machine (physical or virtual) that runs outside of the Kubernetes cluster. |
-
-## Create a network policy
-
-To follow along in the web console, click **Policies**.
-
-There are three main parts to every $[prodname] policy:
-
-- **Scope** - namespace or global
-- **Applies to** - objects within the above scope to which policy rules will be applied using labels and selectors
-- **Type** - whether this policy affects ingress, egress, or both
- - Ingress - policy rules to apply to connections inbound to the selected objects
- - Egress - policy rules to apply to connections outbound from the selected objects
-
-
-
-Let's look at each part.
-
-## Scope
-
-Scope defines the reach of your policy. Use this dropdown to determine whether your policy applies globally or to a specific namespace. Think of scope as the "top-level scope" that can be further specified using the "Applies to" selection that follows.
-
-- **Global**
-
- If you select global, but do not add entries in the **Applies to** field to further limit scope, _every pod and host endpoint (HEP) in our cluster would be in scope_. The following example uses the global option to limit the scope to all pods and HEPs (noted by check marks).
-
- 
-
-- **Namespace**
-
- If you select namespace, but do not add entries in the **Applies to** field to further limit scope, _every pod in this policy's namespace would be in scope_. The following example uses the namespace option to limit the scope to pods in the RED namespace.
-
- 
-
-### Applies to
-
-As discussed above, selecting **Applies to** lets you further limit pods in a policy. You can think of it as the "top-level endpoint selector". You define labels on your endpoints, namespaces, and service accounts, then use label selectors to limit connections by matching the following object types:
-
-- **Endpoints**
-
- Specify one or more label selectors to match specific endpoints, or select all endpoints
-
-- **Namespaces** (available only when the Scope is global)
-
- Specify one or more label selectors to match specific namespaces, or select all namespaces
-
-- **Service Accounts**
-
- Specify or more label selectors to match specific service accounts, or select all service accounts
-
-For example, if we select the BLUE namespace and apply it to only pods with the label, `app/tier == FE`,
-
-
-
-the resulting scope in our diagram would be only the pods labeled, `FE`:
-
-
-
-### Type
-
-In the Type section, you specify whether the policy impacts ingress, egress, or both.
-
-Note that ingress and egress are defined from the point of view of the _scoped endpoints_ (pods or host endpoints). In the previous diagram, the scoped endpoints are the three pods labeled, `app/tier:FE`.
-
-- Ingress rules filter traffic _coming to_ the scoped endpoints
-- Egress rules filter traffic _leaving_ the scoped endpoints
-
-Select the **Ingress** rule, and click **+ Add ingress rule** to access the **Create New Policy rules** page.
-
-### Endpoint selector
-
-The endpoint selector lets you select the endpoint traffic that is matched within the scope you've defined in the policy.
-
-In our example, the policy is scoped to endpoints that have the `app/tier == FE` label in the BLUE namespace. In the context of an egress rule, when we add the `app/tier == BE` endpoint selector, all TCP traffic from endpoints that have the`app/tier == BE` label will be allowed to the `app/tier == FE` endpoints.
-
-
-
-Note that endpoints that have the `app/tier == BE` label in other namespaces are not matched because the policy is namespace scoped.
-
-### Namespace selector
-
-This is where things can get interesting. In the previous example, we did not select anything in the namespace selector. Let's change the namespace selector to have both the BLUE and GREEN namespaces.
-
-
-
-Although the overall policy is scoped to the BLUE namespace, we can match endpoints in other namespaces on a per-rule basis. Note that the top-level scope that you select remains unchanged, meaning that the policy is still applied only to endpoints in the BLUE namespace.
-
-
-
-### Network selector
-
-Using the Nets selector, we can add CIDR addresses to be matched by the policy rule.
-
-
-
-### Service account selector
-
-Network policies can be also applied to the endpoint’s service account.
-
-Using the service account selector, we can apply rules to traffic from any endpoint whose service account matches the name or label selector.
-
-
-
-### Use Match All for wider matches in policy rules
-
-The **Match All** policy rule (`all()` in YAML) matches traffic for:
-
-- All endpoints in a namespace (if the policy scope is namespace)
-- All endpoints (if the policy scope is global)
-
-Let's look at an example of using **Match All** traffic in a namespaced policy:
-
-- Scope is namespaced (BLUE)
-- Applies to `app/tier == FE`
-
-Suppose we want to match traffic to the pod labeled `BE`, and the $[prodname] `networkset-1`.
-
-
-
-To do this, we can use the policy rule endpoint selector, **Match All**.
-
-
-
-Not only is the pod labeled `BE` included, but also the $[prodname] `networkset-1`.
-
-
-
-Note that we could have created individual selectors to match pods labeled, `BE` and for the `network-set-1`.
-
-**Match All traffic with namespace selectors**
-
-In the following example, if we select **Match All** endpoints, but in the **Namespace selector**, we select both the BLUE and GREEN namespaces, the results for matching are: all pods and network sets in the BLUE and GREEN namespaces.
-
-
-
-**Global selector**
-
-Let's see what happens when we select the **Global** selector.
-
-
-
-In our example, the Global selector selects HEPs and global network sets are selected. You might think that Global (`global()` in YAML) would select all endpoints, but it doesn't. Global means "do not select any namespaced resources" (which includes namespaced network set resources). Another way to express it is, do not select any workload endpoints.
-
-
-
-**Endpoint selector, unspecified**
-
-Next, let's see what happens when the policy rule does not specify any selection criteria. In this example, the rule selects all workloads, network sets, endpoints, and host endpoints within scope of the policy, including external components (the VM database).
-
-
-
-Now that you know the basic elements of a network policy, let's move on to policy ordering and tiers.
-
-## Policy ordering
-
-$[prodname] policies can have order values that control the order of precedence. For both network policies and global network policies, $[prodname] applies the policy with the lowest value first.
-
-
-
-### Mixing Kubernetes and $[prodname] policies
-
-Kubernetes and $[prodname] policies work side by side without a problem. However, Kubernetes network policies cannot assign an order value, so $[prodname] will set an implicit order value of 1000 to any Kubernetes network policies.
-
-:::note
-Policies are immediately applied to any new connections. However, for existing connections that are already open, the policy changes will only take effect after the connection has been reestablished. This means that any ongoing sessions may not immediately reflect policy changes until they are initiated again.
-:::
-
-### $[prodname] policies with no order value
-
-$[prodname] policies with order values take precedence. Policies without order values take lesser precedence and are processed alphabetically.
-
-## Tiers
-
-Tiers are a hierarchical construct used to group policies and enforce higher precedence policies that cannot be circumvented by other teams. Access to tiers is controlled using user role permissions. For example, a security team can implement high-level policy (for example, blocking access to/from IP ranges in particular countries), while developers in a later tier can control specific rules for the microservices of an app running in the cluster.
-
-### Policy processing overview
-
-When a new connection is processed by $[prodname], each tier that contains a policy that selects the endpoint processes the connection. Tiers are sorted by their order - the smallest number first. Policies in each tier are then processed in order from lowest to highest. For example, a policy of 800 is ordered before a policy of order 1000.
-
-- If a network policy or global network policy in the tier allows or denies the connection, then evaluation is done: the connection is handled accordingly.
-
-- If a network policy or global network policy in the tier passes the connection, the next tier containing a policy that selects the endpoint processes the connection
-
-After a Pass action, if no subsequent tier contains any policies that apply to the pod, the connection is allowed.
-
-If the tier contains policies that apply to the endpoint, but the policies take no action on the connection, the connection is dropped by an implicit deny.
-
-If no tiers contain policies that apply to the endpoint, the connection is allowed by an implicit allow.
-
-### Policies with no order value
-
-You can create policies without an order value. When a policy with no order value is placed in a tier with other policies that do have an order value, the policies are processed as follows:
-
-- Policies are evaluated from smallest to largest order value within the tier
-- Policies with no order value are processed last in the tier, but before the implicit deny
-- When multiple policies without an order value are present in a tier, they are processed in alphabetical order. However, we do not recommended relying on alphabetical ordering because it hard to operationalize.
-
-### How policy action rules affect traffic processing
-
-It is also important to understand that $[prodname] policy action rules affect how traffic and connections are processed. Let's go back to the drop-down menu on the Create New Policy Rule page.
-
-Action defines what should happen when a connection matches this rule.
-
-
-
-- **Allow or Deny** - traffic is allowed or denied and the connection is handled accordingly. No further rules are processed.
-- **Pass** - skips to the next tier that contains a policy that applies to the endpoint, and processes the connection. If the tier applies to the endpoint but no action is taken on the connection, the connection is dropped.
-- **Log** - creates a log, and evaluation continues processing to the next rule
-
-## Additional resources
-
-The following topics go into further detail about concepts described in this tutorial:
-
-- [Get started with network policy](../beginners/calico-network-policy.mdx)
-- [Service account selectors](../beginners/policy-rules/service-accounts.mdx)
-- [Get started with tiered network policy](tiered-policy.mdx)
-- [Get started with network sets](../networksets.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/rbac-tiered-policies.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/rbac-tiered-policies.mdx
deleted file mode 100644
index 684e7b4783..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/rbac-tiered-policies.mdx
+++ /dev/null
@@ -1,518 +0,0 @@
----
-description: Configure Kubernetes RBAC to control which users can edit Calico Enterprise policies in each tier.
----
-
-# Configure RBAC for tiered policies
-
-## Big picture
-
-Configure fine-grained user access controls for tiered policies.
-
-## Value
-
-Self-service is an important part of CI/CD processes for containerization and microservices. $[prodname] provides fine-grained access control (RBAC) for:
-
-- $[prodname] policy and tiers
-- Kubernetes network policy
-
-## Concepts
-
-### Standard Kubernetes RBAC
-
-$[prodname] implements the standard **Kubernetes RBAC Authorization APIs** with `Role` and `ClusterRole` types. The $[prodname] API server integrates with Kubernetes RBAC Authorization APIs as an extension API server.
-
-### RBAC for policies and tiers
-
-In $[prodname], global network policy and network policy resources are associated with a specific tier. Admins can configure access control for these $[prodname] policies using standard Kubernetes `Role` and `ClusterRole` resource types. This makes it easy to manage RBAC for both Kubernetes network policies and $[prodname] tiered network policies. RBAC permissions include managing resources using the $[prodname] web console, and `kubectl`.
-
-### Fine-grained RBAC for policies and tiers
-
-RBAC permissions can be split by resources ($[prodname] and Kubernetes), and by actions (CRUD). Tiers should be created by administrators. Full CRUD operations on tiers is synonymous with full management of network policy. Full management to network policy and global network policy also requires `GET` permissions to 1) any tier a user can view/manage, and 2) the required access to the tiered policy resources.
-
-Here are a few examples of how you can fine-tune RBAC for tiers and policies.
-
-| **User** | **Permissions** |
-| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Admin | The default **tigera-network-admin** role lets you create, update, delete, get, watch, and list all $[prodname] resources (full control). Examples of limiting Admin access:
List tiers only
List only specific tiers
|
-| Non-Admin | The default **tigera-ui-user** role allows users to only list $[prodname] policy and tier resources. Examples of limiting user access:
Read-only access to all policy resources across all tiers, but only write access for NetworkPolicies with a specific tier and namespace.
Perform any operations on NetworkPolicies and GlobalNetworkPolicies.
List tiers only.
List or modify any policies in any tier. Fully manage only Kubernetes network policies in the **default** tier, in the **default** namespace, with read-only access for all other tiers.
|
-
-### RBAC definitions for Calico Enterprise network policy
-
-To specify per-tier RBAC for the $[prodname] network policy and $[prodname] global network policy, use pseudo resource kinds and names in the `Role` and `ClusterRole` definitions. For example,
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tier-default-reader
-rules:
- - apiGroups: ['projectcalico.org']
- resources: ['tiers']
- resourceNames: ['default']
- verbs: ['get']
- - apiGroups: ['projectcalico.org']
- resources: ['tier.networkpolicies', 'networkpolicies']
- resourceNames: ['default.*']
- verbs: ['get', 'list']
-```
-
-Where:
-
-- **resources**: both `tier.globalnetworkpolicies` and `globalnetworkpolicies` for global network policies, and both `tier.networkpolicies` and `networkpolicies` for namespaced network policies.
-- **resourceNames**:
- - Blank - any policy of the specified kind across all tiers.
- - `.*` - any policy of the specified kind within the named tier.
- - `` - the specific policy of the specified kind. Because the policy name is prefixed with the tier name, this also specifies the tier.
-
-## Before you begin...
-
-**Required**
-
-A **cluster-admin** role with full permissions to create and modify resources.
-
-**Recommended**
-
-A rough idea of your tiered policy workflow, and who should access what. See [Configure tiered policies](tiered-policy.mdx).
-
-## How to
-
-- [Create Admin users, full permissions](#create-admin-users-full-permissions)
-- [Create minimum permissions for all non-Admin users](#create-minimum-permissions-for-all-non-admin-users)
-
-:::note
-
-` kubectl auth can-i` cannot be used to check RBAC for tiered policy.
-
-:::
-
-### Create Admin users, full permissions
-
-Create an Admin user with full access to the $[prodname] web console (as well as everything else in the cluster) using the following command. See the Kubernetes documentation to identify users based on your chosen [authentication method](https://kubernetes.io/docs/reference/access-authn-authz/authentication/), and how to use the [RBAC resources](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
-
-```bash
-kubectl create clusterrolebinding permissive-binding \
- --clusterrole=cluster-admin \
- --user=
-```
-
-### Create minimum permissions for all non-Admin users
-
-All users using the $[prodname] web console should be able to create authorizationreviews and authorizationrequests as well as access
-license information through the services/proxy https:calico-api:8080.
-
-1. Download the [min-ui-user-rbac.yaml manifest]($[tutorialFilesURL]/min-ui-user-rbac.yaml).
- The roles and bindings in this file provide a minimum starting point for setting up RBAC for your users according to your specific security requirements.
- This manifest provides basic RBAC to view some statistical data in the UI but does not provide permissions to
- view or modify any network policy related configuration.
-
-1. Run the following command to replace `` with the name or email of the user you are providing permissions to:
-
- ```bash
- sed -i -e 's///g' min-ui-user-rbac.yaml
- ```
-
-1. Use the following command to install the bindings:
-
- ```bash
- kubectl apply -f min-ui-user-rbac.yaml
- ```
-
-## Tutorial
-
-This tutorial shows how to use RBAC to control access to resources and CRUD actions for a non-Admin user, John, with the username **john**.
-
-The RBAC examples shown will include:
-
-- [User cannot read policies in any tier](#user-cannot-read-policies-in-any-tier)
-- [User can view all policies, and modify policies in the default namespace and tier](#user-can-view-all-policies-and-modify-policies-in-the-default-namespace-and-tier)
-- [User can read policies only in both the default tier and namespace](#user-can-read-policies-only-in-both-the-default-tier-and-namespace)
-- [User can read policies only in both a specific tier and in the default namespace](#user-can-read-policies-only-in-both-a-specific-tier-and-in-the-default-namespace)
-- [User can only view a specific tier](#user-can-only-view-a-specific-tier)
-- [User can read all policies across all tiers and namespaces](#user-can-read-all-policies-across-all-tiers-and-namespaces)
-- [User has full control over policies only in both a specific tier and in the default namespace](#user-has-full-control-over-policies-only-in-both-a-specific-tier-and-in-the-default-namespace)
-
-### User cannot read policies in any tier
-
-User 'john' is forbidden from reading policies in any tier (**default** tier, and **net-sec** tier).
-
-When John issues the following command:
-
-```bash
-kubectl get networkpolicies.p
-```
-
-It returns:
-
-```
-Error from server (Forbidden): networkpolicies.projectcalico.org is forbidden: User "john" cannot list networkpolicies.projectcalico.org in tier "default" and namespace "default" (user cannot get tier)
-```
-
-Similarly, when John issues this command:
-
-```bash
-kubectl get networkpolicies.p -l projectcalico.org/tier==net-sec
-```
-
-It returns:
-
-```
-Error from server (Forbidden): networkpolicies.projectcalico.org is forbidden: User "john" cannot list networkpolicies.projectcalico.org in tier "net-sec" and namespace "default" (user cannot get tier)
-```
-
-:::note
-
-The .p' extension (`networkpolicies.p`) is short
-for "networkpolicies.projectcalico.org" and used to
-differentiate it from the Kubernetes NetworkPolicy resource and
-the underlying CRDs (if using the Kubernetes Datastore Driver).
-
-:::
-
-:::note
-
-The label for selecting a tier is `projectcalico.org/tier`.
-When a label selector is not specified, the server defaults the selection to the
-`default` tier. Alternatively, a field selector (`spec.tier`) may be used to select
-a tier.
-
-```bash
-kubectl get networkpolicies.p --field-selector spec.tier=net-sec
-```
-
-:::
-
-### User can view all policies, and modify policies in the default namespace and tier
-
-1. Download the [`read-all-crud-default-rbac.yaml` manifest]($[tutorialFilesURL]/read-all-crud-default-rbac.yaml).
-
-1. Run the following command to replace `` with the `name or email` of
- the user you are providing permissions to:
-
- ```bash
- sed -i -e 's///g' read-all-crud-default-rbac.yaml
- ```
-
-1. Use the following command to install the bindings:
-
- ```bash
- kubectl apply -f read-all-crud-default-rbac.yaml
- ```
-
-The roles and bindings in this file provide the permissions to read all policies across all tiers and to fully manage
-policies in the **default** tier and **default** namespace. This file includes the minimum required `ClusterRole` and `ClusterRoleBinding` definitions for all UI users (see `min-ui-user-rbac.yaml` above).
-
-### User can read policies only in both the default tier and namespace
-
-In this example, we give user 'john' permission to read policies only in both the **default** tier and namespace.
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-get-default-tier
-rules:
- # To access Calico policy in a tier, the user requires "get" access to that tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tiers"]
- resourceNames: ["default"]
- verbs: ["get"]
-
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-read-policies-in-default-tier
-rules:
- # This allows "get" and "list" of the Calico NetworkPolicy resources in the default tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tier.networkpolicies"]
- resourceNames: ["default.*"]
- verbs: ["get", "list"]
-
----
-
-# tigera-example-get-default-tier is applied globally
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-get-default-tier
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-get-default-tier
- apiGroup: rbac.authorization.k8s.io
-
----
-
-# tigera-example-read-policies-in-default-tier is applied per-namespace
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-read-policies-in-default-tier-and-namespace
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-read-policies-in-default-tier
- apiGroup: rbac.authorization.k8s.io
-```
-
-With the above, user john is able to list all NetworkPolicy resources in the **default** tier:
-
-```bash
-kubectl get networkpolicies.p --all-namespaces
-```
-
-With some example policies on the cluster, returns:
-
-```
-NAMESPACE NAME CREATED AT
-blue default.calico-np-blue-ns-default-tier 2021-07-26T09:05:11Z
-default default.calico-np-default-ns-default-tier 2021-07-26T09:05:11Z
-green default.calico-np-green-ns-default-tier 2021-07-26T09:05:13Z
-red default.calico-np-red-ns-default-tier 2021-07-26T09:05:12Z
-yellow default.calico-np-yellow-ns-default-tier 2021-07-26T09:05:13Z
-```
-
-As intended, user john can only examine those in the **default** namespace:
-
-```bash
-kubectl get networkpolicies.p default.calico-np-green-ns-default-tier -o yaml -n=green
-```
-
-Correctly returns:
-
-```
-Error from server (Forbidden): networkpolicies.projectcalico.org "default.calico-np-green-ns-default-tier" is forbidden: User "john" cannot get networkpolicies.projectcalico.org in tier "default" and namespace "green"
-```
-
-John also still cannot access tier **net-sec**, as intended:
-
-```bash
-kubectl get networkpolicies.p -l projectcalico.org/tier==net-sec
-```
-
-This returns:
-
-```
-Error from server (Forbidden): networkpolicies.projectcalico.org is forbidden: User "john" cannot list networkpolicies.projectcalico.org in tier "net-sec" and namespace "default" (user cannot get tier)
-```
-
-### User can read policies only in both a specific tier and in the default namespace
-
-Let's assume that the kubernetes-admin gives user 'john' the permission to list the policies in tier **net-sec**, but only examine the detail of the policies that are also in the **default** namespace.
-To provide these permissions to user 'john', use the following `ClusterRoles`,`ClusterRoleBinding` and `RoleBinding`.
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-get-net-sec-tier
-rules:
- # To access Calico policy in a tier, the user requires "get" access to that tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tiers"]
- resourceNames: ["net-sec"]
- verbs: ["get"]
-
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-read-policies-in-net-sec-tier
-rules:
- # This allows "get" and "list" of the Calico NetworkPolicy resources in the net-sec tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tier.networkpolicies"]
- resourceNames: ["net-sec.*"]
- verbs: ["get", "list"]
-
----
-
-# tigera-example-get-net-sec-tier is applied globally
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-get-net-sec-tier
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-get-net-sec-tier
- apiGroup: rbac.authorization.k8s.io
-
----
-
-# tigera-example-read-policies-in-net-sec-tier is applied per-namespace
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-read-policies-in-net-sec-tier-and-namespace
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-read-policies-in-net-sec-tier
- apiGroup: rbac.authorization.k8s.io
-```
-
-### User can only view a specific tier
-
-In this example, the following `ClusterRole` and `ClusterRoleBinding` can be used to provide 'get' access to the **net-sec**
-tier. This has the effect of making the **net-sec** tier visible in the $[prodname] web console (including listing the names of the policies it contains).
-
-However, to modify or view the details of policies within the **net-sec** tier, additional RBAC permissions would be required.
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-make-net-sec-tier-visible
-rules:
- # To access Calico policy in a tier, the user requires "get" access to that tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tiers"]
- resourceNames: ["net-sec"]
- verbs: ["get"]
-
----
-
-# tigera-example-make-net-sec-tier-visible is applied globally
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-view-the-net-sec-tier
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-make-net-sec-tier-visible
- apiGroup: rbac.authorization.k8s.io
-```
-
-### User can read all policies across all tiers and namespaces
-
-In this example, a single `ClusterRole` is used to provide read access to all policy resource types across all tiers. In this case, there is no need to use both `ClusterRoleBindings` and `RoleBindings` to map these abilities to the target user, because the intention is to for the policy to apply to all current and future namespaces on the cluster, so a `ClusterRoleBinding` provides the desired granularity.
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-all-tiers-and-namespaces-policy-reader
-rules:
- # To access Calico policy in a tier, the user requires "get" access to that tier.
- # Not specifying any specific "resourceNames" provides access to all tiers.
-- apiGroups: ["projectcalico.org"]
- resources: ["tiers"]
- verbs: ["get"]
- # This allows read access to the Kubernetes NetworkPolicy resources (these are always in the default tier).
-- apiGroups: ["networking.k8s.io", "extensions"]
- resources: ["networkpolicies"]
- verbs: ["get","watch","list"]
- # This allows read access to the Calico NetworkPolicy and GlobalNetworkPolicies.
- # Not specifying any specific "resourceNames" provides access to them in all tiers.
-- apiGroups: ["projectcalico.org"]
- resources: ["tier.networkpolicies","tier.globalnetworkpolicies"]
- verbs: ["get","watch","list"]
-
----
-
-# tigera-example-all-tiers-and-namespaces-policy-reader is applied globally, with a single ClusterRoleBinding,
-# since all the rules it contains apply to all current and future namespaces on the cluster.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: read-all-tier
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-all-tiers-and-namespaces-policy-reader
- apiGroup: rbac.authorization.k8s.io
-```
-
-### User has full control over policies only in both a specific tier and in the default namespace
-
-In this example, two `ClusterRole` objects are used to provide full access control of Calico NetworkPolicy
-resource types in the **net-sec** tier:
-
-- The `tiers` resource is bound to a user using a `ClusterRoleBinding`, because it is a global resource.
- This results in the user having the ability to read the contents of the tier across all namespaces.
-- The `networkpolicies` resources are bound to a user using a `RoleBinding`, because the aim in this
- case was to make them CRUD-able only in the default namespace.
- You only need this one `ClusterRole` to be defined, but it can be applied to different namespaces
- using additional `RoleBinding` objects. If the intention was to apply it to all current and future namespaces,
- a `ClusterRoleBinding` could be used.
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-get-net-sec-tier
-rules:
- # To access Calico policy in a tier, the user requires "get" access to that tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tiers"]
- resourceNames: ["net-sec"]
- verbs: ["get"]
-
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tigera-example-crud-policies-in-net-sec-tier
-rules:
- # This allows full CRUD access to the Calico NetworkPolicy resources in the net-sec tier.
-- apiGroups: ["projectcalico.org"]
- resources: ["tier.networkpolicies"]
- resourceNames: ["net-sec.*"]
- verbs: ["*"]
-
----
-
-# tigera-example-get-net-sec-tier is applied globally
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-get-net-sec-tier
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-get-net-sec-tier
- apiGroup: rbac.authorization.k8s.io
-
----
-
-# tigera-example-crud-policies-in-net-sec-tier is applied per-namespace
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: john-can-crud-policies-in-net-sec-tier-and-namespace
-subjects:
-- kind: User
- name: john
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: tigera-example-crud-policies-in-net-sec-tier
- apiGroup: rbac.authorization.k8s.io
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/tiered-policy.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/tiered-policy.mdx
deleted file mode 100644
index 59cbd67d87..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-tiers/tiered-policy.mdx
+++ /dev/null
@@ -1,241 +0,0 @@
----
-description: How tiered policy works in Calico Enterprise — evaluation order, pass actions, and using tiers to enforce microsegmentation across teams.
----
-
-# Get started with policy tiers
-
-## Seamless network policy integration
-
-**Network policy** is the primary tool for securing a Kubernetes network. It lets you restrict network traffic in your cluster so only the traffic that you want to flow is allowed. $[prodname] provides more robust policy than Kubernetes, but you can use them together -- seamlessly. $[prodname] supports:
-
-- $[prodname] network policy, (namespaced)
-- $[prodname] global network policy (non-namespaced, global)
-- Kubernetes network policy
-
-## Tiers: what and why?
-
-**Tiers** are a hierarchical construct used to group policies and enforce higher precedence policies that cannot be circumvented by other teams. As you will learn in this tutorial, tiers have built-in features that support workload microsegmentation.
-
-All $[prodname] and Kubernetes network policies reside in tiers. You can start "thinking in tiers" by grouping your teams and types of policies within each group. For example, we recommend these three tiers (platform, security, and application).
-
-
-
-Next, you can determine the priority of policies in tiers (from top to bottom). In the following example, the platform and security tiers use $[prodname] global network policies that apply to all pods, while developer teams can safely manage pods within namespaces using Kubernetes network policy for their applications and microservices.
-
-
-
-## Create a tier and policy
-
-To create a tier and policy in the web console:
-
-1. In the left navbar, click **Policies**.
-1. On the **Policies Board**, click **Add Tier**.
-1. Name the tier, select **Order, Add after** `tigera-security`, and save.
-1. To create a policy in the tier, click **+ Add policy**.
-
-You can export all policies or a single policy to a YAML file.
-
-Here is a sample YAML that creates a security tier and uses `kubectl` to apply it.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: Tier
-metadata:
- name: security
-spec:
- order: 300
-```
-
-```bash
-kubectl apply -f security.yaml
-```
-
-## The default tier:
-
-The default tier is created during installation and has the order of 1,000,000. This value is fixed, and cannot be changed. The desire is to evaluate policies in the default tier as last.
-
-
-
-The default tier is where:
-
-- You manage all Kubernetes network policies
-- Network and global network policies are placed when you upgrade from Project Calico to $[prodname]
-- Recommended policies are placed when you use the **Recommend a policy** feature
-
-## The admin network policy tier:
-
-The `Tier` with name `adminnetworkpolicy` is where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created
-during installation and has the order of 1,000 and a default action of `Pass`. This is fixed, and should not be changed.
-
-In addition to `AdminNetworkPolicy` resources, you can also add $[prodname] `NetworkPolicy`/`GlobalNetworkPolicy` resources
-to the admin network policy `Tier`. The `AdminNetworkPolicy` `priority` field maps to the `order` field in the $[prodname]
-`NetworkPolicy`/`GlobalNetworkPolicy` resources so that the two types of policy can be ordered together.
-
-## The baseline admin network policy tier:
-
-The `Tier` with name `baselineadminnetworkpolicy` is where the singleton [Kubernetes baseline admin network policy](https://network-policy-api.sigs.k8s.io/reference/examples/) resides. It is automatically created
-during installation and has the order of 10,000,000 and a default action of `Pass`. This is fixed, and should not be changed.
-
-In addition to the `BaselineAdminNetworkPolicy` resource, you can also add $[prodname] `NetworkPolicy`/`GlobalNetworkPolicy` resources
-to the baseline admin network policy `Tier`. The `BaselineAdminNetworkPolicy` is treated as if it had an `order` of 1,000, allowing $[prodname]
-`NetworkPolicy`/`GlobalNetworkPolicy` resources to be inserted with higher/lower precedence than the `BaselineAdminNetworkPolicy`.
-
-## System tiers
-
-System tiers are added during installation and are hidden by default.
-
-- **allow-tigera** tier contains policies to secure $[prodname] components and are controlled by the Tigera Operator. These policies should not be edited, and the tier should not be moved. Inadvertent changes are automatically reverted by the Operator to ensure your cluster is always protected.
-
-:::warning
-
-Although it is possible to change the behavior of the `allow-tigera` using adjacent tiers, it is not a trivial task. You can break critical cluster traffic and impact the operation of $[prodname]. To prevent loss of cluster services, see [Change allow-tigera tier behavior](allow-tigera.mdx), and contact Support for help.
-
-:::
-
-## Moving tiers
-
-You can move tiers by dragging and moving them in the graphical sequence, but all tiers must be visible first before you reorder tiers.
-
-To show all tiers, click **View** and select all of the tiers in the Show tiers list.
-
-
-
-Now you can reorder tiers by dragging and moving them.
-
-## Tier order
-
-Tiers are sorted by their orders (from left to right), starting from the lowest order (the highest priority) tiers.
-
-
-
-In the example above, tier priorities are as follows:
-
-- **security tier** - is higher priority than platform tier
-- **platform tier** - is higher priority than default tier
-- **default tier** - is the lowest priority
-
-The tier you put as the highest priority (after system tiers), depends on your environment. In compliance-driven environments, the security tier may be the highest priority (as shown above). There is no one-size-fits-all order.
-
-## Policy processing
-
-Policies are processed in sequential order from lowest order (highest priority) to highest order (lowest priority), which is from top to bottom in the following diagram.
-
-
-
-Two mechanisms drive how traffic is processed across tiered policies:
-
-- Labels and selectors
-- Policy action rules
-
-It is important to understand the roles they play.
-
-### Labels and selectors
-
-Instead of IP addresses and IP ranges, network policies in Kubernetes depend on labels and selectors to determine which workloads can talk to each other. Workload identity is the same for Kubernetes and $[prodname] network policies: as pods dynamically come and go, network policy is enforced based on the labels and selectors that you define.
-
-The following diagrams show the relationship between all of the elements that affect traffic flow:
-
-- **Tiers** group and order policies
-- **Policy action rules** define how to process traffic in and across tiers, and policy labels and selectors specify how groups of pods are allowed to communicate with each other and other network endpoints
-- The **CNI**, **$[prodname] components**, and underlying **data plane** (iptables/eBPF) all make use of labels and selectors as part of routing traffic.
-
-
-
-### Policy action rules
-
-$[prodname] network policy uses action rules to specify how to process traffic/packets:
-
-- **Allow or Deny** - traffic is allowed or denied and the packet is handled accordingly. No further rules are processed.
-- **Pass** - skips to the next tier that contains a policy that applies to the endpoint, and processes the packet. If the tier applies to the endpoint but no action is taken on the packet, the packet is dropped.
-- **Log** - creates a log, and evaluation continues processing to the next rule
-
-### Implicit default deny
-
-As shown in the following diagram, at the end of each tier is an implicit default deny. This is a safeguard that helps mitigate against unsecured policy.
-Because of this safeguard, you must either explicitly update tier's default action to **Pass** or apply a Pass action rule when you want traffic evaluation to continue.
-In the following example, the Pass action in a policy ensures that traffic evaluation continues, and overrides the implicit default deny.
-
-
-
-Let’s look at a Dev/Ops global network policy in a high precedence tier (Platform). The policy denies ingress and egress traffic to workloads that match selector, `env == "stage"`. To ensure that policies continue to evaluate traffic after this policy, the policy adds a Pass action for both ingress and egress.
-
-**Pass action rule example**
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: GlobalNetworkPolicy
-metadata:
- name: devops.stage-env
-spec:
- tier: devops
- order: 255
- selector: env == "stage"
- ingress:
- - action: Deny
- source:
- selector: env != "stage"
- - action: Pass
- egress:
- - action: Deny
- destination:
- selector: env != "stage"
- - action: Pass
- types:
- - Ingress
- - Egress
-```
-
-The other option, is to update tier's default action to **Pass** to override the implicit default deny.
-
-**Pass default action tier example**
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: Tier
-metadata:
- name: devops
-spec:
- order: 300
- defaultAction: Pass
-```
-
-### Policy endpoint matching across tiers
-
-Whoever is responsible for tier creation, also needs to understand how policy selects matching endpoints across tiers. For normal policy processing (without apply-on-forward, pre-DNAT, and do-not-track), if no policies within a tier apply to endpoints, the tier is skipped, and the tier's implicit deny behavior is not executed.
-
-In the following example, **policy D** in the Security tier includes a Pass action rule because we want traffic evaluation to continue to the next tier in sequence. In the Platform tier, there are no selectors in policies that match endpoints so the tier is skipped, including the end of tier deny. Evaluation continues to the Application tier. **Policy J** is the first policy with a matching endpoint.
-
-
-
-### Default endpoint behavior
-
-Also, tier managers need to understand the default behavior for endpoints based on whether the endpoint is known or unknown, and the endpoint type. As shown in the following table:
-
-- **Known endpoints** - $[prodname] resources that are managed by Felix
-- **Unknown endpoints** - interfaces/resources not recognizable as part of our data model
-
-| Endpoint type | Default behavior for known endpoints | Default behavior for unknown endpoints (outside of our data model) |
-| ---------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------ |
-| Workload, $[prodname] | Deny | Deny |
-| Workload, Kubernetes | Allow ingress from same Kubernetes namespace; allow all egress | Deny |
-| Host | Deny. With exception of auto host endpoints, which get `default-allow`. | Fall through and use iptables rules |
-
-## Best practices for tiered policy
-
-To control and authorize access to $[prodname] tiers, policies, and Kubernetes network policies, you use Kubernetes RBAC. Security teams can prevent unauthorized viewing or modification of higher precedence (lower order) tiers, while still allowing developers or service owners to manage the detailed policies related to their workloads.
-
-We recommend:
-
-- Limit tier creation permissions to Admin users only; creating and reordering tiers affects your policy processing workflow
-
-- Limit full CRUD operations on tiers and policy management to select Admin users
-
-- Review your policy processing whenever you add/reorder tiers
-
- For example, you may need to update Pass action rules to policies before or after the new tier. Intervening tiers may require changes to policies before and after, depending on the endpoints.
-
-- Use the **policy preview** feature to see effects of policy in action before enforcing it, and use the **staged network policy** feature to test the entire tier workflow before pushing it to production
-
-## Additional resources
-
-- For details on using RBAC for fine-grained access to tiers and policies, see [Configure RBAC for tiered policies](rbac-tiered-policies.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-troubleshooting.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-troubleshooting.mdx
deleted file mode 100644
index 76923504c1..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/policy-troubleshooting.mdx
+++ /dev/null
@@ -1,42 +0,0 @@
----
-description: Troubleshooting guide for common Calico Enterprise policy implementation problems — denied traffic, missing rules, and tier-evaluation surprises.
----
-
-# Troubleshoot policies
-
-### Problem
-
-I created my first egress policy with default deny behavior, but now I’ve blocked other traffic.
-
-### Solution
-
-In Kubernetes, when there are no egress policies that apply to an endpoint, all egress traffic is allowed. However, as soon as you add the first egress policy to an endpoint, $[prodname] switches to default deny and blocks everything else; this is part of our zero trust network policy model. For new users of $[prodname], this is unexpected behavior (but it’s required by both Kubernetes and $[prodname] policy specs.)
-
-For egress policy in particular, you may not be used to worrying about “system-level” egress traffic that is now suddenly blocked. For example, most workloads rely on DNS, but you may not have thought of this when writing your policy. So you end up with this problem loop: you allow HTTP traffic, but then your DNS traffic gets blocked, but then HTTP traffic stops working because it relies on DNS to function.
-
-A natural response to this issue is to add an egress rule to allow DNS(!). For example, you add an egress rule “allow UDP to port 53 to namespace kube-system”. In some systems (OpenShift), the DNS pod actually listens on port 5353, not port 53. However, the DNS Service DNATs the traffic from port 53 to port 5353, hiding that detail from the DNS client. $[prodname] then blocks the traffic because it sees the traffic after the DNAT. So $[prodname] sees port 5353, not the expected port 53.
-
-The solution is to define policy for workload services, not for ports used by workloads. For help, see [Policy for services](beginners/services/index.mdx).
-
-### Problem
-
-Traffic is blocked, even though I allow it in a policy.
-
-### Solution
-
-The problem of blocking traffic can reside in your tier, or a different tier.
-
-1. **Check policies in your tier**
-
- Go to your policy and see if there is a higher precedent policy in the tier that is blocking processing.
-
- - If that is not the problem, go to step 2.
- - If that is the problem, and if it makes sense for the traffic, you can reorder the policies in the tier. If you cannot, you must change the policy that is dropping traffic to allow your traffic flow using a Pass action rule.
-
-2. **Check policies in other tiers**
-
- Go to the next applicable higher precedent tier for your workload to see if a policy in that tier is blocking traffic. The policy at the end of the tier could be blocking traffic because the default behavior at the end of a tier is to drop traffic as part of zero trust. To unblock traffic, add a **Pass action rule** to the policy, or create a **Pass policy**.
-
-For help with visibility, use Service Graph to see how traffic is passed. Click on your flow, and view details in the right panel.
-
-For help with Pass action rules, see [Get started with tiered policy](policy-tiers/tiered-policy.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/index.mdx
deleted file mode 100644
index 17d9fdc3b9..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Use Calico Enterprise policy recommendations to generate baseline network policy for unprotected namespaces from observed flow logs.
-hide_table_of_contents: true
----
-
-# Policy recommendations
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/learn-about-policy-recommendations.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/learn-about-policy-recommendations.mdx
deleted file mode 100644
index 9dda0735af..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/learn-about-policy-recommendations.mdx
+++ /dev/null
@@ -1,136 +0,0 @@
----
-description: Tutorial walkthrough of the Calico Enterprise policy recommendations engine — what it generates, how to review it, and how to promote it to enforced.
----
-
-# Policy recommendations tutorial
-
-## Big picture
-
-In this tutorial, we show you how recommendations are generated using flow logs in your cluster for traffic to/from namespaces, network sets, private network IPs and public domains.
-
-### Create resources for the tutorial
-
-Because the policy recommendation feature requires traffic between endpoints, this step provides these resources for this hands-on tutorial. If your cluster is already generating traffic for policy recommendations, you can skip this step and follow along using your own cluster.
-
-1. Configure felix for fast flow logs collection
-
- ```bash
- kubectl patch felixconfiguration.p default -p '{"spec":{"flowLogsFlushInterval":"10s"}}'
- ```
-
-1. Download the [policy recommendation tutorial deployment]($[tutorialFilesURL]/policy-recommendation-deployments.yaml) YAML.
-
-1. Use the following command to create the necessary resources:
-
- ```bash
- kubectl apply -f policy-recommendation-deployments.yaml
- ```
-
-### Enable policy recommendation
-
-1. In the web console left navbar, click the **Policies** icon.
-1. Select **Recommendations**.
-1. Click on **Enable Policy Recommendations**.
-
-Wait for the recommendations to be generated. Unless otherwise configured, recommendations will take at least 2m30s to be generated, which is default time for the [Processing Interval](../../reference/resources/policyrecommendations.mdx#spec) setting.
-
-Once ready, the recommendations will be listed in the main page, under the **Recommendations** tab.
-
-### Understand the policy recommendation
-
-You should find a recommendation named `curl-ns` (appended with a five character suffix, like `-vfzgh`) with policy selector:
-```
-Policy Label selector: [[projectcalico.org/namespace == 'curl-ns']]
-```
-meaning that this policy pertains to the traffic originating from or destined for the `curl-ns` namespace.
-
-The policy will display a list of ingress rules:
-```
-Allow:Protocol is TCP
-From: Namespaces [[projectcalico.org/name == 'service-ns']]
-To:Ports [Port is 80 ]
-```
-allows ingress traffic, for protocol TCP, on port 80, from the `service-ns` namespace.
-
-A list of egress rules:
-```
-Allow:Protocol is TCP
-To:Ports [Port is 8080 ] Domains [www.tigera.io]
-```
-allows egress traffic, for protocol TCP, on port 8080, to domain `www.tigera.io`.
-
-```
-Allow:Protocol is TCP
-To:Ports [Port is 80 ] Namespaces [[projectcalico.org/name == 'service-ns']]
-```
-allows egress traffic, for protocol TCP, on port 80, to the `service-ns` namespace.
-
-```
-Allow:Protocol is UDP
-To:Ports [Port is 53 ] Namespaces [[projectcalico.org/name == 'kube-system']]
-```
-allows egress traffic, for protocol UDP, on port 53, to the `kube-system` namespace.
-
-```
-Allow:Protocol is TCP
-To:Ports [Port is 80 ] Endpoints [[projectcalico.org/name == 'public-ips' and projectcalico.org/kind == 'NetworkSet']] Namespaces global()
-```
-allows egress traffic, for protocol TCP, on port 80, to IPs defined in the global network set named: `public-ips`.
-
-```
-Allow:Protocol is TCP
-To:Ports [Port is 8080 ] Nets [Is 10.0.0.0/8 OR Is 172.16.0.0/12 OR Is 192.168.0.0/16 ]
-```
-allows egress traffic, for protocol TCP, on port 8080, to private range IPs.
-
-```
-Allow:Protocol is TCP
-To:Ports [Port is 80 ]
-```
-allows egress traffic, for protocol TCP, on port 80, to public range IPs.
-
-### Investigate the flows that are used to generate the policy rules
-
-To view flow logs in Service Graph:
-
-1. In the web console left navbar, click **Service Graph**.
-1. Select **Default** under the VIEWS option.
-1. In the bottom pane you will see flow logs in the Flows tab.
-
-To generate rules, the recommendation engine queries for flow logs that are not addressed by any other policy in the cluster. Subsequently, it builds the missing policies necessary for allowing that traffic.
-
-### Understand the flow logs used in policy recommendations
-
-To get a better understanding of which flows contributed to generating the rules in your policy, select **Filter Flows**
-
-* To find the flows that were used to generate the egress to global network set rule, add:
-```
-source_namespace = "curl-ns" AND dest_name_aggr = "public-ips"
-```
-
-* To find the flows that generated the egress rule to namespace `kube-system`, define query:
-```
-source_namespace = "curl-ns" AND dest_namespace = "kube-system"
-```
-
-You'll notice that each of the flow logs contains a field named, `policies` with a entry like:
-```
-1|__PROFILE__|__PROFILE__.kns.curl-ns|allow|0
-```
-meaning that the particular flow was not addressed by any other policy within your cluster.
-
-You will also find input like:
-```
-0|namespace-isolation|curl-ns/namespace-isolation.staged:curl-ns-vfzgh|allow|3
-```
-indicating that the 3rd rule defined in policy **curl-ns-vfzgh**, will allow traffic defined by this flow, once the policy is enforced.
-
-### Examine policy traffic
-
-Examine the **Allowed Bytes** field in the **Recommendations** tab for the `curl-ns-recommendation` policy to get a sense of the total bytes allowed by the policy.
-
-Examine the **Allowed/sec** of each rule in the policy to get a sense of the quantity of traffic allowed per second by the rule in question.
-
-### When policy recommendations are not generated
-
-You may wonder why you are not getting policy recommendations, even though there is traffic between endpoints. This is because policy recommendations are generated only for flows that are not captured by any other policy in your cluster. To see if policy is already enforcing the traffic in question, search for the flow log in question, examine the `policies` field, and verify that no other enforced policy allows or denies traffic for that flow.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/policy-recommendations.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/policy-recommendations.mdx
deleted file mode 100644
index d9a2599225..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/recommendations/policy-recommendations.mdx
+++ /dev/null
@@ -1,195 +0,0 @@
----
-description: Run continuous Calico Enterprise policy recommendations so unprotected namespaces and workloads pick up baseline policy automatically.
----
-
-# Enable policy recommendations
-
-## Big picture
-
-Use policy recommendations to automatically isolate namespaces with network policy.
-
-## Value
-
-One of the best practices for improving the security posture of your Kubernetes cluster is to implement namespace isolation with network policy. Namespace isolation helps to implement a zero-trust and least-privileged security model, where only required communication between namespaces is authorized and everything else is blocked. This helps mitigate the risk of lateral movement within a cluster in the event of an attack.
-
-$[prodname] makes it easy for platform operators to implement namespace isolation without experience in authoring network policy or detailed knowledge of how application workloads are communicating. $[prodname] analyzes the flow logs that are generated from workloads, and automatically recommends and stages policies for each namespace that can be used for isolation.
-
-## Before you begin
-
-**Unsupported**
-- Windows nodes
-
-**Required RBAC**
-
-To enable/disable and use policy recommendations, you must have the **tigera-network-admin** role or permissions to **update**, **patch**, **get**, **list**, **watch** `projectcalico.org` resources:
-* tiers
-* policyrecommendationscopes
-* stagednetworkpolicies
-* tier.stagednetworkpolicies
-* networkpolicies
-* tier.networkpolicies
-* globalnetworksets
-
-Specifically, you will need access to the `namespace-isolation` tier and to staged and network policies in the `namespace-isolation` tier.
-
-**Recommended**
-
-Basic knowledge of policies in the web console and tiers:
-- [Get started with tiered network policy](../../network-policy/policy-tiers/tiered-policy)
-- [Network policy tutorial](../../network-policy/policy-tiers/policy-tutorial-ui)
-
-**Limitations**
-
-Creating and managing policy recommendations is available only in the web console.
-
-## How to
-
-- [Enable policy recommendations](#enable-policy-recommendations)
-- [Activate and review policy recommendations](#activate-and-review-policy-recommendations)
-- [Review global settings for workloads](#review-global-settings-for-workloads)
-- [Update policy recommendations](#update-policy-recommendations)
-- [Private network recommendations](#private-network-recommendations)
-- [Troubleshoot policy recommendations](#troubleshoot-policy-recommendations)
-- [Disable the policy recommendations feature](#disable-the-policy-recommendations-feature)
-
-### Enable policy recommendations **using the web console**
-
-1. In the left navbar in the web console, click **Policies**, **Recommendations**.
-1. On the opt-in page, click **Enable Policy Recommendations**.
-
-The **Policy Recommendations** board is automatically displayed.
-
-
-
-**Notes**:
-
-- A policy recommendation is generated for every namespace in your cluster (unless namespaces are filtered out by an Admin using the [selector](../../reference/resources/policyrecommendations.mdx#namespaceSpec#selector) in the PolicyRecommendationScope resource).
-- Flow logs are continuously monitored for policy recommendations.
-- Recommended policies are continuously updated until you **Add to policy board** or **Dismiss policy** using the Actions menu.
-- Policy recommendations are created as **staged network policies** so you can safely observe the traffic before enforcing them.
-- Traffic originating from the recommended policy's namespace is used to generate egress rules, and traffic destined for the namespace is used to define ingress rules.
-- To stop policy recommendations from being processed and updated for a namespace, click the **Action** menu, **Dismiss policy**.
-
-### Enable policy recommendations **using kubectl**.
-
-To enable the policy recommendations feature, set the **RecStatus** parameter to `Enabled`, in the [Policy recommendations resource](../../reference/resources/policyrecommendations.mdx).
-
-```bash
-kubectl patch PolicyRecommendationScope default --type='json' -p='[{"op": "replace", "path": "/spec/namespaceSpec/recStatus", "value": "Enabled"}]'
-```
-
-### Activate and review policy recommendations
-
-Policy recommendations are not enabled until you activate them and move them to the **Active** board.
-
-From the Policy Recommendation board, select a policy recommendation (or bulk select) and select, **Add to policy board**. Click on the **Active tab**.
-
-You can now view the activated policies in the **Policies Board**. In the left navbar, click **Policies**.
-
-Policy recommendations are added to the **namespace-isolation** tier. Note the following:
-
-- Staged network policy recommendations work like any other staged network policy.
-- You cannot move recommended staged policies in the `namespace-isolation` tier.
-- The name of the `namespace-isolation` tier is fixed and cannot be changed
-
-You are now ready to observe traffic flows in Policies board to verify that the policy is authorizing traffic as expected. When a policy works as expected, you can safely enforce it. See [Stage, preview impacts, and enforce policy](network-policy/staged-network-policies.mdx) for help.
-
-### Review global settings for workloads
-
-The default global settings for capturing flows for policy recommendations are based on application workloads with *frequent communication with other namespaces in your cluster*.
-
-Global settings are found on the Policy Recommendations board, **Action** menu.
-
-
-
-- **Stabilization Period** is the learning time to capture flow logs so that a recommendation accurately reflects the cluster's traffic patterns.
-
-- **Processing Interval** is the frequency to process new flow logs and refine recommendations.
-
-:::tip
-For application workloads with less frequent communication, the stabilization period setting may not be long enough to get accurate traffic flows, so you’ll want to increase the time. We recommend that you review your workloads immediately after you enable policy recommendations and adjust the settings accordingly.
-:::
-
-Changes to all other policy recommendations parameters require Admin permissions and can be changed using the [Policy recommendations resource](../../reference/resources/policyrecommendations.mdx).
-
-### Update policy recommendations
-
-This section describes common changes you may want to make to policy recommendations.
-
-#### Relearn activated recommendations
-
-As new namespace and components are added to a cluster, your activated policy recommendation may need to be updated to reflect those changes. If a policy recommendation has not been enforced, you’ll need to update it to allow traffic.
-
-1. On the **Policies Recommendations** board, click the **Active tab**, which lists the active staged network policies.
-1. Select the Actions menu associated with the policy in question, and click **Dismiss policy**.
-1. Click the **Dismissed tab**, select the Actions menu, and **Reactivate** the policy.
-
-#### Rerun policy recommendations for an enforced policy
-
-To generate a new recommendation for an enforced policy, delete the network policy on the **Policy** board.
-
-#### Stop policy recommendation updates for a namespace
-
-1. On the Policy Recommendations board, click the **Recommendations** tab, which lists the recommendations.
-1. Select the recommendation, click the **Actions** menu, and click **Dismiss policy**.
-
-To reactivate a policy recommendation for a namespace, select the dismissed staged policy, and from the Actions menu, select **Reactivate**.
-
-### Private network recommendations
-
-If any flow to a private network in your cluster is found, a private rule is automatically created that contains RFC 1918 subnets, which will allow traffic to/from those endpoints. If you need to apply a more restrictive approach, create a [GlobalNetworkSet](../../reference/resources/globalnetworkset.mdx) and update it with the desired CIDR blocks. The recommendation engine will identify flows to your private IPs and generate the appropriate NetworkSet Rule.
-
-**Notes**:
-Exclude any CIDR ranges used by the cluster for nodes and pods.
-
-### Troubleshoot policy recommendations
-
-To view policy-recommendation logs:
-
-```batch
-kubectl logs -n calico-system -l k8s-app=tigera-policy-recommendation
-```
-
-**Notes**:
-This option is not available on managed clusters if you have implemented the multi-cluster-management feature.
-
-**Problem**: I’m not seeing policy recommendations on the Policy Recommendations board.
-
-**Solution/workaround**: Policy recommendations are based on historical flow logs that match a request, and are generated only for flows that have not been addressed by any other policy. As such, there are times when policy recommendations will not be generated:
-
-- Not enough traffic history
-
- If you recently installed $[prodname], you may not have enough traffic history. Workloads must run for some time (around 5 days) to get “typical network traffic” for applications.
-
-- Traffic is covered by existing policy
-
- Even if your cluster has been running for a long time with traffic, the flows may already be covered by existing policies.
-
-To verify why there may not be any recommendations, follow these steps:
-
-1. Go to **Service Graph**, **Default**.
-1. Filter flow logs for your namespace.
-1. Investigate the content within the `policies` field for the flow logs in question.
-1. Validate that no other enforced policy already addresses the flow.
-
-**Problem**: Why are egress-to-domain rules being generated for a Kubernetes service?
-
-**Solution/workaround**: The policy recommendation controller can only read the cluster domain of the cluster it runs in. If you have managed clusters with a non-default domain (`cluster.local`), the controller will treat egress traffic as though it is to a domain.
-
-### Disable policy recommendations
-
-To disable the policy recommendations feature, set the **RecStatus** parameter to `Disabled`, in the [Policy recommendations resource](../../reference/resources/policyrecommendations.mdx).
-
-```bash
-kubectl patch PolicyRecommendationScope default --type='json' -p='[{"op": "replace", "path": "/spec/namespaceSpec/recStatus", "value": "Disabled"}]'
-```
-
-:::note
-
-When disabled, non-active staged policies in the **Policies Recommendations** board are no longer updated. Existing activated and enforced staged network policies are not affected by disabling policy recommendations.
-
-:::
-
-## Additional resources
-
-- [Policy best practices](../../network-policy/policy-best-practices.mdx)
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/staged-network-policies.mdx b/calico-enterprise_versioned_docs/version-3.23-1/network-policy/staged-network-policies.mdx
deleted file mode 100644
index 6076608439..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/network-policy/staged-network-policies.mdx
+++ /dev/null
@@ -1,181 +0,0 @@
----
-description: Stage and preview Calico Enterprise network policies in the management UI to observe traffic impact before enforcing.
----
-
-# Stage, preview impacts, and enforce policy
-
-## Big picture
-
-Stage and preview impacts on traffic before enforcing policy.
-
-## Value
-
-$[prodname] staged network policy resources lets you test the traffic impact of the policy as if it were enforced, but without changing traffic flow. You can also preview the impacts of a staged policy on existing traffic. By verifying that correct flows are allowed and denied before enforcement, you can minimize misconfiguration and potential network disruption.
-
-## Concepts
-
-### About staged policies
-
-The following staged policy resources have the same structure (i.e. the resource spec has the same fields) as their “enforced” counterpart.
-
-- Staged global network policy
-- Staged network policy
-- Staged Kubernetes network policy
-
-### Review permissions
-
-The default `tigera-network-admin` cluster role has the required permissions to manage the different enforced
-and staged network policies. Adjust permissions for your environment. As with $[prodname] network policy and global network policies, the RBAC for $[prodname] staged network policy and staged global network policy is tier-dependent.
-
-## How to
-
-- [Create a policy recommendation](#create-a-policy-recommendation)
-- [Stage a policy](#stage-a-policy)
-- [Preview policy impact](#preview-policy-impact)
-- [Enforce a staged policy](#enforce-a-staged-policy)
-- [Stage updates to an enforced policy](#stage-updates-to-an-enforced-policy)
-
-### Create a policy recommendation
-
-One of the first things developers need to do is secure unprotected workloads with network policy. (For example, by default, Kubernetes pods accept traffic from any source.) The **Recommend policy** feature allows developers with minimal experience writing policy to secure workloads.
-
-Because **Recommend policy** looks at historical flow log entries that match your request, you should run your workloads for a reasonable amount of time to get "typical network traffic" for your application.
-
-1. In the left navbar, click **Policies**.
-1. Click **Recommend a policy**.
-1. Enter time range, Namespace, Name, and click **Recommend**.
-1. If relevant flow logs are found within the time range for the workload endpoint, click **Preview** to assess the impact of the recommended policy, or **Stage**.
-
-
-
-### Stage a policy
-
-Stage a policy to test it in a near replica of a production environment. A best practice is to stage a policy before enforcing it to avoid unintentionally exposing or blocking other network traffic.
-
-1. In the left navbar, click **Policies**.
-1. In a tier, click **Add Policy**.
-1. Create your policy and click **Stage** to save and stage it.
-
-
-
-### Enforce a staged policy
-
-1. From **Policies Board**, click a staged policy.
-1. Click **Edit policy**, make changes and click **Enforce**. The staged policy is deleted and the enforced policy is created/updated (depending on whether it already exists).
-
-### Preview policy impact
-
-The policy preview impact feature assesses traffic impact only on _enforced staged policies_.
-
-1. From the **Policies Board**, select a staged policy and click **Edit policy**.
-1. Make some edits and click **Preview**.
-
-
-
-### Stage updates to an enforced policy
-
-1. From the **Policies Board**, open an enforced policy.
-1. In **View Policy**, click **Edit policy**.
-1. Make your changes, and click **Preview**. Depending on the results, you can click **Stage** or **Enforce**.
-
-You can also use custom resources to stage Kubernetes and $[prodname] policies, and apply them using `kubectl`. Here are sample YAML files.
-
-**Example: StagedGlobalNetworkPolicy**
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: StagedGlobalNetworkPolicy
-metadata:
- name: default.allow-tcp-6379
-spec:
- tier: default
- selector: role == 'database'
- types:
- - Ingress
- - Egress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: role == 'frontend'
- destination:
- ports:
- - 6379
- egress:
- - action: Allow
-```
-
-**Example: StagedNetworkPolicy**
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: StagedNetworkPolicy
-metadata:
- name: default.allow-tcp-6379
- namespace: default
-spec:
- tier: default
- selector: role == 'database'
- types:
- - Ingress
- - Egress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- selector: role == 'frontend'
- destination:
- ports:
- - 6379
- egress:
- - action: Allow
-```
-
-**Example: StagedKubernetesNetworkPolicy**
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: StagedKubernetesNetworkPolicy
-metadata:
- name: test-network-policy
- namespace: default
-spec:
- podSelector:
- matchLabels:
- role: db
- policyTypes:
- - Ingress
- - Egress
- ingress:
- - from:
- - ipBlock:
- cidr: 172.17.0.0/16
- except:
- - 172.17.1.0/24
- - namespaceSelector:
- matchLabels:
- project: myproject
- - podSelector:
- matchLabels:
- role: frontend
- ports:
- - protocol: TCP
- port: 6379
- egress:
- - to:
- - ipBlock:
- cidr: 10.0.0.0/24
- ports:
- - protocol: TCP
- port: 5978
-```
-
-## Additional resources
-
-- [Staged global network policy](../reference/resources/stagedglobalnetworkpolicy.mdx)
-- [Staged network policy](../reference/resources/stagednetworkpolicy.mdx)
-- [Staged Kubernetes network policy](../reference/resources/stagedkubernetesnetworkpolicy.mdx)
-- For details on how to configure RBAC for staged policy resources, see [Configuring RBAC for tiered policy](policy-tiers/rbac-tiered-policies.mdx)
-- For details on staged policy metrics, see
- - [Flow logs](../observability/elastic/flow/datatypes.mdx)
- - [Prometheus metrics](../operations/monitor/metrics/index.mdx#content-main)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/add-maglev-load-balancing.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/add-maglev-load-balancing.mdx
deleted file mode 100644
index 8377fd9573..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/add-maglev-load-balancing.mdx
+++ /dev/null
@@ -1,92 +0,0 @@
----
-description: Switch a Kubernetes service to Maglev consistent-hash load balancing on the Calico Enterprise eBPF data plane for stable backend selection across nodes.
----
-
-# Add Maglev load balancing to a service
-
-This guide shows you how to enable Maglev load balancing for external traffic to a service.
-
-Maglev load balancing opens up the possibility of using $[prodname] as a distributed, horizontally
-scalable load balancer for external connections, and allows for such connections to fail over from
-one load balancing node to another during a node outage.
-
-One case where you might enable Maglev for your service is when you wish to advertise the service IP out to your broader network as an ECMP route.
-$[prodname] nodes can be used as the nexthops for such a route. These nexthops allow external connections to that service to survive
-nexthop downtime and churn, say, in the case where a node must be taken down for maintenance.
-This is because traffic may failover onto another path when the normal path stops working.
-
-
-## Limitations
-
-Note Maglev load balancing cannot be used with the following:
-* Internal (pod-to-service) traffic.
-* NodePorts - as NodePort connections are always tied to a single node, and cannot failover to another.
-* Kubernetes External Traffic Policy. Maglev chooses from a lookup table of all valid backends when performing backend selection.
-
-
-## Prerequisites
-
-* Your cluster uses the eBPF data plane with [direct server return mode](../../operations/ebpf/enabling-ebpf.mdx#try-out-direct-server-return-mode).
-* All your nodes are running on Linux.
-* You have a service with a VIP/External-IP, possibly allocated by $[prodname] [LB IPAM](../ipam/service-loadbalancer.mdx), which you are advertising outside of your cluster.
-
-
-## Enable Maglev load balancing for a service
-
-To enable Maglev load balancing for a service, add the following annotation:
-
-```yaml
-lb.projectcalico.org/external-traffic-strategy: "maglev"
-```
-
-Or annotate a pre-existing service with:
-
-```bash
-kubectl -n annotate service 'lb.projectcalico.org/external-traffic-strategy=maglev'
-```
-
-Replace the following:
-* ``: The namespace of the service.
-* ``: The name of the service.
-
-
-## Verify that $[prodname] has configured Maglev load balancing for the service
-
-After annotating the service in-question, check any $[noderunning] container for an entry
-in the $[prodname] eBPF NAT table with the "maglev" flag.
-
-```bash title='Example NAT table dump'
-kubectl -n calico-system exec -- calico-node -bpf nat dump
-```
-
-Replace `` with the name of any calico-node pod.
-
-Check the command output for an entry with your service's IP, and the "maglev" flag mentioned in the same line:
-
-```
-10.101.205.28 port 80 proto 6 id 7 count 4 local 1 flags maglev
- 7:0 192.168.95.210:9000
- 7:1 192.168.163.6:9000
- 7:2 192.168.221.69:9000
- 7:3 192.168.28.136:9000
-```
-
-
-## Additional notes
-
-### BPF map sizing for large deployments
-
-In order to evenly distribute traffic, consistent-hash-based load balancing algorithms like Maglev must allocate large lookup-tables (LUTs),
-leading to a larger memory footprint than basic algorithms e.g. random-selection, round-robin. For this reason, the feature is enabled on a
-per-service basis, rather than globally applying to all services.
-
-In $[prodname], we program these LUTs to the eBPF data plane as maps which can grow up to a maximum size.
-If you plan to provision more than 100 services, or if you plan for any one service to have more than 100 endpoints, then the $[prodname]
-FelixConfiguration should be updated to reflect that:
- - [BPFMaglevMaxEndpointsPerService](../../reference/resources/felixconfig.mdx#bpfMaglevMaxEndpointsPerService)
- - [BPFMaglevMaxServices](../../reference/resources/felixconfig.mdx#bpfMaglevMaxServices)
-
-
-## Additional resources
-* [FelixConfiguration](../../reference/resources/felixconfig.mdx)
-* [Enable the eBPF data plane](../../operations/ebpf/enabling-ebpf.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/advertise-service-ips.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/advertise-service-ips.mdx
deleted file mode 100644
index a859a9b707..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/advertise-service-ips.mdx
+++ /dev/null
@@ -1,275 +0,0 @@
----
-description: Advertise Kubernetes service cluster IPs and external IPs out of the cluster over BGP with Calico Enterprise so upstream routers can reach them directly.
----
-
-# Advertise Kubernetes service IP addresses
-
-## Big picture
-
-Enable $[prodname] to advertise Kubernetes service IPs outside a cluster. $[prodname] supports advertising a service’s cluster IPs and external IPs.
-
-## Value
-
-Typically, Kubernetes service cluster IPs are accessible only within the cluster, so external access to the service requires a dedicated load balancer or ingress controller. In cases where a service’s cluster IP is not routable, the service can be accessed using its external IP.
-
-Just as $[prodname] supports advertising **pod IPs** over BGP, it also supports advertising Kubernetes **service IPs** outside a cluster over BGP. This avoids the need for a dedicated load balancer. This feature also supports equal cost multi-path (ECMP) load balancing across nodes in the cluster, as well as source IP address preservation for local services when you need more control.
-
-## Concepts
-
-### BGP makes it easy
-
-In Kubernetes, all requests for a service are redirected to an appropriate endpoint (pod) backing that service. Because $[prodname] uses BGP, external traffic can be routed directly to Kubernetes services by advertising Kubernetes service IPs into the BGP network.
-
-If your deployment is configured to peer with BGP routers outside the cluster, those routers (plus any other upstream places the routers propagate to) can send traffic to a Kubernetes service IP for routing to one of the available endpoints for that service.
-
-### Advertising service IPs: quick glance
-
-$[prodname] implements the Kubernetes **externalTrafficPolicy** using kube-proxy to direct incoming traffic to a correct pod. Advertisement is handled differently based on the service type that you configure for your service.
-
-| **Service mode** | **Cluster IP advertisement** | **Traffic is...** | Source IP address is... |
-| ----------------- | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------- |
-| Cluster (default) | All nodes in the cluster statically advertise a route to the service CIDR. | Load balanced across nodes in the cluster using ECMP, then forwarded to appropriate pod in the service using SNAT. May incur second hop to another node, but good overall load balancing. | Obscured by SNAT |
-| Local | The nodes with a pod backing the service advertise a specific route (/32 or /128) to the service's IP. | Load balanced across nodes with endpoints for the service. Avoids second hop for LoadBalancer and NodePort type services, traffic may be unevenly load balanced. (Other traffic is load balanced across nodes in the cluster.) | Preserved |
-
-If your $[prodname] deployment is configured to peer with BGP routers outside the cluster, those routers - plus any further upstream places that those routers propagate to - will be able to send traffic to a Kubernetes service cluster IP, and that traffic is routed to one of the available endpoints for that service.
-
-### Tips for success
-
-- Generally, we recommend using “Local” for the following reasons:
- - If any of your network policy uses rules to match by specific source IP addresses, using Local is the obvious choice because the source IP address is not altered, and the policy will still work.
- - Return traffic is routed directly to the source IP because “Local” services do not require undoing the source NAT (unlike “Cluster” services).
-- Cluster IP advertisement works best with a ToR that supports ECMP. Otherwise, all traffic for a given route is directed to a single node.
-
-## Before you begin...
-
-**Required**
-
-- Calico CNI
-- [Configure BGP peering](bgp.mdx) between $[prodname] and your network infrastructure
-- For ECMP load balancing to services, the upstream routers must be configured to use BGP multipath.
-- You need at least one external node outside the cluster that acts as a router, route reflector, or ToR that is peered with calico nodes inside the cluster.
-- Services must be configured with the correct service mode (“Cluster” or “Local”) for your implementation. For `externalTrafficPolicy: Local`, the service must be type `LoadBalancer` or `NodePort`.
-
-**Limitations**
-
-- Supported in EKS and AWS, but only if you are using Calico CNI
-- OpenShift, versions 4.5 and 4.6
- There is a [bug](https://github.com/kubernetes/kubernetes/issues/91374) where the source IP is not preserved by NodePort services or traffic via a Service ExternalIP with externalTrafficPolicy:Local.
-
- OpenShift users on v4.5 or v4.6 can use this [workaround to avoid SNAT with ExternalIP](https://docs.openshift.com/container-platform/4.7/nodes/clusters/nodes-cluster-enabling-features.html):
-
- ```
- oc edit featuregates.config.openshift.io cluster
- spec:
- customNoUpgrade:
- enabled:
- - ExternalPolicyForExternalIP
- ```
-
- Kubernetes users on version v1.18 or v1.19 can enable source IP preservation for NodePort services using the ExternalPolicyForExternalIP feature gate.
-
- Source IP preservation for NodePort and services and ExternalIPs is enabled by default in OpenShift v4.7+, and Kubernetes v1.20+.
-
-## How to
-
-- [Advertise service cluster IP addresses](#advertise-service-cluster-ip-addresses)
-- [Advertise service external IP addresses](#advertise-service-external-ip-addresses)
-- [Advertise service load balancer IP addresses](#advertise-service-load-balancer-ip-addresses)
-- [Exclude certain nodes from advertisement](#exclude-certain-nodes-from-advertisement)
-
-### Advertise service cluster IP addresses
-
-1. Determine the service cluster IP range. (Or ranges, if your cluster is [dual stack](../ipam/ipv6.mdx).)
-
- The range(s) for your cluster can be inferred from the `--service-cluster-ip-range` option passed to the Kubernetes API server. For help, see the [Kubernetes API server reference guide](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/).
-
-1. Check to see if you have a default BGPConfiguration.
-
- ```bash
- kubectl get bgpconfiguration.projectcalico.org default
- ```
-
-1. Based on above results, update or create a BGPConfiguration.
-
- **Update default BGPConfiguration**.
-
- Patch the BGPConfiguration using the following command, using your own service cluster IP CIDR in place of "10.0.0.0/24":
-
- ```bash
- kubectl patch bgpconfiguration.projectcalico.org default -p '{"spec":{"serviceClusterIPs": [{"cidr": "10.0.0.0/24"}]}}'
- ```
-
- **Create default BGPConfiguration**.
-
- Use the following sample command to create a default BGPConfiguration. Add your CIDR blocks, covering the cluster IPs to be advertised, in the `serviceClusterIPs` field, for example:
-
- ```bash
- kubectl create -f - <
- asNumber:
- filters:
- - export-to-tor
-```
-
-:::note
-
-If the parent cluster peers with the top-of-rack router(s) over iBGP, add `nextHopMode: Self` to the `node-tor-peer` resource.
-This ensures that nodes in the parent cluster rewrite the next hop of routes learned from workloads to their own local IP address.
-
-:::
-
-### Configure BGP peering with workloads
-
-In the parent cluster, create a `BGPPeer` resource to peer with the workloads.
-
-- The `localWorkloadSelector` field is used to select which workloads to peer with.
- In this example, we select workloads with the label `color=red`.
-
-- Include the `BGPFilter` resources defined above in the `BGPPeer` resource to control
- which routes are imported and exported.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: BGPPeer
-metadata:
- name: peer-to-workloads
-spec:
- localWorkloadSelector: color == 'red'
- asNumber:
- filters:
- - no-export
- - accept-nested-ip-pools
-```
-
-Both per-node and global `BGPPeer` resources are supported. To limit the peering to certain nodes, use the `nodeSelector` field.
-
-:::note
-
-`localWorkloadSelector` is scoped to all workloads and it does not currently have a corresponding
-"namespace selector". To match on namespace labels, you can prefix the label name with `pcns.`.
-
-:::
-
-In the child cluster,
-
-- Ensure that the node-to-node mesh is disabled in the `BGPConfiguration` resource and
- that the workload cluster's AS number is set:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: BGPConfiguration
- metadata:
- name: default
- spec:
- nodeToNodeMeshEnabled: false
- asNumber:
- ```
-
-- Create a `BGPPeer` resource (per desired IP version) that peers with the
- parent clusters' virtual IP:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: BGPPeer
- metadata:
- name: peer-to-parent-cluster
- spec:
- peerIP: 169.254.0.179
- asNumber:
- ---
- apiVersion: projectcalico.org/v3
- kind: BGPPeer
- metadata:
- name: peer-to-parent-cluster-v6
- spec:
- peerIP: "fdc9:9723:09bc::1"
- asNumber:
- ```
-
-### Configure more than one nested cluster
-
-You can configure more than one nested cluster by:
-
-- Choosing a unique non-overlapping IP pool for each nested cluster.
-- In the parent cluster: creating a new import `BGPFilter` resource for each cluster to import its routes.
-- In the parent cluster: creating a new, uniquely-named `BGPPeer` resource for each cluster to peer with the
- parent cluster. You can re-use the shared "no-export" `BGPFilter` resource with every nested cluster peering.
-- In the parent cluster: updating the `export-to-tor` `BGPFilter` resource to include the new cluster's CIDRs.
-- In the nested cluster: adding a copy of the `peer-to-parent-cluster` `BGPPeer`(s). These should
- be the same in all nested clusters since a parent cluster always uses the same virtual IP for all
- nested clusters.
-
-:::note
-
-If you plan to use many nested clusters consider allocating their IP pools from a single larger
-CIDR. Then the `export-to-tor` filter can be simplified to match on the larger CIDR only.
-
-If you trust the nested clusters, similarly, you could also re-use a single `accept-nested-ip-pools` filter
-for all child clusters.
-
-:::
-
-## Additional resources
-
-- [BGP guide](./bgp.mdx)
-- [BGP L3 interconnect guide](../../reference/architecture/design/l3-interconnect-fabric.mdx)
-- [Node resource](../../reference/resources/node.mdx)
-- [BGP configuration resource](../../reference/resources/bgpconfig.mdx)
-- [BGP peer resource](../../reference/resources/bgppeer.mdx)
-- [BGP filter resource](../../reference/resources/bgpfilter.mdx)
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/bgp.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/bgp.mdx
deleted file mode 100644
index 2e11b7548b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/bgp.mdx
+++ /dev/null
@@ -1,374 +0,0 @@
----
-description: Set up BGP peering for Calico Enterprise — full mesh, per-node peers, top-of-rack switches, and route reflectors — using BGPPeer and BGPConfiguration resources.
----
-
-# Configure BGP peering
-
-## Big picture
-
-Configure BGP (Border Gateway Protocol) between Calico nodes or peering with network infrastructure to distribute routing information.
-
-## Value
-
-$[prodname] nodes can exchange routing information over BGP to enable reachability for $[prodname] networked workloads (Kubernetes pods or OpenStack VMs). In an on-premises deployment this allows you to make your workloads first-class citizens across the rest of your network. In public cloud deployments, it provides an efficient way of distributing routing information within your cluster, and is often used in conjunction with IPIP overlay or cross-subnet modes.
-
-## Concepts
-
-### BGP
-
-**BGP** is a standard protocol for exchanging routing information between routers in a network. Each router running BGP has one or more **BGP peers** - other routers which they are communicating with over BGP. You can think of $[prodname] networking as providing a virtual router on each of your nodes. You can configure $[prodname] nodes to peer with each other, with route reflectors, or with top-of-rack (ToR) routers.
-
-### Common BGP topologies
-
-There are many ways to configure a BGP network depending on your environment. Here are some common ways it is done with $[prodname].
-
-### Full-mesh
-
-When BGP is enabled, $[prodname]’s default behavior is to create a **full-mesh** of internal BGP (iBGP) connections where each node peers with each other. This allows $[prodname] to operate over any L2 network, whether public cloud or private cloud, or, if IPIP is [configured](vxlan-ipip.mdx), to operate as an overlay over any network that does not block IPIP traffic. $[prodname] does not use BGP for VXLAN overlays.
-
-:::note
-
-Most public clouds support IPIP. The notable exception is Azure, which blocks IPIP traffic. So if you want to run Calico as an overlay network in Azure, you must [configure $[prodname] to use VXLAN](vxlan-ipip.mdx).
-
-:::
-
-Full-mesh works great for small and medium-size deployments of say 100 nodes or less, but at significantly larger scales full-mesh becomes less efficient, and we recommend using route reflectors.
-
-### Route reflectors
-
-To build large clusters of internal BGP (iBGP), **BGP route reflectors** can be used to reduce the number of BGP peerings used on each node. In this model, some nodes act as route reflectors and are configured to establish a full mesh amongst themselves. Other nodes are then configured to peer with a subset of those route reflectors (typically 2 for redundancy), reducing the total number BGP peering connections compared to full-mesh.
-
-### Top of Rack (ToR)
-
-In **on-premises deployments**, you can configure $[prodname] to peer directly with your physical network infrastructure. Typically, this involves disabling $[prodname]’s default full-mesh behavior, and instead peer $[prodname] with your L3 ToR routers. There are many ways to build an on-premises BGP network. How you configure your BGP is up to you - $[prodname] works well with both iBGP and eBGP configurations, and you can effectively treat $[prodname] like any other router in your network design.
-
-Depending on your topology, you may also consider using BGP route reflectors within each rack. However, this is typically needed only if the number of nodes in each L2 domain is large (> 100).
-
-For a deeper look at common on-premises deployment models, see [Calico over IP Fabrics](../../reference/architecture/design/l2-interconnect-fabric.mdx).
-
-## Before you begin...
-
-**Required**
-
-- Calico CNI
-- [calicoctl](../../operations/clis/calicoctl/install.mdx) must be installed and configured
-
-## How to
-
-:::note
-
-Significantly changing $[prodname]'s BGP topology, such as changing from full-mesh to peering with ToRs, may result in temporary loss of pod network connectivity during the reconfiguration process. It is recommended to only make such changes during a maintenance window.
-
-:::
-
-- [Configure a global BGP peer](#configure-a-global-bgp-peer)
-- [Configure a per-node BGP peer](#configure-a-per-node-bgp-peer)
-- [Configure a node to act as a route reflector](#configure-a-node-to-act-as-a-route-reflector)
-- [Disable the default BGP node-to-node mesh](#disable-the-default-bgp-node-to-node-mesh)
-- [Change from node-to-node mesh to route reflectors without any traffic disruption](#change-from-node-to-node-mesh-to-route-reflectors-without-any-traffic-disruption)
-- [View BGP peering status for a node](#view-bgp-peering-status-for-a-node)
-- [View BGP info on all peers for a node](#view-bgp-info-on-all-peers-for-a-node)
-- [Change the default global AS number](#change-the-default-global-as-number)
-- [Change AS number for a particular node](#change-as-number-for-a-particular-node)
-- [Set a local AS number for a specific BGP peer](#set-a-local-as-number-for-a-specific-bgp-peer)
-- [Configure a BGP filter](#configure-a-bgp-filter)
-- [Configure a BGP peer with a BGP filter](#configure-a-bgp-peer-with-a-bgp-filter)
-
-### Configure a global BGP peer
-
-Global BGP peers apply to all nodes in your cluster. This is useful if your network topology includes BGP speakers that will be peered with every $[prodname] node in your deployment.
-
-The following example creates a global BGP peer that configures every $[prodname] node to peer with **192.20.30.40** in AS **64567**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: BGPPeer
-metadata:
- name: my-global-peer
-spec:
- peerIP: 192.20.30.40
- asNumber: 64567
-```
-
-### Configure a per-node BGP peer
-
-Per-node BGP peers apply to one or more nodes in the cluster. You can choose which nodes by specifying the node’s name exactly, or using a label selector.
-
-The following example creates a BGPPeer that configures every $[prodname] node with the label, **rack: rack-1** to peer with **192.20.30.40** in AS **64567**.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: BGPPeer
-metadata:
- name: rack1-tor
-spec:
- peerIP: 192.20.30.40
- asNumber: 64567
- nodeSelector: rack == 'rack-1'
-```
-
-### Configure a node to act as a route reflector
-
-$[prodname] nodes can be configured to act as route reflectors. To do this, each node that you want to act as a route reflector must have a cluster ID - typically an unused IPv4 address.
-
-To configure a node to be a route reflector with cluster ID 244.0.0.1, run the following command.
-
-```bash
-kubectl annotate node my-node projectcalico.org/RouteReflectorClusterID=244.0.0.1
-```
-
-Typically, you will want to label this node to indicate that it is a route reflector, allowing it to be easily selected by a BGPPeer resource. You can do this with kubectl. For example:
-
-```bash
-kubectl label node my-node route-reflector=true
-```
-
-Now it is easy to configure route reflector nodes to peer with each other and other non-route-reflector nodes using label selectors. For example:
-
-```yaml
-kind: BGPPeer
-apiVersion: projectcalico.org/v3
-metadata:
- name: peer-with-route-reflectors
-spec:
- nodeSelector: all()
- peerSelector: route-reflector == 'true'
-```
-
-:::note
-
-Adding `routeReflectorClusterID` to a node spec will remove it from the node-to-node mesh immediately, tearing down the
-existing BGP sessions. Adding the BGP peering will bring up new BGP sessions. This will cause a short (about 2 seconds)
-disruption to data plane traffic of workloads running in the nodes where this happens. To avoid this, make sure no
-workloads are running on the nodes, by provisioning new nodes or by running `kubectl drain` on the node (which may
-itself cause a disruption as workloads are drained).
-
-:::
-
-### Disable the default BGP node-to-node mesh
-
-The default **node-to-node BGP mesh** may be turned off to enable other BGP topologies. To do this, modify the default **BGP configuration** resource.
-
-Run the following command to disable the BGP full-mesh:
-
-```bash
-calicoctl patch bgpconfiguration default -p '{"spec": {"nodeToNodeMeshEnabled": false}}'
-```
-
-:::note
-
-If the default BGP configuration resource does not exist, you need to create it first. See [BGP configuration](../../reference/resources/bgpconfig.mdx) for more information.
-
-:::
-
-:::note
-
-Disabling the node-to-node mesh will break pod networking until/unless you configure replacement BGP peerings using BGPPeer resources.
-You may configure the BGPPeer resources before disabling the node-to-node mesh to avoid pod networking breakage.
-
-:::
-
-### Change from node-to-node mesh to route reflectors without any traffic disruption
-
-Switching from node-to-node BGP mesh to BGP route reflectors involves tearing down BGP sessions and bringing up new ones. This causes a short
-data plane network disruption (of about 2 seconds) for workloads running on the nodes in the cluster. To avoid this, you may provision
-route reflector nodes and bring their BGP sessions up before tearing down the node-to-node mesh sessions.
-
-Follow these steps to do so:
-
-1. [Provision new nodes to be route reflectors.](#configure-a-node-to-act-as-a-route-reflector) The nodes [should not be schedulable](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
- and they should have `routeReflectorClusterID` in their spec. These won't be part of the existing
- node-to-node BGP mesh, and will be the route reflectors when the mesh is disabled. These nodes should also have a label like
- `route-reflector` to select them for the BGP peerings. [Alternatively](https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/),
- you can drain workloads from existing nodes in your cluster by running `kubectl drain ` to configure them to be route reflectors,
- but this will cause a disruption on the workloads on those nodes as they are drained.
-
-2. Also set up a [BGPPeer](#configure-a-node-to-act-as-a-route-reflector) spec to configure route reflector nodes to peer with each other and other non-route-reflector nodes
- using label selectors.
-
-3. Wait for these peerings to be established. This can be [verified](#view-bgp-peering-status-for-a-node) by running `sudo calicoctl node status` on the nodes. Alternatively, you can create a [`CalicoNodeStatus` resource](../../reference/resources/caliconodestatus.mdx) to get BGP session status for the node.
-
-4. [Disable the BGP node-to-node mesh for the cluster.](#disable-the-default-bgp-node-to-node-mesh)
-
-5. If you did drain workloads from the nodes or created them as unschedulable, mark the nodes as schedulable again (e.g. by running `kubectl uncordon `).
-
-### View BGP peering status for a node
-
-Create a [CalicoNodeStatus resource](../../reference/resources/caliconodestatus.mdx) to monitor BGP session status for the node.
-
-Alternatively, you can run the `calicoctl node status` command on a given node to learn more about its BGP status.
-
-:::note
-
-This command communicates with the local $[prodname] agent, so you must execute it on the node whose status you are attempting to view.
-
-:::
-
-### View BGP info on all peers for a node
-
-You can use `calicoctl` to view the BGP information for all peers of a particular node, including connection status, routing statistics, and BGP state. This is useful for confirming that your configuration is behaving as desired, and for more detailed troubleshooting.
-
-Run the following command from anywhere you have access to `kubectl`:
-
-```bash
-calicoctl bgp peers
-```
-
-Where `` is the resource name for one of the Calico node pods within your cluster.
-
-:::note
-
-The above command can be run from anywhere you have access to kubectl. We recommend running it as a kubectl plugin. [Follow these instructions](../../operations/clis/calicoctl/install.mdx#install-calicoctl-as-a-kubectl-plugin-on-a-single-host) for how to install `calicoctl` as a kubectl plugin.
-
-:::
-If you install the binary as a kubectl plugin using the above instructions, you can then run the command as follows:
-
-```bash
-kubectl calico bgp peers
-```
-
-### Change the default global AS number
-
-By default, all Calico nodes use the 64512 autonomous system, unless a per-node AS has been specified for the node. You can change the global default for all nodes by modifying the default **BGPConfiguration** resource. The following example command sets the global default AS number to **64513**.
-
-```bash
-kubectl patch bgpconfiguration default -p '{"spec": {"asNumber": "64513"}}'
-```
-
-:::note
-
-If the default BGP configuration resource does not exist, you need to create it first. See [BGP configuration](../../reference/resources/bgpconfig.mdx) for more information.
-
-:::
-
-### Change AS number for a particular node
-
-You can configure an AS for a particular node by modifying the node object using `calicoctl`. For example, the following command changes the node named **node-1** to belong to **AS 64514**.
-
-```bash
-calicoctl patch node node-1 -p '{"spec": {"bgp": {"asNumber": "64514"}}}'
-```
-
-### Set a local AS number for a specific BGP peer
-
-You can configure a distinct local AS number for an individual BGP peer by modifying the `BGPPeer` resource using `calicoctl` or `kubectl`. This overrides the node-wide or global AS number defined in the `BGPConfiguration`, allowing different local ASNs to be used on a per-peer basis. If `localASNumber` is not set, Calico will fall back to the node-wide or global AS number.
-
-```bash
-kubectl patch bgppeer [peer_name] -p '{"spec": {"localASNumber": 64577}}'
-```
-
-### Configure a BGP filter
-
-BGP filters control which routes are imported and exported between BGP peers.
-
-The BGP filter rules (importVX, exportVX) are applied sequentially, taking the
-`action` of the first matching rule. When no rules are matched, the default
-`action` is `Accept`.
-
-In order for a BGPFilter to be used in a BGP peering, its `name`
-must be added to `filters` of the corresponding BGPPeer resource.
-
-The following example creates a BGPFilter
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: BGPFilter
-metadata:
- name: my-filter
-spec:
- exportV4:
- - action: Accept
- matchOperator: In
- cidr: 77.0.0.0/16
- - action: Reject
- source: RemotePeers
- - action: Reject
- interface: '*.calico'
- importV4:
- - action: Reject
- matchOperator: NotIn
- cidr: 44.0.0.0/16
- exportV6:
- - action: Reject
- source: RemotePeers
- - action: Reject
- interface: '*.calico'
- importV6:
- - action: Accept
- matchOperator: Equal
- cidr: 5000::0/64
- - action: Reject
-```
-
-### Configure a BGP peer with a BGP filter
-
-BGP peers can use BGP filters to control which routes are imported or exported between them.
-
-The following example creates a BGPFilter and associates it with a BGPPeer
-:::note
-
-BGPFilters are applied in the order listed on a BGPPeer
-
-:::
-
-```yaml
-kind: BGPFilter
-apiVersion: projectcalico.org/v3
-metadata:
- name: first-bgp-filter
-spec:
- exportV4:
- - action: Accept
- matchOperator: In
- cidr: 77.0.0.0/16
- source: RemotePeers
- importV4:
- - action: Reject
- matchOperator: NotIn
- cidr: 44.0.0.0/16
- exportV6:
- - action: Reject
- interface: '*.calico'
- importV6:
- - action: Accept
- matchOperator: Equal
- cidr: 5000::0/64
----
-kind: BGPFilter
-apiVersion: projectcalico.org/v3
-metadata:
- name: second-bgp-filter
-spec:
- exportV4:
- - action: Accept
- matchOperator: In
- cidr: 77.0.0.0/16
- interface: '*.calico'
- importV4:
- - action: Reject
- matchOperator: NotIn
- cidr: 44.0.0.0/16
- exportV6:
- - action: Reject
- source: RemotePeers
- importV6:
- - action: Reject
----
-kind: BGPPeer
-apiVersion: projectcalico.org/v3
-metadata:
- name: peer-with-filter
-spec:
- peerSelector: has(filter-bgp)
- filters:
- - first-bgp-filter
- - second-bgp-filter
-```
-
-## Additional resources
-
-- [Node resource](../../reference/resources/node.mdx)
-- [Configure BGP peering with nested clusters running on Kubevirt VMs](./bgp-to-workload.mdx)
-- [BGP configuration resource](../../reference/resources/bgpconfig.mdx)
-- [BGP peer resource](../../reference/resources/bgppeer.mdx)
-- [BGP filter resource](../../reference/resources/bgpfilter.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/custom-bgp-config.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/custom-bgp-config.mdx
deleted file mode 100644
index 8bc83e412e..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/custom-bgp-config.mdx
+++ /dev/null
@@ -1,52 +0,0 @@
----
-description: Override the default BIRD BGP templates for Calico Enterprise to access advanced BIRD features for proof-of-concept and special-case routing setups.
----
-
-# Custom BGP configuration
-
-## Big picture
-
-Customize BGP configurations for special use-cases.
-
-:::caution
-Customizing BGP configuration templates is not supported by Tigera for production because they are not guaranteed to work when upgrading. However, if you want to use custom templates for POCs and other temporary uses cases, contact your Tigera Support representative for help.
-
-:::
-
-## Concepts
-
-In $[prodname], BGP is handled by [BIRD](https://github.com/projectcalico/bird).
-The BIRD configurations are templated out through [confd](https://github.com/projectcalico/confd).
-You can modify the BIRD configuration to use BIRD features which are not typically exposed using the
-default configuration provided with $[prodname].
-
-## Before you begin
-
-**Required**
-
-- Calico CNI
-
-## How to
-
-- [Update BGP configuration](#update-bgp-configuration)
-- [Apply BGP customizations](#apply-bgp-customizations) based on how you've deployed $[prodname]:
-
-### Update BGP configuration
-
-Using the directions provided with the templates, set the correct values
-for the BGP configuration using these resources:
-
-- [BGP Configuration](../../reference/resources/bgpconfig.mdx)
-- [BGP Peer](../../reference/resources/bgppeer.mdx)
-- [calicoctl](../../reference/clis/calicoctl/index.mdx)
-
-### Apply BGP Customizations
-
-1. Create your confd templates.
-1. Create a ConfigMap from the templates.
-
-```
-kubectl create configmap bird-templates -n tigera-operator --from-file=
-```
-
-The created config map will be used to populate the $[prodname] BIRD configuration file templates. If a template with the same name already exists within the node container, it will be overwritten with the contents from the config map.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/dual-tor.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/dual-tor.mdx
deleted file mode 100644
index f7dad5fe22..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/dual-tor.mdx
+++ /dev/null
@@ -1,640 +0,0 @@
----
-description: Deploy a dual ToR cluster with Calico Enterprise so two independent connectivity planes provide redundancy between racks for on-premises clusters.
----
-
-# Deploy a dual ToR cluster
-
-## Big picture
-
-Deploy a dual plane cluster to provide redundant connectivity between your workloads for on-premises deployments.
-
-:::note
-
-Dual ToR is not supported if you are using BGP with encapsulation (VXLAN or IP-in-IP).
-
-:::
-
-## Value
-
-A dual plane cluster provides two independent planes of connectivity between all cluster
-nodes. If a link or software component breaks somewhere in one of those planes, cluster
-nodes can still communicate over the other plane, and the cluster as a whole continues to
-operate normally.
-
-## Concepts
-
-### Dual plane connectivity, aka "dual ToR"
-
-Large on-prem Kubernetes clusters, split across multiple server racks, can use two or more
-independent planes of connectivity between all the racks. The advantages are:
-
-- The cluster can still function, even if there is a single break in connectivity
- somewhere.
-
-- The cluster can load balance across the bandwidth of _both_ planes, when both planes
- are available.
-
-The redundant approach can be applied within each rack as well, such that each node has
-two or more independent connections to those connectivity planes. Typically, each rack
-has two top-of-rack routers ("ToRs") and each node has two fabric-facing interfaces, each
-of which connects over a separate link or Ethernet to one of the ToRs for the rack.
-
-Here's an example of how a dual plane setup might look, with just two racks and two nodes
-in each rack. For simplicity, we've shown the connections _between_ racks as single
-links; in reality that would be more complex, but still following the overall dual plane
-paradigm.
-
-
-
-Because of the two ToRs per rack, the whole setup is often referred to as "dual ToR".
-
-### Network design for a dual ToR cluster
-
-For a dual ToR cluster to operate seamlessly when there is a break on one of the planes,
-several things are needed.
-
-- Each node should have a stable IP address that is independent of its per-interface
- addresses and remains valid if the connectivity through _one_ of those interfaces goes
- down.
-
-- Each node must somehow know or learn the stable IP address of every other node.
-
-- Wherever a connection (other than BGP) is to or from a _node_ (as opposed to a
- non-host-networked pod), that connection should use the node's stable address as its
- destination or source IP (respectively), so that the connection can continue working if
- one of the planes has an outage.
-
-- Importantly, this includes connections that Kubernetes uses as part of its own control
- plane, such as between the Kubernetes API server and kubelet on each node. Ideally,
- therefore, the stable IP address setup on each node should happen *before* Kubernetes
- starts running.
-
-- BGP is an exception to the previous points - in fact, the _only_ exception - because we
- want each node's BGP peerings to be interface-specific and to reflect what is actually
- reachable, moment by moment, over that interface. The Linux routing table then
- automatically adjusts so that the route to each remote destination is either ECMP -
- when both planes are up - or non-ECMP when it can only be reached over one of the
- planes.
-
-- BGP peerings should be configured to detect any outages, and to propagate their
- consequences, as quickly as possible, so that the routing can quickly respond on each
- node. Note that this is quite different from the reasoning for a single connectivity
- plane, where it's better to delay any network churn, on the assumption that an outage
- will be quickly fixed.
-
-Finally, to spread load evenly and maximise use of both planes, when both available, the
-routers and Linux kernel need to be configured for efficient ECMP.
-
-### Calico's early networking architecture
-
-$[prodname]'s $[nodecontainer] image can be run in an "early networking" mode,
-on each node, to perform all of the above points that are needed before Kubernetes starts
-running. That means that it:
-
-- Provisions the stable IP address, and assigns it to the loopback interface.
-
-- Ensures the stable address will be used as the source
- IP for any outgoing connections, by adjusting the scope of interface addresses.
-
-- Starts running BGP, peering with the node's ToRs, to advertise the node's
- stable address to other nodes.
-
-- Configures efficient ECMP in the Linux kernel (with `fib_multipath_hash_policy=1` and
- `fib_multipath_use_neigh=1`).
-
-More detail is given below on how to run this early networking image. A key point is that
-it must run as soon as possible after each node boot, and before Kubernetes starts on the
-node, so it is typically run as a Docker or podman container.
-
-After its start-of-day provisioning, the early networking container keeps running so that
-it can tag-team the BGP role with Calico's regular BGP service running inside the
-$[nodecontainer] _pod_:
-
-- Initially the $[nodecontainer] pod does not yet exist, so the early networking
- BGP runs to advertise out the node's stable address.
-
-- After Kubernetes has started on the node, and Calico has been installed in Kubernetes,
- the $[nodecontainer] pod runs and starts its own BGP service. The early
- networking container spots that the regular BGP service is now running and so shuts
- down its own BGP. Now the regular BGP service handles the advertisement of the stable
- address, as well as pod IPs and so on.
-
-- Later, the $[nodecontainer] pod might be shut down, e.g. for restart or upgrade.
- If the downtime continues for longer than the graceful restart period, the early
- networking container spots this and restarts its own BGP, to ensure that the node's
- stable IP address continues to be advertised to other nodes. The cycle can now repeat
- from the "Initially" state above.
-
- :::note
-
- The default graceful restart period is 120s for traditional BGP GR and
- 3600s for LLGR.
-
- :::
-
-### BGP configuration for rapid outage detection
-
-A dual ToR cluster needs Calico BGPPeer resources to specify how each node should peer
-with its ToRs. The remaining parts of the dual ToR network design are implemented as
-properties of those BGP peerings, and as corresponding properties on the BGP configuration
-between and within the ToRs and core infrastructure.
-
-Specifically, on Calico's BGPPeer resource,
-
-- the `failureDetectionMode` field is used to enable BFD
-
-- the `restartMode` field can be used to enable long-lived graceful restart (LLGR).
-
-See below for more on the benefits of these settings. When they are used, consistent
-settings are needed on the ToRs and core infrastructure.
-
-### ECMP routing
-
-An "Equal Cost Multiple Path" (ECMP) route is one that has multiple possible ways to reach
-a given destination or prefix, all of which are considered to be equally good. A dual ToR
-setup naturally generates ECMP routes, with the different paths going over the different
-connectivity planes.
-
-When using an ECMP route, Linux decides how to balance traffic across the available paths,
-including whether this is informed by TCP and UDP port numbers as well as source and
-destination IP addresses, whether the decision is made per-packet, per-connection, or in
-some other way, and so on; and the details here have varied with Linux kernel version.
-For a clear account of the exact options and behaviors for different kernel versions,
-please see [this blog](https://web.archive.org/web/20210204031636/https://cumulusnetworks.com/blog/celebrating-ecmp-part-two/).
-
-### BFD
-
-Bidirectional Forwarding Detection (BFD) is [a protocol](https://tools.ietf.org/html/rfc5880)
- that detects very quickly when forwarding
-along a particular path stops working - whether that's because a link has broken
-somewhere, or some software component along the path.
-
-In a dual ToR setup, rapid failure detection is important so that traffic flows within the
-cluster can quickly adjust to using the other available connectivity plane.
-
-### Long lived graceful restart
-
-Long Lived Graceful Restart (LLGR) is [an extension for BGP](https://tools.ietf.org/html/draft-uttaro-idr-bgp-persistence-05)
- that handles link
-failure by lowering the preference of routes over that link. This is a compromise between
-the base BGP behaviour - which is immediately to remove those routes - and traditional BGP
-Graceful Restart behaviour - which is not to change those routes at all, until some
-configured time has passed.
-
-For a dual ToR setup, LLGR is helpful, as explained in more detail by [this blog](https://vincent.bernat.ch/en/blog/2018-bgp-llgr)
-, because:
-
-- If a link fails somewhere, the immediate preference lowering allows traffic to adjust
- immediately to use the other connectivity plane.
-
-- If a node is restarted, we still get the traditional Graceful Restart behaviour whereby
- routes to that node persist in the rest of the network.
-
-
-## Before you begin
-
-**Unsupported**
-
-- AKS
-- EKS
-- GKE
-
-**Required**
-
-- Calico CNI
-
-## How to
-
-- [Prepare YAML resources describing the layout of your cluster](#prepare-yaml-resources-describing-the-layout-of-your-cluster)
-- [Arrange for dual-homed nodes to run $[nodecontainer] on each boot](#arrange-for-dual-homed-nodes-to-run-cnx-node-on-each-boot)
-- [Configure your ToR routers and infrastructure](#configure-your-tor-routers-and-infrastructure)
-- [Install Kubernetes and $[prodname]](#install-kubernetes-and-calico-enterprise)
-- [Verify the deployment](#verify-the-deployment)
-
-### Prepare YAML resources describing the layout of your cluster
-
-1. Prepare BGPPeer resources to specify how each node in your cluster should peer with
- the ToR routers in its rack. For example, if your rack 'A' has ToRs with IPs
- 172.31.11.100 and 172.31.12.100 and the rack AS number is 65001:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: BGPPeer
- metadata:
- name: ra1
- spec:
- nodeSelector: "rack == 'ra' || rack == 'ra_single'"
- peerIP: 172.31.11.100
- asNumber: 65001
- sourceAddress: None
- ---
- apiVersion: projectcalico.org/v3
- kind: BGPPeer
- metadata:
- name: ra2
- spec:
- nodeSelector: "rack == 'ra'"
- peerIP: 172.31.12.100
- asNumber: 65001
- sourceAddress: None
- ```
-
- :::note
-
- The effect of the `nodeSelector` fields here is that any node with label
- `rack: ra` will peer with both these ToRs, while any node with label `rack: ra_single` will peer with only the first ToR. For optimal dual ToR function and
- resilience, nodes in rack 'A' should be labelled `rack: ra`, but `rack: ra_single`
- can be used instead on any nodes which cannot be dual-homed.
-
- :::
-
- Repeat for as many racks as there are in your cluster. Each rack needs a new pair of
- BGPPeer resources with its own ToR addresses and AS number, and `nodeSelector` fields
- matching the nodes that should peer with its ToR routers.
-
- Depending on what your ToR supports, consider also setting these fields in each
- BGPPeer:
-
- - `failureDetectionMode: BFDIfDirectlyConnected` to enable BFD, when possible, for
- fast failure detection.
-
- :::note
-
- $[prodname] only supports BFD on directly connected peerings, but
- in practice nodes are normally directly connected to their ToRs.
-
- :::
-
- - `restartMode: LongLivedGracefulRestart` to enable LLGR handling when the node needs
- to be restarted, if your ToR routers support LLGR. If not, we recommend instead
- `maxRestartTime: 10s`.
-
- - `birdGatewayMode: DirectIfDirectlyConnected` to enable the "direct" next hop
- algorithm, if that is helpful for optimal interworking with your ToR routers.
-
- :::note
-
- For directly connected BGP peerings, BIRD provides two gateway
- computation modes, "direct" and "recursive".
-
- "recursive" is the default, but "direct" can give better results when the ToR
- also acts as the route reflector (RR) for the rack.
- Specifically, a combined ToR/RR should ideally keep the BGP next hop intact (aka
- "next hop keep") when reflecting routes from other nodes in the same rack, but
- add itself as the BGP next hop (aka "next hop self") when forwarding routes from
- outside the rack. If your ToRs can be configured to do that, fine.
- If they cannot, an effective workaround is to configure the ToRs to do "next hop
- keep" for all routes, with "gateway direct" on the $[prodname] nodes. In
- effect the “gateway direct” applies a “next hop self” when needed, but otherwise
- not.
-
- :::
-
-1. Prepare this BGPConfiguration resource to [disable the full node-to-node mesh](bgp.mdx#disable-the-default-bgp-node-to-node-mesh):
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: BGPConfiguration
- metadata:
- name: default
- spec:
- nodeToNodeMeshEnabled: false
- ```
-
-1. Prepare disabled IPPool resources for the CIDRs from which you will allocate stable
- addresses for dual-homed nodes. For example, if the nodes in rack 'A' will have
- stable addresses from 172.31.10.0/24:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: IPPool
- metadata:
- name: ra-stable
- spec:
- cidr: 172.31.10.0/24
- disabled: true
- nodeSelector: all()
- ```
-
- If the next rack uses a different CIDR, define a similar IPPool for that rack, and so
- on.
-
- :::note
-
- These IPPool definitions tell $[prodname]'s BGP component to export
- routes within the given CIDRs, which is essential for the core BGP infrastructure to
- learn how to route to each stable address. `disabled: true` tells $[prodname]
- _not_ to use these CIDRs for pod IPs.
-
- :::
-
-1. Prepare an enabled IPPool resource for your default CIDR for pod IPs. For example:
-
- ```yaml
- apiVersion: projectcalico.org/v3
- kind: IPPool
- metadata:
- name: default-ipv4
- spec:
- cidr: 10.244.0.0/16
- nodeSelector: all()
- ```
-
- :::note
-
- The CIDR must match what you specify elsewhere in the Kubernetes
- installation. For example, `networking.clusterNetwork.cidr` in OpenShift's install
- config, or `--pod-network-cidr` with kubeadm. You should not specify `ipipMode` or
- `vxlanMode`, as these are incompatible with dual ToR operation. `natOutgoing` can
- be omitted, as here, if your core infrastructure will perform an SNAT for traffic
- from pods to the Internet.
-
- :::
-
-1. Prepare an EarlyNetworkConfiguration resource to specify the additional information
- that is needed for each node in a multi-rack dual ToR cluster:
-
- - The stable address for the node.
- - Its BGP AS number.
- - The IPs that the node should peer with, when $[nodecontainer] runs
- as a container for early networking setup after each node boot.
- - Any labels that the node should have, so as to match the right BGPPeer definitions
- for its rack, when $[nodecontainer] runs as a Kubernetes pod.
-
-
- With OpenShift, also add a toplevel `platform: openshift` setting.
-
- :::note
-
- `platform: openshift` triggers additional per-node setup that is needed
- during OpenShift's bootstrapping phase.
-
- :::
-
- For example, with IP addresses and AS numbers similar as for other resources above:
-
- ```yaml noValidation
- apiVersion: projectcalico.org/v3
- kind: EarlyNetworkConfiguration
- spec:
- platform: openshift
- nodes:
- # worker1
- - interfaceAddresses:
- - 172.31.11.3
- - 172.31.12.3
- stableAddress:
- address: 172.31.10.3
- asNumber: 65001
- peerings:
- - peerIP: 172.31.11.100
- - peerIP: 172.31.12.100
- labels:
- rack: ra
- # worker2
- - interfaceAddresses:
- - 172.31.21.4
- - 172.31.22.4
- stableAddress:
- address: 172.31.20.4
- asNumber: 65002
- peerings:
- - peerIP: 172.31.21.100
- - peerIP: 172.31.22.100
- labels:
- rack: rb
- ...
- ```
-
-1. Prepare a ConfigMap resource named "bgp-layout", in namespace "tigera-operator", that
- wraps the EarlyNetworkConfiguration like this:
-
- ```yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: bgp-layout
- namespace: tigera-operator
- data:
- earlyNetworkConfiguration: |
- apiVersion: projectcalico.org/v3
- kind: EarlyNetworkConfiguration
- spec:
- nodes:
- # worker1
- - interfaceAddresses:
- ...
- ```
-
-:::note
-
-EarlyNetworkConfiguration supplies labels and AS numbers to apply to each
-Calico node, as well as peering and other network configuration to use during node
-startup prior to receiving BGPPeer and BGPConfiguration resources from the datastore.
-EarlyNetworkConfiguration will be superseded by any BGPPeer or BGPConfiguration
-resources after successful startup.
-
-For a full description, see [Early Network Configuration](../../reference/resources/earlynetworkconfiguration.mdx)
-:::
-
-### Arrange for dual-homed nodes to run $[nodecontainer] on each boot
-
-$[prodname]'s $[nodecontainer] image normally runs as a Kubernetes pod, but
-for dual ToR setup it must also run as a container after each boot of a dual-homed node.
-For example:
-
-```
-podman run --privileged --net=host \
- -v /calico-early:/calico-early -e CALICO_EARLY_NETWORKING=/calico-early/cfg.yaml \
- $[registry]$[imageNames.node]:latest
-```
-
-The environment variable `CALICO_EARLY_NETWORKING` must point to the
-EarlyNetworkConfiguration prepared above, so that EarlyNetworkConfiguration YAML must be
-copied into a file on the node (here, `/calico-early/cfg.yaml`) and mapped into the
-$[nodecontainer] container.
-
-We recommend defining systemd services to ensure that early networking runs on each boot,
-and before kubelet starts on the node. Following is an example that may need tweaking for
-your particular platform, but that illustrates the important points.
-
-Firstly, a "calico-early" service that runs the Calico early networking on each boot:
-
-```
-[Unit]
-Wants=network-online.target
-After=network-online.target
-After=nodeip-configuration.service
-[Service]
-ExecStartPre=/bin/sh -c "rm -f /etc/systemd/system/kubelet.service.d/20-nodenet.conf /etc/systemd/system/crio.service.d/20-nodenet.conf; systemctl daemon-reload"
-ExecStartPre=-/bin/podman rm -f calico-early
-ExecStartPre=/bin/mkdir -p /etc/calico-early
-ExecStartPre=/bin/sh -c "test -f /etc/calico-early/details.yaml || /bin/curl -o /etc/calico-early/details.yaml http://172.31.1.1:8080/calico-early/details.yaml"
-ExecStart=/bin/podman run --rm --privileged --net=host --name=calico-early -v /etc/calico-early:/etc/calico-early -e CALICO_EARLY_NETWORKING=/etc/calico-early/details.yaml $[registry]$[imageNames.node]:latest
-[Install]
-WantedBy=multi-user.target
-```
-
-:::note
-
-- You must also install your Tigera-issued pull secret at `/root/.docker/config.json`,
- on each node, to enable pulling from $[registry].
-- Some OpenShift versions have a `nodeip-configuration` service that configures
- kubelet's `--node-ip` option **wrongly** for a dual ToR setup. The
- `After=nodeip-configuration.service` setting and the deletion of `20-nodenet.conf`
- undo that service's work so that kubelet can choose its own IP correctly (using a
- reverse DNS lookup).
-- The `/bin/curl ...` line shows how you can download the EarlyNetworkConfiguration
- YAML from a central hosting point within your cluster.
-
-:::
-
-Secondly, a "calico-early-wait" service that delays kubelet until after the Calico early
-networking setup is in place:
-
-```
-[Unit]
-After=calico-early.service
-Before=kubelet.service
-[Service]
-Type=oneshot
-ExecStart=/bin/sh -c "while sleep 5; do grep -q 00000000:1FF3 /proc/net/tcp && break; done; sleep 15"
-[Install]
-WantedBy=multi-user.target
-```
-
-:::note
-
-- The `ExecStart` line here arranges that kubelet will not start running until the
- calico-early service has started listening on port 8179 (hex `1FF3`). 8179 is the
- port that the calico-early service uses for pre-Kubernetes BGP.
-- We have sometimes observed issues if kubelet starts immediately after Calico's early
- networking setup, because of NetworkManager toggling the hostname. The final `sleep 15` allows for such changes to settle down before kubelet starts.
-
-:::
-
-On OpenShift you should wrap the above service definitions in `MachineConfig` resources
-for the control and worker nodes.
-
-On other platforms either define and enable the above services directly, or use
-whatever API the platform provides to define and enable services on new nodes.
-
-### Configure your ToR routers and infrastructure
-
-You should configure your ToR routers to accept all the BGP peerings from
-$[prodname] nodes, to reflect routes between the nodes in that rack, and to
-propagate routes between the ToR routers in different racks. In addition we recommend
-consideration of the following points.
-
-BFD should be enabled if possible on all BGP sessions - both to the $[prodname]
-nodes, and between racks in your core infrastructure - so that a break in connectivity
-anywhere can be rapidly detected. The handling should be to initiate LLGR procedures if
-possible, or else terminate the BGP session non-gracefully.
-
-LLGR should be enabled if possible on all BGP sessions - again, both to the
-$[prodname] nodes, and between racks in your core infrastructure. Traditional BGP
-graceful restart should not be used, because this will delay the cluster's response to a
-break in one of the connectivity planes.
-
-### Install Kubernetes and $[prodname]
-
-Details here vary, depending on **when** your Kubernetes installer gives an opportunity
-for you to define custom resources, but fundamentally what is needed here is to perform
-the installation as usual, except that all of the Calico resources prepared above, except
-the EarlyNetworkConfiguration, must be added into the datastore **before** the
-$[nodecontainer] pods start running on any node. We can illustrate this by looking
-at two examples: with OpenShift, and when adding Calico to an existing Kubernetes cluster.
-
-**OpenShift**
-
-With OpenShift, follow [our documentation](../../getting-started/install-on-clusters/openshift/index.mdx) as
-far as the option to [provide additional configuration](../../getting-started/install-on-clusters/openshift/installation.mdx).
-Then use `kubectl create configmap ...`, as that documentation says, to combine the
-prepared BGPPeer, BGPConfiguration and IPPool resources into a `calico-resources`
-ConfigMap. Place the generated file in the manifests directory for the OpenShift install.
-
-Also place the "bgp-layout" ConfigMap file in the manifests directory.
-
-Now continue with the OpenShift install process, and it will take care of adding those
-resources into the datastore as early as possible.
-
-**Adding to an existing Kubernetes cluster**
-
-Follow [our documentation](../../getting-started/install-on-clusters/kubernetes/generic-install.mdx) as
-far as the option for installing any custom Calico resources. Then use `calicoctl`, as
-that documentation says, to install the prepared BGPPeer, BGPConfiguration and IPPool
-resources.
-
-Also use `kubectl` to install the "bgp-layout" ConfigMap.
-
-Now continue with the $[prodname] install process, and you should observe each node
-establishing BGP sessions with its ToRs.
-
-### Verify the deployment
-
-If you examine traffic and connections within the cluster - for example, using `ss` or
-`tcpdump` - you should see that all connections use loopback IP addresses or pod CIDR IPs
-as their source and destination. For example:
-
-- The kubelet on each node connecting to the API server.
-
-- The API server's connection to its backing etcd database, and peer connections between
- the etcd cluster members.
-
-- Pod connections that involve an SNAT or MASQUERADE in the data path, as can be the case
- when connecting to a Service through a cluster IP or NodePort. At the point of the
- SNAT or MASQUERADE, a loopback IP address should be used.
-
-- Direct connections between pod IPs on different nodes.
-
-The only connections using interface-specific addresses should be BGP.
-
-:::note
-
-If you plan to use [Egress Gateways](../egress/egress-gateway-on-prem.mdx) in your cluster, you must also adjust the $[nodecontainer] IP
-auto-detection method to pick up the stable IP, for example using the `interface: lo` setting
-(The default first-found setting skips over the lo interface). This can be configured via the
-$[prodname] [Installation resource](../../reference/installation/api.mdx#nodeaddressautodetection).
-
-:::
-
-If you look at the Linux routing table on any cluster node, you should see ECMP routes
-like this to the loopback address of every other node in other racks:
-
-```
-172.31.20.4/32
- nexthop via 172.31.11.250 dev eth0
- nexthop via 172.31.12.250 dev eth1
-```
-
-and like this to the loopback address of every other node in the same rack:
-
-```
-172.31.10.4/32
- nexthop dev eth0
- nexthop dev eth1
-```
-
-If you launch some pods in the cluster, you should see ECMP routes for the /26 IP blocks
-for the nodes where those pods were scheduled, like this:
-
-```
-10.244.192.128/26
- nexthop via 172.31.11.250 dev eth0
- nexthop via 172.31.12.250 dev eth1
-```
-
-If you do something to break the connectivity between racks of one of the planes, you
-should see, within only a few seconds, that the affected routes change to have a single
-path only, via the plane that is still unbroken; for example:
-
-```
-172.31.20.4/32 via 172.31.12.250 dev eth1`
-10.244.192.128/26 via 172.31.12.250 dev eth1
-```
-
-When the connectivity break is repaired, those routes should change to become ECMP again.
-
-## Additional resources
-
- - [L3 fabric designs](../../reference/architecture/design/l3-interconnect-fabric.mdx)
\ No newline at end of file
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/index.mdx
deleted file mode 100644
index 676484715b..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Networking configuration tasks for Calico Enterprise — BGP, overlay encapsulation, MTU, multiple pod networks, dual ToR, IPVS, NAT, and QoS controls.
-hide_table_of_contents: true
----
-
-# Configure Calico Enterprise networking
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/mtu.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/mtu.mdx
deleted file mode 100644
index ab660d3891..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/mtu.mdx
+++ /dev/null
@@ -1,119 +0,0 @@
----
-description: Tune the Calico Enterprise MTU on the Installation resource so pod traffic matches the underlay, accounting for VXLAN, IP-in-IP, and WireGuard overhead.
----
-
-# Configure MTU to maximize network performance
-
-## Big picture
-
-Configure the maximum transmission unit (MTU) for your $[prodname] environment.
-
-## Value
-
-Optimize network performance for workloads by configuring the MTU in $[prodname] to best suit your underlying network.
-
-Increasing the MTU can improve performance, and decreasing the MTU can resolve packet loss and fragmentation problems when it is too high.
-
-## Concepts
-
-### MTU and $[prodname] defaults
-
-The maximum transmission unit (MTU) setting determines the largest packet size that can be transmitted through your network. MTU is configured on the veth attached to each workload, and tunnel devices (if you enable IP in IP, VXLAN, or WireGuard).
-
-In general, maximum performance is achieved by using the highest MTU value that does not cause fragmentation or dropped packets on the path. Maximum bandwidth increases and CPU consumption may drop for a given traffic rate. The improvement is often more significant when pod to pod traffic is being encapsulated (IP in IP, VXLAN, or WireGuard), and splitting and combining such traffic cannot be offloaded to your NICs.
-
-By default, $[prodname] will auto-detect the correct MTU for your cluster based on node configuration and enabled networking modes. This guide explains how you can override auto-detection
-of MTU by providing an explicit value if needed.
-
-To ensure auto-detection of MTU works correctly, make sure that the correct encapsulation modes are set in your [felix configuration](../../reference/resources/felixconfig.mdx). Disable any unused encapsulations (`vxlanEnabled`, `ipipEnabled`, `wireguardEnabled` and `wireguardEnabledV6`) in your felix configuration to ensure that auto-detection can pick the optimal MTU for your cluster.
-
-## Before you begin...
-
-**Required**
-
-- Calico CNI
-
-For help on using IP in IP and/or VXLAN overlays, see [Configure overlay networking](vxlan-ipip.mdx).
-
-For help on using WireGuard encryption, see [Configure WireGuard encryption](../../compliance/encrypt-cluster-pod-traffic.mdx).
-
-## How to
-
-- [Determine MTU size](#determine-mtu-size)
-- [Configure MTU](#configure-mtu)
-- [View current tunnel MTU values](#view-current-tunnel-mtu-values)
-
-### Determine MTU size
-
-The following table lists common MTU sizes for $[prodname] environments. Because MTU is a global property of the network path between endpoints, you should set the MTU to the minimum MTU of any path that packets may take.
-
-**Common MTU sizes**
-
-| Network MTU | $[prodname] MTU | $[prodname] MTU with IP-in-IP (IPv4) | $[prodname] MTU with VXLAN (IPv4) | $[prodname] MTU with VXLAN (IPv6) | $[prodname] MTU with WireGuard (IPv4) | $[prodname] MTU with WireGuard (IPv6) |
-| ---------------------- | ---------------- | ------------------------------------- | ---------------------------------- | ---------------------------------- | -------------------------------------- | -------------------------------------- |
-| 1500 | 1500 | 1480 | 1450 | 1430 | 1440 | 1420 |
-| 9000 | 9000 | 8980 | 8950 | 8930 | 8940 | 8920 |
-| 1500 (AKS) | 1500 | 1480 | 1450 | 1430 | 1340 | 1320 |
-| 1460 (GCE) | 1460 | 1440 | 1410 | 1390 | 1400 | 1380 |
-| 9001 (AWS Jumbo) | 9001 | 8981 | 8951 | 8931 | 8941 | 8921 |
-| 1450 (OpenStack VXLAN) | 1450 | 1430 | 1400 | 1380 | 1390 | 1370 |
-
-**Recommended MTU for overlay networking**
-
-The extra overlay header used in IP in IP, VXLAN and WireGuard protocols, reduces the minimum MTU by the size of the header. (IP in IP uses a 20-byte header, IPv4 VXLAN uses a 50-byte header, IPv6 VXLAN uses a 70-byte header, IPv4 WireGuard uses a 60-byte header and IPv6 WireGuard uses an 80-byte header).
-
-When using AKS, the underlying network has an [MTU of 1400](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning#azure-and-vm-mtu), even though the network interface will have an MTU of 1500.
-WireGuard sets the Don't Fragment (DF) bit on its packets, and so the MTU for WireGuard on AKS needs to be set to 60 bytes below (or 80 bytes for IPv6) the 1400 MTU of the underlying network to avoid dropped packets.
-
-If you have a mix of WireGuard and either IP in IP or VXLAN in your cluster, you should configure the MTU to be the smallest of the values of each encap type. The reason for this is that only WireGuard encapsulation will be used between any nodes where both have WireGuard enabled, and IP in IP or VXLAN will then be used between any nodes where both do not have WireGuard enabled. This could be the case if, for example, you are in the process of installing WireGuard on your nodes.
-
-Therefore, we recommend the following:
-
-- If you use IPv4 WireGuard encryption anywhere in your pod network, configure MTU size as “physical network MTU size minus 60”.
-- If you use IPv6 WireGuard encryption anywhere in your pod network, configure MTU size as “physical network MTU size minus 80”.
-- If you don't use WireGuard, but use IPv4 VXLAN anywhere in your pod network, configure MTU size as “physical network MTU size minus 50”.
-- If you don't use WireGuard, but use IPv6 VXLAN anywhere in your pod network, configure MTU size as “physical network MTU size minus 70”.
-- If you don't use WireGuard, but use only IP in IP, configure MTU size as “physical network MTU size minus 20”
-- Set the workload endpoint MTU and the tunnel MTUs to the same value (so all paths have the same MTU)
-
-**eBPF mode**
-
-Implementation of NodePorts uses VXLAN tunnel to hand off packets from one node to another, therefore VXLAN MTU setting
-is used to set the MTUs of workloads (veths) and should be “physical network MTU size minus 50” (see above).
-
-**MTU for flannel networking**
-
-When using flannel for networking, the MTU for network interfaces should match the MTU of the flannel interface.
-
-- If using flannel with VXLAN, use the “$[prodname] MTU with VXLAN” column in the table above for common sizes.
-
-### Configure MTU
-
-:::note
-
-The updated MTU used by $[prodname] only applies to new workloads.
-
-:::
-
-For Operator installations, edit the $[prodname] operator `Installation` resource to set the `mtu`
-field in the `calicoNetwork` section of the `spec`. For example:
-
-```bash
-kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"mtu":1440}}}'
-```
-
-Similarly, for OpenShift:
-
-```bash
-oc patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"mtu":1440}}}'
-```
-
-### View current tunnel MTU values
-
-To view the current tunnel size, use the following command:
-
-`ip link show`
-
-The IP in IP tunnel appears as tunlx (for example, tunl0), along with the MTU size. For example:
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/multiple-networks.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/multiple-networks.mdx
deleted file mode 100644
index 8db6733380..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/multiple-networks.mdx
+++ /dev/null
@@ -1,249 +0,0 @@
----
-description: Add extra Calico Enterprise networks to each pod with the Multus-CNI plugin, then control access with tiered network policy on every interface.
----
-
-# Configure multiple Calico Enterprise networks on a pod
-
-## Big picture
-
-Configure a Kubernetes cluster with multiple $[prodname] networks on each pod, and enforce security using $[prodname] tiered network policy.
-
-## Value
-
-By default, you can configure only one CNI (network and pod interface) in a cluster. But many deployments require multiple networks (for example, one that is faster or more secure) for sending different types of data. $[prodname] supports configuring additional $[prodname] networks and interfaces in your pods using the Multus-CNI plugin. You can then use $[prodname] tiered policy and other features to enforce security on all of your workload traffic.
-
-## Concepts
-
-### About the Multus-CNI plugin
-
-$[prodname] uses the [Multus-CNI plugin](https://github.com/intel/multus-cni/) to create multiple $[prodname] networks and multiple pod interfaces to access these networks. This extends the default network and pod interface that comes with the Calico CNI.
-
-You install Multus on a cluster, then simply enable Multus in the $[prodname] Installation resource. Using the Multus **NetworkAttachmentDefinition**, you define the new networks and reference them as an annotation in the pod resource.
-
-### Labels, workload endpoints, and policy
-
-When you set the `MultiInterfaceMode` field to `Multus` in the Installation resource, the following network and network interface labels are automatically added to new workload endpoints.
-
-- `projectcalico.org/network`
-- `projectcalico.org/network-namespace`
-- `projectcalico.org/network-interface`
-
-You can then create $[prodname] policies using these label selectors to target specific networks or network interfaces.
-
-### Limitations
-
-**Maximum additional networks per pod**
-
-You can define a maximum of nine additional $[prodname] networks on a pod. If you add a network that exceeds the limit for the pod, networking is not configured and the pod fails to start with an associated error.
-
-**$[prodname] features**
-
-Although the following $[prodname] features are supported for your default $[prodname] network, they are not supported at this time for additional networks/network interfaces using Multus:
-
-- Floating IPs
-- Specific IPs
-- Specifying IP pools on a per-namespace or per-pod basis
-- Egress gateways
-
-## Before you begin...
-
-**Required**
-
-- Calico CNI
-
- :::note
-
- Verify that you are using the Calico Enterprise CNI. The CNI plugin used by Kubernetes for AKS, EKS, and GKE may be different, which means this feature will not work.
-
- :::
-
-- [Install Multus 3.0+ on your Kubernetes cluster](https://github.com/intel/multus-cni/)
- :::note
-
- Multus is installed on OpenShift 4.0+ clusters.
-
- :::
-
-- [Install and configure calicoctl](../../operations/clis/calicoctl/index.mdx) or configure access to [the web console](../../operations/cnx/access-the-manager.mdx)
-
-## How to
-
-1. [Configure cluster for multiple networks](#configure-cluster-for-multiple-networks)
-1. [Create a new network](#create-a-new-network)
-1. [Create a pod interface for the new network](#create-a-pod-interface-for-the-new-network)
-1. [Configure the IP pool for the network](#configure-the-ip-pool-for-the-network)
-1. [Enforce policy on the new network and pod interface](#enforce-policy-on-the-new-network-and-pod-interface)
-1. [View workload endpoints](#view-workload-endpoints)
-
-### Configure cluster for multiple networks
-
-In the [Installation custom resource](../../reference/installation/api.mdx#caliconetworkspec), set the `MultiInterfaceMode` to **Multus**.
-
-### Create a new network
-
-Create a new network using the Multus **NetworkAttachmentDefinition**, and set the following required field to `"type":"calico"`.
-
-```yaml
-apiVersion: 'k8s.cni.cncf.io/v1'
-kind: NetworkAttachmentDefinition
-metadata:
- name: additional-calico-network
-spec:
- config: '{
- "cniVersion": "0.3.1",
- "type": "calico",
- "log_level": "info",
- "datastore_type": "kubernetes",
- "mtu": 1410,
- "nodename_file_optional": false,
- "ipam": {
- "type": "calico-ipam",
- "assign_ipv4" : "true",
- "assign_ipv6" : "false"
- },
- "policy": {
- "type": "k8s"
- },
- "kubernetes": {
- "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
- }
- }'
-```
-
-### Create a pod interface for the new network
-
-Create a pod interface that specifies the new network using an annotation.
-
-In the following example, we create a pod with an additional pod interface named, `cali1`. The pod interface is attached to the network named, `additional-calico-network`, using the `k8s.v1.cni.cncf.io/networks` annotation.
-Note that all networks in `k8s.v1.cni.cncf.io/networks` are assumed to be $[prodname] networks.
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
- name: multus-test-pod-1
- namespace: default
- annotations:
- k8s.v1.cni.cncf.io/networks: additional-calico-network@cali1
-spec:
- nodeSelector:
- kubernetes.io/os: linux
- containers:
- - name: multus-test
- command: ['/bin/sh', '-c', 'trap : TERM INT; sleep infinity & wait']
- image: alpine
-```
-
-### Configure the IP pool for the network
-
-Although not required, you may want to assign IPs from specific pools to specific network interfaces. If you are using the [Calico Enterprise IPAM plugin](../../reference/component-resources/configuration.mdx#specifying-ip-pools-on-a-per-namespace-or-per-pod-basis), specify the IP pools in the **NetworkAttachmentDefinition** custom resource. For example:
-
-```
- "ipam": {
- "type": "calico-ipam",
- "assign_ipv4" : "true",
- "assign_ipv6" : "false"
- "ipv4_pools": ["10.0.0.0/24", "20.0.0.0/16", "default-ipv4-ippool"],
-},
-```
-
-### Enforce policy on the new network and pod interface
-
-When MultiInterfaceMode is set to Multus, WorkloadEndpoints are created with these labels:
-
-- `projectcalico.org/network`
-- `projectcalico.org/network-namespace`
-- `projectcalico.org/network-interface`
-
-You can use these labels to enforce policies on specific interfaces and networks using policy label selectors.
-
-:::note
-
-Prior to $[prodname] 3.0, if you were using Kubernetes datastore (kdd mode), the workload endpoint field and name suffix were always **eth0**. In 3.0, the value for workload labels may not be what you expect. Before creating policies targeting WorkloadEndpoints using the new labels, you should verify label values using the commands in [View workload endpoints](#view-workload-endpoints).
-
-:::
-
-In this policy example, we use the selector field to target all WorkloadEndpoints with the network interface of, `cali1`.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: internal-access.allow-tcp-6379
- namespace: production
-spec:
- tier: internal-access
- selector: projectcalico.org/network-interface == cali1
- types:
- - Ingress
- - Egress
- ingress:
- - action: Allow
- metadata:
- annotations:
- from: frontend
- to: database
- protocol: TCP
- source:
- selector: role == 'frontend'
- destination:
- ports:
- - 6379
- egress:
- - action: Allow
-```
-
-### View workload endpoints
-
-**In the $[prodname] web console**, go to the **WorkloadEndpoint** page to see all of the WorkloadEndpoints, including the network labels are for targeting WorkloadEndpoints with policy.
-
-**Using the CLI...**
-
-To view all WorkloadEndpoints for pods (default and new), use the following command.
-
-```
-MULTI_INTERFACE_MODE=multus calicoctl get workloadendpoints -o wide
-```
-
-```
-NAME WORKLOAD NODE NETWORKS INTERFACE PROFILES NATS
-test--bo--72vg--kadm--infra--0-k8s-multus--test--pod--1-eth0 multus-test-pod-1 bryan-bo-72vg-kadm-infra-0 192.168.53.129/32 calif887e436e8b kns.default,ksa.default.default
-test--bo--72vg--kadm--infra--0-k8s-multus--test--pod--1-net1 multus-test-pod-1 bryan-bo-72vg-kadm-infra-0 192.168.53.140/32 calim17CD6INXIX kns.default,ksa.default.default
-test--bo--72vg--kadm--infra--0-k8s-multus--test--pod--1-testiface multus-test-pod-1 bryan-bo-72vg-kadm-infra-0 192.168.53.142/32 calim27CD6INXIX kns.default,ksa.default.default
-test--bo--72vg--kadm--infra--0-k8s-multus--test--pod--1-net3 multus-test-pod-1 bryan-bo-72vg-kadm-infra-0 192.168.52.143/32 calim37CD6INXIX kns.default,ksa.default.default
-```
-
-To view specific WorkloadEndpoints, use the following command.
-
-```
-MULTI_INTERFACE_MODE=multus calicoctl get workloadendpoint test--bz--72vg--kadm--infra--0-k8s-multus--test--pod--1-net1 -o yaml
-```
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: WorkloadEndpoint
-metadata:
- creationTimestamp: '2020-05-04T22:23:05T'
- labels:
- projectcalico.org/namespace: default
- projectcalico.org/network: calico
- projectcalico.org/network-interface: net1
- projectcalico.org/network-namespace: default
- projectcalico.org/orchestrator: k8s
- projectcalico.org/serviceaccount: default
- name: test--bz--72vg--kadm--infra--0-k8s-multus--test--pod--1-net1
- namespace: default
- resourceVersion: '73572'
- uid: b9bb7482-cdb8-48d4-9ae5-58322d48391a
-spec:
- endpoint: net1
- interfaceName: calim16CD6INXIX
- ipNetworks:
- - 192.168.52.141/32
- node: bryan-bo-72vg-kadm-infra-0
- orchestrator: k8s
- pod: multus-test-pod-1
- profiles:
- - kns.default
- - ksa.default.default
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/node-local-dns-cache.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/node-local-dns-cache.mdx
deleted file mode 100644
index c81935195a..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/node-local-dns-cache.mdx
+++ /dev/null
@@ -1,69 +0,0 @@
----
-description: Run NodeLocal DNSCache alongside Calico Enterprise and write the network policy that lets pod DNS traffic reach the per-node cache.
----
-
-# Use NodeLocal DNSCache in your cluster
-
-## Big picture
-
-Set up NodeLocal DNSCache to improve DNS lookup latency.
-
-## Before you begin
-
-### Required
-
-Follow these [steps](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) to enable NodeLocal DNSCache connectivity.
-
-### Unsupported
-
-- OpenShift
-
-NodeLocal DNSCache does not support OpenShift. OpenShift has its own DNS caching mechanism which deploys CoreDNS pods as DaemonSets.
-For more information, see [OpenShift DNS setup](https://docs.openshift.com/container-platform/4.10/networking/dns-operator.html).
-
-## Create a policy to allow traffic from NodeLocal DNSCache
-
-The following is a sample network policy that allows all incoming TCP traffic (including incoming traffic from
-`node-local-dns` pods) on port 53 on `kube-dns`.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: NetworkPolicy
-metadata:
- name: default.local-dns-to-core-dns
- namespace: kube-system
-spec:
- tier: default
- selector: k8s-app == "kube-dns"
- ingress:
- - action: Allow
- protocol: TCP
- destination:
- selector: k8s-app == "kube-dns"
- ports:
- - '53'
- types:
- - Ingress
-```
-
-To refine the sources permitted by this policy, take into account that NodeLocal DNSCache pods are host networked,
-and make sure to allow traffic from the addresses of your hosts.
-If you're using encapsulation, you will need to allow connectivity from the tunnel IPs.
-
-The Tigera Operator creates policy to allow Tigera components to connect to NodeLocal DNSCache when detected.
-Felix accounts for the NodeLocal DNSCache in creating DNS Logs and enforcing DNS Policy.
-
-## Enable NodeLocal DNSCache on $[prodname] using the eBPF data plane
-
-If your $[prodname] installation uses the eBPF data plane, then you need to annotate the `kube-dns` service.
-Without this, the `kube-proxy` replacement will improperly resolve traffic going to a specific service IP.
-
-Annotate the `kube-dns` service by running the following command:
-
-```bash
-kubectl annotate service kube-dns -n kube-system projectcalico.org/natExcludeService=true
-```
-
-## Additional resources
-
-- [Blog: Optimizing Kubernetes DNS with NodeLocal DNSCache and Calico eBPF: A Practitioner’s Guide](https://www.tigera.io/blog/optimizing-kubernetes-dns-with-nodelocal-dnscache-and-calico-ebpf-a-practitioners-guide/)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/pod-mac-address.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/pod-mac-address.mdx
deleted file mode 100644
index bfed9fc5f0..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/pod-mac-address.mdx
+++ /dev/null
@@ -1,35 +0,0 @@
----
-description: Pin a chosen MAC address on a Kubernetes pod interface with the Calico Enterprise CNI plugin for cases such as MAC-bound software licenses.
----
-
-# Use a specific MAC address for a pod
-
-## Big picture
-
-Choose the MAC address for a pod instead of allowing the operating system to assign one.
-
-## Value
-
-Some applications bind software licenses to networking interface MAC addresses.
-
-## Concepts
-
-### Container MAC address
-
-The MAC address configured by the annotation described here will be visible from within the container on the eth0 interface. Since it is isolated to the container it will not collide with any other MAC addresses assigned to other pods on the same node.
-
-## Before you begin...
-
-Your cluster must be using Calico CNI to use this feature.
-
-[Configuring the Calico CNI Plugins](../../reference/component-resources/configuration.mdx)
-
-## How to
-
-Annotate the pod with cni.projectcalico.org/hwAddr set to the desired MAC address. For example:
-
-```
- "cni.projectcalico.org/hwAddr": "1c:0c:0a:c0:ff:ee"
-```
-
-The annotation must be present when the pod is created; adding it later has no effect.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/qos-controls.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/qos-controls.mdx
deleted file mode 100644
index 90862df97f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/qos-controls.mdx
+++ /dev/null
@@ -1,152 +0,0 @@
----
-description: Apply Calico Enterprise QoS controls to cap pod ingress and egress bandwidth, packet rate, and connection counts, plus DiffServ marking on egress.
----
-
-# Configure QoS Controls
-
-## Big picture
-
-Configure QoS (Quality of Service) Controls to limit ingress and/or egress bandwidth, packet rate and number of connections used by $[prodname] workloads in order to prevent them from overusing or overloading network resources.
-Additionally, it allows configuring Differentiated Services (DiffServ) on egress traffic of $[prodname] workloads and hosts.
-
-## Value
-
-With QoS controls, $[prodname] enforces network resource limits (bandwidth, packet rate, connections) for Kubernetes pods and OpenStack VMs, ensuring fair resource allocation and preventing performance degradation for other workloads.
-$[prodname] can also apply DiffServ on egress traffic to allow upstream devices to prioritise forwarding accordingly.
-
-## Prerequisites
-
-* If you use the eBPF data plane, your Linux nodes must be running kernel version 6.6 or higher in order to configure bandwidth QoS controls.
-
-## Limitations
-
-* Configuring limits for established connections is not supported on installations that use the eBPF data plane.
-
-## Concepts
-
-### Quality of Service Controls
-
-**Quality of Service** (**QoS**), in the field of computer networking, refers to traffic prioritization and resource reservation control mechanisms. It may either mean guaranteeing minimum levels of networking resources, or limiting the maximum levels of usage of networking resources in order to prevent a small number of users from excessive resource consumption, stopping others from using their fair share. For practical purposes, the latter will be considered as $[prodname] implements QoS Controls by limiting maximum levels of network resources usage.
-
-$[prodname] implements three types of QoS Controls, which can be configured using annotations on the Kubernetes pods for either ingress (traffic coming into the pod), egress (traffic going out of the pod), or both:
-1. Bandwidth: limiting the bit rate of traffic into/out of the pod
-2. Packet rate: limiting the number of packets per second that can be sent or received by the pod
-3. Number of established connections: limiting the absolute number of connections that the pod may initiate or accept
-4. Differentiated Services (DiffServ): setting Differentiated Services Code Point (DSCP) on egress traffic leaving clusters or toward hosts
-
-### Annotations
-
-On Kubernetes, $[prodname] uses [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) on pods for the configuration of QoS controls.
-
-The values of the QoS controls annotations may contain suffixes, such as `k`, `M`, `G`, `T`, `P`, or `E` to represent large numbers. Binary suffixes are also supported, for example `1Ki` represents "1024".
-
-For example, to limit egress bandwidth to 100Mbps, with a maximum burst of 200Mb:
-
-```yaml noValidation
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: my-deployment
- labels:
- app: my-app
-spec:
- replicas: 3
- template:
- metadata:
- annotations:
- qos.projectcalico.org/egressBandwidth: "100M"
- qos.projectcalico.org/egressBurst: "200M"
- spec:
- (...)
-```
-
-## How to
-
-- [Configure bandwidth limits](#configure-bandwidth-limits)
-- [Configure packet rate limits](#configure-packet-rate-limits)
-- [Configure established connection limits](#configure-established-connection-limits)
-- [Configure DiffServ](#configure-diffserv)
-
-### Configure bandwidth limits
-
-Use the annotations below to configure bandwidth and burst limits for traffic going into or coming out of the pod. Limiting the bandwidth enforces that, on average, that will be the maximum bit rate used. The burst size is the amount of data that is available instantaneously for transmission. Burst configuration is optional, if burst is not explicitly configured with an annotation, a default value of `4Gib` is used. If you configure a peak rate limit, burst traffic will not go over that limit. Otherwise, there are no limits to burst traffic.
-
-| Annotation | Description |
-|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `qos.projectcalico.org/ingressBandwidth` | Specifies the ingress bandwidth limit (in bits per second). Min value: `1k` Max value: `1P` |
-| `qos.projectcalico.org/ingressBurst` | Specifies the ingress burst size (in bits). Optional, defaults to `4Gi`. Min value: `1k` Max value: `34359738360` |
-| `qos.projectcalico.org/ingressPeakrate` | Specifies the ingress peak rate limit, i.e. the bandwidth limit during bursts (in bits per second). Optional, defaults to unlimited. Must be higher than the bandwidth limit. Min value: `1.01k` Max value: `1.01P` |
-| `qos.projectcalico.org/ingressMinburst` | Specifies the ingress minburst, i.e. the burst size for peak rate (in **bytes**). Optional, defaults to the MTU value. Min value: `1k` Max value: `100M` |
-| `qos.projectcalico.org/egressBandwidth` | Specifies the egress bandwidth limit (in bits per second). Min value: `1k` Max value: `1P` |
-| `qos.projectcalico.org/egressBurst` | Specifies the egress burst size (in bits). Optional, defaults to `4Gi`. Min value: `1k` Max value: `34359738360` |
-| `qos.projectcalico.org/egressPeakrate` | Specifies the egress peak rate limit, i.e. the bandwidth limit during bursts (in bits per second). Optional, defaults to unlimited. Must be higher than the bandwidth limit. Min value: `1.01k` Max value: `1.01P` |
-| `qos.projectcalico.org/egressMinburst` | Specifies the egress minburst, i.e. the burst size for peak rate (in **bytes**). Optional, defaults to the MTU value. Min value: `1k` Max value: `100M` |
-
-
-If the [Kubernetes bandwidth plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) annotations `kubernetes.io/ingress-bandwidth` or `kubernetes.io/egress-bandwidth` are configured and the `qos.projectcalico.org` annotations are not, they are honored and $[prodname] will configure bandwidth limits based on them. The $[prodname] specific annotations take precedence, so if both are configured, the Kubernetes annotation will be ignored. This makes upgrading from a $[prodname] version that uses the bandwidth plugin to a version with native bandwidth limiting seamless, as the behavior will remain consistent across versions (with $[prodname] replacing the functionality previously provided by the Kubernetes bandwidth plugin).
-
-One essential difference between the bandwidth plugin and $[prodname]'s implementations is that with $[prodname], the bandwidth limits take effect immediately, whereas with the bandwidth plugin the pods need to be recreated for the limits to take effect.
-
-| Annotation | Description |
-|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `kubernetes.io/ingress-bandwidth` | Kubernetes bandwidth plugin annotation for the ingress bandwidth limit (in bits per second). Ignored if `qos.projectcalico.org/ingressBandwidth` is present. Min value: `1k` Max value: `1P` |
-| `kubernetes.io/egress-bandwidth` | Kubernetes bandwidth plugin annotation for the egress bandwidth limit (in bits per second). Ignored if `qos.projectcalico.org/egressBandwidth` is present. Min value: `1k` Max value: `1P` |
-
-### Configure packet rate limits
-
-Use the annotations below to configure packet rate limits for traffic going into or coming out of the pod. Limiting the packet rate enforces that, on average, that will be the maximum rate that packets will be sent and/or received by the pod. The packet burst size is the number of packets that are available instantaneously for transmission. Packet burst configuration is optional. If packet burst is not explicitly configured with an annotation, a default value of `5` packets is used.
-
-| Annotation | Description |
-|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `qos.projectcalico.org/ingressPacketRate` | Specifies the maximum rate of ingress packets (in packets per second). Min value: `1` Max value: `10k` |
-| `qos.projectcalico.org/ingressPacketBurst` | Specifies the ingress packet burst size (in number of packets). Optional, defaults to `5`. Min value: `1` Max value: `10k` |
-| `qos.projectcalico.org/egressPacketRate` | Specifies the maximum rate of egress packets (in packets per second). Min value: `1` Max value: `10k` |
-| `qos.projectcalico.org/egressPacketBurst` | Specifies the egress packet burst size (in number of packets). Optional, defaults to `5`. Min value: `1` Max value: `10k` |
-
-### Configure established connection limits
-
-Use the annotations below to configure limits for the number of established connections into or out of a pod. Limiting the number of connections enforces that the pod cannot accept or initiate more connections that the specified limits.
-
-| Annotation | Description |
-|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `qos.projectcalico.org/ingressMaxConnections` | Specifies the maximum number of ingress connections. Min value: `1` Max value: `4294967295` |
-| `qos.projectcalico.org/egressMaxConnections` | Specifies the maximum number of egress connections. Min value: `1` Max value: `4294967295` |
-
-### Configure DiffServ
-
-Use the annotation below to set DSCP on egress traffic toward an endpoint outside cluster or another host in cluster. Unlike, other QoS controls, this annotation can also be set on a [host endpoint](../../reference/host-endpoints).
-For example, to set DSCP AF11 on a host endpoint:
-
-```yaml noValidation
-apiVersion: projectcalico.org/v3
-kind: HostEndpoint
-metadata:
- name: my-hep
- annotations:
- qos.projectcalico.org/dscp: "AF11"
- labels:
- app: my-app
-spec:
- (...)
-```
-
-| Annotation | Description |
-|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `qos.projectcalico.org/dscp` | Specifies the DSCP value of egress traffic toward an endpoint outside cluster or another host in cluster. Min value: `0` Max value: `63` String values: DF, EF, AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, CS0, CS1, CS2, CS3, CS4, CS5, CS6 |
-
-## Troubleshooting
-
-### Bandwidth is not enforced on eBPF
-
-If you use the eBPF data plane and bandwidth limits aren't being enforced, check the calico-node logs to see if `tcx` is supported by the operating system.
-`tcx` is present in the Linux kernel version 6.6 and later, and it is required for bandwidth limits to work with the eBPF data plane.
-
-The following example shows logs that indicate an unsupported kernel version:
-
-```
-$ kubectl logs -n calico-system ds/calico-node | grep tcx
-Found 4 pods, using pod/calico-node-j9z5d
-Defaulted container "calico-node" out of: calico-node, flexvol-driver (init), ebpf-bootstrap (init), install-cni (init)
-bird: libbpf: prog 'cali_tcx_test': failed to attach to tcx: Invalid argument
-2025-10-15 16:31:48.522 [INFO][81] felix/bpf_ep_mgr.go 595: tcx is not supported. Falling back to tc
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/vxlan-ipip.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/vxlan-ipip.mdx
deleted file mode 100644
index 5b1b0ed19d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/vxlan-ipip.mdx
+++ /dev/null
@@ -1,148 +0,0 @@
----
-description: Choose VXLAN or IP-in-IP overlay encapsulation in Calico Enterprise so pod traffic crosses underlay networks that don't route pod CIDRs natively.
----
-
-# Overlay networking
-
-## Big picture
-
-Enable inter workload communication across networks that are not aware of workload IPs.
-
-## Value
-
-In general, we recommend running Calico without network overlay/encapsulation. This gives you the highest performance and simplest network; the packet that leaves your workload is the packet that goes on the wire.
-
-However, selectively using overlays/encapsulation can be useful when running on top of an underlying network that cannot easily be made aware of workload IPs. A common example is if you are using Calico networking in AWS across multiple VPCs/subnets. In this case, Calico can selectively encapsulate only the traffic that is routed between the VPCs/subnets, and run without encapsulation within each VPC/subnet. You might also decide to run your entire Calico network with encapsulation as an overlay network -- as a quick way to get started without setting up BGP peering or other routing information in your underlying network.
-
-## Concepts
-
-### Routing workload IP addresses
-
-Networks become aware of workload IP addresses through layer 3 routing techniques like static routes or BGP route distribution, or layer 2 address learning. As such, they can route unencapsulated traffic to the right host for the endpoint that is the ultimate destination. However, not all networks are able to route workload IP addresses. For example, public cloud environments where you don’t own the hardware, AWS across VPC subnet boundaries, and other scenarios where you cannot peer Calico over BGP to the underlay, or easily configure static routes. This is why Calico supports encapsulation, so you can send traffic between workloads without requiring the underlying network to be aware of workload IP addresses.
-
-### Encapsulation types
-
-Calico supports two types of encapsulation: VXLAN and IP in IP. VXLAN is supported in some environments where IP in IP is not (for example, Azure). VXLAN has a slightly higher per-packet overhead because the header is larger, but unless you are running very network intensive workloads the difference is not something you would typically notice. The other small difference between the two types of encapsulation is that Calico's VXLAN implementation does not use BGP, whereas Calico's IP in IP implementation uses BGP between Calico nodes.
-
-### Cross-subnet
-
-Encapsulation of workload traffic is typically required only when traffic crosses a router that is unable to route workload IP addresses on its own. Calico can perform encapsulation on: all traffic, no traffic, or only on traffic that crosses a subnet boundary.
-
-## Before you begin
-
-**Required**
-
-- Calico CNI
-
-**Not supported**
-
-- Calico for OpenStack (i.e. when Calico is used as the Neutron plugin)
-
-**Limitations**
-
-- IP in IP supports only IPv4 addresses
-- VXLAN in IPv6 is only supported for kernel versions ≥ 4.19.1 or redhat kernel version ≥ 4.18.0
-
-## How to
-
-- [Configure default IP pools at install time](#configure-default-ip-pools-at-install-time)
-- [Configure IP in IP encapsulation for only cross-subnet traffic](#configure-ip-in-ip-encapsulation-for-only-cross-subnet-traffic)
-- [Configure IP in IP encapsulation for all inter workload traffic](#configure-ip-in-ip-encapsulation-for-all-inter-workload-traffic)
-- [Configure VXLAN encapsulation for only cross-subnet traffic](#configure-vxlan-encapsulation-for-only-cross-subnet-traffic)
-- [Configure VXLAN encapsulation for all inter workload traffic](#configure-vxlan-encapsulation-for-all-inter-workload-traffic)
-
-### IPv4/6 address support
-
-IP in IP supports only IPv4 addresses.
-
-### Best practice
-
-Calico has an option to selectively encapsulate only traffic that crosses subnet boundaries. We recommend using the **cross-subnet** option with IP in IP or VXLAN to minimize encapsulation overhead. Cross-subnet mode provides better performance in AWS multi-AZ deployments, Azure VNets, and on networks where routers are used to connect pools of nodes with L2 connectivity.
-
-Be aware that switching encapsulation modes can cause disruption to in-progress connections. Plan accordingly.
-
-### Configure default IP pools at install time
-
-Default IP pools are configured at install-time automatically by Calico.
-
-For operator managed clusters, you can configure encapsulation in the IP pools section of the default Installation. For example, the following installation snippet will enable VXLAN across subnets.
-
-```yaml
-kind: Installation
-apiVersion: operator.tigera.io/v1
-metadata:
- name: default
-spec:
- calicoNetwork:
- ipPools:
- - cidr: 192.168.0.0/16
- encapsulation: VXLANCrossSubnet
-```
-
-### Configure IP in IP encapsulation for only cross-subnet traffic
-
-IP in IP encapsulation can be performed selectively, and only for traffic crossing subnet boundaries.
-
-To enable this feature, set `ipipMode` to `CrossSubnet`.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: ippool-ipip-cross-subnet-1
-spec:
- cidr: 192.168.0.0/16
- ipipMode: CrossSubnet
- natOutgoing: true
-```
-
-### Configure IP in IP encapsulation for all inter workload traffic
-
-With `ipipMode` set to `Always`, Calico routes traffic using IP in IP for all traffic originating from a Calico enabled-host, to all Calico networked containers and VMs within the IP pool.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: ippool-ipip-1
-spec:
- cidr: 192.168.0.0/16
- ipipMode: Always
- natOutgoing: true
-```
-
-### Configure VXLAN encapsulation for only cross subnet traffic
-
-VXLAN encapsulation can be performed selectively, and only for traffic crossing subnet boundaries.
-
-To enable this feature, set `vxlanMode` to `CrossSubnet`.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: ippool-vxlan-cross-subnet-1
-spec:
- cidr: 192.168.0.0/16
- vxlanMode: CrossSubnet
- natOutgoing: true
-```
-
-### Configure VXLAN encapsulation for all inter workload traffic
-
-With `vxlanMode` set to `Always`, Calico routes traffic using VXLAN for all traffic originating from a Calico enabled host, to all Calico networked containers and VMs within the IP pool.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: ippool-vxlan-1
-spec:
- cidr: 192.168.0.0/16
- vxlanMode: Always
- natOutgoing: true
-```
-
-## Additional resources
-
-For details on IP pool resource options, see [IP pool](../../reference/resources/ippool.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/workloads-outside-cluster.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/workloads-outside-cluster.mdx
deleted file mode 100644
index 750d880f25..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/configuring/workloads-outside-cluster.mdx
+++ /dev/null
@@ -1,70 +0,0 @@
----
-description: Configure NAT outgoing on Calico Enterprise IP pools so pod traffic destined outside the cluster is source-NATed to the node IP.
----
-
-# Configure outgoing NAT
-
-## Big picture
-
-Configure $[prodname] networking to perform outbound NAT for connections from pods to outside of the cluster. $[prodname] optionally source NATs the pod IP to the node IP.
-
-## Value
-
-The $[prodname] NAT outbound connection option is flexible; it can be enabled, disabled, and applied to $[prodname] IP pools with public IPs, private IPs, or a specific range of IP addresses. This article describes some use cases for enabling and disabling outgoing NAT.
-
-## Concepts
-
-### $[prodname] IP pools and NAT
-
-When a pod with an IP address in the pool initiates a network connection to an IP address to outside of $[prodname]’s IP pools, the outgoing packets will have their source IP address changed from the pod IP address to the node IP address using SNAT (Source Network Address Translation). Any return packets on the connection automatically get this change reversed before being passed back to the pod.
-
-### Enable NAT: for pods with IP addresses that are not routable beyond the cluster
-
-A common use case for enabling NAT outgoing, is to allow pods in an overlay network to connect to IP addresses outside of the overlay, or pods with private IP addresses to connect to public IP addresses outside the cluster/the internet (subject to network policy allowing the connection, of course). When NAT is enabled, traffic is NATed from pods in that pool to any destination outside of all other $[prodname] IP pools.
-
-### Disable NAT: For on-premises deployments using physical infrastructure
-
-If you choose to implement $[prodname] networking with [BGP peered with your physical network infrastructure](bgp.mdx), you can use your own infrastructure to NAT traffic from pods to the internet. In this case, you should disable the $[prodname] `natOutgoing` option. For example, if you want your pods to have public internet IPs, you should:
-
-- Configure $[prodname] to peer with your physical network infrastructure
-- Create an IP pool with public IP addresses for those pods that are routed to your network with NAT disabled (`nat-outgoing: false`)
-- Verify that other network equipment does not NAT the pod traffic
-
-## Before you begin
-
-**Required**
-
-- Calico CNI
-
-## How to
-
-- [Create an IP pool with NAT outgoing enabled](#create-an-ip-pool-with-nat-outgoing-enabled)
-- [Use additional IP pools to specify addresses that can be reached without NAT](#use-additional-ip-pools-to-specify-addresses-that-can-be-reached-without-nat)
-
-### Create an IP pool with NAT outgoing enabled
-
-In the following example, we create a $[prodname] IPPool with natOutgoing enabled. Outbound NAT is performed locally on the node where each workload in the pool is hosted.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: default-ipv4-ippool
-spec:
- cidr: 192.168.0.0/16
- natOutgoing: true
-```
-
-### Use additional IP pools to specify addresses that can be reached without NAT
-
-Because $[prodname] performs outgoing NAT only when connecting to an IP address that is not in a $[prodname] IPPool, you can create additional IPPools that are not used for pod IP addresses, but prevent NAT to certain CIDR blocks. This is useful if you want nodes to NAT traffic to the internet, but not to IPs in certain internal ranges. For example, if you did not want to NAT traffic from pods to 10.0.0.0/8, you could create the following pool. You must ensure that the network between the cluster and 10.0.0.0/8 can route pod IPs.
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: no-nat-10.0.0.0-8
-spec:
- cidr: 10.0.0.0/8
- disabled: true
-```
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/determine-best-networking.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/determine-best-networking.mdx
deleted file mode 100644
index 5bcaeff399..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/determine-best-networking.mdx
+++ /dev/null
@@ -1,263 +0,0 @@
----
-description: Compare networking choices in Calico Enterprise — overlay versus non-overlay, BGP, CNI, and IPAM — to land on the right configuration for your cluster.
----
-
-# Determine best networking option
-
-## Big picture
-
-Learn about the different networking options $[prodname] supports so you can choose the best option for your needs.
-
-## Value
-
-$[prodname]’s flexible modular architecture supports a wide range of deployment options, so you can select the best networking approach for your specific environment and needs. This includes the ability to run with a variety of CNI and IPAM plugins, and underlying network types, in non-overlay or overlay modes, with or without BGP.
-
-## Concepts
-
-If you want to fully understand the network choices available to you, we recommend you make sure you are familiar with and understand the following concepts. If you would prefer to skip the learning and get straight to the choices and recommendations, you can jump ahead to [Networking Options](#networking-options).
-
-### Kubernetes networking basics
-
-The Kubernetes network model defines a “flat” network in which:
-
-- Every pod get its own IP address.
-- Pods on any node can communicate with all pods on all other nodes without NAT.
-
-This creates a clean, backwards-compatible model where pods can be treated much like VMs or physical hosts from the perspectives of port allocation, naming, service discovery, load balancing, application configuration, and migration. Network segmentation can be defined using network policies to restrict traffic within these base networking capabilities.
-
-Within this model there’s quite a lot of flexibility for supporting different networking approaches and environments. The details of exactly how the network is implemented depend on the combination of CNI, network, and cloud provider plugins being used.
-
-### CNI plugins
-
-CNI (Container Network Interface) is a standard API which allows different network implementations to plug into Kubernetes. Kubernetes calls the API any time a pod is being created or destroyed. There are two types of CNI plugins:
-
-- CNI network plugins: responsible for adding or deleting pods to/from the Kubernetes pod network. This includes creating/deleting each pod’s network interface and connecting/disconnecting it to the rest of the network implementation.
-- CNI IPAM plugins: responsible for allocating and releasing IP addresses for pods as they are created or deleted. Depending on the plugin, this may include allocating one or more ranges of IP addresses (CIDRs) to each node, or obtaining IP addresses from an underlying public cloud’s network to allocate to pods.
-
-### Cloud provider integrations
-
-Kubernetes cloud provider integrations are cloud-specific controllers that can configure the underlying cloud network to help provide Kubernetes networking. Depending on the cloud provider, this could include automatically programming routes into the underlying cloud network so it knows natively how to route pod traffic.
-
-### kubenet
-
-kubenet is an extremely basic network plugin built into Kubernetes. It does not implement cross-node networking or network policy. It is typically used together with a cloud provider integration that sets up routes in the cloud provider network for communication between nodes, or in single node environments. kubenet is not compatible with $[prodname].
-
-### Overlay networks
-
-An overlay network is a network that is layered on top of another network. In the context of Kubernetes, an overlay network can be used to handle pod-to-pod traffic between nodes on top of an underlying network that is not aware of pod IP addresses or which pods are running on which nodes. Overlay networks work by encapsulating network packets that an underlying network doesn’t know how to handle (for example using pod IP addresses) within an outer packet which the underlying network does know how to handle (for example node IP addresses). Two common network protocols used for encapsulation are VXLAN and IP-in-IP.
-
-The main advantage of using an overlay network is that it reduces dependencies on the underlying network. For example, you can run a VXLAN overlay on top of almost any underlying network, without needing to integrate with or make any changes to the underlying network.
-
-The main disadvantages of using an overlay network are:
-
-- A slight performance impact. The process of encapsulating packets takes a small amount of CPU, and the extra bytes required in the packet to encode the encapsulation (VXLAN or IP-in-IP headers) reduces the maximum size of inner packet that can be sent, which in turn can mean needing to send more packets for the same amount of total data.
-- The pod IP addresses are not routable outside of the cluster. More on this below!
-
-### Cross-subnet overlays
-
-In addition to standard VXLAN or IP-in-IP overlays, $[prodname] also supports “cross-subnet” modes for VXLAN and IP-in-IP. In this mode, within each subnet, the underlying network acts as an L2 network. Packets sent within a single subnet are not encapsulated, so you get the performance of a non-overlay network. Packets sent across subnets are encapsulated, like a normal overlay network, reducing dependencies on the underlying network (without the need to integrate with or make any changes to the underlying network).
-
-Just like with a standard overlay network, the underlying network is not aware of pod IP addresses and the pod IP addresses are not routable outside of the cluster.
-
-### Pod IP routability outside of the cluster
-
-An important distinguishing feature of different Kubernetes network implementations is whether or not pod IP addresses are routable outside of the cluster across the broader network.
-
-**Not routable**
-
-If the pod IP addresses are not routable outside of the cluster then when a pod tries to establish a network connection to an IP address that is outside of the cluster, Kubernetes uses a technique called SNAT (Source Network Address Translation) to change the source IP address from the IP address of the pod, to the IP address of the node hosting the pod. Any return packets on the connection get automatically mapped back to the pod IP address. So the pod is unaware the SNAT is happening, the destination for the connection sees the node as the source of the connection, and the underlying broader network never sees pod IP addresses.
-
-For connections in the opposite direction, where something outside of the cluster needs to connect to a pod, this can only be done via Kubernetes services or Kubernetes ingress. Nothing outside of the cluster can directly connect to a pod IP address, because the broader network doesn’t know how to route packets to pod IP addresses.
-
-**Routable**
-
-If the pod IP addresses are routable outside of the cluster then pods can connect to the outside world without SNAT, and the outside world can connect directly to pods without going via a Kubernetes service or Kubernetes ingress.
-
-The advantage of pod IP addresses that are routable outside the cluster are:
-
-- Avoiding SNAT for outbound connections may be essential for integrating with existing broader security requirements. It can also simplify debugging and understandability of operation logs.
-- If you have specialized workloads that mean some pods need to be directly accessible without going via Kubernetes services or Kubernetes ingress, then routable pod IPs can be operationally simpler than the alternative of using host networked pods.
-
-The main disadvantage of pod IP addresses that are routable outside the cluster is that the pod IPs must be unique across the broader network. So for example, if running multiple clusters you will need to use a different IP address range (CIDR) for pods in each cluster. This in turn can lead to IP address range exhaustion challenges when running at scale, or if there are other significant existing enterprise demands on IP address space.
-
-**What determines routability?**
-
-If you are using an overlay network for your cluster, then pod IPs are not normally routable outside of the cluster.
-
-If you aren’t using an overlay network, then whether pod IPs are routable outside of the cluster depends on what combination of CNI plugins, cloud provider integrations, or (for on-prem) BGP peering with the physical network, is being used.
-
-### BGP
-
-BGP (Border Gateway Protocol) is a standards based networking protocol for sharing routes across a network. It’s one of the fundamental building blocks of the internet, with exceptional scaling characteristics.
-
-$[prodname] has built in support for BGP. In an on-prem deployment, this allows $[prodname] to peer with the physical network (typically to Top of Rack routers) to exchange routes, making a non-overlay network where pod IP addresses routable across the broader network, just like any other workload attached to the network.
-
-## About $[prodname] Networking
-
-$[prodname]’s flexible modular architecture for networking includes the following.
-
-**$[prodname] CNI network plugin**
-
-The $[prodname] CNI network plugin connects pods to the host network namespace’s L3 routing using a pair of virtual Ethernet devices (veth pair). This L3 architecture avoids the unnecessary complexity and performance overheads of additional L2 bridges that feature in many other Kubernetes networking solutions.
-
-**$[prodname] CNI IPAM plugin**
-
-The $[prodname] CNI IPAM plugin allocates IP addresses for pods out of one or more configurable IP address ranges, dynamically allocating small blocks of IPs per node as required. The result is a more efficient IP address space usage compared to many other CNI IPAM plugins, including the host local IPAM plugin which is used in many networking solutions.
-
-**Overlay network modes**
-
-$[prodname] can provide both VXLAN or IP-in-IP overlay networks, including cross-subnet only modes.
-
-**Non-overlay network modes**
-
-$[prodname] can provide non-overlay networks running on top of any underlying L2 network, or an L3 network that is either a public cloud network with appropriate cloud provider integration, or a BGP capable network (typically an on-prem network with standard Top-of-Rack routers).
-
-**Network policy enforcement**
-
-$[prodname]’s network policy enforcement engine implements the full range of Kubernetes Network Policy features, plus the extended features of $[prodname] Network Policy. This works in conjunction with $[prodname]’s built in networking modes, or any other $[prodname] compatible network plugins and cloud provider integrations.
-
-## $[prodname] compatible CNI plugins and cloud provider integrations
-
-In addition to the $[prodname] CNI plugins and built in networking modes, $[prodname] is also compatible with a number of third party CNI plugins and cloud provider integrations.
-
-**Amazon VPC CNI**
-
-The Amazon VPC CNI plugin allocates pod IPs from the underlying AWS VPC and uses AWS elastic network interfaces to provide VPC native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Amazon EKS](https://aws.amazon.com/eks/), with Calico for network policy enforcement.
-
-**Azure CNI**
-
-The Azure CNI plugin allocates pod IPs from the underlying Azure VNet configures the Azure virtual network to provide VNet native pod networking (pod IPs that are routable outside of the cluster). It is the default networking used in [Microsoft AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy enforcement.
-
-**Azure cloud provider**
-
-The Azure cloud provider integration can be used as an alternative to the Azure CNI plugin. It uses the host-local IPAM CNI plugin to allocate pod IPs, and programs the underlying Azure VNet subnet with corresponding routes. Pod IPs are only routable within the VNet subnet (which often equates to meaning they are not routable outside of the cluster).
-
-**Google cloud provider**
-
-The Google cloud provider integration uses host-local IPAM CNI plugin to allocate pod IPs, and programs the Google cloud network Alias IP ranges to provide VPC native pod networking on Google cloud (pod IPs that are routable outside of the cluster). It is the default for Google Kubernetes Engine (GKE), with Calico for network policy enforcement.
-
-**Host local IPAM**
-
-The host local CNI IPAM plugin is a commonly used IP address management CNI plugin, which allocates a fixed size IP address range (CIDR) to each node, and then allocates pod IP addresses from within that range. The default address range size is 256 IP addresses (a /24), though two of those IP addresses are reserved for special purposes and not assigned to pods. The simplicity of host local CNI IPAM plugin makes it easy to understand, but results in less efficient IP address space usage compared to $[prodname] CNI IPAM plugin.
-
-## Networking options
-
-### On-prem
-
-The most common network setup for $[prodname] on-prem is non-overlay mode using [BGP to peer](configuring/bgp.mdx) with the physical network (typically top of rack routers) to make pod IPs routable outside of the cluster. (You can of course configure the rest of your on-prem network to limit the scope of pod IP routing outside of the cluster if desired.) This setup provides a rich range of advanced $[prodname] features, including the ability to advertise Kubernetes service IPs (cluster IPs or external IPs), and the ability to control IP address management at the pod, namespace, or node level, to support a wide range of possibilities for integrating with existing enterprise network and security requirements.
-
-
-
-If peering BGP to the physical network is not an option, you can also run non-overlay mode if the cluster is within a single L2 network, with Calico just peering BGP between the nodes in the cluster. Even though this is not strictly an overlay network, the pod IPs are not routable outside of the cluster, because the broader network does not have routes for the pod IPs.
-
-
-
-Alternatively you can run $[prodname] in either VXLAN or IP-in-IP overlay mode, with cross-subnet overlay mode to optimize performance within each L2 subnet.
-
-_Recommended:_
-
-
-
-_Alternative:_
-
-
-
-### AWS
-
-If you would like pod IP addresses to be routable outside of the cluster then you must use the Amazon VPC CNI plugin. This is the default networking mode for [EKS](https://aws.amazon.com/eks/), with Calico for network policy. Pod IP addresses are allocated from the underlying VPC and the maximum number of pods per node is dependent on the [instance type](https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation).
-
-
-
-If you prefer to avoid dependencies on a specific cloud provider, or allocating pod IPs from the underlying VPC is problematic due to IP address range exhaustion challenges, or if the maximum number of pods supported per node by the Amazon VPC CNI plugin is not sufficient for your needs, we recommend using $[prodname] networking in cross-subnet overlay mode. Pod IPs will not be routable outside of the cluster, but you can scale the cluster up to the limits of Kubernetes with no dependencies on the underlying cloud network.
-
-
-
-You can learn more about Kubernetes Networking on AWS, including how each of the above options works under the covers, in this short video: [Everything you need to know about Kubernetes networking on AWS](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-pod-networking-on-aws/).
-
-### Azure
-
-If you would like pod IP addresses to be routable outside of the cluster then you must use the Azure CNI plugin. This is supported by [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service/), with Calico for network policy. Pod IP addresses are allocated from the underlying VNet.
-
-
-
-Alternatively you can run $[prodname] in Azure CNI overlay mode.
-
-
-
-If you are using AKS and prefer to avoid dependencies on a specific cloud provider or allocating pod IPs from the underlying VNet is problematic due to IP address range exhaustion challenges, we recommend using $[prodname] networking in cross-subnet overlay mode. Pod IPs will not be routable outside of the cluster, but you can scale the cluster up to the limits of Kubernetes with no dependencies on the underlying cloud network.
-
-
-
-You can learn more about Kubernetes Networking on Azure, including how each of the above options works under the covers, in this short video: [Everything you need to know about Kubernetes networking on Azure](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-networking-on-azure/).
-
-### Google Cloud
-
-If you would like pod IP addresses to be routable outside of the cluster then you must use the Google cloud provider integration in conjunction with host-local IPAM CNI plugin. This is supported by [GKE](https://cloud.google.com/kubernetes-engine), with Calico for network policy. Pod IP addresses are allocated from the underlying VPC, and corresponding Alias IP addresses are automatically assigned to nodes.
-
-
-
-If you prefer to avoid dependencies on a specific cloud provider, or allocating pod IPs from the underlying VPC is problematic due to IP address range exhaustion challenges, we recommend using $[prodname] networking in overlay mode. As Google cloud network is a pure L3 network, cross-subnet mode is not supported. Pod IPs will not be routable outside of the cluster, but you can scale the cluster up to the limits of Kubernetes with no dependencies on the underlying cloud network.
-
-_Recommended:_
-
-
-
-_Alternative:_
-
-
-
-You can learn more about Kubernetes Networking on Google cloud, including how each of the above options works under the covers, in this short video: [Everything you need to know about Kubernetes networking on Google cloud](https://www.projectcalico.org/everything-you-need-to-know-about-kubernetes-networking-on-google-cloud/).
-
-### Anywhere
-
-The above list of environments is obviously not exhaustive. Understanding the concepts and explanations in this guide has hopefully helped you figure out what is right for your environment. If you still aren't sure then you can ask for advice through the Calico Users's Slack or Discourse forum. And remember you can run Calico in VXLAN overlay mode in almost any environment if you want to get started without worrying too deeply about the different options.
-
-
-
-## Additional resources
-
-- [Video playlist: Everything you need to know about Kubernetes networking](https://www.youtube.com/playlist?list=PLoWxE_5hnZUZMWrEON3wxMBoIZvweGeiq)
-- [Configure BGP peering](configuring/bgp.mdx)
-- [Configure overlay networking](configuring/vxlan-ipip.mdx)
-- [Advertise Kubernetes service IP addresses](configuring/advertise-service-ips.mdx)
-- [Customize IP address management](ipam/index.mdx)
-- [Restrict a pod to use an IP address in a specific range](ipam/legacy-firewalls.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-aws.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-aws.mdx
deleted file mode 100644
index 17853b3582..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-aws.mdx
+++ /dev/null
@@ -1,1175 +0,0 @@
----
-description: Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use VPC subnet IPs visible to the AWS fabric.
----
-
-# Configure egress gateways, AWS
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-## Big picture
-
-Control the source IP address seen by external services/appliances by routing the traffic from certain pods
-through egress gateways. Use native VPC subnet IP addresses for the egress gateways so that the IPs are valid in the AWS fabric.
-
-## Value
-
-Controlling the source IP seen when traffic leaves the cluster allows groups of pods to be identified
-by external firewalls, appliances and services (even as the groups are scaled up/down or pods restarted).
-$[prodname] controls the source IP by directing traffic through one or more "egress gateway" pods, which
-change the source IP of the traffic to their own IP. The egress gateways used can be chosen at the pod or namespace
-scope allowing for flexibility in how the cluster is seen from outside.
-
-In AWS, egress gateway source IP addresses are chosen from an IP pool backed by a [VPC subnet](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html)
-using $[prodname] IPAM. $[prodname] IPAM allows the IP addresses to be precisely controlled, this allows
-for static configuration of external appliances. Using an IP pool backed by a VPC subnet allows $[prodname] to
-configure the AWS fabric to route traffic to and from the egress gateway using its own IP address.
-
-## Concepts
-
-### CIDR notation
-
-This article assumes that you are familiar with network masks and CIDR notation.
-
-- CIDR notation is defined in [RFC4632](https://datatracker.ietf.org/doc/html/rfc4632).
-- The [Wikipedia article on CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
- provides a good reference.
-
-### AWS-backed IP pools
-
-$[prodname] supports IP pools that are backed by the AWS fabric. Workloads that use an IP address from an
-AWS-backed pool can communicate on the AWS network using their own IP address and AWS will route their traffic
-to/from their host without changing the IP address.
-
-Pods that use an IP address from an AWS-backed pool may also be [assigned an AWS Elastic IP via a pod annotation](#add-aws-elastic-ips-to-the-egress-gateway-deployment)
-. Elastic IPs used in this
-way have the normal AWS semantics: when accessing resources inside the AWS network, the workload's private IP
-(from the IP pool) is used. When accessing resources outside the AWS network, AWS translates the workload's IP to
-the Elastic IP. Elastic IPs also allow for incoming requests from outside the AWS fabric, direct to the workload.
-
-In overview, the AWS-backed IP Pools feature works as follows:
-
-- An IP pool is created with its `awsSubnetID` field set to the ID of a VPC subnet. This "AWS-backed" IP pool's
- CIDR must be contained within the VPC subnet's CIDR.
-
- :::caution
-
- You must ensure that the CIDR(s) used for AWS-backed IP pool(s) are reserved in the AWS fabric.
- For example, by creating a dedicated VPC subnet for $[prodname]. If the CIDR is not reserved; both
- $[prodname] and AWS may try to assign the same IP address, resulting in a conflict.
-
- :::
-
-- Since they are a limited resource, $[prodname] IPAM does not use AWS-backed pools by default. To request an
- AWS-backed IP address, a pod must have a resource request:
-
- ```yaml noValidation
- spec:
- containers:
- - ...
- resources:
- requests:
- projectcalico.org/aws-secondary-ipv4: 1
- limits:
- projectcalico.org/aws-secondary-ipv4: 1
- ```
-
- $[prodname] manages the `projectcalico.org/aws-secondary-ipv4` capacity on the Kubernetes Node resource,
- ensuring that Kubernetes will not try to schedule too many AWS-backed workloads to the same node. Only AWS-backed
- pods are limited in this way; there is no limit on the number of non-AWS-backed pods.
-
-- When the CNI plugin spots such a resource request, it will choose an IP address from an AWS-backed pool. Only
- pools with VPC subnets in the availability zone of the host are considered.
-
-- When Felix, $[prodname]'s per-host agent spots a local workload with an AWS-backed address it tries to ensure
- that the IP address of the workload is assigned to the host in the AWS fabric. If need be, it will create a
- new [secondary ENI](#secondary-elastic-network-interfaces-enis) device and attach it to the host to house the IP address.
- Felix supports two modes for assigning secondary ENIs: **ENI-per-workload** mode (added in v3.13) and
- **Secondary-IP-per-workload** mode. These modes are described [below](#secondary-elastic-network-interfaces-enis).
-
-- If the pod has one or more AWS Elastic IPs listed in the `cni.projectcalico.org/awsElasticIPs` pod annotation,
- Felix will try to ensure that _one_ of the Elastic IPs is assigned to the pod's private IP address in the AWS fabric.
- (Specifying multiple Elastic IPs is useful for multi-pod deployments; ensuring that each pod in the deployment
- gets one of the IPs.)
-
-### Egress gateway
-
-An egress gateway acts as a transit pod for the outbound application traffic that is configured to
-use it. As traffic leaving the cluster passes through the egress gateway, its source IP is changed
-to that of the egress gateway pod, and the traffic is then forwarded on.
-
-### Source IP
-
-When an outbound application flow leaves the cluster, its IP packets will have a source IP.
-This begins as the pod IP of the pod that originated the flow, then:
-
-- _If no egress gateway is configured_ and the pod IP came from an [IP pool](../../reference/resources/ippool.mdx)
- with `natOutgoing: true`, the node hosting the pod will change the source IP to its own as the
- traffic leaves the host. This allows the pod to communicate with external service even though the
- external network is unaware of the pod's IP.
-
-- _If the pod is configured with an egress gateway_, the traffic is first forwarded to the egress gateway, which
- changes the source IP to its own and then sends the traffic on. To function correctly, egress gateways
- should have IPs from an IP pool with `natOutgoing: false`, meaning their host forwards the packet onto
- the network without changing the source IP again. Since the egress gateway's IP is visible to
- the underlying network fabric, the fabric must be configured to know about the egress gateway's
- IP and to send response traffic back to the same host.
-
-### AWS VPCs and subnets
-
-An AWS VPC is a virtual network that is, by default, logically isolated from other VPCs. Each VPC has one or more
-(often large) CIDR blocks associated with it (for example `10.0.0.0/16`). In general, VPC CIDRs may overlap, but only
-if the VPCs remain isolated. AWS allows VPCs to be peered with each other through VPC Peerings. VPCs can only be
-peered if _none_ of their associated CIDRs overlap.
-
-Each VPC has one or more VPC subnets associated with it, each subnet owns a non-overlapping part of one of the
-VPC's CIDR blocks. Each subnet is associated with a particular availability zone. Instances in one availability
-zone can only use IP addresses from subnets in that zone. Unfortunately, this adds some complexity to managing
-egress gateways IP addresses: much of the configuration must be repeated per-AZ.
-
-### AWS VPC and DirectConnect peerings
-
-AWS [VPC Peerings](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html) allow multiple VPCs to be
-connected together. Similarly, [DirectConnect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html)
-allows external datacenters to be connected to an AWS VPC. Peered VPCs and datacenters communicate using private IPs
-as if they were all on one large private network.
-
-By using AWS-backed IP pools, egress gateways can be assigned private IPs allowing them to communicate without NAT
-within the same VPC, with peered VPCs, and, with peered datacenters.
-
-### Secondary Elastic Network Interfaces (ENIs)
-
-Elastic network interfaces are network interfaces that can be added and removed from an instance dynamically. Each
-ENI has a primary IP address from the VPC subnet that it belongs to, and it may also have one or more secondary IP
-addresses, chosen for the same subnet. While the primary IP address is fixed and cannot be changed, the secondary
-IP addresses can be added and removed at runtime.
-
-To arrange for AWS to route traffic to and from egress gateways, $[prodname] adds _secondary_ Elastic
-Network Interfaces (ENIs) to the host. $[prodname] supports two modes for provisioning the
-secondary ENIs. The table below describes the trade-offs between **ENI-per-workload** and **Secondary-IP-per-workload**
-modes:
-
-| **ENI-per-workload** (since v3.13) | **Secondary-IP-per-workload** |
-| ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
-| One secondary ENI is attached for each AWS-backed workload. | Secondary ENIs are shared, multiple workloads per ENI. |
-| Supports one AWS-backed workload per secondary ENI. | Supports 2-49 AWS-backed workloads per secondary ENI (depending on instance type). |
-| ENI Primary IP is set to Workload's IP. | ENI Primary IP chosen from dedicated "host secondary" IP pools. |
-| Makes best use of AWS IP space, no need to reserve IPs for hosts. | Requires "host secondary" IPs to be reserved. These cannot be used for workloads. |
-| ENI deleted when workload deleted. | ENI retained (ready for next workload to be scheduled). |
-| Slower to handle churn/workload mobility. (Creating ENI is slower than assigning IP.) | Faster at handling churn/workload mobility. |
-
-The number of ENIs that an instance can support and the number of secondary IPs that each ENI can support depends on
-the instance type according to [this table](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI).
-Note: the table lists the total number of network interfaces and IP addresses but the first interface on the host (the
-primary interface) and, in Secondary-IP-per-workload mode, the first IP of each interface (its primary IP) cannot be
-used for egress gateways.
-
-The primary interface cannot be used for egress gateways because it belongs to the VPC subnet that is
-in use for Kubernetes hosts; this means that a planned egress gateway IP could get used by AWS as the primary IP of
-an instance (for example when scaling up the cluster).
-
-## Before you begin
-
-**Required**
-
-- Calico CNI
-- Open port UDP 4790 on the host
-
-**Not Supported**
-
-- Amazon VPC CNI
-- Windows
-
- $[prodname] CNI and IPAM is required. The ability to control the egress gateway’s IP is a feature of $[prodname] CNI and IPAM. AWS VPC CNI does not support that feature, so it is incompatible with egress gateways.
-
-## How to
-
-- [Configure IP autodetection](#configure-ip-autodetection)
-- [Ensure Kubernetes VPC has free CIDR range](#ensure-kubernetes-vpc-has-free-cidr-range)
-- [Create dedicated VPC subnets](#create-dedicated-vpc-subnets)
-- [Configure AWS IAM roles](#configure-aws-iam-roles)
-- [Configure IP reservations for each VPC subnet](#configure-ip-reservations-for-each-vpc-subnet)
-- [Enable egress gateway support](#enable-egress-gateway-support)
-- [Enable AWS-backed IP pools](#enable-aws-backed-ip-pools)
-- [Configure IP pools backed by VPC subnets](#configure-ip-pools-backed-by-vpc-subnets)
-- [Deploy a group of egress gateways](#deploy-a-group-of-egress-gateways)
-- [Configure iptables backend for egress gateways](#configure-iptables-backend-for-egress-gateways)
-- [Configure namespaces and pods to use egress gateways](#configure-namespaces-and-pods-to-use-egress-gateways)
-- [Optionally enable ECMP load balancing](#optionally-enable-ecmp-load-balancing)
-- [Verify the feature operation](#verify-the-feature-operation)
-- [Control the use of egress gateways](#control-the-use-of-egress-gateways)
-- [Policy enforcement for flows via an egress gateway](#policy-enforcement-for-flows-via-an-egress-gateway)
-- [Upgrade egress gateways](#upgrade-egress-gateways)
-
-### Configure IP autodetection
-
-Since this feature adds additional network interfaces to nodes, it is important to configure $[prodname] to
-autodetect the correct primary interface to use for normal pod-to-pod traffic. Otherwise, $[prodname] may
-autodetect a newly-added secondary ENI as the main interface, causing an outage.
-
-For EKS clusters, the default IP autodetection method is `can-reach=8.8.8.8`, which will choose the interface
-with a route to `8.8.8.8`; this is typically the interface with a default route, which will be the correct (primary) ENI.
-($[prodname] ensures that the secondary ENIs do not have default routes in the main routing table.)
-
-For other AWS clusters, $[prodname] may default to `firstFound`, which is **not** suitable.
-
-To examine the autodetection method, check the operator's installation resource:
-
-```bash
-$ kubectl get installations.operator.tigera.io -o yaml default
-```
-```yaml noValidation
-apiVersion: operator.tigera.io/v1
-kind: Installation
-metadata:
- ...
- name: default
- ...
-spec:
- calicoNetwork:
- ...
- nodeAddressAutodetectionV4:
- firstFound: true
-...
-```
-
-If `nodeAddressAutodetectionV4` is set to `firstFound: true` or is not specified, then you must change it to another method by editing the
-resource. The NodeAddressAutodetection options, `canReach` and `cidrs` are suitable. See [Installation reference](../../reference/installation/api.mdx). If using the `cidrs` option, set the CIDRs list to include only the
-CIDRs from which your primary ENI IPs are chosen (do not include the dedicated VPC subnets chosen below).
-
-### Ensure Kubernetes VPC has free CIDR range
-
-For egress gateways to be useful in AWS, we want to assign them IP addresses from a VPC subnet that is in the same AZ
-as their host.
-
-To avoid clashes between AWS IP allocations and $[prodname] IP allocations, it is important that the range of
-IP addresses assigned to $[prodname] IP pools is not used by AWS for automatic allocations. In this guide we
-assume that you have created a dedicated VPC subnet per Availability Zone (AZ) that is reserved for $[prodname]
-and configured not to be used as the default subnet for the AZ.
-
-If you are creating your cluster and VPC from scratch, plan to subdivide the VPC CIDR into (at least) two VPC subnets
-per AZ. One VPC subnet for the Kubernetes (and any other) hosts and one VPC subnet for egress gateways. (The next
-section explains the sizing requirements for the egress gateway subnets.)
-
-If you are adding this feature to an existing cluster, you may find that the existing VPC subnets already cover the
-entire VPC CIDR, making it impossible to create a new subnet. If that is the case, you can make more room by
-adding a second CIDR to the VPC that is large enough for the new subnets. For information on adding a secondary
-CIDR range to a VPC, see [this guide](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#vpc-resize).
-
-### Create dedicated VPC subnets
-
-$[prodname] requires a dedicated VPC subnet in each AWS availability zone that you wish to deploy egress
-gateways. The subnet must be dedicated to $[prodname] so that AWS will not
-use IP addresses from the subnet for other purposes (as this could clash with an egress gateway's IP). When creating the
-subnet you should configure it not to be used for instances.
-
-Some IP addresses from the dedicated subnet are reserved for AWS and $[prodname] internal use:
-
-- The first four IP addresses in the subnet cannot be used. These are [reserved by AWS for internal use](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#vpc-sizing-ipv4).
-- Similarly, the last IP in the subnet (the broadcast address) cannot be used.
-- _In **Secondary-IP-per-workload** mode_, $[prodname] requires one IP address from the subnet per secondary ENI
- that it provisions (for use as the primary IP address of the ENI). In **ENI-per-workload** mode, this is not required.
-
-
-
-
-Example for **ENI-per-workload** mode:
-
-- You anticipate having up to 30 instances running in each availability zone (AZ).
-- You intend to use `t3.large` instances, [these are limited to](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI) 3 ENIs per host.
-- So, each host can accept 2 secondary ENIs, each of which can handle one egress gateway.
-- With 2 ENIs per node and 30 nodes, the part of the cluster in this AZ could handle up to `30 * 2 = 60` egress
- gateways.
-- AWS reserves 5 IPs from the AWS subnet for internal use, no "host secondary IPs" need to be reserved in this mode.
-- Since VPC subnets are allocated by CIDR, a `/25` subnet containing 128 IP addresses would comfortably fit the 5
- reserved IPs as well as the 60 possible gateways (with headroom for more nodes to be added later).
-
-
-
-
-Example for **Secondary-IP-per-workload** mode:
-
-- You anticipate having up to 30 instances running in each availability zone (AZ).
-- You intend to use `t3.large` instances, [these are limited to](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI)
- 3 ENIs per host (one of which is the primary) and each ENI can handle 12 IP addresses, (one of which is the primary).
-- So, each host can accept 2 secondary ENIs and each secondary ENI could handle 11 egress gateway pods.
-- Each in-use secondary ENI requires one IP from the VPC subnet (up to 60 in this case) and AWS requires 5 IPs to be
- reserved so that's up to 65 IPs reserved in total.
-- With 2 ENIs and 11 IPs per ENI, the part of the cluster in this AZ could handle up to `30 * 2 * 11 = 660` egress
- gateways.
-- Since VPC subnets are allocated by CIDR, a `/22` subnet containing 1024 IP addresses would comfortably fit the 65
- reserved IPs as well as the 660 possible gateways.
-
-$[prodname] allocates ENIs on-demand so each instance will only claim one of those reserved IP addresses when the
-first egress gateway is assigned to that node. It will only claim its second IP when that ENI becomes full and then an
-extra egress gateway is provisioned.
-
-
-
-
-### Configure AWS IAM roles
-
-To provision the required AWS resources, each $[noderunning] pod in your cluster requires the
-following IAM permissions to be granted. The permissions can be granted to the node IAM Role itself, or by using
-the AWS [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) feature to grant the permissions to the
-`calico-node` service account.
-
-- DescribeInstances
-- DescribeInstanceTypes
-- DescribeNetworkInterfaces
-- DescribeSubnets
-- DescribeTags
-- CreateTags
-- AssignPrivateIpAddresses
-- UnassignPrivateIpAddresses
-- AttachNetworkInterface
-- CreateNetworkInterface
-- DeleteNetworkInterface
-- DetachNetworkInterface
-- ModifyNetworkInterfaceAttribute
-
-The above permissions are similar to those used by the AWS VPC CNI (since both CNIs need to provision the same kinds
-of resources). In addition, to support elastic IPs, each $[noderunning] also requires the following permissions:
-
-- DescribeAddresses
-- AssociateAddress
-- DisassociateAddress
-
-### Configure AWS Security Group rules
-
-To allow egress gateway traffic into the egress gateway pod's host from the client, the ingress rules of the security
-group need to be updated. A rule to allow all packets from within the security group must be added to the inbound rules.
-
-### Configure IP reservations for each VPC subnet
-
-Since the first four IP addresses and the last IP address in a VPC subnet cannot be used, it is important to
-prevent $[prodname] from _trying_ to use them. For each VPC subnet that you plan to use,
-ensure that you have an entry in an [IP reservation](../../reference/resources/ipreservation.mdx) for its first
-four IP addresses and its final IP address.
-
-For example, if your chosen VPC subnets are `100.64.0.0/22` and `100.64.4.0/22`, you could create the following
-`IPReservation` resource, which covers both VPC subnets (if you're not familiar with CIDR notation, replacing the
-`/22` of the original subnet with `/30` is a shorthand for "the first four IP addresses"):
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPReservation
-metadata:
- name: aws-ip-reservations
-spec:
- reservedCIDRs:
- - 100.64.0.0/30
- - 100.64.3.255
- - 100.64.4.0/30
- - 100.64.7.255
-```
-
-### Enable egress gateway support
-
-In the default **FelixConfiguration**, set the `egressIPSupport` field to `EnabledPerNamespace` or
-`EnabledPerNamespaceOrPerPod`, according to the level of support that you need in your cluster. For
-support on a per-namespace basis only:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespace"}}'
-```
-
-Or for support both per-namespace and per-pod:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespaceOrPerPod"}}'
-```
-
-:::note
-
-- `egressIPSupport` must be the same on all cluster nodes, so you should set them only in the
- `default` FelixConfiguration resource.
-- The operator automatically enables the required policy sync API in the FelixConfiguration.
-
-:::
-
-### Enable AWS-backed IP pools
-
-
-
-
-To enable **ENI-per-workload** mode, in the default **FelixConfiguration**, set the `awsSecondaryIPSupport` field to
-`EnabledENIPerWorkload`:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"awsSecondaryIPSupport":"EnabledENIPerWorkload"}}'
-```
-
-
-
-
-To enable **Secondary-IP-per-workload** mode, set the field to `Enabled` (the name `Enabled` predates
-the addition of the **ENI-per-workload** mode):
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"awsSecondaryIPSupport":"Enabled"}}'
-```
-
-
-
-
-You can verify that the setting took effect by examining the Kubernetes Node resources:
-
-```bash
-kubectl describe node
-```
-
-Should show the new `projectcalico.org/aws-secondary-ipv4` capacity (in the Allocated Resources section).
-
-#### Changing modes
-
-You can change between the two modes by:
-
-- Ensuring that the number of egress gateways on every node is within the limits of the particular mode. i.e.
- when switching to **ENI-per-workload** mode, the number of egress gateways must be less than or equal to the number
- of secondary ENIs that your instances can handle.
-- Editing the setting (using the patch commands above, for example).
-
-Changing the mode will cause disruption as ENIs must be removed and re-added.
-
-### Configure IP pools backed by VPC subnets
-
-
-
-
-In **ENI-per-workload** mode, IP pools are (only) used to subdivide the VPC subnets into small pools used for
-particular groups of egress gateways. These IP Pools must have:
-
-- `awsSubnetID` set to the ID of the relevant VPC subnet. This activates the AWS-backed IP feature for these pools.
-- `allowedUse` set to `["Workload"]` to tell $[prodname] IPAM to use those pools for the egress gateway workloads.
-- `vxlanMode` and `ipipMode` set to `Never` to disable encapsulation for the egress gateway pods. (`Never` is the default if these fields are not specified.)
-- `blockSize` set to 32. This aligns $[prodname] IPAM with the behaviour of the AWS fabric.
-- `disableBGPExport` set to `true`. This prevents routing conflicts if your cluster is using IPIP or BGP networking.
-
-It's also recommended to:
-
-- Set `nodeSelector` to `"!all()"`. This prevents $[prodname] IPAM from using the pool automatically. It will
- only be used for workloads that explicitly name it in the `cni.projectcalico.org/ipv4pools` annotation.
-
-Continuing the example above, with VPC subnets
-
-- `100.64.0.0/22` in, say, availability zone west-1 and id `subnet-000000000000000001`
-- `100.64.4.0/22` in, say, availability zone west-2 and id `subnet-000000000000000002`
-
-And, assuming that there are two clusters of egress gateways "red" and "blue" (which in turn serve namespaces "red"
-and "blue"), one way to structure the IP pools is to have one IP pool for each group of egress gateways in each
-subnet. Then, if a particular egress gateway from the egress gateway cluster is scheduled to one AZ or the other,
-it will take an IP from the appropriate pool.
-
-For the "west-1" availability zone:
-
-- IP pool "egress-red-west-1", CIDR `100.64.0.4/30` (the first non-reserved /30 CIDR in the VPC subnet). These
- addresses will be used for "red" egress gateways in the "west-1" AZ.
-
-- IP pool "egress-blue-west-1", CIDR `100.64.0.8/30` (the next 4 IPs from the "west-1" subnet). These addresses
- will be used for "blue" egress gateways in the "west-1" AZ.
-
-For the "west-2" availability zone:
-
-- IP pool "egress-red-west-2", CIDR `100.64.4.4/30` (the first non-reserved /30 CIDR in the VPC subnet). These
- addresses will be used for "red" egress gateways in the "west-2" AZ.
-
-- IP pool "egress-blue-west-2", CIDR `100.64.4.8/30` (the next 4 IPs from the "west-2" subnet). These addresses
- will be used for "blue" egress gateways in the "west-2" AZ.
-
-Converting this to `IPPool` resources:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-red-west-1
-spec:
- cidr: 100.64.0.4/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000001
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-blue-west-1
-spec:
- cidr: 100.64.0.8/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000001
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-red-west-2
-spec:
- cidr: 100.64.4.4/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000002
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-blue-west-2
-spec:
- cidr: 100.64.4.8/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000002
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
-```
-
-
-
-
-In **Secondary-IP-per-workload** mode, IP pools are used to subdivide the VPC subnets as follows:
-
-- One medium-sized IP pool per-Subnet reserved for $[prodname] to use for the _primary_ IP addresses of its _secondary_ ENIs.
- These pools must have:
-
- - `awsSubnetID` set to the ID of the relevant VPC subnet. This activates the AWS-backed IP feature for these pools.
- - `allowedUse` set to `["HostSecondaryInterface"]` to reserve them for this purpose.
- - `blockSize` set to 32. This aligns $[prodname] IPAM with the behaviour of the AWS fabric.
- - `vxlanMode` and `ipipMode` set to `Never`. (`Never` is the default if these fields are not specified.)
- - `disableBGPExport` set to `true`. This prevents routing conflicts if your cluster is using IPIP or BGP networking.
-
-- Small pools used for particular groups of egress gateways. These must have:
-
- - `awsSubnetID` set to the ID of the relevant VPC subnet. This activates the AWS-backed IP feature for these pools.
- - `allowedUse` set to `["Workload"]` to tell $[prodname] IPAM to use those pools for the egress gateway workloads.
- - `vxlanMode` and `ipipMode` set to `Never` to disable encapsulation for the egress gateway pods. (`Never` is the default if these fields are not specified.)
- - `blockSize` set to 32. This aligns $[prodname] IPAM with the behaviour of the AWS fabric.
- - `disableBGPExport` set to `true`. This prevents routing conflicts if your cluster is using IPIP or BGP networking.
-
- It's also recommended to:
-
- - Set `nodeSelector` to `"!all()"`. This prevents $[prodname] IPAM from using the pool automatically. It will
- only be used for workloads that explicitly name it in the `cni.projectcalico.org/ipv4pools` annotation.
-
-Continuing the example above, with VPC subnets
-
-- `100.64.0.0/22` in, say, availability zone west-1 and id `subnet-000000000000000001`
-- `100.64.4.0/22` in, say, availability zone west-2 and id `subnet-000000000000000002`
-
-And, assuming that there are two clusters of egress gateways "red" and "blue" (which in turn serve namespaces "red"
-and "blue"), one way to structure the IP pools is to have a "hosts" IP pool in each VPC subnet and one IP pool for each
-group of egress gateways in each subnet. Then, if a particular egress gateway from the egress gateway cluster is
-scheduled to one AZ or the other, it will take an IP from the appropriate pool.
-
-For the "west-1" availability zone:
-
-- IP pool "hosts-west-1", CIDR `100.64.0.0/25` (the first 128 addresses in the "west-1" VPC subnet).
-
- - We'll reserve these addresses for hosts to use.
- - `100.64.0.0/25` covers the addresses from `100.64.0.0` to `100.64.0.127` (but addresses `100.64.0.0` to `100.64.0.3`
- were reserved above).
-
-- IP pool "egress-red-west-1", CIDR `100.64.0.128/30` (the next 4 IPs from the "west-1" subnet).
-
- - These addresses will be used for "red" egress gateways in the "west-1" AZ.
-
-- IP pool "egress-blue-west-1", CIDR `100.64.0.132/30` (the next 4 IPs from the "west-1" subnet).
-
- - These addresses will be used for "blue" egress gateways in the "west-1" AZ.
-
-For the "west-2" availability zone:
-
-- IP pool "hosts-west-2", CIDR `100.64.4.0/25` (the first 128 addresses in the "west-2" VPC subnet).
-
- - `100.64.4.0/25` covers the addresses from `100.64.4.0` to `100.64.4.127` (but addresses `100.64.4.0` to `100.64.4.3`
- were reserved above).
-
-- IP pool "egress-red-west-2", CIDR `100.64.4.128/30` (the next 4 IPs from the "west-2" subnet).
-
- - These addresses will be used for "red" egress gateways in the "west-2" AZ.
-
-- IP pool "egress-blue-west-2", CIDR `100.64.4.132/30` (the next 4 IPs from the "west-2" subnet).
-
- - These addresses will be used for "blue" egress gateways in the "west-2" AZ.
-
-Converting this to `IPPool` resources:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: hosts-west-1
-spec:
- cidr: 100.64.0.0/25
- allowedUses: ['HostSecondaryInterface']
- awsSubnetID: subnet-000000000000000001
- blockSize: 32
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-red-west-1
-spec:
- cidr: 100.64.0.128/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000001
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-blue-west-1
-spec:
- cidr: 100.64.0.132/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000001
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: hosts-west-2
-spec:
- cidr: 100.64.4.0/25
- allowedUses: ['HostSecondaryInterface']
- awsSubnetID: subnet-000000000000000002
- blockSize: 32
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-red-west-2
-spec:
- cidr: 100.64.4.128/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000002
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
----
-apiVersion: projectcalico.org/v3
-kind: IPPool
-metadata:
- name: egress-blue-west-2
-spec:
- cidr: 100.64.4.132/30
- allowedUses: ['Workload']
- awsSubnetID: subnet-000000000000000002
- blockSize: 32
- nodeSelector: '!all()'
- disableBGPExport: true
-```
-
-
-
-
-### Deploy a group of egress gateways
-
-Use an egress gateway custom resource to deploy a group of egress gateways.
-
-Using the example of the "red" egress gateway cluster, we use several features of Kubernetes and $[prodname]
-in tandem to get a cluster of egress gateways that spans both availability zones and uses AWS-backed IP addresses:
-
-```bash
-kubectl apply -f - <
-# -
-# timeoutSeconds: 15
-# intervalSeconds: 5
-# httpProbe:
-# urls:
-# -
-# -
-# timeoutSeconds: 30
-# intervalSeconds: 10
- aws:
- nativeIP: Enabled
- template:
- metadata:
- labels:
- egress-code: red
- spec:
- nodeSelector:
- kubernetes.io/os: linux
- terminationGracePeriodSeconds: 0
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: "topology.kubernetes.io/zone"
- whenUnsatisfiable: "DoNotSchedule"
- labelSelector:
- matchLabels:
- egress-code: red
-EOF
-```
-
-- `replicas: 2` tells Kubernetes to schedule two egress gateways in the "red" cluster.
-- ipPools tells $[prodname] IPAM to use one of the "red" IP pools:
-
- ```yaml
- ipPools:
- - name: "egress-red-west-1"
- - name: "egress-red-west-2"
- ```
- Depending on which AZ the pod is scheduled in, $[prodname] IPAM will automatically ignore IP pools that
- are backed by AWS subnets that are not in the local AZ.
-
- External services and appliances can recognise "red" traffic because it will all come from the CIDRs of the "red"
- IP pools.
-
-- When nativeIP is enabled, IPPools must be AWS-backed. It also tells Kubernetes to only schedule the gateway to a node
- with available AWS IP capacity:
-
- ```yaml
- aws:
- nativeIP: Enabled
- ```
-
-- The following [topology spread constraint](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
- ensures that Kubernetes spreads the Egress gateways evenly between AZs (assuming that your nodes are labeled with
- the expected [well-known label](https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone)
- `topology.kubernetes.io/zone`):
-
- ```yaml
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- egress-code: red
- ```
-
-- The labels are arbitrary. You can choose whatever names and values are convenient for your cluster's Namespaces and Pods to refer to in their egress selectors.
- If labels are not specified, a default label `projectcalico.org/egw`:`name` will be added by the Tigera Operator.
-
-- icmpProbe may be used to specify the Probe IPs, ICMP interval and timeout in seconds. `ips` if set, the
- egress gateway pod will probe each IP periodically using an ICMP ping. If all pings fail then the egress
- gateway will report non-ready via its health port. `intervalSeconds` controls the interval between probes.
- `timeoutSeconds` controls the timeout before reporting non-ready if no probes succeed.
-
- ```yaml
- icmpProbe:
- ips:
- -
- -
- timeoutSeconds: 20
- intervalSeconds: 10
- ```
-
-- httpProbe may be used to specify the Probe URLs, HTTP interval and timeout in seconds. `urls` if set, the
- egress gateway pod will probe each external service periodically. If all probes fail then the egress
- gateway will report non-ready via its health port. `intervalSeconds` controls the interval between probes.
- `timeoutSeconds` controls the timeout before reporting non-ready if all probes are failing.
-
- ```yaml
- httpProbe:
- urls:
- -
- -
- timeoutSeconds: 30
- intervalSeconds: 10
- ```
-- Please refer to the [operator reference docs](../../reference/installation/api.mdx) for details about the egress gateway resource type.
-
-:::note
-
-- It is advisable to have more than one egress gateway per group, so that the egress IP function
- continues if one of the gateways crashes or needs to be restarted. When there are multiple
- gateways in a group, outbound traffic from the applications using that group is load-balanced
- across the available gateways. The number of `replicas` specified must be less than or equal
- to the number of free IP addresses in the IP Pool.
-- IPPool can be specified either by its name (e.g. `-name: egress-ippool-1`) or by its CIDR (e.g. `-cidr: 10.10.10.0/31`).
-- The labels are arbitrary. You can choose whatever names and values are convenient for
- your cluster's Namespaces and Pods to refer to in their egress selectors.
- The health port `8080` is used by:
-- The Kubernetes `readinessProbe` to expose the status of the egress gateway pod (and any ICMP/HTTP
- probes).
-- Remote pods to check if the egress gateway is "ready". Only "ready" egress
- gateways will be used for remote client traffic. This traffic is automatically allowed by $[prodname] and
- no policy is required to allow it. $[prodname] only sends probes to egress gateway pods that have a named
- "health" port. This ensures that during an upgrade, health probes are only sent to upgraded egress gateways.
-
-:::
-
-### Configure iptables backend for egress gateways
-
-The Tigera Operator configures egress gateways to use the same iptables backend as `calico-node`.
-To modify the iptables backend for egress gateways, you must change the `iptablesBackend` field in the [Felix configuration](../../reference/resources/felixconfig.mdx).
-
-### Configure namespaces and pods to use egress gateways
-
-You can configure namespaces and pods to use an egress gateway by:
-* annotating the namespace or pod
-* applying an egress gateway policy to the namespace or pod.
-
-Using an egress gateway policy is more complicated, but it allows advanced use cases.
-
-#### Configure a namespace or pod to use an egress gateway (annotation method)
-
-In a $[prodname] deployment, the Kubernetes namespace and pod resources honor annotations that
-tell that namespace or pod to use particular egress gateways. These annotations are selectors, and
-their meaning is "the set of pods, anywhere in the cluster, that match those selectors".
-
-So, to configure all the pods in a namespace to use the egress gateways that are
-labelled with `egress-code: red`, you would annotate that namespace like this:
-
-```bash
-kubectl annotate ns egress.projectcalico.org/selector="egress-code == 'red'"
-```
-
-By default, that selector can only match egress gateways in the same namespace. To select gateways
-in a different namespace, specify a `namespaceSelector` annotation as well, like this:
-
-```bash
-kubectl annotate ns egress.projectcalico.org/namespaceSelector="projectcalico.org/name == 'default'"
-```
-
-Egress gateway annotations have the same [syntax and range of expressions](../../reference/resources/networkpolicy.mdx#selector) as the selector fields in
-$[prodname] [network policy](../../reference/resources/networkpolicy.mdx#entityrule).
-
-To configure a specific Kubernetes Pod to use egress gateways, specify the same annotations when
-creating the pod. For example:
-
-```bash
-kubectl apply -f - < egress.projectcalico.org/egressGatewayPolicy="egw-policy1"
-```
-
-To configure a specific Kubernetes pod to use the same policy, specify the same annotations when
-creating the pod.
-For example:
-
-```bash
-kubectl apply -f - < -n -- nc 8089 ` should be the IP address of the netcat server.
-
-Then, if you check the logs or output of the netcat server, you should see:
-
-```
-Connection from received
-```
-
-with `` being one of the IPs of the egress IP pool that you provisioned.
-
-### Control the use of egress gateways
-
-If a cluster ascribes special meaning to traffic flowing through egress gateways, it will be
-important to control when cluster users can configure their pods and namespaces to use them, so that
-non-special pods cannot impersonate the special meaning.
-
-If namespaces in a cluster can only be provisioned by cluster admins, one option is to enable egress
-gateway function only on a per-namespace basis. Then only cluster admins will be able to configure
-any egress gateway usage.
-
-Otherwise -- if namespace provisioning is open to users in general, or if it's desirable for egress
-gateway function to be enabled both per-namespace and per-pod -- a [Kubernetes admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)
- will be
-needed. This is a task for each deployment to implement for itself, but possible approaches include
-the following.
-
-1. Decide whether a given Namespace or Pod is permitted to use egress annotations at all, based on
- other details of the Namespace or Pod definition.
-
-1. Evaluate egress annotation selectors to determine the egress gateways that they map to, and
- decide whether that usage is acceptable.
-
-1. Impose the cluster's own bespoke scheme for a Namespace or Pod to identify the egress gateways
- that it wants to use, less general than $[prodname]'s egress annotations. Then the
- admission controller would police those bespoke annotations (that that cluster's users could
- place on Namespace or Pod resources) and either reject the operation in hand, or allow it
- through after adding the corresponding $[prodname] egress annotations.
-
-### Policy enforcement for flows via an egress gateway
-
-For an outbound connection from a client pod, via an egress gateway, to a destination outside the
-cluster, there is more than one possible enforcement point for policy:
-
-The path of the traffic through policy is as follows:
-
-1. Packet leaves the client pod and passes through its egress policy.
-2. The packet is encapsulated by the client pod's host and sent to the egress gateway
-3. The encapsulated packet is sent from the host to the egress gateway pod.
-4. The egress gateway pod de-encapsulates the packet and sends the packet out again with its own address.
-5. The packet leaves the egress gateway pod through its egress policy.
-
-To ensure correct operation, (as of v3.15) the encapsulated traffic between host and egress gateway is auto-allowed by
-$[prodname] and other ingress traffic is blocked. That means that there are effectively two places where
-policy can be applied:
-
-1. on egress from the client pod
-2. on egress from the egress gateway pod (see limitations below).
-
-The policy applied at (1) is the most powerful since it implicitly sees the original source of the traffic (by
-virtue of being attached to that original source). It also sees the external destination of the traffic.
-
-Since an egress gateway will never originate its own traffic, one option is to rely on policy applied at (1) and
-to allow all traffic to at (2) (either by applying no policy or by applying an "allow all").
-
-Alternatively, for maximum "defense in depth" applying policy at both (1) and (2) provides extra protection should
-the policy at (1) be disabled or bypassed by an attacker. Policy at (2) has the following limitations:
-
-- [Domain-based policy](../../network-policy/domain-based-policy.mdx) is not supported at egress from egress
- gateways. It will either fail to match the expected traffic, or it will work intermittently if the egress gateway
- happens to be scheduled to the same node as its clients. This is because any DNS lookup happens at the client pod.
- By the time the policy reaches (2) the DNS information is lost and only the IP addresses of the traffic are available.
-
-- The traffic source will appear to be the egress gateway pod, the source information is lost in the address
- translation that occurs inside the egress gateway pod.
-
-That means that policies at (2) will usually take the form of rules that match only on destination port and IP address,
-either directly in the rule (via a CIDR match) or via a (non-domain based) NetworkSet. Matching on source has little
-utility since the IP will always be the egress gateway and the port of translated traffic is not always preserved.
-
-:::note
-
-Since v3.15.0, $[prodname] also sends health probes to the egress gateway pods from the nodes where
-their clients are located. In iptables mode, this traffic is auto-allowed at egress from the host and ingress
-to the egress gateway. In eBPF mode, the probe traffic can be blocked by policy, so you must ensure that this traffic is allowed; this should be fixed in an upcoming
-patch release.
-
-:::
-
-## Upgrade egress gateways
-
-From v3.16, egress gateway deployments are managed by the Tigera Operator.
-
-- When upgrading from a pre-v3.16 release, no automatic upgrade will occur. To upgrade a pre-v3.16 egress gateway deployment,
- create an equivalent EgressGateway resource with the same namespace and the same name as mentioned [above](#deploy-a-group-of-egress-gateways);
- the operator will then take over management of the old Deployment resource, replacing it with the upgraded version.
-
-- Use `kubectl apply` to create the egress gateway resource. Tigera Operator will read the newly created resource and wait
- for the other $[prodname] components to be upgraded. Once the other $[prodname] components are upgraded, Tigera Operator
- will upgrade the existing egress gateway deployment with the new image.
-
-By default, upgrading egress gateways will sever any connections that are flowing through them. To minimise impact,
-the egress gateway feature supports some advanced options that give feedback to affected pods. For more details see
-the [egress gateway maintenance guide](egress-gateway-maintenance.mdx).
-
-## Additional resources
-
-Please see also:
-
-- The `egressIP...` and `aws...` fields of the [FelixConfiguration resource](../../reference/resources/felixconfig.mdx#spec).
-- [Troubleshooting egress gateways](troubleshoot.mdx).
-- [Additional configuration for egress gateway maintenance](egress-gateway-maintenance.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-azure.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-azure.mdx
deleted file mode 100644
index 449922f1bd..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-azure.mdx
+++ /dev/null
@@ -1,776 +0,0 @@
----
-description: Route specific application traffic out of a Calico Enterprise cluster through egress gateways that use native Azure VNet IPs recognised by Azure routing.
----
-
-# Configure egress gateways, Azure
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-## Big picture
-
-Control the source IP address seen by external services/appliances by routing the traffic from certain pods
-through egress gateways. Use native VNet subnet IP addresses for the egress gateways so that the IPs are valid in the Azure fabric.
-
-## Value
-
-Controlling the source IP seen when traffic leaves the cluster allows groups of pods to be identified
-by external firewalls, appliances and services (even as the groups are scaled up/down or pods restarted).
-$[prodname] controls the source IP by directing traffic through one or more "egress gateway" pods, which
-change the source IP of the traffic to their own IP. The egress gateways used can be chosen at the pod or namespace
-scope allowing for flexibility in how the cluster is seen from outside.
-
-In Azure, egress gateway source IP addresses are chosen from an arbitrary user-defined IP pool
-using $[prodname] IPAM. egress gateway pods use dedicated IPPools to use as source IP addresses, which enables static configuration
-of external appliances.
-
-## Concepts
-
-### Egress gateway
-
-An egress gateway acts as a transit pod for the outbound application traffic that is configured to
-use it. As traffic leaving the cluster passes through the egress gateway, its source IP is changed
-to that of the egress gateway pod, and the traffic is then forwarded on.
-
-### Source IP
-
-When an outbound application flow leaves the cluster, its IP packets will have a source IP.
-This begins as the pod IP of the pod that originated the flow, then:
-
-- _If no egress gateway is configured_ and the pod IP came from an [IP pool](../../reference/resources/ippool.mdx)
-with `natOutgoing: true`, the node hosting the pod will change the source IP to its own as the
-traffic leaves the host. This allows the pod to communicate with external service even though the
-external network is unaware of the pod's IP.
-
-- _If the pod is configured with an egress gateway_, the traffic is first forwarded to the egress gateway, which
-changes the source IP to its own and then sends the traffic on. To function correctly, egress gateways
-should have IPs from an IP pool with `natOutgoing: false`, meaning their host forwards the packet onto
-the network without changing the source IP again. Since the egress gateway's IP is visible to
-the underlying network fabric, the fabric must be configured to know about the egress gateway's
-IP and to send response traffic back to the same host.
-
-### Azure VNets and subnets
-
-An Azure VNet is a virtual network that is, by default, logically isolated from other VNets. Each VNet has one or more
-(often large) CIDR blocks associated with it (for example `10.0.0.0/16`). In general, VNet CIDRs may overlap, but only
-if the VNets remain isolated. Azure allows VNets to be peered with each other through VNet Peerings. VNets can only be
-peered if *none* of their associated CIDRs overlap.
-
-Each VNet has one or more VNet subnets associated with it, each subnet owns a non-overlapping part of one of the
-VNet's CIDR blocks. VNet subnets span all availability zones in a region, so it is possible to distribute egress gateway
-resources across availability zones in a region without the need to repeat the configuration per-AZ.
-
-### Azure VNet and ExpressRoute peerings
-
-Azure [VNet Peerings](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview) allow multiple VNets to be
-connected together. Similarly, [ExpressRoute](https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction)
-allows external datacenters to be connected to an Azure VNet. Peered VPCs and datacenters communicate using private IPs
-as if they were all on one large private network.
-
-By advertising routes to Azure fabric using Azure Route Servers, egress gateways can be assigned private IPs allowing them to
-communicate without NAT within the same VPC, with peered VPCs, and, with peered datacenters.
-
-### Azure Route Server
-
-Azure [Route Server](https://learn.microsoft.com/en-us/azure/route-server/) is a managed networking service that allows
-a network virtual appliance, like $[prodname], to dynamically configure Azure fabric by exchanging routing information
-using Border Gateway Protocol (BGP). $[prodname] can establish BGP sessions with an Azure Route Server in a VNet
-to advertise the IPs of egress gateways to that VNet. The learned routes are then propagated to the rest of VNets through
-VNet peering, or to external datacenters through ExpressRoute, allowing communication with egress gateway.
-
-## Before you begin
-
-**Required**
-
-- Calico CNI
-- Open port UDP 4790 on the host
-
-**Not Supported**
-
-- Azure VNet CNI
-- Windows
-
-$[prodname] CNI and IPAM are required. The ability to control the egress gateway’s IP is a feature of $[prodname] CNI and IPAM. Azure VNet CNI does not support that feature, so it is incompatible with egress gateways.
-
-## How to
-
-- [Choose route reflectors](#choose-route-reflectors)
-- [Create Azure Route Server](#create-azure-route-server)
-- [Disable the default BGP node-to-node mesh](#disable-the-default-bgp-node-to-node-mesh)
-- [Enable BGP](#enable-bgp)
-- [Provision an egress IP pool](#provision-an-egress-ip-pool)
-- [(Optional) Limit number of route advertisement](#limit-number-of-route-advertisement)
-- [Configure route reflector](#configure-route-reflector)
-- [Enable egress gateway support](#enable-egress-gateway-support)
-- [Deploy a group of egress gateways](#deploy-a-group-of-egress-gateways)
-- [Configure iptables backend for egress gateways](#configure-iptables-backend-for-egress-gateways)
-- [Configure namespaces and pods to use egress gateways](#configure-namespaces-and-pods-to-use-egress-gateways)
-- [(Optional) Enable ECMP load balancing](#optionally-enable-ecmp-load-balancing)
-- [Verify the feature operation](#verify-the-feature-operation)
-- [Control the use of egress gateways](#control-the-use-of-egress-gateways)
-- [Policy enforcement for flows via an egress gateway](#policy-enforcement-for-flows-via-an-egress-gateway)
-
-### Choose route reflectors
-
-It is possible to establish BGP connections between all $[prodname] nodes and Azure Route Servers, but
-to avoid hitting Azure Route Server peers [limit](https://learn.microsoft.com/en-us/azure/route-server/overview#route-server-limits),
-it is better to select some nodes as route reflectors and set up BGP connections between those and Azure Route Server.
-The number of route reflectors depends on the cluster size, but it is recommended to have at least 3 at all times,
-and Azure Route Servers supports up to 8 peers in a VNet.
-
-### Create Azure Route Server
-
-Deploy Azure [Route Server](https://learn.microsoft.com/en-us/azure/route-server/) in the VNet (hub or spoke VNet) that routes
-egress addresses. Then, add the selected route reflectors as peers to the Azure Route Server.
-
-:::note
-
-- The BGP connections between Calico route reflectors and Azure Route Servers are critical for the functionality
-of egress gateways. It is important to maintain route reflectors with care, and to make sure there are always
-enough healthy route reflectors.
-- If possible, assign a static address to the route reflectors so after reboots the same address is kept.
-- In AKS, it is [recommended](https://learn.microsoft.com/en-us/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools)
-to run applications in user node pools and leave system node pools for running critical system pods.
-The nodes in system node pools are perfect Route Reflector candidates.
-
-:::
-
-### Disable the default BGP node-to-node mesh
-
-The default $[prodname] **node-to-node BGP mesh** may be turned off to enable other BGP topologies.
-To do this, modify the default **BGP configuration** resource.
-
-Run the following command to disable the BGP full-mesh:
-
-```bash
-kubectl apply -f - < projectcalico.org/RouteReflectorClusterID=244.0.0.1
-```
-
-Typically, you will want to label this node to indicate that it is a route reflector, allowing it to be easily selected by a BGPPeer resource. You can do this with kubectl. For example:
-
-```bash
-kubectl label node route-reflector=true
-```
-
-Now it is easy to configure route reflector nodes to peer with each other and other non-route-reflector nodes using label selectors. For example:
-
-```yaml
-kind: BGPPeer
-apiVersion: projectcalico.org/v3
-metadata:
- name: peer-with-route-reflectors
-spec:
- nodeSelector: all()
- peerSelector: route-reflector == 'true'
-```
-
-Finally, Add the IP addresses of Azure Route Servers, usually there are two, as peers to route reflectors. For example, if the $[prodname]
-cluster is in a subnet with 10.224.0.0 as network address, the 10.224.0.1 is, [by definition](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets), the gateway and Azure Route Servers are deployed with
-ASN 65515 and IP addresses of 10.225.0.4 and 10.225.0.5, create two **BGPPeer** resources:
-
-```yaml
-apiVersion: projectcalico.org/v3
-kind: BGPPeer
-metadata:
- name: azure-route-server-a
-spec:
- peerIP: 10.225.0.4
- reachableBy: 10.224.0.1
- asNumber: 65515
- keepOriginalNextHop: true
- nodeSelector: route-reflector == 'true'
- filters:
- - export-egress-ips
----
-apiVersion: projectcalico.org/v3
-kind: BGPPeer
-metadata:
- name: azure-route-server-b
-spec:
- peerIP: 10.225.0.5
- reachableBy: 10.224.0.1
- asNumber: 65515
- keepOriginalNextHop: true
- nodeSelector: route-reflector == 'true'
- filters:
- - export-egress-ips
-```
-
-:::note
-
-- Adding `routeReflectorClusterID` to a node spec will remove it from the node-to-node mesh immediately, tearing down the
-existing BGP sessions. Adding the BGP peering will bring up new BGP sessions. This will cause a short (about 2 seconds)
-disruption to data plane traffic of workloads running in the nodes where this happens. To avoid this, make sure no
-workloads are running on the nodes, by provisioning new nodes or by running `kubectl drain` on the node (which may
-itself cause a disruption as workloads are drained).
-- It is important to set `keepOriginalNextHop: true` since route reflectors advertise routes on behalf of other nodes.
-Advertised routes to Azure Route Servers should have the original next hop otherwise the return packets will be sent to
-route reflectors, and get dropped.
-- It is mandatory to set `reachableBy` field set to the gateway of the subnet $[prodname] cluster is running in for
-peering with Azure Route Servers to prevent BGP connection flapping. See [BGP peer](../../reference/resources/bgppeer.mdx) for more information.
-- Including `filters` to apply the BGP filter configured in the previous section, is optional.
-:::
-
-### Enable egress gateway support
-
-In the default **FelixConfiguration**, set the `egressIPSupport` field to `EnabledPerNamespace` or
-`EnabledPerNamespaceOrPerPod`, according to the level of support that you need in your cluster. For
-support on a per-namespace basis only:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespace"}}'
-```
-
-Or for support both per-namespace and per-pod:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespaceOrPerPod"}}'
-```
-
-:::note
-
-- `egressIPSupport` must be the same on all cluster nodes, so you should set them only in the `default` FelixConfiguration resource.
-- The operator automatically enables the required policy sync API in the FelixConfiguration.
-
-:::
-
-### Deploy a group of egress gateways
-
-Use a Kubernetes Deployment to deploy a group of egress gateways.
-
-Using the example of the "red" egress gateway cluster, we use several features of Kubernetes and $[prodname]
-in tandem to get a cluster of egress gateways that uses the user defined IP addresses:
-
-```bash
-kubectl apply -f - <
-# -
-# timeoutSeconds: 15
-# intervalSeconds: 5
-# httpProbe:
-# urls:
-# -
-# -
-# timeoutSeconds: 30
-# intervalSeconds: 10
- template:
- metadata:
- labels:
- egress-code: red
- spec:
- terminationGracePeriodSeconds: 0
- nodeSelector:
- kubernetes.io/os: linux
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- egress-code: red
-EOF
-```
-
-* `replicas: 2` tells Kubernetes to schedule two egress gateways in the "red" cluster.
-
-* This annotation tells $[prodname] IPAM to use one of the "egress-ip-red-pool" IP pool.
-
-External services and appliances can recognise "red" traffic because it will all come from the CIDRs of the "red"
-IP pool.
-
-* The following [topology spread constraint](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/)
-ensures that Kubernetes spreads the Egress gateways evenly between AZs (assuming that your nodes are labeled with
-the expected [well-known label](https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone)
-`topology.kubernetes.io/zone`):
-
-```yaml
-topologySpreadConstraints:
-- maxSkew: 1
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- egress-code: red
- ```
-
-* The labels are arbitrary. You can choose whatever names and values are convenient for your cluster's Namespaces and Pods to refer to in their egress selectors.
-If labels are not specified, a default label `projectcalico.org/egw`:`name` will be added by the Tigera Operator.
-
-* icmpProbe may be used to specify the Probe IPs, ICMP interval and timeout in seconds. `ips` if set, the
-egress gateway pod will probe each IP periodically using an ICMP ping. If all pings fail then the egress
-gateway will report non-ready via its health port. `intervalSeconds` controls the interval between probes.
-`timeoutSeconds` controls the timeout before reporting non-ready if no probes succeed.
-
-```yaml
-icmpProbe:
- ips:
- -
- -
- timeoutSeconds: 20
- intervalSeconds: 10
- ```
-
-* httpProbe may be used to specify the Probe URLs, HTTP interval and timeout in seconds. `urls` if set, the
-egress gateway pod will probe each external service periodically. If all probes fail then the egress
-gateway will report non-ready via its health port. `intervalSeconds` controls the interval between probes.
-`timeoutSeconds` controls the timeout before reporting non-ready if all probes are failing.
-
-```yaml
-httpProbe:
- urls:
- -
- -
- timeoutSeconds: 30
- intervalSeconds: 10
- ```
-- Please refer to the [operator reference docs](../../reference/installation/api.mdx) for details about the egress gateway resource type.
-
-:::note
-
-* It is advisable to have more than one egress gateway per group, so that the egress IP function
-continues if one of the gateways crashes or needs to be restarted. When there are multiple
-gateways in a group, outbound traffic from the applications using that group is load-balanced
-across the available gateways. The number of `replicas` specified must be less than or equal
-to the number of free IP addresses in the IP Pool.
-
-* IPPool can be specified either by its name (e.g. `-name: egress-ip-red-pool`) or by its CIDR (e.g. `-cidr: 10.10.10.0/30`).
-
-* The labels are arbitrary. You can choose whatever names and values are convenient for
-your cluster's Namespaces and Pods to refer to in their egress selectors.
-
-The health port `8080` is used by:
-
-* The Kubernetes `readinessProbe` to expose the status of the egress gateway pod (and any ICMP/HTTP probes).
-
-* Remote pods to check if the egress gateway is "ready". Only "ready" egress
-gateways will be used for remote client traffic. This traffic is automatically allowed by $[prodname] and
-no policy is required to allow it. $[prodname] only sends probes to egress gateway pods that have a named
-"health" port. This ensures that during an upgrade, health probes are only sent to upgraded egress gateways.
-:::
-
-### Configure iptables backend for egress gateways
-
-The Tigera Operator configures egress gateways to use the same iptables backend as `calico-node`.
-To modify the iptables backend for egress gateways, you must change the `iptablesBackend` field in the [Felix configuration](../../reference/resources/felixconfig.mdx).
-
-### Configure namespaces and pods to use egress gateways
-
-You can configure namespaces and pods to use an egress gateway by:
-* annotating the namespace or pod
-* applying an egress gateway policy to the namespace or pod.
-
-Using an egress gateway policy is more complicated, but it allows advanced use cases.
-
-#### Configure a namespace or pod to use an egress gateway (annotation method)
-
-In a $[prodname] deployment, the Kubernetes namespace and pod resources honor annotations that
-tell that namespace or pod to use particular egress gateways. These annotations are selectors, and
-their meaning is "the set of pods, anywhere in the cluster, that match those selectors".
-
-So, to configure all the pods in a namespace to use the egress gateways that are
-labelled with `egress-code: red`, you would annotate that namespace like this:
-
-```bash
-kubectl annotate ns egress.projectcalico.org/selector="egress-code == 'red'"
-```
-
-By default, that selector can only match egress gateways in the same namespace. To select gateways
-in a different namespace, specify a `namespaceSelector` annotation as well, like this:
-
-```bash
-kubectl annotate ns egress.projectcalico.org/namespaceSelector="projectcalico.org/name == 'default'"
-```
-
-Egress gateway annotations have the same [syntax and range of expressions](../../reference/resources/networkpolicy.mdx#selector) as the selector fields in
-$[prodname] [network policy](../../reference/resources/networkpolicy.mdx#entityrule).
-
-To configure a specific Kubernetes Pod to use egress gateways, specify the same annotations when
-creating the pod. For example:
-
-```bash
-kubectl apply -f - < egress.projectcalico.org/egressGatewayPolicy="egw-policy1"
-```
-
-To configure a specific Kubernetes pod to use the same policy, specify the same annotations when
-creating the pod.
-For example:
-
-```bash
-kubectl apply -f - <
-spec:
- containers:
- - name: alpine
- image: alpine
- command: ["/bin/sleep"]
- args: ["infinity"]
-EOF
-```
-
-Now you can use `kubectl exec` to initiate an outbound connection from that pod:
-
-```bash
-kubectl exec -n -- nc 8089 ` should be the IP address of the netcat server.
-
-Then, if you check the logs or output of the netcat server, you should see:
-
-```
-Connection from received
-```
-
-with `` being one of the IPs of the egress IP pool that you provisioned.
-
-### Control the use of egress gateways
-
-If a cluster ascribes special meaning to traffic flowing through egress gateways, it will be
-important to control when cluster users can configure their pods and namespaces to use them, so that
-non-special pods cannot impersonate the special meaning.
-
-If namespaces in a cluster can only be provisioned by cluster admins, one option is to enable egress
-gateway function only on a per-namespace basis. Then only cluster admins will be able to configure
-any egress gateway usage.
-
-Otherwise -- if namespace provisioning is open to users in general, or if it's desirable for egress
-gateway function to be enabled both per-namespace and per-pod -- a [Kubernetes admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)
- will be
-needed. This is a task for each deployment to implement for itself, but possible approaches include
-the following.
-
-1. Decide whether a given Namespace or Pod is permitted to use egress annotations at all, based on
-other details of the Namespace or Pod definition.
-
-1. Evaluate egress annotation selectors to determine the egress gateways that they map to, and
-decide whether that usage is acceptable.
-
-1. Impose the cluster's own bespoke scheme for a Namespace or Pod to identify the egress gateways
-that it wants to use, less general than $[prodname]'s egress annotations. Then the
-admission controller would police those bespoke annotations (that that cluster's users could
-place on Namespace or Pod resources) and either reject the operation in hand, or allow it
-through after adding the corresponding $[prodname] egress annotations.
-
-#### Policy enforcement for flows via an egress gateway
-
-For an outbound connection from a client pod, via an egress gateway, to a destination outside the
-cluster, there is more than one possible enforcement point for policy:
-
-The path of the traffic through policy is as follows:
-
-1. Packet leaves the client pod and passes through its egress policy.
-2. The packet is encapsulated by the client pod's host and sent to the egress gateway
-3. The encapsulated packet is sent from the host to the egress gateway pod.
-4. The egress gateway pod de-encapsulates the packet and sends the packet out again with its own address.
-5. The packet leaves the egress gateway pod through its egress policy.
-
-To ensure correct operation, (as of v3.15) the encapsulated traffic between host and egress gateway is auto-allowed by
-$[prodname] and other ingress traffic is blocked. That means that there are effectively two places where
-policy can be applied:
-
-1. on egress from the client pod
-2. on egress from the egress gateway pod (see limitations below).
-
-The policy applied at (1) is the most powerful since it implicitly sees the original source of the traffic (by
-virtue of being attached to that original source). It also sees the external destination of the traffic.
-
-Since an egress gateway will never originate its own traffic, one option is to rely on policy applied at (1) and
-to allow all traffic to at (2) (either by applying no policy or by applying an "allow all").
-
-Alternatively, for maximum "defense in depth" applying policy at both (1) and (2) provides extra protection should
-the policy at (1) be disabled or bypassed by an attacker. Policy at (2) has the following limitations:
-
-- [Domain-based policy](../../network-policy/domain-based-policy.mdx) is not supported at egress from egress
-gateways. It will either fail to match the expected traffic, or it will work intermittently if the egress gateway
-happens to be scheduled to the same node as its clients. This is because any DNS lookup happens at the client pod.
-By the time the policy reaches (2) the DNS information is lost and only the IP addresses of the traffic are available.
-
-- The traffic source will appear to be the egress gateway pod, the source information is lost in the address
-translation that occurs inside the egress gateway pod.
-
-That means that policies at (2) will usually take the form of rules that match only on destination port and IP address,
-either directly in the rule (via a CIDR match) or via a (non-domain based) NetworkSet. Matching on source has little
-utility since the IP will always be the egress gateway and the port of translated traffic is not always preserved.
-
-:::note
-
-Since v3.15.0, $[prodname] also sends health probes to the egress gateway pods from the nodes where their clients are located.
-In iptables mode, this traffic is auto-allowed at egress from the host and ingress to the egress gateway.
-In eBPF mode, the probe traffic can be blocked by policy, so you must ensure that this traffic is allowed.
-
-:::
-
-## Additional resources
-
-Please see also:
-
-- [Configure egress gateways, on-premises](egress-gateway-on-prem.mdx)
-- [Troubleshooting egress gateways](troubleshoot.mdx).
-- [Additional configuration for egress gateway maintenance](egress-gateway-maintenance.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-maintenance.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-maintenance.mdx
deleted file mode 100644
index a7dcdc1f1d..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-maintenance.mdx
+++ /dev/null
@@ -1,372 +0,0 @@
----
-description: Reduce the impact of Calico Enterprise egress gateway maintenance on workloads with long-lived TCP sessions by reading termination annotations and timing draining.
----
-
-# Optimize egress networking for workloads with long-lived TCP connections
-
-## Big picture
-
-React to egress gateway maintenance windows and minimize the impact of egress gateway downtime on sensitive workloads
-
-## Value
-
-While most workloads benefit from the reduced downtime associated with increased replicas, there are some specific cases where increasing your number of egress gateways will not have as significant an effect on availability.
-
-One area where this applies is when your workloads must maintain long-lived TCP connections that are coupled to higher-level abstractions, such as database sessions, transactions, or similar. In these environments, if an egress gateway becomes unavailable, these long-lived sessions may close. Data may need to be retransmitted. And in some cases, data may be lost.
-
-## Before you begin
-
-These features require you to have configured a functioning egress gateway deployment in a cluster. For more information on deploying egress gateways, [see our other egress gateway guides](../egress/index.mdx)
-
-## How to
-
-- [Observe gateway maintenance impact](#observe-gateway-maintenance-impact)
-- [Expose gateway maintenance annotations to your application](#expose-gateway-maintenance-annotations-to-your-application)
-- [Reduce the impact of gateway downtime](#reduce-the-impact-of-gateway-downtime)
-
-### Observe gateway maintenance impact
-
-A number of egress-related annotations are automatically added to your workloads when an egress gateway they use is in the "terminating" phase. These annotations will outline _which_ gateway is about to terminate, _when it began terminating_, and _when it will fully terminate_. This information can prove useful for conducting non-disruptive maintenance on your cluster, as it means any planned termination of egress pods will be communicated to dependent workloads.
-
-Before we can observe these annotations, we must first configure a _termination grace period_ for our egress gateways. The termination grace period prolongs an egress gateway's termination phase, giving us a window to react to the termination. Without configuring the grace period, we would have a zero-second window to react to gateway termination.
-
-#### Add a termination grace period to egress gateway replicas
-
-To widen our maintenance window, we can adjust the `terminationGracePeriodSeconds` field on our egress gateway pods. The amount of time we set for the termination grace period dictates how much time a dependent workload has to prepare for a gateway going down.
-
-Let's add a termination grace period of 60 seconds to all pods in our egress gateway deployment, so that our egress-dependent workloads have a wider window to react. The Egress Gateway resource must be patched with the new `terminationGracePeriodSeconds` as below:
-
-Patch a termination grace period of 60s into egress gateway resource.
-```sh
- kubectl get egressgateway
- ```
- Response:
- ```
- NAME AGE
- egress-gateway 8m43s
-```
-Patch our deployment with a 60-second termination grace period.
-```sh
- kubectl patch egressgateway egress-gateway --type=merge -p '{"spec": {"template": {"spec": {"terminationGracePeriodSeconds": 60}}}}'
-```
-Wait for the change to roll out.
- ```sh
- kubectl rollout status deploy/egress-gateway
-```
-
-:::note
-
-- This assumes that you have upgraded your Egress Gateways to use the new managed resource in v3.16 or above
-- Making the above alterations to an egress gateway resource will trigger a new rollout of the deployment - you can monitor the rollout status with `kubectl rollout status deploy/`
-- If your rollout seems to have stalled and egress gateway pods are stuck on "ContainerCreating" phase, it's possible the deployment's IPPool has been exhausted. You can check if this is the case by inspecting a stuck pod with `kubectl describe pod `
-
-:::
-
-#### Inspect workload annotations
-
-Once the updated egress gateway deployment rolls out, we're ready to observe the gateway maintenance annotations $[prodname] adds to your dependent workloads. Let's simulate cluster maintenance by deleting an egress gateway pod. It should take 60 seconds to terminate - the amount of time defined by `terminationGracePeriodSeconds`.
-
-Show pods in default namespace - one application pod using two egress gateway pods.
-```sh
- kubectl get pods -o wide
-```
-Response:
-```
-NAME READY STATUS RESTARTS AGE IP
-application-with-long-lived-connections 1/1 Running 0 20m 192.168.192.210
-egress-gateway-6576ccdf66-fxdvh 1/1 Running 0 3m 10.10.10.1
-egress-gateway-6644fbb56b-5xbh2 1/1 Running 0 3m 10.10.10.0
-```
-Delete one of the egress gateways being used by the application pod; do not block waiting for termination to finish.
-```sh
-kubectl delete pod egress-gateway-6576ccdf66-fxdvh --wait=false
-```
-Response:
-```
-pod "egress-gateway-6576ccdf66-fxdvh" deleted
-```
-
-The gateway we just deleted should now wait in the "terminating" phase until its termination grace period expires, at-which point it will be deleted. If our application pod depends on the terminating egress gateway, we'll see gateway maintenance annotations added to the dependent application pod automatically, outlining what gateway is going down, when it began terminating, and when it will be deleted:
-
-Observe the annotations added to the dependent application pod.
-```sh
- kubectl get pod application-with-long-lived-connections -o yaml
-```
-Response:
-```
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- ...
- egress.projectcalico.org/gatewayMaintenanceFinishedTimestamp: "2022-04-19T16:00:18Z"
- egress.projectcalico.org/gatewayMaintenanceGatewayIP: 10.10.10.1
- egress.projectcalico.org/gatewayMaintenanceStartedTimestamp: "2022-04-19T15:59:18Z"
-...
-```
-
-Success! Our workload's annotations mark a 60-second maintenance window for the gateway we terminated, indicating when the egress gateway began terminating, and when it will fully terminate.
-
-:::note
-
-- Adjusting egress deployments, say, by modifying the `terminationGracePeriodSeconds` field, will trigger a new rollout.
-- IPPool specified should be large enough to include terminating pods.
-- Egress pods terminating due to a new rollout will behave the same as if they were deleted for maintenance - dependent workloads will receive gateway maintenance annotations, and gateway pods will terminate after their termination grace period has elapsed.
-- Deleting an egress gateway in a way that overrides the termination grace period, say, by using `kubectl delete pod my-pod --grace-period=0`, will result in the gateway going down immediately, and dependent workloads will not have any time to react to the termination.
-
-:::
-
-
-
-### Expose gateway maintenance annotations to your application
-
-While the presence of gateway maintenance annotations may be useful to a cluster administrator inspecting pods, it's not quite enough if our workload wishes to react to terminating egress gateways, say, by restarting its session gracefully before loss of connectivity.
-
-The [Kubernetes downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api) provides a means of exposing pod information [as files](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#store-pod-fields) or as [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-pod-fields-as-values-for-environment-variables) within the pod. This value can then be polled by your workload, to react to changes as you see fit.
-
-Let's write a simple pod manifest that uses the downward API to expose maintenance annotations to the program running within:
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- egress.projectcalico.org/selector: egress-code == 'red'
- egress.projectcalico.org/namespaceSelector: projectcalico.org/name == 'default'
- name: poll-my-own-annotations
- namespace: default
-spec:
- containers:
- - name: application-container
- image: k8s.gcr.io/busybox:1.24
- command: ['sh', '-c']
- args:
- - while true; do
- echo 'polling egress maintenance timestamp...';
- if [[ -e /var/run/egress/gatewayMaintenanceStartedTimestamp ]]; then
- echo -n 'gatewayMaintenanceStartedTimestamp has value "'; cat /var/run/egress/gatewayMaintenanceStartedTimestamp; echo -en '"\n';
- fi;
- sleep 3;
- done;
- volumeMounts:
- - name: egress-maintenance-started
- mountPath: /var/run/egress
- volumes:
- - name: egress-maintenance-started
- downwardAPI:
- items:
- - path: 'gatewayMaintenanceStartedTimestamp'
- fieldRef:
- fieldPath: metadata.annotations['egress.projectcalico.org/gatewayMaintenanceStartedTimestamp']
-```
-
-This sample manifest will create a pod whose `gatewayMaintenanceStartedTimestamp` annotation is mounted to the file `/var/run/egress/gatewayMaintenanceStartedTimestamp`. The pod's main process is a script which polls the value of this file.
-
-After deleting an egress gateway this workload relies on, let's check its logs:
-
-```sh
-kubectl logs poll-my-own-annotations
-```
-Response:
-```
-polling egress maintenance timestamp...
-gatewayMaintenanceStartedTimestamp has value ""
-polling egress maintenance timestamp...
-gatewayMaintenanceStartedTimestamp has value ""
-polling egress maintenance timestamp...
-gatewayMaintenanceStartedTimestamp has value ""
-polling egress maintenance timestamp...
-gatewayMaintenanceStartedTimestamp has value "2022-04-19T17:24:46Z"
-polling egress maintenance timestamp...
-gatewayMaintenanceStartedTimestamp has value "2022-04-19T17:24:46Z"
-```
-
-We can see above that our script saw the value of the mounted volume change at the same time what we terminated our egress gateway pod. This work can be further developed to propagate notifications to our production workloads, without any need for polling kubernetes itself.
-
-**Note**: It's not recommended to couple your production applications to a Kubernetes client for the purposes of polling pod information, as it could give an attacker greater privileges if successful in compromising a workload. Instead, use a method such as the downward API that fully decouples the program.
-
-
-
-### Reduce the impact of gateway downtime
-
-So far we have observed egress gateway maintenance windows, added a termination grace period to gateway pods, and propagated maintenance information directly to our workloads. Finally, we are going to look at the `maxNextHops` annotation, which is designed to limit the impact of a terminating egress gateway.
-
-Below is a sample kubernetes deployment which was adapted from the earlier annotation-aware pod manifest. The deployment has 3 replicas, and is configured to use egress gateways:
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: annotation-aware-workloads
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: annotation-aware-workload
- strategy:
- rollingUpdate:
- maxSurge: 25%
- maxUnavailable: 25%
- type: RollingUpdate
- template:
- metadata:
- labels:
- app: annotation-aware-workload
- annotations:
- egress.projectcalico.org/selector: egress-code == 'red'
- egress.projectcalico.org/namespaceSelector: projectcalico.org/name == 'default'
- spec:
- containers:
- - name: application-container
- image: k8s.gcr.io/busybox:1.24
- command: ['sh', '-c']
- args:
- - while true; do
- echo "[${MY_POD_NAME}] polling egress maintenance timestamp...";
- if [[ -e /var/run/egress/gatewayMaintenanceStartedTimestamp ]]; then
- echo -n "[${MY_POD_NAME}] gatewayMaintenanceStartedTimestamp has value '"; cat /var/run/egress/gatewayMaintenanceStartedTimestamp; echo -en "'\n";
- fi;
- sleep 3;
- done;
- volumeMounts:
- - name: egress-maintenance-started
- mountPath: /var/run/egress
- env:
- - name: MY_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- volumes:
- - name: egress-maintenance-started
- downwardAPI:
- items:
- - path: 'gatewayMaintenanceStartedTimestamp'
- fieldRef:
- fieldPath: metadata.annotations['egress.projectcalico.org/gatewayMaintenanceStartedTimestamp']
-```
-
-#### Observing the impact of egress gateway maintenance
-
-We now want to conduct maintenance on a particular node in our cluster, resulting in one of our egress gateways terminating. In this scenario, since our dependent applications' connections are load-balanced evenly across all available egress gateways, all of our application pods will receive a maintenance window annotation. If we have configured our applications to react to such a window, we will see them all react at once in a thundering herd:
-
-Begin the termination of an egress gateway pod.
-
-```sh
- kubectl delete pod egress-gateway-6576ccdf66-mtqzl --wait=false
-```
-Response:
-```
-pod "egress-gateway-6576ccdf66-mtqzl" deleted
-```
-
-Let's collect logs from all pods in our maintenance-aware application deployment.
-```sh
-kubectl logs --selector=app=annotation-aware-workload
-```
-Response:
-```
-[annotation-aware-workloads-7987f55c9f-f7mkq] polling egress maintenance timestamp...
-[annotation-aware-workloads-7987f55c9f-f7mkq] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-7987f55c9f-qtcs2] polling egress maintenance timestamp...
-[annotation-aware-workloads-7987f55c9f-qtcs2] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-7987f55c9f-z5x25] polling egress maintenance timestamp...
-[annotation-aware-workloads-7987f55c9f-z5x25] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-7987f55c9f-qtcs2] polling egress maintenance timestamp...
-[annotation-aware-workloads-7987f55c9f-qtcs2] gatewayMaintenanceStartedTimestamp has value '2022-04-20T12:24:34Z'
-[annotation-aware-workloads-7987f55c9f-f7mkq] polling egress maintenance timestamp...
-[annotation-aware-workloads-7987f55c9f-f7mkq] gatewayMaintenanceStartedTimestamp has value '2022-04-20T12:24:34Z'
-[annotation-aware-workloads-7987f55c9f-z5x25] polling egress maintenance timestamp...
-[annotation-aware-workloads-7987f55c9f-z5x25] gatewayMaintenanceStartedTimestamp has value '2022-04-20T12:24:34Z'
-```
-
-We can see in the above logs that all of our applications have been affected by the downtime of just a single egress gateway. In the worst case, this could lead to a window of downtime for the application, as all replicas scramble to restart their connections at once. To avoid this, lets use the `egress.projectcalico.org/maxNextHops` annotation to restrict the total number of gateways each application can depend on.
-
-#### Reducing the impact of egress gateway maintenance
-
-To place a limit on the number of egress gateways an application can depend on, annotate the application's pod with the `egress.projectcalico.org/maxNextHops` annotation. Alternatively, to limit all pods in a certain namespace, annotate that namespace. Let's annotate all pods in our sample deployment from earlier:
-
-```sh
-kubectl patch deploy annotation-aware-workloads --type=merge -p \
-'{"spec":
- {"template":
- {"metadata":
- {"annotations":
- {"egress.projectcalico.org/maxNextHops": "1"}
- }
- }
- }
-}'
-```
-
-:::note
-
-- Either a _pod or a namespace_ can be annotated with `egress.projectcalico.org/maxNextHops`, however, the `egress.projectcalico.org/selector` annotation must also be present on the selected resource.
-- If annotating pods, the `egressIPSupport` Felixconfiguration option must be set to `EnabledPerNamespaceOrPerPod`.
-- If a pod's desired `maxNextHops` exceeds the total number of available egress gateways, scaling up the egress gateway deployment will result in the pod's egress networking updating until the desired number of gateways are being used.
-- In all other cases, the `maxNextHops` annotation only takes effect at the time a pod is created. To ensure a pod's egress networking remains functional for its entire lifecycle, modifications to `maxNextHops` after a pod's creation will have no effect. For this reason, it's recommended that any egress gateway deployments have been scaled prior to deploying dependent workloads.
-
-:::
-
-After our patched sample deployment has been fully rolled out, each application pod should now depend on at most one egress gateway replica. Let's bring down another egress gateway pod and monitor our application logs:
-
-Begin the termination of an egress gateway pod.
-
-```sh
-kubectl delete pod egress-gateway-6576ccdf66-c42v7 --wait=false
-```
-Response:
-```
-pod "egress-gateway-6576ccdf66-c42v7" deleted
-```
-Collect logs from each application pod.
-```sh
-kubectl logs --selector=app=annotation-aware-workload
-```
-Response:
-```
-[annotation-aware-workloads-565b6855b9-tjvqr] polling egress maintenance timestamp...
-[annotation-aware-workloads-565b6855b9-tjvqr] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-565b6855b9-s44pt] polling egress maintenance timestamp...
-[annotation-aware-workloads-565b6855b9-s44pt] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-565b6855b9-46cw5] polling egress maintenance timestamp...
-[annotation-aware-workloads-565b6855b9-46cw5] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-565b6855b9-tjvqr] polling egress maintenance timestamp...
-[annotation-aware-workloads-565b6855b9-tjvqr] gatewayMaintenanceStartedTimestamp has value '2022-04-20T12:53:32Z'
-[annotation-aware-workloads-565b6855b9-s44pt] polling egress maintenance timestamp...
-[annotation-aware-workloads-565b6855b9-s44pt] gatewayMaintenanceStartedTimestamp has value ''
-[annotation-aware-workloads-565b6855b9-46cw5] polling egress maintenance timestamp...
-[annotation-aware-workloads-565b6855b9-46cw5] gatewayMaintenanceStartedTimestamp has value ''
-```
-
-We can see from the above logs that only a single application pod has now been affected by the terminating egress gateway. The other pods have not received an annotation for a terminating gateway because they have chosen different gateways to depend on, and thus won't be affected.
-
-:::note
-
-The subset of egress gateway replicas that each pod will depend on when using the `maxNextHops` annotation can't be manually selected.
-$[prodname] selects a subset of replicas in such a way as to evenly distribute load across the whole replica set.
-
-:::
-
-
-
-## Reference
-
-**The following are annotations that $[prodname] sets automatically on any egress-dependent pods:**
-
-| Annotation | Description | Datatype | Default value | Expected values |
-| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------- | ------------- | ---------------------------------------------------- |
-| `egress.projectcalico.org/gatewayMaintenanceGatewayIP` | Indicates the IP of a terminating egress gateway your pod is using. | IP Address | "" | Any IP within the egress gateway deployment's IPSet. |
-| `egress.projectcalico.org/gatewayMaintenanceStartedTimestamp` | Indicates when the egress gateway identified by `gatewayMaintenanceGatewayIP` began terminating. | String | "" | An RFC3339 date string |
-| `egress.projectcalico.org/gatewayMaintenanceFinishedTimestamp` | Indicates when the egress gateway identified by `gatewayMaintenanceGatewayIP` will finish terminating. | String | "" | An RFC3339 date string |
-
-
-
-**The following annotations are used to configure your egress-dependent workloads. These annotations can be set either on a namespace, or on a pod. If setting the annotations on pods, the `egressIPSupport` FelixConfiguration option must be set to `EnabledPerNamespaceOrPerPod`.**
-
-| Annotation | Description | Datatype | Default value | Possible values |
-| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ------------- | ----------------------- |
-| `egress.projectcalico.org/maxNextHops` | Specifies the maximum number of egress gateway replicas from the selected deployment that a pod should depend on. Replicas will be chosen in a manner that attempts to balance load across the whole egress gateway replicaset. If unset, or set to "0", egress traffic will behave in the default manner (load balanced over all available gateways). | String | "" | "0", "1", "2", "3", ... |
-
-## Additional resources
-
-- [Troubleshooting egress gateways](troubleshoot.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-on-prem.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-on-prem.mdx
deleted file mode 100644
index 781b1a09e8..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/egress-gateway-on-prem.mdx
+++ /dev/null
@@ -1,603 +0,0 @@
----
-description: Send selected application traffic through Calico Enterprise egress gateways on-premises so external firewalls see a predictable source IP for cluster workloads.
-redirect_from:
- - /compliance/egress-gateways
----
-
-# Configure egress gateways, on-premises
-
-## Big picture
-
-Configure specific application traffic to exit the cluster through an egress gateway.
-
-## Value
-
-When traffic from particular applications leaves the cluster to access an external destination, it
-can be useful to control the source IP of that traffic. For example, there may be an additional
-firewall around the cluster, whose purpose includes policing external accesses from the cluster, and
-specifically that particular external destinations can only be accessed from authorised workloads
-within the cluster.
-
-$[prodname]'s own policy (including [DNS policy](../../network-policy/domain-based-policy.mdx)) and
-per-node firewalls can ensure this, but deployments may like to deepen their defense by adding an
-external firewall as well. If the external firewall is configured to allow outbound connections
-only from particular source IPs, and the intended cluster workloads can be configured so that their
-outbound traffic will have one of those source IPs, then the defense in depth objective is achieved.
-
-$[prodname] allows specifying an [IP pool](../../reference/resources/ippool.mdx) for each pod or namespace, and
-even a [specific IP](../ipam/use-specific-ip.mdx) for a new pod, but this requires predicting how many pods
-there will be representing a particular application, so that the IP pool can be correctly sized.
-When IPs are a precious resource, over-sizing the pool is wasteful; but under-sizing is also
-problematic, as then IPs will not be available within the desired range as the application is
-scaled.
-
-Egress gateways provide an alternative approach. Application pods and namespaces are provisioned
-with IPs from the default (and presumably plentiful) pool, but also configured so that their
-outbound traffic is directed through an egress gateway. (Or, for resilience, through one of a small
-number of egress gateways.) The egress gateways are set up to use a [specific IP pool](../ipam/legacy-firewalls.mdx)
- and to perform an SNAT on the traffic passing through them. Hence, any
-number of application pods can have their outbound connections multiplexed through a fixed small
-number of egress gateways, and all of those outbound connections acquire a source IP from the egress
-gateway IP pool.
-
-:::note
-
-The source port of an outbound flow through an egress gateway can generally _not_ be
-preserved. Changing the source port is how Linux maps flows from many upstream IPs onto a single
-downstream IP.
-
-:::
-
-Egress gateways are also useful if there is a reason for wanting all outbound traffic from a
-particular application to leave the cluster through a particular node or nodes. For this case, the
-gateways just need to be scheduled to the desired nodes, and the application pods/namespaces
-configured to use those gateways.
-
-## Concepts
-
-### Egress gateway
-
-An egress gateway acts as a transit pod for the outbound application traffic that is configured to
-use it. As traffic leaving the cluster passes through the egress gateway, its source IP is changed
-to that of the egress gateway pod, and the traffic is then forwarded on.
-
-### Source IP
-
-When an outbound application flow leaves the cluster, its IP packets will have a source IP.
-Normally this is the pod IP of the pod that originated the flow, or the node IP of the node hosting
-that pod. It will be the **node IP** if the pod IP came from an [IP pool](../../reference/resources/ippool.mdx) with `natOutgoing: true`, and the **pod IP** if
-not. (Assuming no other CNI plugin has been configured to NAT outgoing traffic.)
-
-With an egress gateway involved that is all still true, except that now it's the egress gateway that
-counts, instead of the original application pod. So the flow will have the egress gateway's **node
-IP**, if the egress gateway's pod IP came from an [IP pool](../../reference/resources/ippool.mdx)
- with `natOutgoing: true`, and the egress
-gateway's **pod IP** otherwise.
-
-### Control the use of egress gateways
-
-If a cluster ascribes special meaning to traffic flowing through egress gateways, it will be
-important to control when cluster users can configure their pods and namespaces to use them, so that
-non-special pods cannot impersonate the special meaning.
-
-If namespaces in a cluster can only be provisioned by cluster admins, one option is to enable egress
-gateway function only on a per-namespace basis. Then only cluster admins will be able to configure
-any egress gateway usage.
-
-Otherwise -- if namespace provisioning is open to users in general, or if it's desirable for egress
-gateway function to be enabled both per-namespace and per-pod -- a [Kubernetes admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)
- will be
-needed. This is a task for each deployment to implement for itself, but possible approaches include
-the following.
-
-1. Decide whether a given Namespace or Pod is permitted to use egress annotations at all, based on
- other details of the Namespace or Pod definition.
-
-1. Evaluate egress annotation selectors to determine the egress gateways that they map to, and
- decide whether that usage is acceptable.
-
-1. Impose the cluster's own bespoke scheme for a Namespace or Pod to identify the egress gateways
- that it wants to use, less general than $[prodname]'s egress annotations. Then the
- admission controller would police those bespoke annotations (that that cluster's users could
- place on Namespace or Pod resources) and either reject the operation in hand, or allow it
- through after adding the corresponding $[prodname] egress annotations.
-
-### Policy enforcement for flows via an egress gateway
-
-For an outbound connection from a client pod, via an egress gateway, to a destination outside the
-cluster, there is more than one possible enforcement point for policy:
-
-The path of the traffic through policy is as follows:
-
-1. Packet leaves the client pod and passes through its egress policy.
-2. The packet is encapsulated by the client pod's host and sent to the egress gateway
-3. The encapsulated packet is sent from the host to the egress gateway pod.
-4. The egress gateway pod de-encapsulates the packet and sends the packet out again with its own address.
-5. The packet leaves the egress gateway pod through its egress policy.
-
-To ensure correct operation, (as of v3.15) the encapsulated traffic between host and egress gateway is auto-allowed by
-$[prodname] and other ingress traffic is blocked. That means that there are effectively two places where
-policy can be applied:
-
-1. on egress from the client pod
-2. on egress from the egress gateway pod (see limitations below).
-
-The policy applied at (1) is the most powerful since it implicitly sees the original source of the traffic (by
-virtue of being attached to that original source). It also sees the external destination of the traffic.
-
-Since an egress gateway will never originate its own traffic, one option is to rely on policy applied at (1) and
-to allow all traffic to at (2) (either by applying no policy or by applying an "allow all").
-
-Alternatively, for maximum "defense in depth" applying policy at both (1) and (2) provides extra protection should
-the policy at (1) be disabled or bypassed by an attacker. Policy at (2) has the following limitations:
-
-- [Domain-based policy](../../network-policy/domain-based-policy.mdx) is not supported at egress from egress
- gateways. It will either fail to match the expected traffic, or it will work intermittently if the egress gateway
- happens to be scheduled to the same node as its clients. This is because any DNS lookup happens at the client pod.
- By the time the policy reaches (2) the DNS information is lost and only the IP addresses of the traffic are available.
-
-- The traffic source will appear to be the egress gateway pod, the source information is lost in the address
- translation that occurs inside the egress gateway pod.
-
-That means that policies at (2) will usually take the form of rules that match only on destination port and IP address,
-either directly in the rule (via a CIDR match) or via a (non-domain based) NetworkSet. Matching on source has little
-utility since the IP will always be the egress gateway and the port of translated traffic is not always preserved.
-
-:::note
-
-Since v3.15.0, $[prodname] also sends health probes to the egress gateway pods from the nodes where
-their clients are located. In iptables mode, this traffic is auto-allowed at egress from the host and ingress
-to the egress gateway. In eBPF mode, the probe traffic can be blocked by policy, so you must ensure that this traffic allowed; this should be fixed in an upcoming
-patch release.
-
-:::
-
-## Before you begin
-
-**Required**
-
-- Calico CNI
-- Open port UDP 4790 on the host
-
-**Not Supported**
-
-- GKE
-- Windows
-
-## How to
-
-- [Enable egress gateway support](#enable-egress-gateway-support)
-- [Provision an egress IP pool](#provision-an-egress-ip-pool)
-- [Deploy a group of egress gateways](#deploy-a-group-of-egress-gateways)
-- [Configure iptables backend for egress gateways](#configure-iptables-backend-for-egress-gateways)
-- [Configure namespaces and pods to use egress gateways](#configure-namespaces-and-pods-to-use-egress-gateways)
-- [Optionally enable ECMP load balancing](#optionally-enable-ecmp-load-balancing)
-- [Verify the feature operation](#verify-the-feature-operation)
-- [Control the use of egress gateways](#control-the-use-of-egress-gateways)
-- [Upgrade egress gateways](#upgrade-egress-gateways)
-
-### Enable egress gateway support
-
-In the default **FelixConfiguration**, set the `egressIPSupport` field to `EnabledPerNamespace` or
-`EnabledPerNamespaceOrPerPod`, according to the level of support that you need in your cluster. For
-support on a per-namespace basis only:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespace"}}'
-```
-
-Or for support both per-namespace and per-pod:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespaceOrPerPod"}}'
-```
-
-:::note
-
-- `egressIPSupport` must be the same on all cluster nodes, so you should set them only in the
- `default` FelixConfiguration resource.
-- The operator automatically enables the required policy sync API in the FelixConfiguration.
-
-:::
-
-### Provision an egress IP pool
-
-Provision a small IP Pool with the range of source IPs that you want to use for a particular
-application when it connects to an external service. For example:
-
-```bash
-kubectl apply -f - < egress.projectcalico.org/selector="egress-code == 'red'"
-```
-
-By default, that selector can only match egress gateways in the same namespace. To select gateways
-in a different namespace, specify a `namespaceSelector` annotation as well, like this:
-
-```bash
-kubectl annotate ns egress.projectcalico.org/namespaceSelector="projectcalico.org/name == 'default'"
-```
-
-Egress gateway annotations have the same [syntax and range of expressions](../../reference/resources/networkpolicy.mdx#selector) as the selector fields in
-$[prodname] [network policy](../../reference/resources/networkpolicy.mdx#entityrule).
-
-To configure a specific Kubernetes Pod to use egress gateways, specify the same annotations when
-creating the pod. For example:
-
-```bash
-kubectl apply -f - < egress.projectcalico.org/egressGatewayPolicy="egw-policy1"
-```
-
-To configure a specific Kubernetes pod to use the same policy, specify the same annotations when
-creating the pod.
-For example:
-
-```bash
-kubectl apply -f - < -n -- nc 8089 ` should be the IP address of the netcat server.
-
-Then, if you check the logs or output of the netcat server, you should see:
-
-```
-Connection from received
-```
-
-with `` being one of the IPs of the egress IP pool that you provisioned.
-
-## Upgrade egress gateways
-
-From v3.16, egress gateway deployments are managed by the Tigera Operator.
-
-- When upgrading from a pre-v3.16 release, no automatic upgrade will occur. To upgrade a pre-v3.16 egress gateway deployment,
- create an equivalent EgressGateway resource with the same namespace and the same name as mentioned [above](#deploy-a-group-of-egress-gateways);
- the operator will then take over management of the old Deployment resource, replacing it with the upgraded version.
-
-- Use `kubectl apply` to create the egress gateway resource. Tigera Operator will read the newly created resource and wait
- for the other $[prodname] components to be upgraded. Once the other $[prodname] components are upgraded, Tigera Operator
- will upgrade the existing egress gateway deployment with the new image.
-
-By default, upgrading egress gateways will sever any connections that are flowing through them. To minimise impact,
-the egress gateway feature supports some advanced options that give feedback to affected pods. For more details see
-the [egress gateway maintenance guide](egress-gateway-maintenance.mdx).
-
-## Additional resources
-
-Please see also:
-
-- The `egressIP...` fields of the [FelixConfiguration resource](../../reference/resources/felixconfig.mdx#spec).
-- [Additional configuration for egress gateway maintenance](egress-gateway-maintenance.mdx)
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/external-network.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/external-network.mdx
deleted file mode 100644
index 829fe6c76e..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/external-network.mdx
+++ /dev/null
@@ -1,195 +0,0 @@
----
-description: Steer Calico Enterprise egress gateway traffic onto multiple external networks with potentially overlapping IPs by associating gateways with named ExternalNetworks.
----
-
-# Configure egress traffic to multiple external networks
-
-## Big picture
-
-Allows workloads from different namespaces of a Kubernetes cluster to egress onto different external networks that (may) have overlapping IPs with each other.
-
-## Value
-
-When traffic from particular applications leaves the cluster to access an external destination, egress gateway enables users to control the source IP of that traffic. However, in this case, egress gateway sees all the external destinations as a flat L3 network. If a user has a network topology which involves multiple external networks and the service endpoints in those networks may have overlapping IPs, it becomes a mandatory requirement that $[prodname] should be able to direct the egress traffic to the service endpoint in the correct network.
-
-For example, suppose a user has a network setup as below:
-There are two external networks (Red and Yellow) outside the cluster. A web server on network Red is exposing its service at `105.8.10.1`. A database server on network Yellow is exposing its service at `105.8.10.1` too.
-
-Then the cluster could have requirements as follows:
-Pods in Red namespace should send traffic via egress gateways to `105.8.10.1` on external network Red.
-Pods in Yellow namespace should send traffic via egress gateways to `105.8.10.1` on external network Yellow.
-
-External network support is introduced into $[prodname] to meet those requirements. It allows user to associate a egress gateway to external networks so that the egress traffic originated from the client via that egress gateway will be routed to the service endpoints on the associated external networks. In a nutshell, the external network feature adds support for L3 segmentation of outgoing egress traffic.
-
-## Prerequisites
-
-- IPs on multiple external networks may overlap with each other, however, those IPs must not overlap with the IPs of pods within the cluster or their hosts.
-- IPs of the BGP peers peering with the cluster should not overlap.
-
-## Limitations
-
-- This feature should be used in combination with egress gateways. Sending traffic from a client pod to external networks without going through an egress gateway is not supported.
-- This feature only supports IPv4.
-
-## Before you begin
-
-This feature requires you to understand how to configure a functioning egress gateway deployment in a cluster. For more information on deploying egress gateways, [see our other egress gateway guides](./).
-
-## Concepts
-
-### Egress node
-A node in the cluster which is peering with external networks and populating routes to direct traffic from the egress gateway to the destinations on external networks. Any egress gateway which is associated to an external network should be scheduled to be running on a egress node.
-
-### BGP bootstrap routes
-BGP bootstrapping routes are routes on the node for traffic from that node to reach other nodes in the cluster, or other destinations outside the cluster, via whatever routers and external networks the user may need. This is considered outside of the scope of $[prodname], as both $[prodname] and external BGP routers on external networks may require bootstrapping routes to be set up before peering with each other.
-
-## How to
-
-### Enable egress gateway support
-
-In the default **FelixConfiguration**, set the `egressIPSupport` field to `EnabledPerNamespace` or
-`EnabledPerNamespaceOrPerPod`, according to the level of granularity that you need in your cluster. For support on a per-namespace basis only:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespace"}}'
-```
-
-Or to support both per-namespace and per-pod:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPSupport":"EnabledPerNamespaceOrPerPod"}}'
-```
-
-### Enable external network support
-
-In the default **FelixConfiguration**, set the `externalNetworkSupport` field to `Enabled`.
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"externalNetworkSupport":"Enabled"}}'
-```
-
-### Configure egress interfaces
-
-To configure which host interfaces should be used for egress traffic and have the `src_valid_mark` set, configure the `egressIPHostIfacePattern` field in the default **FelixConfiguration**. This field accepts a comma-separated list of interface names and/or regular expressions. Regular expressions must be wrapped in `/.../ `.
-
-For example, to configure interfaces matching the pattern `ens20` or `ens21` with VLAN IDs 100 or 200:
-
-```bash
-kubectl patch felixconfiguration default --type='merge' -p \
- '{"spec":{"egressIPHostIfacePattern":"/^ens2[01][./](100|200)$/"}}'
-```
-
-This ensures that $[prodname] sets the `src_valid_mark` on interfaces matching the specified patterns, which is required for proper egress gateway functionality with external networks.
-
-### Create external network resources
-
-Add an `ExternalNetwork` resource to the cluster for each external networks. For example, to create an `ExternalNetwork` for `red` network.
-
-```bash
-kubectl create -f - <
-# -
-# timeoutSeconds: 15
-# intervalSeconds: 5
-# httpProbe:
-# urls:
-# -
-# -
-# timeoutSeconds: 30
-# intervalSeconds: 10
- template:
- metadata:
- labels:
- egress-code: red
- spec:
- nodeSelector:
- kubernetes.io/os: linux
- terminationGracePeriodSeconds: 0
-EOF
-```
-
-Where:
-- Where externalNetworks associates this egress gateway deployments with external network `red`. All traffic leaving the egress gateway to an external destination will be routed to the destination on external network `red`.
-- Node selector `egress: true` forces egress gateway pods of the deployment to be scheduled on egress nodes.
-
-:::warning
-
-If multiple networks in the `externalNetworkNames` list (of the egress gateway) advertise the same prefix to $[prodname] then traffic to those prefixes will flow to a non-deterministic network, which may result in hard-to-debug connectivity issues. It is the user's responsibility to make sure it will never happen.
-
-:::
-
-### Use egress gateways
-
-Add annotations to namespaces or pods to configure them to use the relevant egress gateways created by the step above. Egress traffic from the application pods will be routed to destinations within the designated external networks.
-
-## Additional resources
-
-- [Troubleshooting egress gateways](troubleshoot.mdx).
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/index.mdx
deleted file mode 100644
index 8f5a409b81..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/index.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: Egress gateways in Calico Enterprise — pin per-namespace or per-pod source IPs for outbound traffic, integrate with cloud fabrics, and segment external networks.
-hide_table_of_contents: true
----
-
-# Egress gateways
-
-import DocCardList from '@theme/DocCardList';
-import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
-
-
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/troubleshoot.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/troubleshoot.mdx
deleted file mode 100644
index 7c72cfb6e5..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/egress/troubleshoot.mdx
+++ /dev/null
@@ -1,276 +0,0 @@
----
-description: Troubleshooting guide for Calico Enterprise egress gateways covering connection failures, source IP mismatches, BGP route advertisement, and required pod metadata.
----
-
-# Troubleshoot egress gateways
-
-- [Checklist of common problems](#checklist-of-common-problems)
-- [Connection to an egress gateway cannot be established](#connection-to-an-egress-gateway-cannot-be-established)
-- [Connection to an egress gateway is established, but destination is not getting correct IP](#connection-to-an-egress-gateway-is-established-but-destination-is-not-getting-correct-ip)
-
-## Checklist of common problems
-
-Use the following checklist to troubleshoot, or to collect details before opening a Support ticket.
-
-### Is the egress gateway feature enabled?
-
-Egress gateway is disabled by default. Have you enabled it in [Felix configuration](../../reference/resources/felixconfig.mdx) by setting `egressIPSupport` to `EnabledPerNamespace` or `EnabledPerNamespaceOrPerPod`?
-
-### Does your egress gateway routing go through a router? (On-prem only.)
-
-As shown in the following diagram, from the gateway to the destination, the source IP is the egress IP. On the return path, from the destination back to the gateway, the destination IP is the egress IP. If there are any routers between the gateway and the destination, they must all know how to route the egress IP back to the gateway. If they don’t, the attempted connection cannot be established.
-
-
-
-Options to make routers aware of egress IP:
-
-- Program routes statically on routers
-- Peer routers with the cluster, directly or indirectly using BGP or some other protocol, or other method so routers learn about the egress IP
-
-### Does your egress gateway have required metadata?
-
-Review important egress gateway metadata (for example, namespace and labels); they are required for a client to identify the gateway(s) that it should use.
-
-### Is natOutgoing on your IPPool set up correctly?
-
-For most egress gateway scenarios you should have: `natOutgoing: false` on the egress IPPool. If you have `natOutgoing: true`, the egress gateway will SNAT to its own IP, which is the intended egress gateway IP. But then the egress gateway’s node will also SNAT to its own IP (i.e. the node IP), which immediately overrides the egress gateway IP.
-
-### Do clients and nodes have required selectors?
-
-Review the following annotations that are required for the client to identify its egress gateways:
-
-- egress.projectcalico.org/egressGatewayPolicy
-- egress.projectcalico.org/selector
-- egress.projectcalico.org/namespaceSelector
-
-on
-
-- Client pod
-- Client pod’s namespace
-
-### Does Calico have enough route tables?
-
-On Linux, Calico claims a number of routing tables for various purposes. The exact number of tables allocated is determined by the [FelixConfiguration](../../reference/resources/felixconfig.mdx) option `routeTableRanges`. Failing to allocate enough route tables will result in Calico failing to program the networking needed for Egress Gateways to function.
-
-Under these conditions, `calico-node` pods will log error messages and report [unhealthy](#check-calico-node-health).
-
-[See more about routeTableRanges](../../reference/resources/felixconfig.mdx#routetableranges)
-
-### Check egress gateway health
-
-As of v3.15.0, the egress gateway `Deployment` includes a Kubernetes `readinessProbe`. The egress gateway will
-only report ready if it is able to connect to the local `calico-node` pod and if any configured HTTP/ICMP probes
-are succeeding.
-
-If the egress gateway reports not-Ready then more information can be found in its logs. The egress gateway logs to
-`stdout` so its logs are available via `kubectl logs -n `.
-
-### Check health of calico-node to egress gateway probes
-
-As of v3.15.0, each `calico-node` pod probes the health of the remote egress gateways that its local pods are using.
-If probes fail, the failures are logged in `calico-node`'s log (search for `egress_gw_tracker`) and reported via Prometheus metrics:
-
-```
-felix_egress_gateway_remote_polls{status="probe-failed"} 0
-felix_egress_gateway_remote_polls{status="total"} 2
-felix_egress_gateway_remote_polls{status="up"} 2
-```
-
-Where, the `total` metric reports the total number of remote egress gateways that are being polled and the `up` and `probe-failed`
-metrics report the number of egress gateways in each of those states.
-
-### Check calico-node health
-
-Check that your calico-node pods are consistently running and ready, especially on the nodes hosting the client and
-gateway pods. Confirming healthy pods will rule out possible issues. If you find that `calico-node` is not ready,
-describing the pod should show which health check is failing:
-
-```bash
-kubectl describe pod ...
-```
-
-In AWS, issues such as permissions problems will report a problem with the `"aws-eni-addresses-in-sync"` health check.
-For more information on the problem, review the `calico-node` log. For example, a permissions issue will result in a
-log such as the following:
-
-```
-2021-11-16 13:11:59.292 [ERROR][26606] felix/aws_iface_provisioner.go 343: Failed to resync with AWS. Will retry after backoff. error=failed to create ENI: operation error EC2: CreateNetworkInterface, https response error StatusCode: 403, RequestID: 13dead98-7da0-4695-9be8-80cab4d5528e, api error UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: j4x3cFwZdJ......ShGkw
-```
-
-If you see such a log, check the AWS IAM permissions assigned to the nodes in your cluster to ensure that the nodes
-have the [required permissions](egress-gateway-aws.mdx#configure-aws-iam-roles). It is also possible
-to decode the "encoded authorization failure message" in the log by following [this guide](https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-encoded-authorization-failure/); this gives more detail on the error.
-
-### Check IP rule and routing setup on the client node
-
-**Run `ip rule`**
-
-On the client node, run:
-
-```
-ip rule
-```
-
-**Sample output**
-
-You will see a line for each pod on the node that is configured to use an egress gateway.
-
-```
-from 192.168.24.35 fwmark 0x80000/0x80000 lookup 250
-```
-
-Where:
-
-- `192.168.24.35` is the relevant client's pod IP
-- `250` is the routing table number
-- `fwmark 0x80000/0x80000` is the bit/mask
-
-If you don’t see this, it means one of the following:
-
-- egressIPSupport is not enabled
-- egressIPSupport is enabled, but you have not configured egress annotations on the client pod or on its namespace
-- egressIPSupport is EnabledPerNamespace and you have configured egress annotations on the client pod, but not on its namespace
-
-**Run `ip route show table`**
-
-On the client node, run the following command using the routing table number from the `ip rule` command. For example: `250`.
-
-```
-ip route show table
-```
-
-**Sample output: clients using a single egress gateway**
-
-```
-default via 11.11.11.1 dev egress.calico onlink
-```
-
-**Sample: clients using multiple gateways**
-
-```
-default onlink
- nexthop via 11.11.11.1 dev egress.calico weight 1 onlink
- nexthop via 11.11.11.2 dev egress.calico weight 1 onlink
-```
-
-**Sample: clients using the following egress gateway policy**
-
-```yaml noValidation
-apiVersion: projectcalico.org/v3
-kind: EgressGatewayPolicy
-metadata:
- name: "egw-policy1"
-spec:
- rules:
- - destination:
- cidr: 10.0.0.0/8
- description: "Local: no gateway"
- - destination:
- cidr: 11.0.0.0/8
- description: "Gateway to on prem"
- gateway:
- namespaceSelector: "projectcalico.org/name == 'default'"
- selector: "egress-code == 'blue'"
- maxNextHops: 2
- - description: "Gateway to internet"
- gateway:
- namespaceSelector: "projectcalico.org/name == 'default'"
- selector: "egress-code == 'red'"
-```
-
-```
-default onlink
- nexthop via 11.11.11.1 dev egress.calico weight 1 onlink
- nexthop via 11.11.11.2 dev egress.calico weight 1 onlink
- nexthop via 11.11.11.3 dev egress.calico weight 1 onlink
-throw 10.0.0.0/8
-11.0.0.0/8 onlink
- nexthop via 11.11.12.1 dev egress.calico weight 1 onlink
- nexthop via 11.11.12.2 dev egress.calico weight 1 onlink
-```
-
-If you see nothing at all, or the following:
-
-```
-unreachable default scope link
-```
-
-- Verify that you have provisioned the gateways
-- Review the selectors, and gateway namespace and labels to determine why they aren’t matching each other
-
-### Do you have egress IPs in BGPConfiguration svcExternalIPs?
-
-You should not have any egress IPs or pod IP ranges in BGPConfiguration `serviceExternalIPs` or `serviceClusterIPs` fields; it causes problems if you do.
-
-By default, $[prodname] BGP exports all pod IPs, which includes egress gateway IPs because they are pod IPs. But you can also use [BGPConfiguration resource parameters](../../reference/resources/bgpconfig.mdx) like `BGPConfiguration`, `serviceClusterIPs`, `serviceExternalIPs` and `serviceLoadBalancerIPs` to export additional IP ranges, in particular Kubernetes Service IPs. Because $[prodname] exports additional IP ranges in a different way from pod IPs, things can go wrong if you include pod IPs in the additional ranges.
-
-## Connection to an egress gateway cannot be established
-
-If the outbound connection cannot be established, the policy may be denying the flow. As shown in the following diagram, policy is enforced at more points in an egress gateway flow.
-
-
-
-**Policy enforcement**:
-
-- From the client pod, egress
-- To the gateway pod, ingress
-- From the gateway pod, egress
-- Any relevant HostEndpoints that are configured in your cluster
-
-In [the web console](../../observability/get-started-cem.mdx), check for dropped packets because of policy on the outbound connection path. If you are using the iptables data plane, you can also run the following command on the client and gateway nodes to look at a lower level.
-
-```
-watch iptables-save -c | grep DROP | grep -v 0:0
-```
-
-## Connection to an egress gateway is established, but destination is not getting correct IP
-
-If you see that the outbound connection established, but the source IP is incorrect at the destination, this can indicate that other SNAT or MASQUERADE is taking effect after the packet leaves the egress gateway pod and is overriding the egress gateway IP. If you intentionally have a MASQUERADE/SNAT for another general purpose, you must filter it so it does not apply to traffic whose source IP comes from the egress gateway pool.
-
-To check the egress gateway’s node, use iptables:
-
-```
-iptables-save -c | grep -i MASQUERADE
-iptables-save -c | grep -i SNAT
-```
-
-## Finding leaked AWS ENIs
-
-In normal usage of the AWS-backed IP pools feature, the $[noderunning] Pod on each node will manage the
-secondary ENIs used for networking AWS-backed IP pools. It also marks its secondary ENIs for deletion on
-instance termination to avoid leaking any ENIs when an instance is terminated.
-
-However, in certain highly unusual situations, such as the following sequence of events:
-
-- $[noderunning] adds an ENI.
-- The AWS API call to mark the ENI for "delete on termination" fails.
-- The entire instance is deleted before the automatic retry of the above operation succeeds.
-
-Then, it would be possible for an ENI to be leaked. $[prodname] marks all the ENIs that it creates with tags
-to identify them as $[prodname] secondary ENIs and the ID of the instance they _should_ belong to.
-To find potentially leaked ENIs, you can use the AWS command line tool as follows:
-
-```bash
-aws ec2 describe-network-interfaces --filters Name=status,Values=available Name=tag-key,Values=calico:use
-```
-
-Then, examine the "Tag set" of the returned network interface values to see if any of them belong to nodes that have
-been deleted:
-
-```
-"TagSet": [
- {
- "Key": "calico:use",
- "Value": "secondary"
- },
- {
- "Key": "calico:instance",
- "Value": "i-00122bf604c6ab776"
- }
-],
-```
-
-If the instance ID recorded in the "calico:instance" tag is for an instance that no longer exists then the ENI
-has been leaked; it is safe to delete the ENI. If the instance ID belongs to an active instance then there
-is no need to delete the ENI, it should be cleaned up (or put into use) by the $[noderunning] Pod running
-on that instance.
diff --git a/calico-enterprise_versioned_docs/version-3.23-1/networking/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/networking/index.mdx
deleted file mode 100644
index ffb67b7d0f..0000000000
--- a/calico-enterprise_versioned_docs/version-3.23-1/networking/index.mdx
+++ /dev/null
@@ -1,62 +0,0 @@
----
-description: Calico Enterprise networking covers BGP, overlay encapsulation, IPAM, egress gateways, ingress gateways, eBPF acceleration, and Kubernetes networking training.
----
-
-import { DocCardLink, DocCardLinkLayout } from '/src/___new___/components';
-
-# Networking
-
-The $[prodname] network plugins provide a range of networking options to fit your implementation and maximize performance.
-
-## Getting started
-
-