diff --git a/calico-cloud/_includes/content/_rule.mdx b/calico-cloud/_includes/content/_rule.mdx index efcdb567f3..60b88de64f 100644 --- a/calico-cloud/_includes/content/_rule.mdx +++ b/calico-cloud/_includes/content/_rule.mdx @@ -12,7 +12,7 @@ are executed in order. | ipVersion | Positive IP version match. | `4`, `6` | integer | | | source | Source match parameters. | | [EntityRule](#entityrule) | | | destination | Destination match parameters. | | [EntityRule](#entityrule) | | -| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | [HTTPMatch](#httpmatch) | | +| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | HTTPMatch | | After a `Log` action, processing continues with the next rule; `Allow` and `Deny` are immediate and final and no further rules are processed. diff --git a/calico-cloud/get-started/operator-checklist.mdx b/calico-cloud/get-started/operator-checklist.mdx index c7839b83f3..d52b360362 100644 --- a/calico-cloud/get-started/operator-checklist.mdx +++ b/calico-cloud/get-started/operator-checklist.mdx @@ -11,7 +11,7 @@ If you have issues getting your cluster up and running, use this checklist. - [Check logs for fatal errors](#check-logs-for-fatal-errors) - [Check custom resources](#check-custom-resources) - [Check pod capacity](#check-pod-capacity) -- [Check the web console dashboard for traffic](#check-manager-ui-dashboard-for-traffic) +- [Check the web console dashboard for traffic](#check-the-web-console-dashboard-for-traffic) ## Check installation start errors diff --git a/calico-cloud/multicluster/kubeconfig.mdx b/calico-cloud/multicluster/kubeconfig.mdx index 11b7611cfd..e398d77b36 100644 --- a/calico-cloud/multicluster/kubeconfig.mdx +++ b/calico-cloud/multicluster/kubeconfig.mdx @@ -275,7 +275,7 @@ A cluster in the mesh can write policy rules that select pods from other cluster ### Switch to multi-cluster networking The steps above assume that you are configuring both federated endpoint identity and multi-cluster networking for the first time. If you already have federated endpoint identity, and want to use multi-cluster networking, follow these steps: -1. Validate that all [requirements](#calico-enterprise-multi-cluster-networking) for multi-cluster networking have been met. +1. Validate that all [requirements](#prerequisites-for-calico-cloud-multi-cluster-networking) for multi-cluster networking have been met. 2. Update the ClusterRole in each cluster in the cluster mesh using the RBAC manifest found in [Generate credentials for cross-cluster authentication](#generate-credentials-for-cross-cluster-resource-synchronization) 3. In all RemoteClusterConfigurations, set `Spec.OverlayRoutingMode` to `Enabled`. 4. Verify that all RemoteClusterConfigurations are bidirectional (in both directions for each cluster pair) using these [instructions](#establish-cross-cluster-resource-synchronization). @@ -371,7 +371,7 @@ If the Typha logs do not yield the expected result, review the warning or error- #### Troubleshoot multi-cluster networking ##### Basic validation * Ensure that RemoteClusterConfiguration and federated endpoint identity are [functioning correctly](#validate-federated-endpoint-identity--multi-cluster-networking) -* Verify that you have met the [prerequisites](#calico-enterprise-multi-cluster-networking) for multi-cluster networking +* Verify that you have met the [prerequisites](#prerequisites-for-calico-cloud-multi-cluster-networking) for multi-cluster networking * If you had previously set up RemoteClusterConfigurations without multi-cluster networking, and are upgrading to use the feature, review the [switching considerations](#switch-to-multi-cluster-networking) * Verify that traffic between clusters is not being denied by network policy diff --git a/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx b/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx index f69da9ebe0..fd43d0ddfd 100644 --- a/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-cloud/network-policy/beginners/kubernetes-default-deny.mdx @@ -35,8 +35,8 @@ For other endpoint types (VMs, host interfaces), the default behavior is to deny ## How to -- [Create a default deny network policy](#crate-a-default-deny-network-policy) -- [Create a global default deny network policy](#create-a-global-default-deny-network-policy) +- [Create a default deny network policy](#create-a-default-deny-network-policy) +- [Create a global default deny network policy](#create-a-global-default-deny-policy) ### Create a default deny network policy diff --git a/calico-cloud/network-policy/recommendations/policy-recommendations.mdx b/calico-cloud/network-policy/recommendations/policy-recommendations.mdx index d4a976789c..aa907a5543 100644 --- a/calico-cloud/network-policy/recommendations/policy-recommendations.mdx +++ b/calico-cloud/network-policy/recommendations/policy-recommendations.mdx @@ -44,13 +44,13 @@ Creating and managing policy recommendations is available only in the web consol ## How to -- [Enable policy recommendations](#enable-policy-recommendations) +- Enable policy recommendations - [Activate and review policy recommendations](#activate-and-review-policy-recommendations) - [Review global settings for workloads](#review-global-settings-for-workloads) - [Update policy recommendations](#update-policy-recommendations) - [Private network recommendations](#private-network-recommendations) - [Troubleshoot policy recommendations](#troubleshoot-policy-recommendations) -- [Disable the policy recommendations feature](#disable-the-policy-recommendations-feature) +- [Disable the policy recommendations feature](#disable-policy-recommendations) ### Enable policy recommendations **using the web console** @@ -63,7 +63,7 @@ The **Policy Recommendations** board is automatically displayed. **Notes**: -- A policy recommendation is generated for every namespace in your cluster (unless namespaces are filtered out by an Admin using the [selector](../../reference/resources/policyrecommendations.mdx#namespaceSpec#selector) in the PolicyRecommendationScope resource). +- A policy recommendation is generated for every namespace in your cluster (unless namespaces are filtered out by an Admin using the [selector](../../reference/resources/policyrecommendations.mdx#namespacespec) in the PolicyRecommendationScope resource). - Flow logs are continuously monitored for policy recommendations. - Recommended policies are continuously updated until you **Add to policy board** or **Dismiss policy** using the Actions menu. - Policy recommendations are created as **staged network policies** so you can safely observe the traffic before enforcing them. diff --git a/calico-cloud/network-policy/staged-network-policies.mdx b/calico-cloud/network-policy/staged-network-policies.mdx index fde5fb4357..1662dd0b3d 100644 --- a/calico-cloud/network-policy/staged-network-policies.mdx +++ b/calico-cloud/network-policy/staged-network-policies.mdx @@ -178,4 +178,4 @@ spec: - For details on how to configure RBAC for staged policy resources, see [Configuring RBAC for tiered policy](policy-tiers/rbac-tiered-policies.mdx) - For details on staged policy metrics, see - [Flow logs](../observability/elastic/flow/datatypes.mdx) - - [Prometheus metrics](../operations/monitor/metrics/index.mdx#content-main) + - [Prometheus metrics](../operations/monitor/metrics/index.mdx) diff --git a/calico-cloud/networking/configuring/bgp-to-workload.mdx b/calico-cloud/networking/configuring/bgp-to-workload.mdx index dfdb20255e..9cd6d595a3 100644 --- a/calico-cloud/networking/configuring/bgp-to-workload.mdx +++ b/calico-cloud/networking/configuring/bgp-to-workload.mdx @@ -68,7 +68,7 @@ source traffic. ## How to - [Configure global BGP settings](#configure-global-bgp-settings) -- [Create BGPFilter resources](#configure-bgpfilter-resources) +- [Create BGPFilter resources](#create-bgpfilter-resources) - [Configure parent cluster BGP topology](#configure-parent-cluster-bgp-topology) - [Configure BGP peering with workloads](#configure-bgp-peering-with-workloads) - [Configure more than one nested cluster](#configure-more-than-one-nested-cluster) diff --git a/calico-cloud/networking/configuring/dual-tor.mdx b/calico-cloud/networking/configuring/dual-tor.mdx index c77f97a14f..b974e55a53 100644 --- a/calico-cloud/networking/configuring/dual-tor.mdx +++ b/calico-cloud/networking/configuring/dual-tor.mdx @@ -208,7 +208,7 @@ For a dual ToR setup, LLGR is helpful, as explained in more detail by [this blog - [Prepare YAML resources describing the layout of your cluster](#prepare-yaml-resources-describing-the-layout-of-your-cluster) - [Arrange for dual-homed nodes to run $[nodecontainer] on each boot](#arrange-for-dual-homed-nodes-to-run-cnx-node-on-each-boot) - [Configure your ToR routers and infrastructure](#configure-your-tor-routers-and-infrastructure) -- [Install Kubernetes and $[prodname]](#install-kubernetes-and-calico-enterprise) +- [Install Kubernetes and $[prodname]](#install-kubernetes-and-calico-cloud) - [Verify the deployment](#verify-the-deployment) ### Prepare YAML resources describing the layout of your cluster diff --git a/calico-cloud/networking/egress/egress-gateway-azure.mdx b/calico-cloud/networking/egress/egress-gateway-azure.mdx index 109cbacf87..3488339069 100644 --- a/calico-cloud/networking/egress/egress-gateway-azure.mdx +++ b/calico-cloud/networking/egress/egress-gateway-azure.mdx @@ -98,13 +98,13 @@ $[prodname] CNI and IPAM are required. The ability to control the egress gateway - [Disable the default BGP node-to-node mesh](#disable-the-default-bgp-node-to-node-mesh) - [Enable BGP](#enable-bgp) - [Provision an egress IP pool](#provision-an-egress-ip-pool) -- [(Optional) Limit number of route advertisement](#limit-number-of-route-advertisement) -- [Configure route reflector](#configure-route-reflector) +- [(Optional) Limit number of route advertisement](#optional-limit-number-of-route-advertisements) +- [Configure route reflector](#configure-route-reflectors) - [Enable egress gateway support](#enable-egress-gateway-support) - [Deploy a group of egress gateways](#deploy-a-group-of-egress-gateways) - [Configure iptables backend for egress gateways](#configure-iptables-backend-for-egress-gateways) - [Configure namespaces and pods to use egress gateways](#configure-namespaces-and-pods-to-use-egress-gateways) -- [(Optional) Enable ECMP load balancing](#optionally-enable-ecmp-load-balancing) +- [(Optional) Enable ECMP load balancing](#optional-enable-ecmp-load-balancing) - [Verify the feature operation](#verify-the-feature-operation) - [Control the use of egress gateways](#control-the-use-of-egress-gateways) - [Policy enforcement for flows via an egress gateway](#policy-enforcement-for-flows-via-an-egress-gateway) diff --git a/calico-cloud/observability/alerts.mdx b/calico-cloud/observability/alerts.mdx index bb5363863c..82926de69e 100644 --- a/calico-cloud/observability/alerts.mdx +++ b/calico-cloud/observability/alerts.mdx @@ -34,7 +34,7 @@ To turn down aggregation on flow logs, go to [FelixConfiguration](../reference/r ## How to -- [Manage alerts in the web console](#manage-alerts-in-manager-ui) +- [Manage alerts in the web console](#manage-alerts-in-the-web-console) - [Manage alerts using CLI](#manage-alerts-using-cli) ### Manage alerts in the web console diff --git a/calico-cloud/observability/elastic/l7/configure.mdx b/calico-cloud/observability/elastic/l7/configure.mdx index 39a5620c40..85f19a5372 100644 --- a/calico-cloud/observability/elastic/l7/configure.mdx +++ b/calico-cloud/observability/elastic/l7/configure.mdx @@ -63,7 +63,7 @@ L7 logs require a minimum of 1 additional GB of log storage per node, per one-da 1. Configure L7 log aggregation, retention, and reporting. - For help, see [Felix Configuration documentation](../../../reference/component-resources/node/felix/configuration.mdx#calico-enterprise-specific-configuration). + For help, see [Felix Configuration documentation](../../../reference/component-resources/node/felix/configuration.mdx). ## Configure L7 logs diff --git a/calico-cloud/observability/iptables.mdx b/calico-cloud/observability/iptables.mdx index 5cc5524772..7d4c5da111 100644 --- a/calico-cloud/observability/iptables.mdx +++ b/calico-cloud/observability/iptables.mdx @@ -18,7 +18,7 @@ $[prodname] adds a Felix option `DropActionOverride` that configures how the It can add logs for denied packets, or even allow the traffic through. See the -[Felix configuration reference](../reference/component-resources/node/felix/configuration.mdx#calico-cloud-specific-configuration) for +[Felix configuration reference](../reference/component-resources/node/felix/configuration.mdx) for information on how to configure this option. `DropActionOverride` controls what happens to each packet that is denied by diff --git a/calico-cloud/operations/ebpf/troubleshoot-ebpf.mdx b/calico-cloud/operations/ebpf/troubleshoot-ebpf.mdx index b3d0087c97..a51b2046fb 100644 --- a/calico-cloud/operations/ebpf/troubleshoot-ebpf.mdx +++ b/calico-cloud/operations/ebpf/troubleshoot-ebpf.mdx @@ -202,7 +202,7 @@ Enabling logs in this way has a significant impact on eBPF program performance. To reduce the performance impact in production clusters, you can target logging to specific traffic and/or specific interfaces using the -[bpfLogFilters](../../reference/component-resources/node/felix/configuration.mdx#BPFLogFilters) Felix +[bpfLogFilters](../../reference/component-resources/node/felix/configuration.mdx) Felix configuration setting. Filters are pcap expressions. > Note that the filters are applied to the original packet, before any NAT or diff --git a/calico-cloud/operations/monitor/metrics/policy-metrics.mdx b/calico-cloud/operations/monitor/metrics/policy-metrics.mdx index 3ece13764a..fc49d366a1 100644 --- a/calico-cloud/operations/monitor/metrics/policy-metrics.mdx +++ b/calico-cloud/operations/monitor/metrics/policy-metrics.mdx @@ -135,7 +135,7 @@ sum(irate(cnx_policy_rule_packets[30s])) without (instance,rule_index,rule_direc ``` See the -[Felix configuration reference](../../../reference/component-resources/node/felix/configuration.mdx#calico-cloud-specific-configuration) for +[Felix configuration reference](../../../reference/component-resources/node/felix/configuration.mdx) for the settings that control the reporting of these metrics. $[prodname] manifests normally set `PrometheusReporterEnabled=true` and `PrometheusReporterPort=9081`, so these metrics are available on each compute diff --git a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx index 80aaecdc4e..bfcc5039f5 100644 --- a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx @@ -39,7 +39,7 @@ For the supported version of Prometheus in this release, see the [Release Notes] ### Scrape all enabled metrics In this section we create a service monitor that scrapes all enabled metrics. To enable metrics that -are not enabled by default, please consult the [next section](#scrape-metrics-from-specific-components). +are not enabled by default, please consult the [next section](#scrape-metrics-from-specific-components-directly). The following example shows a Prometheus server installed in namespace "external-prometheus" with a `serviceMonitorSelector` that selects all service monitors with the label `k8s-app=tigera-external-prometheus`. @@ -369,7 +369,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied ### Troubleshooting -This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) +This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components-directly) section. 1. Extract the TLS credentials and CA bundle from the cluster. diff --git a/calico-cloud/reference/resources/bgpfilter.mdx b/calico-cloud/reference/resources/bgpfilter.mdx index f7f6c2cd8b..1ef238cd40 100644 --- a/calico-cloud/reference/resources/bgpfilter.mdx +++ b/calico-cloud/reference/resources/bgpfilter.mdx @@ -77,7 +77,7 @@ spec: | Field | Description | Accepted Values | Schema | Default | | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- | | cidr | IPv6 range | A valid IPv6 CIDR | string | | -| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | +| prefixLength | PrefixLength | Valid integers between 0 and ipv4/6 max (32, 128) | | | | matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | | source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | | interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | @@ -88,7 +88,7 @@ spec: | Field | Description | Accepted Values | Schema | Default | | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- | | cidr | IPv6 range | A valid IPv6 CIDR | string | | -| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | +| prefixLength | PrefixLength | Valid integers between 0 and ipv4/6 max (32, 128) | | | | matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | | source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | | interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | diff --git a/calico-cloud/reference/resources/bgppeer.mdx b/calico-cloud/reference/resources/bgppeer.mdx index 35b56c4f23..8b8be1958a 100644 --- a/calico-cloud/reference/resources/bgppeer.mdx +++ b/calico-cloud/reference/resources/bgppeer.mdx @@ -45,7 +45,7 @@ spec: | asNumber | The remote AS Number of the peer. | A valid AS Number, may be specified in dotted notation. | integer/string | | nodeSelector | Selector for the nodes that should have this peering. When this is set, the `node` field must be empty. | | [selector](#selector) | | peerSelector | Selector for the remote nodes to peer with. When this is set, the `peerIP` and `asNumber` fields must be empty. | | [selector](#selector) | -| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selectors) | | +| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selector) | | | keepOriginalNextHop | Maintain and forward the original next hop BGP route attribute to a specific Peer within a different AS. | | boolean | | extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | | | password | [BGP password](../../networking/configuring/secure-bgp.mdx) for the peerings generated by this BGPPeer resource. | | [BGPPassword](#bgppassword) | `nil` (no password) | diff --git a/calico-cloud/threat/web-application-firewall.mdx b/calico-cloud/threat/web-application-firewall.mdx index 8d4d50a108..68b5ec9061 100644 --- a/calico-cloud/threat/web-application-firewall.mdx +++ b/calico-cloud/threat/web-application-firewall.mdx @@ -35,7 +35,7 @@ Every request that WAF finds an issue with, will result in a Security Event bein If you configure WAF in blocking mode, WAF will use something called [anomaly scoring mode](https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/) to determine if a request is allowed with `200 OK` or denied `403 Forbidden`. -This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-your-waf) for your specific needs in your cluster. +This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-waf-configuration) for your specific needs in your cluster. ## Before you begin diff --git a/calico-cloud/tutorials/training/about-kubernetes-services.mdx b/calico-cloud/tutorials/training/about-kubernetes-services.mdx index 61ae2ac9c5..f557bdf68e 100644 --- a/calico-cloud/tutorials/training/about-kubernetes-services.mdx +++ b/calico-cloud/tutorials/training/about-kubernetes-services.mdx @@ -73,7 +73,7 @@ reverse the NAT.) Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the service backing pod does not see the original client IP address. Typically this means that any such policy is limited to restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can -be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using +be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using $[prodname]'s eBPF data plane native service handling (rather than kube-proxy) which preserves source IP address. ## Load balancer services @@ -89,7 +89,7 @@ default will load balance evenly across the nodes using the service node port. Most network load balancers preserve the client source IP address, but because the service then goes via a node port, the backing pods themselves do not see the client IP, with the same implications for network policy. As with node -ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) +ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address. diff --git a/calico-cloud_versioned_docs/version-22-2/_includes/content/_rule.mdx b/calico-cloud_versioned_docs/version-22-2/_includes/content/_rule.mdx index efcdb567f3..60b88de64f 100644 --- a/calico-cloud_versioned_docs/version-22-2/_includes/content/_rule.mdx +++ b/calico-cloud_versioned_docs/version-22-2/_includes/content/_rule.mdx @@ -12,7 +12,7 @@ are executed in order. | ipVersion | Positive IP version match. | `4`, `6` | integer | | | source | Source match parameters. | | [EntityRule](#entityrule) | | | destination | Destination match parameters. | | [EntityRule](#entityrule) | | -| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | [HTTPMatch](#httpmatch) | | +| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | HTTPMatch | | After a `Log` action, processing continues with the next rule; `Allow` and `Deny` are immediate and final and no further rules are processed. diff --git a/calico-cloud_versioned_docs/version-22-2/get-started/operator-checklist.mdx b/calico-cloud_versioned_docs/version-22-2/get-started/operator-checklist.mdx index d79153791b..fee6bca5e0 100644 --- a/calico-cloud_versioned_docs/version-22-2/get-started/operator-checklist.mdx +++ b/calico-cloud_versioned_docs/version-22-2/get-started/operator-checklist.mdx @@ -11,7 +11,7 @@ If you have issues getting your cluster up and running, use this checklist. - [Check logs for fatal errors](#check-logs-for-fatal-errors) - [Check custom resources](#check-custom-resources) - [Check pod capacity](#check-pod-capacity) -- [Check the web console dashboard for traffic](#check-manager-ui-dashboard-for-traffic) +- [Check the web console dashboard for traffic](#check-the-web-console-dashboard-for-traffic) ## Check installation start errors diff --git a/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/cluster-scanner.mdx b/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/cluster-scanner.mdx index 5fe93b5006..3c80312681 100644 --- a/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/cluster-scanner.mdx +++ b/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/cluster-scanner.mdx @@ -62,7 +62,7 @@ $[prodname] checks running images for new vulnerabilities every 24 hours and rep Complete the following steps for each managed cluster you want enabled with the cluster scanner: -1. Modify the [Image Assurance](../../reference/installation/ia-api.mdx#image-assurance.operator.tigera.io/v1.ImageAssuranceSpec) installation resource. +1. Modify the [Image Assurance](../../reference/installation/ia-api.mdx) installation resource. ```bash kubectl edit imageassurance default @@ -78,7 +78,7 @@ That’s it. The cluster scanner will start scanning images on running pods in t ### Customize scanner settings -To change default settings, modify the [Image Assurance](../../reference/installation/ia-api.mdx#image-assurance.operator.tigera.io/v1.ImageAssuranceSpec) installation resource. +To change default settings, modify the [Image Assurance](../../reference/installation/ia-api.mdx) installation resource. - Container runtime socket path @@ -92,7 +92,7 @@ To change default settings, modify the [Image Assurance](../../reference/install To specify which namespaces should be excluded from future scans, follow the following steps. -- Modify your [Image Assurance](../../reference/installation/ia-api.mdx#image-assurance.operator.tigera.io/v1.ImageAssuranceSpec) installation resource to include the `exclusions.namespaces` field. List each namespace you want to exclude. +- Modify your [Image Assurance](../../reference/installation/ia-api.mdx) installation resource to include the `exclusions.namespaces` field. List each namespace you want to exclude. ```yaml diff --git a/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/pipeline-scanner.mdx b/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/pipeline-scanner.mdx index ea4071d064..7ef977909b 100644 --- a/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/pipeline-scanner.mdx +++ b/calico-cloud_versioned_docs/version-22-2/image-assurance/scanners/pipeline-scanner.mdx @@ -39,7 +39,7 @@ If the CLI scanner is part of your pipeline, scanning is done before runtime and - [Get the latest version of Image Assurance](#get-the-latest-version-of-image-assurance) - [Start the scanner](#start-the-scanner) -- [Integrate the scanner in your build pipeline](#integrate-the-scanner-in-your-build-pipeline) +- [Integrate the scanner in your build pipeline](#integrate-the-scanner-into-your-build-pipeline-1) - [Manually scan images](#manually-scan-images) - [Scan images using a configuration file](#scan-images-using-a-configuration-file) diff --git a/calico-cloud_versioned_docs/version-22-2/multicluster/kubeconfig.mdx b/calico-cloud_versioned_docs/version-22-2/multicluster/kubeconfig.mdx index 11b7611cfd..e398d77b36 100644 --- a/calico-cloud_versioned_docs/version-22-2/multicluster/kubeconfig.mdx +++ b/calico-cloud_versioned_docs/version-22-2/multicluster/kubeconfig.mdx @@ -275,7 +275,7 @@ A cluster in the mesh can write policy rules that select pods from other cluster ### Switch to multi-cluster networking The steps above assume that you are configuring both federated endpoint identity and multi-cluster networking for the first time. If you already have federated endpoint identity, and want to use multi-cluster networking, follow these steps: -1. Validate that all [requirements](#calico-enterprise-multi-cluster-networking) for multi-cluster networking have been met. +1. Validate that all [requirements](#prerequisites-for-calico-cloud-multi-cluster-networking) for multi-cluster networking have been met. 2. Update the ClusterRole in each cluster in the cluster mesh using the RBAC manifest found in [Generate credentials for cross-cluster authentication](#generate-credentials-for-cross-cluster-resource-synchronization) 3. In all RemoteClusterConfigurations, set `Spec.OverlayRoutingMode` to `Enabled`. 4. Verify that all RemoteClusterConfigurations are bidirectional (in both directions for each cluster pair) using these [instructions](#establish-cross-cluster-resource-synchronization). @@ -371,7 +371,7 @@ If the Typha logs do not yield the expected result, review the warning or error- #### Troubleshoot multi-cluster networking ##### Basic validation * Ensure that RemoteClusterConfiguration and federated endpoint identity are [functioning correctly](#validate-federated-endpoint-identity--multi-cluster-networking) -* Verify that you have met the [prerequisites](#calico-enterprise-multi-cluster-networking) for multi-cluster networking +* Verify that you have met the [prerequisites](#prerequisites-for-calico-cloud-multi-cluster-networking) for multi-cluster networking * If you had previously set up RemoteClusterConfigurations without multi-cluster networking, and are upgrading to use the feature, review the [switching considerations](#switch-to-multi-cluster-networking) * Verify that traffic between clusters is not being denied by network policy diff --git a/calico-cloud_versioned_docs/version-22-2/network-policy/application-layer-policies/alp.mdx b/calico-cloud_versioned_docs/version-22-2/network-policy/application-layer-policies/alp.mdx index c8a44a6efa..4157681141 100644 --- a/calico-cloud_versioned_docs/version-22-2/network-policy/application-layer-policies/alp.mdx +++ b/calico-cloud_versioned_docs/version-22-2/network-policy/application-layer-policies/alp.mdx @@ -18,7 +18,7 @@ Application layer policies let you configure access controls based on L7 attribu * Application layer policies apply to the entire cluster. They can not be namespaced. * Logs for application layer polices are not included with other L7 logs in Service Graph. - To view logs for application layer policies, you must [view them in Kibana](../../observability/elastic/l7/configure.mdx#kibana). + To view logs for application layer policies, you must [view them in Kibana](../../observability/elastic/l7/configure.mdx#view-l7-logs-in-the-web-console). * Application layer policy is supported only on Kubernetes 1.29 and later. :::important diff --git a/calico-cloud_versioned_docs/version-22-2/network-policy/beginners/kubernetes-default-deny.mdx b/calico-cloud_versioned_docs/version-22-2/network-policy/beginners/kubernetes-default-deny.mdx index f69da9ebe0..fd43d0ddfd 100644 --- a/calico-cloud_versioned_docs/version-22-2/network-policy/beginners/kubernetes-default-deny.mdx +++ b/calico-cloud_versioned_docs/version-22-2/network-policy/beginners/kubernetes-default-deny.mdx @@ -35,8 +35,8 @@ For other endpoint types (VMs, host interfaces), the default behavior is to deny ## How to -- [Create a default deny network policy](#crate-a-default-deny-network-policy) -- [Create a global default deny network policy](#create-a-global-default-deny-network-policy) +- [Create a default deny network policy](#create-a-default-deny-network-policy) +- [Create a global default deny network policy](#create-a-global-default-deny-policy) ### Create a default deny network policy diff --git a/calico-cloud_versioned_docs/version-22-2/network-policy/recommendations/policy-recommendations.mdx b/calico-cloud_versioned_docs/version-22-2/network-policy/recommendations/policy-recommendations.mdx index d4a976789c..aa907a5543 100644 --- a/calico-cloud_versioned_docs/version-22-2/network-policy/recommendations/policy-recommendations.mdx +++ b/calico-cloud_versioned_docs/version-22-2/network-policy/recommendations/policy-recommendations.mdx @@ -44,13 +44,13 @@ Creating and managing policy recommendations is available only in the web consol ## How to -- [Enable policy recommendations](#enable-policy-recommendations) +- Enable policy recommendations - [Activate and review policy recommendations](#activate-and-review-policy-recommendations) - [Review global settings for workloads](#review-global-settings-for-workloads) - [Update policy recommendations](#update-policy-recommendations) - [Private network recommendations](#private-network-recommendations) - [Troubleshoot policy recommendations](#troubleshoot-policy-recommendations) -- [Disable the policy recommendations feature](#disable-the-policy-recommendations-feature) +- [Disable the policy recommendations feature](#disable-policy-recommendations) ### Enable policy recommendations **using the web console** @@ -63,7 +63,7 @@ The **Policy Recommendations** board is automatically displayed. **Notes**: -- A policy recommendation is generated for every namespace in your cluster (unless namespaces are filtered out by an Admin using the [selector](../../reference/resources/policyrecommendations.mdx#namespaceSpec#selector) in the PolicyRecommendationScope resource). +- A policy recommendation is generated for every namespace in your cluster (unless namespaces are filtered out by an Admin using the [selector](../../reference/resources/policyrecommendations.mdx#namespacespec) in the PolicyRecommendationScope resource). - Flow logs are continuously monitored for policy recommendations. - Recommended policies are continuously updated until you **Add to policy board** or **Dismiss policy** using the Actions menu. - Policy recommendations are created as **staged network policies** so you can safely observe the traffic before enforcing them. diff --git a/calico-cloud_versioned_docs/version-22-2/network-policy/staged-network-policies.mdx b/calico-cloud_versioned_docs/version-22-2/network-policy/staged-network-policies.mdx index fde5fb4357..1662dd0b3d 100644 --- a/calico-cloud_versioned_docs/version-22-2/network-policy/staged-network-policies.mdx +++ b/calico-cloud_versioned_docs/version-22-2/network-policy/staged-network-policies.mdx @@ -178,4 +178,4 @@ spec: - For details on how to configure RBAC for staged policy resources, see [Configuring RBAC for tiered policy](policy-tiers/rbac-tiered-policies.mdx) - For details on staged policy metrics, see - [Flow logs](../observability/elastic/flow/datatypes.mdx) - - [Prometheus metrics](../operations/monitor/metrics/index.mdx#content-main) + - [Prometheus metrics](../operations/monitor/metrics/index.mdx) diff --git a/calico-cloud_versioned_docs/version-22-2/networking/configuring/bgp-to-workload.mdx b/calico-cloud_versioned_docs/version-22-2/networking/configuring/bgp-to-workload.mdx index dfdb20255e..9cd6d595a3 100644 --- a/calico-cloud_versioned_docs/version-22-2/networking/configuring/bgp-to-workload.mdx +++ b/calico-cloud_versioned_docs/version-22-2/networking/configuring/bgp-to-workload.mdx @@ -68,7 +68,7 @@ source traffic. ## How to - [Configure global BGP settings](#configure-global-bgp-settings) -- [Create BGPFilter resources](#configure-bgpfilter-resources) +- [Create BGPFilter resources](#create-bgpfilter-resources) - [Configure parent cluster BGP topology](#configure-parent-cluster-bgp-topology) - [Configure BGP peering with workloads](#configure-bgp-peering-with-workloads) - [Configure more than one nested cluster](#configure-more-than-one-nested-cluster) diff --git a/calico-cloud_versioned_docs/version-22-2/networking/configuring/dual-tor.mdx b/calico-cloud_versioned_docs/version-22-2/networking/configuring/dual-tor.mdx index c77f97a14f..b974e55a53 100644 --- a/calico-cloud_versioned_docs/version-22-2/networking/configuring/dual-tor.mdx +++ b/calico-cloud_versioned_docs/version-22-2/networking/configuring/dual-tor.mdx @@ -208,7 +208,7 @@ For a dual ToR setup, LLGR is helpful, as explained in more detail by [this blog - [Prepare YAML resources describing the layout of your cluster](#prepare-yaml-resources-describing-the-layout-of-your-cluster) - [Arrange for dual-homed nodes to run $[nodecontainer] on each boot](#arrange-for-dual-homed-nodes-to-run-cnx-node-on-each-boot) - [Configure your ToR routers and infrastructure](#configure-your-tor-routers-and-infrastructure) -- [Install Kubernetes and $[prodname]](#install-kubernetes-and-calico-enterprise) +- [Install Kubernetes and $[prodname]](#install-kubernetes-and-calico-cloud) - [Verify the deployment](#verify-the-deployment) ### Prepare YAML resources describing the layout of your cluster diff --git a/calico-cloud_versioned_docs/version-22-2/networking/egress/egress-gateway-azure.mdx b/calico-cloud_versioned_docs/version-22-2/networking/egress/egress-gateway-azure.mdx index 109cbacf87..3488339069 100644 --- a/calico-cloud_versioned_docs/version-22-2/networking/egress/egress-gateway-azure.mdx +++ b/calico-cloud_versioned_docs/version-22-2/networking/egress/egress-gateway-azure.mdx @@ -98,13 +98,13 @@ $[prodname] CNI and IPAM are required. The ability to control the egress gateway - [Disable the default BGP node-to-node mesh](#disable-the-default-bgp-node-to-node-mesh) - [Enable BGP](#enable-bgp) - [Provision an egress IP pool](#provision-an-egress-ip-pool) -- [(Optional) Limit number of route advertisement](#limit-number-of-route-advertisement) -- [Configure route reflector](#configure-route-reflector) +- [(Optional) Limit number of route advertisement](#optional-limit-number-of-route-advertisements) +- [Configure route reflector](#configure-route-reflectors) - [Enable egress gateway support](#enable-egress-gateway-support) - [Deploy a group of egress gateways](#deploy-a-group-of-egress-gateways) - [Configure iptables backend for egress gateways](#configure-iptables-backend-for-egress-gateways) - [Configure namespaces and pods to use egress gateways](#configure-namespaces-and-pods-to-use-egress-gateways) -- [(Optional) Enable ECMP load balancing](#optionally-enable-ecmp-load-balancing) +- [(Optional) Enable ECMP load balancing](#optional-enable-ecmp-load-balancing) - [Verify the feature operation](#verify-the-feature-operation) - [Control the use of egress gateways](#control-the-use-of-egress-gateways) - [Policy enforcement for flows via an egress gateway](#policy-enforcement-for-flows-via-an-egress-gateway) diff --git a/calico-cloud_versioned_docs/version-22-2/observability/alerts.mdx b/calico-cloud_versioned_docs/version-22-2/observability/alerts.mdx index 836ffac187..c396b080f2 100644 --- a/calico-cloud_versioned_docs/version-22-2/observability/alerts.mdx +++ b/calico-cloud_versioned_docs/version-22-2/observability/alerts.mdx @@ -34,7 +34,7 @@ To turn down aggregation on flow logs, go to [FelixConfiguration](../reference/r ## How to -- [Manage alerts in the web console](#manage-alerts-in-manager-ui) +- [Manage alerts in the web console](#manage-alerts-in-the-web-console) - [Manage alerts using CLI](#manage-alerts-using-cli) ### Manage alerts in the web console diff --git a/calico-cloud_versioned_docs/version-22-2/observability/elastic/l7/configure.mdx b/calico-cloud_versioned_docs/version-22-2/observability/elastic/l7/configure.mdx index 4c5920053c..edf3929292 100644 --- a/calico-cloud_versioned_docs/version-22-2/observability/elastic/l7/configure.mdx +++ b/calico-cloud_versioned_docs/version-22-2/observability/elastic/l7/configure.mdx @@ -45,14 +45,14 @@ Note removed for CC ## How to - [Configure Felix for log data collection](#configure-felix-for-log-data-collection) -- [Configure L7 logs](#configure-l7-logs) -- [View L7 logs in the web console](#view-l7-logs-in-manager-ui) +- [Configure L7 logs](#configure-l7-logs-1) +- [View L7 logs in the web console](#view-l7-logs-in-the-web-console) ### Configure Felix for log data collection 1. Configure L7 log aggregation, retention, and reporting. - For help, see [Felix Configuration documentation](../../../reference/component-resources/node/felix/configuration.mdx#calico-enterprise-specific-configuration). + For help, see [Felix Configuration documentation](../../../reference/component-resources/node/felix/configuration.mdx). ### Configure L7 logs diff --git a/calico-cloud_versioned_docs/version-22-2/observability/iptables.mdx b/calico-cloud_versioned_docs/version-22-2/observability/iptables.mdx index 5cc5524772..7d4c5da111 100644 --- a/calico-cloud_versioned_docs/version-22-2/observability/iptables.mdx +++ b/calico-cloud_versioned_docs/version-22-2/observability/iptables.mdx @@ -18,7 +18,7 @@ $[prodname] adds a Felix option `DropActionOverride` that configures how the It can add logs for denied packets, or even allow the traffic through. See the -[Felix configuration reference](../reference/component-resources/node/felix/configuration.mdx#calico-cloud-specific-configuration) for +[Felix configuration reference](../reference/component-resources/node/felix/configuration.mdx) for information on how to configure this option. `DropActionOverride` controls what happens to each packet that is denied by diff --git a/calico-cloud_versioned_docs/version-22-2/operations/comms/crypto-auth.mdx b/calico-cloud_versioned_docs/version-22-2/operations/comms/crypto-auth.mdx index 9276e7b2e7..08b0888890 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/comms/crypto-auth.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/comms/crypto-auth.mdx @@ -22,7 +22,7 @@ For clusters installed using operator, see how to [provide TLS certificates for For detailed reference information on TLS configuration parameters, refer to: -- **Node**: [Node-Typha TLS configuration](../../reference/component-resources/node/felix/configuration.mdx#felix-typha-tls-configuration) +- **Node**: [Node-Typha TLS configuration](../../reference/component-resources/node/felix/configuration.mdx) {/*TODO-XREFS-CC - **Typha**: [Node-Typha TLS configuration](../../reference/component-resources/typha/configuration#felix-typha-tls-configuration)*/} diff --git a/calico-cloud_versioned_docs/version-22-2/operations/comms/manager-tls.mdx b/calico-cloud_versioned_docs/version-22-2/operations/comms/manager-tls.mdx index 06858fbbc8..49ff30452f 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/comms/manager-tls.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/comms/manager-tls.mdx @@ -38,4 +38,4 @@ If the $[prodname] web console is already running then updating the secret shoul ## Additional resources -Additional documentation is available for securing [the $[prodname] web console connections](crypto-auth.mdx#calico-enterprise-manager-connections). +Additional documentation is available for securing [the $[prodname] web console connections](crypto-auth.mdx). diff --git a/calico-cloud_versioned_docs/version-22-2/operations/ebpf/troubleshoot-ebpf.mdx b/calico-cloud_versioned_docs/version-22-2/operations/ebpf/troubleshoot-ebpf.mdx index b3d0087c97..a51b2046fb 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/ebpf/troubleshoot-ebpf.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/ebpf/troubleshoot-ebpf.mdx @@ -202,7 +202,7 @@ Enabling logs in this way has a significant impact on eBPF program performance. To reduce the performance impact in production clusters, you can target logging to specific traffic and/or specific interfaces using the -[bpfLogFilters](../../reference/component-resources/node/felix/configuration.mdx#BPFLogFilters) Felix +[bpfLogFilters](../../reference/component-resources/node/felix/configuration.mdx) Felix configuration setting. Filters are pcap expressions. > Note that the filters are applied to the original packet, before any NAT or diff --git a/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/policy-metrics.mdx b/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/policy-metrics.mdx index 3ece13764a..fc49d366a1 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/policy-metrics.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/policy-metrics.mdx @@ -135,7 +135,7 @@ sum(irate(cnx_policy_rule_packets[30s])) without (instance,rule_index,rule_direc ``` See the -[Felix configuration reference](../../../reference/component-resources/node/felix/configuration.mdx#calico-cloud-specific-configuration) for +[Felix configuration reference](../../../reference/component-resources/node/felix/configuration.mdx) for the settings that control the reporting of these metrics. $[prodname] manifests normally set `PrometheusReporterEnabled=true` and `PrometheusReporterPort=9081`, so these metrics are available on each compute diff --git a/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx index 9be5029bd9..2c674391c6 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx @@ -39,7 +39,7 @@ For the supported version of Prometheus in this release, see the [Release Notes] ### Scrape all enabled metrics In this section we create a service monitor that scrapes all enabled metrics. To enable metrics that -are not enabled by default, please consult the [next section](#scrape-metrics-from-specific-components). +are not enabled by default, please consult the [next section](#scrape-metrics-from-specific-components-directly). The following example shows a Prometheus server installed in namespace "external-prometheus" with a `serviceMonitorSelector` that selects all service monitors with the label `k8s-app=tigera-external-prometheus`. @@ -369,7 +369,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied ### Troubleshooting -This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) +This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components-directly) section. 1. Extract the TLS credentials and CA bundle from the cluster. diff --git a/calico-cloud_versioned_docs/version-22-2/reference/resources/bgpfilter.mdx b/calico-cloud_versioned_docs/version-22-2/reference/resources/bgpfilter.mdx index f7f6c2cd8b..1ef238cd40 100644 --- a/calico-cloud_versioned_docs/version-22-2/reference/resources/bgpfilter.mdx +++ b/calico-cloud_versioned_docs/version-22-2/reference/resources/bgpfilter.mdx @@ -77,7 +77,7 @@ spec: | Field | Description | Accepted Values | Schema | Default | | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- | | cidr | IPv6 range | A valid IPv6 CIDR | string | | -| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | +| prefixLength | PrefixLength | Valid integers between 0 and ipv4/6 max (32, 128) | | | | matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | | source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | | interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | @@ -88,7 +88,7 @@ spec: | Field | Description | Accepted Values | Schema | Default | | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- | | cidr | IPv6 range | A valid IPv6 CIDR | string | | -| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | +| prefixLength | PrefixLength | Valid integers between 0 and ipv4/6 max (32, 128) | | | | matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | | source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | | interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | diff --git a/calico-cloud_versioned_docs/version-22-2/reference/resources/bgppeer.mdx b/calico-cloud_versioned_docs/version-22-2/reference/resources/bgppeer.mdx index 6138d8e325..52d9196ab1 100644 --- a/calico-cloud_versioned_docs/version-22-2/reference/resources/bgppeer.mdx +++ b/calico-cloud_versioned_docs/version-22-2/reference/resources/bgppeer.mdx @@ -45,7 +45,7 @@ spec: | asNumber | The remote AS Number of the peer. | A valid AS Number, may be specified in dotted notation. | integer/string | | nodeSelector | Selector for the nodes that should have this peering. When this is set, the `node` field must be empty. | | [selector](#selector) | | peerSelector | Selector for the remote nodes to peer with. When this is set, the `peerIP` and `asNumber` fields must be empty. | | [selector](#selector) | -| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selectors) | | +| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selector) | | | keepOriginalNextHop | Maintain and forward the original next hop BGP route attribute to a specific Peer within a different AS. | | boolean | | extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | | | password | [BGP password](../../operations/comms/secure-bgp.mdx) for the peerings generated by this BGPPeer resource. | | [BGPPassword](#bgppassword) | `nil` (no password) | diff --git a/calico-cloud_versioned_docs/version-22-2/release-notes/index.mdx b/calico-cloud_versioned_docs/version-22-2/release-notes/index.mdx index ed63f47166..40bb615d0e 100644 --- a/calico-cloud_versioned_docs/version-22-2/release-notes/index.mdx +++ b/calico-cloud_versioned_docs/version-22-2/release-notes/index.mdx @@ -157,7 +157,7 @@ For more information, see [Configure an ingress gateway](../networking/ingress-g This release adds customization options for specifying external load balancers for `Gateway` resources in your cluster. -For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/about-calico-ingress-gateway.mdx#customize-gateway-deployment-and-features). +For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/about-calico-ingress-gateway.mdx). #### Web application firewall for Calico Ingress Gateway @@ -455,7 +455,7 @@ For more information, see [Dashboards](../observability/dashboards.mdx). :::info[upgrade notice] Because of a breaking change, this version is no longer available. -Upgrade instead to [Calico Cloud 20.3.1](#20.3.1) or later. +Upgrade instead to Calico Cloud 20.3.1 or later. ::: ### New features and enhancements @@ -550,7 +550,7 @@ For more information, see [Update detector settings](../threat/container-threat- We added a way to create Security Event exceptions for processes in your cluster that you know to be safe. This can be a helpful way to eliminate noise and false positives in your alerts. -For more information, see [Exclude a process from Security Events alerts](../threat/container-threat-detection.mdx#exclude-process). +For more information, see [Exclude a process from Security Events alerts](../threat/container-threat-detection.mdx). #### Added EPSS data to Image Assurance results diff --git a/calico-cloud_versioned_docs/version-22-2/threat/container-threat-detection.mdx b/calico-cloud_versioned_docs/version-22-2/threat/container-threat-detection.mdx index ce1a17eba0..05d0594f42 100644 --- a/calico-cloud_versioned_docs/version-22-2/threat/container-threat-detection.mdx +++ b/calico-cloud_versioned_docs/version-22-2/threat/container-threat-detection.mdx @@ -66,8 +66,8 @@ so we can bundle the BTF data to precisely match the version of the kernel runni ## How to - [Enable Container threat detection in the managed cluster](#enable-container-threat-detection) -- [Monitor the Security Events page for malicious programs](#monitor-alerts-page-for-malicious-programs) -- [Exclude a process from Security Events alerts](#exclude-a-process-from-Security-Events-alerts) +- [Monitor the Security Events page for malicious programs](#monitor-the-security-events-page-for-malicious-programs) +- Exclude a process from Security Events alerts - [Update detectors settings](#update-detectors-settings) - [Configure detectors via RuntimeSecurity Custom Resource](#configure-detectors-via-runtimesecurity-custom-resource) diff --git a/calico-cloud_versioned_docs/version-22-2/threat/web-application-firewall.mdx b/calico-cloud_versioned_docs/version-22-2/threat/web-application-firewall.mdx index b92f5e6b5a..2568c16761 100644 --- a/calico-cloud_versioned_docs/version-22-2/threat/web-application-firewall.mdx +++ b/calico-cloud_versioned_docs/version-22-2/threat/web-application-firewall.mdx @@ -35,7 +35,7 @@ Every request that WAF finds an issue with, will result in a Security Event bein If you configure WAF in blocking mode, WAF will use something called [anomaly scoring mode](https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/) to determine if a request is allowed with `200 OK` or denied `403 Forbidden`. -This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-your-waf) for your specific needs in your cluster. +This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-waf-configuration) for your specific needs in your cluster. ## Before you begin diff --git a/calico-cloud_versioned_docs/version-22-2/tutorials/training/about-kubernetes-services.mdx b/calico-cloud_versioned_docs/version-22-2/tutorials/training/about-kubernetes-services.mdx index 61ae2ac9c5..f557bdf68e 100644 --- a/calico-cloud_versioned_docs/version-22-2/tutorials/training/about-kubernetes-services.mdx +++ b/calico-cloud_versioned_docs/version-22-2/tutorials/training/about-kubernetes-services.mdx @@ -73,7 +73,7 @@ reverse the NAT.) Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the service backing pod does not see the original client IP address. Typically this means that any such policy is limited to restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can -be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using +be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using $[prodname]'s eBPF data plane native service handling (rather than kube-proxy) which preserves source IP address. ## Load balancer services @@ -89,7 +89,7 @@ default will load balance evenly across the nodes using the service node port. Most network load balancers preserve the client source IP address, but because the service then goes via a node port, the backing pods themselves do not see the client IP, with the same implications for network policy. As with node -ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) +ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address. diff --git a/calico-enterprise/_includes/components/UpgradeOperatorSimple.js b/calico-enterprise/_includes/components/UpgradeOperatorSimple.js index 55e61e56b1..97d4f5deda 100644 --- a/calico-enterprise/_includes/components/UpgradeOperatorSimple.js +++ b/calico-enterprise/_includes/components/UpgradeOperatorSimple.js @@ -251,7 +251,7 @@ EOF`}
If your cluster includes egress gateways, follow the{' '}
-
+
egress gateway upgrade instructions
.
diff --git a/calico-enterprise/getting-started/install-on-clusters/aks.mdx b/calico-enterprise/getting-started/install-on-clusters/aks.mdx
index f4910b2094..696b08f64b 100644
--- a/calico-enterprise/getting-started/install-on-clusters/aks.mdx
+++ b/calico-enterprise/getting-started/install-on-clusters/aks.mdx
@@ -72,8 +72,8 @@ Install $[prodname] on an AKS managed Kubernetes cluster.
- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-1. [Option A: Install with Azure CNI networking](#install-with-azure-cni-networking)
-1. [Option B: Install with Calico networking](#install-with-calico-enterprise-networking)
+1. [Option A: Install with Azure CNI networking](#install-aks-with-azure-cni-networking)
+1. [Option B: Install with Calico networking](#install-aks-with-calico-enterprise-networking)
1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
If your cluster includes egress gateways, follow the{' '}
-
+
egress gateway upgrade instructions
.
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/aks.mdx b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/aks.mdx
index fb6458447b..55fe4495c9 100644
--- a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/aks.mdx
+++ b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/aks.mdx
@@ -72,8 +72,8 @@ Install $[prodname] on an AKS managed Kubernetes cluster.
- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-1. [Option A: Install with Azure CNI networking](#install-with-azure-cni-networking)
-1. [Option B: Install with Calico networking](#install-with-calico-enterprise-networking)
+1. [Option A: Install with Azure CNI networking](#install-aks-with-azure-cni-networking)
+1. [Option B: Install with Calico networking](#install-aks-with-calico-enterprise-networking)
1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
If your cluster includes egress gateways, follow the{' '}
-
+
egress gateway upgrade instructions
.
diff --git a/calico-enterprise_versioned_docs/version-3.23-2/getting-started/install-on-clusters/aks.mdx b/calico-enterprise_versioned_docs/version-3.23-2/getting-started/install-on-clusters/aks.mdx
index ab21ddf9ab..76ee97b873 100644
--- a/calico-enterprise_versioned_docs/version-3.23-2/getting-started/install-on-clusters/aks.mdx
+++ b/calico-enterprise_versioned_docs/version-3.23-2/getting-started/install-on-clusters/aks.mdx
@@ -72,8 +72,8 @@ Install $[prodname] on an AKS managed Kubernetes cluster.
- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-1. [Option A: Install with Azure CNI networking](#install-with-azure-cni-networking)
-1. [Option B: Install with Calico networking](#install-with-calico-enterprise-networking)
+1. [Option A: Install with Azure CNI networking](#install-aks-with-azure-cni-networking)
+1. [Option B: Install with Calico networking](#install-aks-with-calico-enterprise-networking)
1. [Install the $[prodname] license](#install-the-calico-enterprise-license)
Default: scrape all metrics. |
| `bearerTokenSecret` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core)_ | Secret to mount to read bearer token for scraping targets. Recommended: when unset, the operator will create a Secret, a ClusterRole and a ClusterRoleBinding. |
-| `interval` _[Duration](#duration)_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
-| `scrapeTimeout` _[Duration](#duration)_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
+| `interval` _Duration_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
+| `scrapeTimeout` _Duration_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
| `honorLabels` _boolean_ | HonorLabels chooses the metric's labels on collisions with target labels. |
| `honorTimestamps` _boolean_ | HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. |
| `metricRelabelings` _RelabelConfig array_ | MetricRelabelConfigs to apply to samples before ingestion. |
@@ -3625,7 +3625,7 @@ _Appears in:_
| `disableBGPExport` _boolean_ | (Optional) DisableBGPExport specifies whether routes from this IP pool's CIDR are exported over BGP.
Default: false |
| `disableNewAllocations` _boolean_ | DisableNewAllocations specifies whether or not new IP allocations are allowed from this pool. This is useful when you want to prevent new pods from receiving IP addresses from this pool, without impacting any existing pods that have already been assigned addresses from this pool. |
| `allowedUses` _[IPPoolAllowedUse](#ippoolalloweduse) array_ | AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility |
-| `assignmentMode` _[AssignmentMode](#assignmentmode)_ | AssignmentMode determines if IP addresses from this pool should be assigned automatically or on request only |
+| `assignmentMode` _AssignmentMode_ | AssignmentMode determines if IP addresses from this pool should be assigned automatically or on request only |
### IPPoolAllowedUse
@@ -4064,7 +4064,7 @@ _Appears in:_
| `istiod` _[IstiodDeployment](#istioddeployment)_ | (Optional) IstiodDeployment defines the resource requirements and node selector for the Istio deployment. |
| `istioCNI` _[IstioCNIDaemonset](#istiocnidaemonset)_ | (Optional) IstioCNIDaemonset defines the resource requirements for the Istio CNI plugin. |
| `ztunnel` _[ZTunnelDaemonset](#ztunneldaemonset)_ | (Optional) ZTunnelDaemonset defines the resource requirements for the ZTunnelDaemonset component. |
-| `dscpMark` _[DSCP](#dscp)_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
+| `dscpMark` _DSCP_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
### IstioStatus
@@ -6084,7 +6084,7 @@ _Appears in:_
_Appears in:_
-- [TLSPassThroughRoute](#tlspassthroughroute)
+- TLSPassThroughRoute
| Field | Description |
| --- | --- |
@@ -6102,7 +6102,7 @@ _Appears in:_
_Appears in:_
-- [TLSTerminatedRoute](#tlsterminatedroute)
+- TLSTerminatedRoute
| Field | Description |
| --- | --- |
diff --git a/calico-enterprise/reference/installation/helm_customization.mdx b/calico-enterprise/reference/installation/helm_customization.mdx
index bc3bcdb5ab..82122abd3f 100644
--- a/calico-enterprise/reference/installation/helm_customization.mdx
+++ b/calico-enterprise/reference/installation/helm_customization.mdx
@@ -17,7 +17,7 @@ You can customize the following resources and settings during $[prodname] Helm-b
- [Policy recommendation](api.mdx#policyrecommendationspec)
- [Authentication](api.mdx#authenticationspec)
- [Application layer](api.mdx#applicationlayerspec)
-- [Amazon cloud integration](api.mdx#amazoncloudintegrationspec)
+- [Amazon cloud integration](api.mdx)
- [Default felix configuration](../resources/felixconfig.mdx#spec)
:::note
diff --git a/calico-enterprise/reference/resources/bgppeer.mdx b/calico-enterprise/reference/resources/bgppeer.mdx
index 056e8eb8b5..8159e2a2ad 100644
--- a/calico-enterprise/reference/resources/bgppeer.mdx
+++ b/calico-enterprise/reference/resources/bgppeer.mdx
@@ -46,7 +46,7 @@ spec:
| localASNumber | Specifies AS Number $[prodname] uses as its local AS Number for this peer, overriding the global AS Number set in the default BGPConfiguration. | A valid AS Number, may be specified in dotted notation. | integer/string |
| nodeSelector | Selector for the nodes that should have this peering. When this is set, the `node` field must be empty. | | [selector](#selector) |
| peerSelector | Selector for the remote nodes to peer with. When this is set, the `peerIP` and `asNumber` fields must be empty. | | [selector](#selector) |
-| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selectors) | |
+| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selector) | |
| keepOriginalNextHop | Maintain and forward the original next hop BGP route attribute to a specific Peer within a different AS. | | boolean |
| extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | |
| password | [BGP password](../../networking/configuring/secure-bgp.mdx) for the peerings generated by this BGPPeer resource. | | [BGPPassword](#bgppassword) | `nil` (no password) |
diff --git a/calico-enterprise/reference/resources/felixconfig.mdx b/calico-enterprise/reference/resources/felixconfig.mdx
index aeafd7998d..e052519daa 100644
--- a/calico-enterprise/reference/resources/felixconfig.mdx
+++ b/calico-enterprise/reference/resources/felixconfig.mdx
@@ -83,7 +83,7 @@ At most one selector-scoped FelixConfiguration should match any given node. If m
#### Restrictions
- The `nodeSelector` field cannot be set on the `default` resource or on `node.
Default: scrape all metrics. |
| `bearerTokenSecret` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core)_ | Secret to mount to read bearer token for scraping targets. Recommended: when unset, the operator will create a Secret, a ClusterRole and a ClusterRoleBinding. |
-| `interval` _[Duration](#duration)_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
-| `scrapeTimeout` _[Duration](#duration)_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
+| `interval` _Duration_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
+| `scrapeTimeout` _Duration_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
| `honorLabels` _boolean_ | HonorLabels chooses the metric's labels on collisions with target labels. |
| `honorTimestamps` _boolean_ | HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. |
| `metricRelabelings` _RelabelConfig array_ | MetricRelabelConfigs to apply to samples before ingestion. |
@@ -3322,7 +3322,7 @@ _Appears in:_
| `disableBGPExport` _boolean_ | (Optional) DisableBGPExport specifies whether routes from this IP pool's CIDR are exported over BGP.
Default: false |
| `disableNewAllocations` _boolean_ | DisableNewAllocations specifies whether or not new IP allocations are allowed from this pool. This is useful when you want to prevent new pods from receiving IP addresses from this pool, without impacting any existing pods that have already been assigned addresses from this pool. |
| `allowedUses` _[IPPoolAllowedUse](#ippoolalloweduse) array_ | AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility |
-| `assignmentMode` _[AssignmentMode](#assignmentmode)_ | AssignmentMode determines if IP addresses from this pool should be assigned automatically or on request only |
+| `assignmentMode` _AssignmentMode_ | AssignmentMode determines if IP addresses from this pool should be assigned automatically or on request only |
### IPPoolAllowedUse
@@ -5338,7 +5338,7 @@ _Appears in:_
_Appears in:_
-- [TLSPassThroughRoute](#tlspassthroughroute)
+- TLSPassThroughRoute
| Field | Description |
| --- | --- |
@@ -5356,7 +5356,7 @@ _Appears in:_
_Appears in:_
-- [TLSTerminatedRoute](#tlsterminatedroute)
+- TLSTerminatedRoute
| Field | Description |
| --- | --- |
diff --git a/calico-enterprise_versioned_docs/version-3.21-2/reference/installation/helm_customization.mdx b/calico-enterprise_versioned_docs/version-3.21-2/reference/installation/helm_customization.mdx
index 7f1f0bd045..b03de84670 100644
--- a/calico-enterprise_versioned_docs/version-3.21-2/reference/installation/helm_customization.mdx
+++ b/calico-enterprise_versioned_docs/version-3.21-2/reference/installation/helm_customization.mdx
@@ -17,7 +17,7 @@ You can customize the following resources and settings during $[prodname] Helm-b
- [Policy recommendation](api.mdx#policyrecommendationspec)
- [Authentication](api.mdx#authenticationspec)
- [Application layer](api.mdx#applicationlayerspec)
-- [Amazon cloud integration](api.mdx#amazoncloudintegrationspec)
+- [Amazon cloud integration](api.mdx)
- [Default felix configuration](../resources/felixconfig.mdx#spec)
:::note
diff --git a/calico-enterprise_versioned_docs/version-3.21-2/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.21-2/reference/resources/bgppeer.mdx
index 362dd7f4bc..8b9a4e906b 100644
--- a/calico-enterprise_versioned_docs/version-3.21-2/reference/resources/bgppeer.mdx
+++ b/calico-enterprise_versioned_docs/version-3.21-2/reference/resources/bgppeer.mdx
@@ -45,7 +45,7 @@ spec:
| asNumber | The remote AS Number of the peer. | A valid AS Number, may be specified in dotted notation. | integer/string |
| nodeSelector | Selector for the nodes that should have this peering. When this is set, the `node` field must be empty. | | [selector](#selector) |
| peerSelector | Selector for the remote nodes to peer with. When this is set, the `peerIP` and `asNumber` fields must be empty. | | [selector](#selector) |
-| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selectors) | |
+| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selector) | |
| keepOriginalNextHop | Maintain and forward the original next hop BGP route attribute to a specific Peer within a different AS. | | boolean |
| extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | |
| password | [BGP password](../../operations/comms/secure-bgp.mdx) for the peerings generated by this BGPPeer resource. | | [BGPPassword](#bgppassword) | `nil` (no password) |
diff --git a/calico-enterprise_versioned_docs/version-3.21-2/threat/web-application-firewall.mdx b/calico-enterprise_versioned_docs/version-3.21-2/threat/web-application-firewall.mdx
index b9e851afe7..45e152b957 100644
--- a/calico-enterprise_versioned_docs/version-3.21-2/threat/web-application-firewall.mdx
+++ b/calico-enterprise_versioned_docs/version-3.21-2/threat/web-application-firewall.mdx
@@ -35,7 +35,7 @@ Every request that WAF finds an issue with, will result in a Security Event bein
If you configure WAF in blocking mode, WAF will use something called [anomaly scoring mode](https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/) to determine if a request is allowed with `200 OK` or denied `403 Forbidden`.
-This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-your-waf) for your specific needs in your cluster.
+This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-waf-configuration) for your specific needs in your cluster.
## Before you begin
@@ -112,7 +112,7 @@ kubectl patch deployment frontend -n default -p '{"spec":{"template":{"metadata"
Alternatively, you can use the web console to apply WAF to the `frontend` deployment if you opted for sidecars.
In this example, we applied WAF to the `frontend` pods. This means that every request that goes through the `frontend` deployment is inspected.
-However, the traffic is not blocked because the WAF rule is set to `DetectionOnly` by default. You can adjust rules and start blocking traffic by [fine-tuning your WAF](#manage-your-waf).
+However, the traffic is not blocked because the WAF rule is set to `DetectionOnly` by default. You can adjust rules and start blocking traffic by [fine-tuning your WAF](#manage-waf-configuration).
In the previous example, we applied WAF to the `frontend` deployment of the sample application. Here, we are
applying WAF to a deployment of your own application.
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/UpgradeOperatorSimple.js b/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/UpgradeOperatorSimple.js
index 55e61e56b1..97d4f5deda 100644
--- a/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/UpgradeOperatorSimple.js
+++ b/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/UpgradeOperatorSimple.js
@@ -251,7 +251,7 @@ EOF`}
Default: scrape all metrics. |
| `bearerTokenSecret` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core)_ | Secret to mount to read bearer token for scraping targets. Recommended: when unset, the operator will create a Secret, a ClusterRole and a ClusterRoleBinding. |
-| `interval` _[Duration](#duration)_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
-| `scrapeTimeout` _[Duration](#duration)_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
+| `interval` _Duration_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
+| `scrapeTimeout` _Duration_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
| `honorLabels` _boolean_ | HonorLabels chooses the metric's labels on collisions with target labels. |
| `honorTimestamps` _boolean_ | HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. |
| `metricRelabelings` _RelabelConfig array_ | MetricRelabelConfigs to apply to samples before ingestion. |
@@ -3887,7 +3887,7 @@ _Appears in:_
| `istiod` _[IstiodDeployment](#istioddeployment)_ | (Optional) IstiodDeployment defines the resource requirements and node selector for the Istio deployment. |
| `istioCNI` _[IstioCNIDaemonset](#istiocnidaemonset)_ | (Optional) IstioCNIDaemonset defines the resource requirements for the Istio CNI plugin. |
| `ztunnel` _[ZTunnelDaemonset](#ztunneldaemonset)_ | (Optional) ZTunnelDaemonset defines the resource requirements for the ZTunnelDaemonset component. |
-| `dscpMark` _[DSCP](#dscp)_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
+| `dscpMark` _DSCP_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
### IstioStatus
@@ -5746,7 +5746,7 @@ _Appears in:_
_Appears in:_
-- [TLSPassThroughRoute](#tlspassthroughroute)
+- TLSPassThroughRoute
| Field | Description |
| --- | --- |
@@ -5764,7 +5764,7 @@ _Appears in:_
_Appears in:_
-- [TLSTerminatedRoute](#tlsterminatedroute)
+- TLSTerminatedRoute
| Field | Description |
| --- | --- |
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/reference/installation/helm_customization.mdx b/calico-enterprise_versioned_docs/version-3.22-2/reference/installation/helm_customization.mdx
index d58ff05147..a6a5607b5c 100644
--- a/calico-enterprise_versioned_docs/version-3.22-2/reference/installation/helm_customization.mdx
+++ b/calico-enterprise_versioned_docs/version-3.22-2/reference/installation/helm_customization.mdx
@@ -17,7 +17,7 @@ You can customize the following resources and settings during $[prodname] Helm-b
- [Policy recommendation](api.mdx#policyrecommendationspec)
- [Authentication](api.mdx#authenticationspec)
- [Application layer](api.mdx#applicationlayerspec)
-- [Amazon cloud integration](api.mdx#amazoncloudintegrationspec)
+- [Amazon cloud integration](api.mdx)
- [Default felix configuration](../resources/felixconfig.mdx#spec)
:::note
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.22-2/reference/resources/bgppeer.mdx
index e818572a52..23bec373db 100644
--- a/calico-enterprise_versioned_docs/version-3.22-2/reference/resources/bgppeer.mdx
+++ b/calico-enterprise_versioned_docs/version-3.22-2/reference/resources/bgppeer.mdx
@@ -46,7 +46,7 @@ spec:
| localASNumber | Specifies AS Number $[prodname] uses as its local AS Number for this peer, overriding the global AS Number set in the default BGPConfiguration. | A valid AS Number, may be specified in dotted notation. | integer/string |
| nodeSelector | Selector for the nodes that should have this peering. When this is set, the `node` field must be empty. | | [selector](#selector) |
| peerSelector | Selector for the remote nodes to peer with. When this is set, the `peerIP` and `asNumber` fields must be empty. | | [selector](#selector) |
-| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selectors) | |
+| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selector) | |
| keepOriginalNextHop | Maintain and forward the original next hop BGP route attribute to a specific Peer within a different AS. | | boolean |
| extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | |
| password | [BGP password](../../operations/comms/secure-bgp.mdx) for the peerings generated by this BGPPeer resource. | | [BGPPassword](#bgppassword) | `nil` (no password) |
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx
index 818be642f3..8ced7afa19 100644
--- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx
+++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx
@@ -28,7 +28,7 @@ For more information, see [Deploying WAF with an ingress gateway](../threat/depl
This release adds customization options for specifying external load balancers for `Gateway` resources in your cluster.
-For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/customize-ingress-gateway.mdx#customize-gateway-deployment-and-features).
+For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/customize-ingress-gateway.mdx).
### Istio Ambient Mode (tech preview)
diff --git a/calico-enterprise_versioned_docs/version-3.23-2/_includes/components/UpgradeOperatorSimple.js b/calico-enterprise_versioned_docs/version-3.23-2/_includes/components/UpgradeOperatorSimple.js
index 55e61e56b1..97d4f5deda 100644
--- a/calico-enterprise_versioned_docs/version-3.23-2/_includes/components/UpgradeOperatorSimple.js
+++ b/calico-enterprise_versioned_docs/version-3.23-2/_includes/components/UpgradeOperatorSimple.js
@@ -251,7 +251,7 @@ EOF`}
Default: scrape all metrics. |
| `bearerTokenSecret` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core)_ | Secret to mount to read bearer token for scraping targets. Recommended: when unset, the operator will create a Secret, a ClusterRole and a ClusterRoleBinding. |
-| `interval` _[Duration](#duration)_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
-| `scrapeTimeout` _[Duration](#duration)_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
+| `interval` _Duration_ | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. |
+| `scrapeTimeout` _Duration_ | Timeout after which the scrape is ended. If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used. |
| `honorLabels` _boolean_ | HonorLabels chooses the metric's labels on collisions with target labels. |
| `honorTimestamps` _boolean_ | HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. |
| `metricRelabelings` _RelabelConfig array_ | MetricRelabelConfigs to apply to samples before ingestion. |
@@ -3888,7 +3888,7 @@ _Appears in:_
| `istiod` _[IstiodDeployment](#istioddeployment)_ | (Optional) IstiodDeployment defines the resource requirements and node selector for the Istio deployment. |
| `istioCNI` _[IstioCNIDaemonset](#istiocnidaemonset)_ | (Optional) IstioCNIDaemonset defines the resource requirements for the Istio CNI plugin. |
| `ztunnel` _[ZTunnelDaemonset](#ztunneldaemonset)_ | (Optional) ZTunnelDaemonset defines the resource requirements for the ZTunnelDaemonset component. |
-| `dscpMark` _[DSCP](#dscp)_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
+| `dscpMark` _DSCP_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
### IstioStatus
@@ -5747,7 +5747,7 @@ _Appears in:_
_Appears in:_
-- [TLSPassThroughRoute](#tlspassthroughroute)
+- TLSPassThroughRoute
| Field | Description |
| --- | --- |
@@ -5765,7 +5765,7 @@ _Appears in:_
_Appears in:_
-- [TLSTerminatedRoute](#tlsterminatedroute)
+- TLSTerminatedRoute
| Field | Description |
| --- | --- |
diff --git a/calico-enterprise_versioned_docs/version-3.23-2/reference/installation/helm_customization.mdx b/calico-enterprise_versioned_docs/version-3.23-2/reference/installation/helm_customization.mdx
index bc3bcdb5ab..82122abd3f 100644
--- a/calico-enterprise_versioned_docs/version-3.23-2/reference/installation/helm_customization.mdx
+++ b/calico-enterprise_versioned_docs/version-3.23-2/reference/installation/helm_customization.mdx
@@ -17,7 +17,7 @@ You can customize the following resources and settings during $[prodname] Helm-b
- [Policy recommendation](api.mdx#policyrecommendationspec)
- [Authentication](api.mdx#authenticationspec)
- [Application layer](api.mdx#applicationlayerspec)
-- [Amazon cloud integration](api.mdx#amazoncloudintegrationspec)
+- [Amazon cloud integration](api.mdx)
- [Default felix configuration](../resources/felixconfig.mdx#spec)
:::note
diff --git a/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/bgppeer.mdx b/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/bgppeer.mdx
index ba573b2fca..c3af3de311 100644
--- a/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/bgppeer.mdx
+++ b/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/bgppeer.mdx
@@ -46,7 +46,7 @@ spec:
| localASNumber | Specifies AS Number $[prodname] uses as its local AS Number for this peer, overriding the global AS Number set in the default BGPConfiguration. | A valid AS Number, may be specified in dotted notation. | integer/string |
| nodeSelector | Selector for the nodes that should have this peering. When this is set, the `node` field must be empty. | | [selector](#selector) |
| peerSelector | Selector for the remote nodes to peer with. When this is set, the `peerIP` and `asNumber` fields must be empty. | | [selector](#selector) |
-| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selectors) | |
+| localWorkloadSelector | Selector for the local workloads that the node should peer with. When this is set, the `peerSelector` and `peerIP` fields must be empty and the `localWorkloadPeeringIPV4` and/or `localWorkloadPeeringIPV6` fields in the `BGPConfiguration` resource must be configured. It is also important to configure appropriate import/export filters when using this feature. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | | [selector](#selector) | |
| keepOriginalNextHop | Maintain and forward the original next hop BGP route attribute to a specific Peer within a different AS. | | boolean |
| extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | |
| password | [BGP password](../../networking/configuring/secure-bgp.mdx) for the peerings generated by this BGPPeer resource. | | [BGPPassword](#bgppassword) | `nil` (no password) |
diff --git a/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/felixconfig.mdx
index aeafd7998d..e052519daa 100644
--- a/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/felixconfig.mdx
+++ b/calico-enterprise_versioned_docs/version-3.23-2/reference/resources/felixconfig.mdx
@@ -83,7 +83,7 @@ At most one selector-scoped FelixConfiguration should match any given node. If m
#### Restrictions
- The `nodeSelector` field cannot be set on the `default` resource or on `node.
Default: false |
| `disableNewAllocations` _boolean_ | DisableNewAllocations specifies whether or not new IP allocations are allowed from this pool. This is useful when you want to prevent new pods from receiving IP addresses from this pool, without impacting any existing pods that have already been assigned addresses from this pool. |
| `allowedUses` _[IPPoolAllowedUse](#ippoolalloweduse) array_ | AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility |
-| `assignmentMode` _[AssignmentMode](#assignmentmode)_ | AssignmentMode determines if IP addresses from this pool should be assigned automatically or on request only |
+| `assignmentMode` _AssignmentMode_ | AssignmentMode determines if IP addresses from this pool should be assigned automatically or on request only |
### IPPoolAllowedUse
@@ -1996,7 +1996,7 @@ _Appears in:_
| `istiod` _[IstiodDeployment](#istioddeployment)_ | (Optional) IstiodDeployment defines the resource requirements and node selector for the Istio deployment. |
| `istioCNI` _[IstioCNIDaemonset](#istiocnidaemonset)_ | (Optional) IstioCNIDaemonset defines the resource requirements for the Istio CNI plugin. |
| `ztunnel` _[ZTunnelDaemonset](#ztunneldaemonset)_ | (Optional) ZTunnelDaemonset defines the resource requirements for the ZTunnelDaemonset component. |
-| `dscpMark` _[DSCP](#dscp)_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
+| `dscpMark` _DSCP_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
### IstioStatus
diff --git a/calico/reference/resources/bgpconfig.mdx b/calico/reference/resources/bgpconfig.mdx
index 90545cfa78..658024b2fb 100644
--- a/calico/reference/resources/bgpconfig.mdx
+++ b/calico/reference/resources/bgpconfig.mdx
@@ -74,7 +74,7 @@ spec:
| Field | Description | Accepted Values | Schema |
| ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `name` | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string |
+| `name` | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string |
| `value` | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string |
### prefixAdvertisements
diff --git a/calico/reference/resources/node.mdx b/calico/reference/resources/node.mdx
index e58cd6e582..826f4c8811 100644
--- a/calico/reference/resources/node.mdx
+++ b/calico/reference/resources/node.mdx
@@ -46,7 +46,7 @@ spec:
| vxlanTunnelMACAddr | MAC address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| ipv6VXLANTunnelAddr | IPv6 address of the VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| vxlanTunnelMACAddrV6 | MAC address of the IPv6 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
-| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#OrchRef) |
+| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#orchref) |
| wireguard | WireGuard configuration for this node. This is applicable only if WireGuard is enabled in [Felix Configuration](felixconfig.mdx). | | [WireGuard](#wireguard) |
### OrchRef
diff --git a/calico_versioned_docs/version-3.29/about/kubernetes-training/about-ebpf.mdx b/calico_versioned_docs/version-3.29/about/kubernetes-training/about-ebpf.mdx
index 68924082a6..54369013ef 100644
--- a/calico_versioned_docs/version-3.29/about/kubernetes-training/about-ebpf.mdx
+++ b/calico_versioned_docs/version-3.29/about/kubernetes-training/about-ebpf.mdx
@@ -69,7 +69,7 @@ eBPF program depend hugely on the hook to which it is attached:
- Several types of **socket** programs hook into various operations on sockets, allowing the eBPF program to, for
example, change the destination IP of a newly-created socket, or force a socket to bind to the "correct" source
IP address. $[prodname] uses such programs to do connect-time load balancing of Kubernetes Services; this
- reduces overhead because there is no [DNAT](about-networking.mdx#NAT) on the packet processing path.
+ reduces overhead because there is no [DNAT](about-networking.mdx#nat) on the packet processing path.
- There are various security-related hooks that allow for program behaviour to be policed in various ways. For
example, the **seccomp** hooks allow for syscalls to be policed in fine-grained ways.
diff --git a/calico_versioned_docs/version-3.29/about/kubernetes-training/about-kubernetes-services.mdx b/calico_versioned_docs/version-3.29/about/kubernetes-training/about-kubernetes-services.mdx
index 71422d5031..2f55197da9 100644
--- a/calico_versioned_docs/version-3.29/about/kubernetes-training/about-kubernetes-services.mdx
+++ b/calico_versioned_docs/version-3.29/about/kubernetes-training/about-kubernetes-services.mdx
@@ -73,7 +73,7 @@ reverse the NAT.)
Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the
service backing pod does not see the original client IP address. Typically this means that any such policy is limited to
restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can
-be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using
+be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using
$[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address.
## Load balancer services
@@ -89,7 +89,7 @@ default will load balance evenly across the nodes using the service node port.
Most network load balancers preserve the client source IP address, but because the service then goes via a node port,
the backing pods themselves do not see the client IP, with the same implications for network policy. As with node
-ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal)
+ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy)
or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather
than kube-proxy) which preserves source IP address.
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/k3s/multi-node-install.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/k3s/multi-node-install.mdx
index 9c0c54254f..bf6afa8584 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/k3s/multi-node-install.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/k3s/multi-node-install.mdx
@@ -76,7 +76,7 @@ K3s stores a kubeconfig file in your server at `/etc/rancher/k3s/k3s.yaml`, copy
To add additional nodes to your cluster you need two piece of information.
- `K3S_URL` which is going to be your main node ip address.
-- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-master-instance).
+- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-control-plane-instance).
Execute following command in your node instance and join it to the cluster.
:::note
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/vpp/ipsec.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/vpp/ipsec.mdx
index c9d038b0a3..8b6e07e303 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/vpp/ipsec.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/vpp/ipsec.mdx
@@ -22,7 +22,7 @@ To enable IPsec encryption, you will need a Kubernetes cluster with:
## How to
- [Create the IKEv2 PSK](#create-the-ikev2-psk)
-- [Configure the VPP data plane](#configure-the-vpp-dataplane)
+- [Configure the VPP data plane](#configure-the-vpp-data-plane)
### Create the IKEv2 PSK
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/windows-calico/troubleshoot.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/windows-calico/troubleshoot.mdx
index 63395a0987..0deda89104 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/windows-calico/troubleshoot.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/windows-calico/troubleshoot.mdx
@@ -105,7 +105,7 @@ items:
### Felix starts, but does not output logs
-By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx#general-configuration) to "info" or "debug" level.
+By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx) to "info" or "debug" level.
### $[prodname] BGP mode: connectivity issues, Linux calico/node pods report unready
diff --git a/calico_versioned_docs/version-3.29/network-policy/comms/crypto-auth.mdx b/calico_versioned_docs/version-3.29/network-policy/comms/crypto-auth.mdx
index d52e4fde98..954bc478b6 100644
--- a/calico_versioned_docs/version-3.29/network-policy/comms/crypto-auth.mdx
+++ b/calico_versioned_docs/version-3.29/network-policy/comms/crypto-auth.mdx
@@ -30,7 +30,7 @@ its connections as follows.
- [`calicoctl`](../../operations/calicoctl/configure/etcd.mdx)
- [CNI plugin](../../reference/configure-cni-plugins.mdx#etcd-location) (Kubernetes and OpenShift only)
- [Kubernetes controllers](../../reference/kube-controllers/configuration.mdx#configuring-datastore-access) (Kubernetes and OpenShift only)
- - [Felix](../../reference/felix/configuration.mdx#etcd-datastore-configuration)
+ - [Felix](../../reference/felix/configuration.mdx)
- [Typha](../../reference/typha/configuration.mdx#etcd-datastore-configuration) (often deployed in
larger Kubernetes deployments)
- [Neutron plugin or ML2 driver](../../networking/openstack/configuration.mdx#neutron-server-etcneutronneutronconf) (OpenStack only)
@@ -138,7 +138,7 @@ For detailed reference information on these parameters, refer to:
- **Typha**: [Felix-Typha TLS configuration](../../reference/typha/configuration.mdx#felix-typha-tls-configuration)
-- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx#felix-typha-tls-configuration)
+- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx)
diff --git a/calico_versioned_docs/version-3.29/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.29/network-policy/get-started/kubernetes-default-deny.mdx
index 51ddfa6965..fad1e748ed 100644
--- a/calico_versioned_docs/version-3.29/network-policy/get-started/kubernetes-default-deny.mdx
+++ b/calico_versioned_docs/version-3.29/network-policy/get-started/kubernetes-default-deny.mdx
@@ -39,8 +39,8 @@ To apply the sample $[prodname] network policies in the following section, [inst
## How to
-- [Create a default deny network policy](#crate-a-default-deny-network-policy)
-- [Create a global default deny network policy](#create-a-global-default-deny-network-policy)
+- [Create a default deny network policy](#create-a-default-deny-network-policy)
+- [Create a global default deny network policy](#create-a-global-default-deny-policy)
### Create a default deny network policy
diff --git a/calico_versioned_docs/version-3.29/network-policy/policy-rules/icmp-ping.mdx b/calico_versioned_docs/version-3.29/network-policy/policy-rules/icmp-ping.mdx
index c9cba6e793..be09c1aaf9 100644
--- a/calico_versioned_docs/version-3.29/network-policy/policy-rules/icmp-ping.mdx
+++ b/calico_versioned_docs/version-3.29/network-policy/policy-rules/icmp-ping.mdx
@@ -30,7 +30,7 @@ For details, see [ICMP type and code](https://en.wikipedia.org/wiki/Internet_Con
- [Deny all ICMP, all workloads and host endpoints](#deny-all-icmp-all-workloads-and-host-endpoints)
- [Allow ICMP ping, all workloads and host endpoints](#allow-icmp-ping-all-workloads-and-host-endpoints)
-- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-Kubernetes-pods)
+- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-kubernetes-pods)
### Deny all ICMP, all workloads and host endpoints
diff --git a/calico_versioned_docs/version-3.29/networking/configuring/use-ipvs.mdx b/calico_versioned_docs/version-3.29/networking/configuring/use-ipvs.mdx
index 9f45f86b6f..3a7f468993 100644
--- a/calico_versioned_docs/version-3.29/networking/configuring/use-ipvs.mdx
+++ b/calico_versioned_docs/version-3.29/networking/configuring/use-ipvs.mdx
@@ -33,7 +33,7 @@ Kube-proxy IPVS mode supports NodePort services and cluster IPs. $[prodname] als
### iptables: when to change mark bits
-To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx#ipvs-bits).
+To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx).
### $[prodname] auto detects ipvs mode
diff --git a/calico_versioned_docs/version-3.29/networking/openstack/configuration.mdx b/calico_versioned_docs/version-3.29/networking/openstack/configuration.mdx
index ca584a2025..3d1326e958 100644
--- a/calico_versioned_docs/version-3.29/networking/openstack/configuration.mdx
+++ b/calico_versioned_docs/version-3.29/networking/openstack/configuration.mdx
@@ -72,7 +72,7 @@ node belongs to.
When specified, the value of `openstack_region` must be a string of lower case alphanumeric
characters or '-', starting and ending with an alphanumeric character, and must match the value of
-[`OpenStackRegion`](../../reference/felix/configuration.mdx#openstack-specific-configuration)
+[`OpenStackRegion`](../../reference/felix/configuration.mdx)
configured for the Felixes in the same region.
## ML2 (.../ml2_conf.ini)
diff --git a/calico_versioned_docs/version-3.29/networking/openstack/neutron-api.mdx b/calico_versioned_docs/version-3.29/networking/openstack/neutron-api.mdx
index c0f1d8a9c0..00ff12602c 100644
--- a/calico_versioned_docs/version-3.29/networking/openstack/neutron-api.mdx
+++ b/calico_versioned_docs/version-3.29/networking/openstack/neutron-api.mdx
@@ -38,7 +38,7 @@ In $[prodname], because all traffic is L3 and routed, the role of Neutron
network as L2 connectivity domain is not helpful. Therefore, in $[prodname],
Neutron networks are simply containers for subnets. Best practices for
operators configuring Neutron networks in $[prodname] deployments can be
-found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
It is not useful for non-administrator tenants to create their own
Neutron networks. Although $[prodname] will allow non-administrator tenants
@@ -66,7 +66,7 @@ subnets associated with it. Each Neutron subnet represents either an
IPv4 or IPv6 block of addresses.
Best practices for configuring Neutron subnets in $[prodname] deployments can
-be found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+be found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
In $[prodname], these roles for the Neutron subnet are preserved in their
entirety. All properties associated with these Neutron subnets are
@@ -114,7 +114,7 @@ apply to the other attributes:
Neutron quotas function unchanged.
In most deployments we recommend setting non-administrator tenant quotas
-for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
## Security Groups
@@ -216,7 +216,7 @@ groups to set up their connectivity appropriately.
#### Tab: Network -> Network Topology
For the 'Create Network' button, see the [Networks](#networks) section.
-For the 'Create Router' button, see the [Layer 3 Routing](#routers) section.
+For the 'Create Router' button, see the [Layer 3 Routing](#neutron-routers) section.
#### Tab: Network -> Networks
@@ -226,7 +226,7 @@ For networks and subnets, see the sections on [Networks](#networks) and
#### Tab: Network -> Routers
Tenants should be prevented from creating routers, as they serve no
-purpose in a $[prodname] network. See [Layer 3 Routing](#routers) for more.
+purpose in a $[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
### Section: Admin
@@ -240,4 +240,4 @@ network setup, this panel may be used to make changes. See
#### Tab: System Panel -> Routers
Administrators should not create routers, as they serve no purpose in a
-$[prodname] network. See [Layer 3 Routing](#routers) for more.
+$[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
diff --git a/calico_versioned_docs/version-3.29/operations/ebpf/enabling-ebpf.mdx b/calico_versioned_docs/version-3.29/operations/ebpf/enabling-ebpf.mdx
index fe2875e443..e58ce1a8fa 100644
--- a/calico_versioned_docs/version-3.29/operations/ebpf/enabling-ebpf.mdx
+++ b/calico_versioned_docs/version-3.29/operations/ebpf/enabling-ebpf.mdx
@@ -39,8 +39,8 @@ eBPF (or "extended Berkeley Packet Filter"), is a technology that allows safe mi
- OpenShift
- EKS
- AKS with limitations:
- - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
- - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-networking) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
+ - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-azure-cni-for-networking-and-self-managed-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
+ - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-self-managed-calico-for-networking-and-network-policy) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
- RKE (RKE2 recommended because it supports disabling `kube-proxy`)
- MKE
diff --git a/calico_versioned_docs/version-3.29/reference/architecture/overview.mdx b/calico_versioned_docs/version-3.29/reference/architecture/overview.mdx
index 34324bf5f3..3bcb2882fd 100644
--- a/calico_versioned_docs/version-3.29/reference/architecture/overview.mdx
+++ b/calico_versioned_docs/version-3.29/reference/architecture/overview.mdx
@@ -62,7 +62,7 @@ Depending on the specific orchestrator environment, Felix is responsible for:
## BIRD
-**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx#content-main).
+**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx).
The BGP client is responsible for:
@@ -80,7 +80,7 @@ The BGP client is responsible for:
**Main task**: Monitors $[prodname] datastore for changes to BGP configuration and global defaults such as AS number, logging levels, and IPAM information. Open source, lightweight configuration management tool.
-Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx#content-main), and [confd project](https://github.com/kelseyhightower/confd).
+Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx), and [confd project](https://github.com/kelseyhightower/confd).
## Dikastes
diff --git a/calico_versioned_docs/version-3.29/reference/etcd-rbac/certificate-generation.mdx b/calico_versioned_docs/version-3.29/reference/etcd-rbac/certificate-generation.mdx
index 358d7e390a..6ec29d2aca 100644
--- a/calico_versioned_docs/version-3.29/reference/etcd-rbac/certificate-generation.mdx
+++ b/calico_versioned_docs/version-3.29/reference/etcd-rbac/certificate-generation.mdx
@@ -43,9 +43,9 @@ generated files are written.
Generating certificates with hack/tls-setup:
-1. Edit the [etcd certificate config](#configuration-for-the-etcd-certificates).
+1. Edit the etcd certificate config.
2. Add the
- [per-user/per-component configuration files](#configuration-for-per-userper-components-etcd-certificates)
+ per-user/per-component configuration files
3. Run `make`. (Re-running `make` will regenerate the CA and all certificates.)
Generating the certificates creates:
diff --git a/calico_versioned_docs/version-3.29/reference/etcd-rbac/kubernetes-advanced.mdx b/calico_versioned_docs/version-3.29/reference/etcd-rbac/kubernetes-advanced.mdx
index 20153c56b7..49c8fd6c5b 100644
--- a/calico_versioned_docs/version-3.29/reference/etcd-rbac/kubernetes-advanced.mdx
+++ b/calico_versioned_docs/version-3.29/reference/etcd-rbac/kubernetes-advanced.mdx
@@ -67,7 +67,7 @@ component type listed above (cni-plugin, $[prodname] Kubernetes controllers, and
`$[nodecontainer]`).
This setup needs similar updates to the manifest like what is described in
-[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-Calico-manifest),
+[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-calico-manifest),
with the in addition to those updates a separate Secret for _each_ component
must be created which holds the CA, certificate, and key data base64 encoded.
Then the specific Secret for each component must be in the `volumes` list
diff --git a/calico_versioned_docs/version-3.29/reference/resources/bgpconfig.mdx b/calico_versioned_docs/version-3.29/reference/resources/bgpconfig.mdx
index e84c6df45a..e38e89d07e 100644
--- a/calico_versioned_docs/version-3.29/reference/resources/bgpconfig.mdx
+++ b/calico_versioned_docs/version-3.29/reference/resources/bgpconfig.mdx
@@ -69,7 +69,7 @@ spec:
| Field | Description | Accepted Values | Schema |
| ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string |
+| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string |
| value | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string |
### prefixAdvertisements
diff --git a/calico_versioned_docs/version-3.29/reference/resources/node.mdx b/calico_versioned_docs/version-3.29/reference/resources/node.mdx
index e55e0180a1..8b41cce574 100644
--- a/calico_versioned_docs/version-3.29/reference/resources/node.mdx
+++ b/calico_versioned_docs/version-3.29/reference/resources/node.mdx
@@ -46,7 +46,7 @@ spec:
| vxlanTunnelMACAddr | MAC address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| ipv6VXLANTunnelAddr | IPv6 address of the VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| vxlanTunnelMACAddrV6 | MAC address of the IPv6 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
-| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#OrchRef) |
+| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#orchref) |
| wireguard | WireGuard configuration for this node. This is applicable only if WireGuard is enabled in [Felix Configuration](felixconfig.mdx). | | [WireGuard](#wireguard) |
### OrchRef
diff --git a/calico_versioned_docs/version-3.30/about/kubernetes-training/about-kubernetes-services.mdx b/calico_versioned_docs/version-3.30/about/kubernetes-training/about-kubernetes-services.mdx
index 71422d5031..2f55197da9 100644
--- a/calico_versioned_docs/version-3.30/about/kubernetes-training/about-kubernetes-services.mdx
+++ b/calico_versioned_docs/version-3.30/about/kubernetes-training/about-kubernetes-services.mdx
@@ -73,7 +73,7 @@ reverse the NAT.)
Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the
service backing pod does not see the original client IP address. Typically this means that any such policy is limited to
restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can
-be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using
+be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using
$[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address.
## Load balancer services
@@ -89,7 +89,7 @@ default will load balance evenly across the nodes using the service node port.
Most network load balancers preserve the client source IP address, but because the service then goes via a node port,
the backing pods themselves do not see the client IP, with the same implications for network policy. As with node
-ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal)
+ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy)
or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather
than kube-proxy) which preserves source IP address.
diff --git a/calico_versioned_docs/version-3.30/getting-started/kubernetes/k3s/multi-node-install.mdx b/calico_versioned_docs/version-3.30/getting-started/kubernetes/k3s/multi-node-install.mdx
index 308aff7404..0f7760c6e2 100644
--- a/calico_versioned_docs/version-3.30/getting-started/kubernetes/k3s/multi-node-install.mdx
+++ b/calico_versioned_docs/version-3.30/getting-started/kubernetes/k3s/multi-node-install.mdx
@@ -76,7 +76,7 @@ K3s stores a kubeconfig file in your server at `/etc/rancher/k3s/k3s.yaml`, copy
To add additional nodes to your cluster you need two piece of information.
- `K3S_URL` which is going to be your main node ip address.
-- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-master-instance).
+- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-control-plane-instance).
Execute following command in your node instance and join it to the cluster.
:::note
diff --git a/calico_versioned_docs/version-3.30/getting-started/kubernetes/vpp/ipsec.mdx b/calico_versioned_docs/version-3.30/getting-started/kubernetes/vpp/ipsec.mdx
index c9d038b0a3..8b6e07e303 100644
--- a/calico_versioned_docs/version-3.30/getting-started/kubernetes/vpp/ipsec.mdx
+++ b/calico_versioned_docs/version-3.30/getting-started/kubernetes/vpp/ipsec.mdx
@@ -22,7 +22,7 @@ To enable IPsec encryption, you will need a Kubernetes cluster with:
## How to
- [Create the IKEv2 PSK](#create-the-ikev2-psk)
-- [Configure the VPP data plane](#configure-the-vpp-dataplane)
+- [Configure the VPP data plane](#configure-the-vpp-data-plane)
### Create the IKEv2 PSK
diff --git a/calico_versioned_docs/version-3.30/getting-started/kubernetes/windows-calico/troubleshoot.mdx b/calico_versioned_docs/version-3.30/getting-started/kubernetes/windows-calico/troubleshoot.mdx
index 937bc4cc28..daadf24c0b 100644
--- a/calico_versioned_docs/version-3.30/getting-started/kubernetes/windows-calico/troubleshoot.mdx
+++ b/calico_versioned_docs/version-3.30/getting-started/kubernetes/windows-calico/troubleshoot.mdx
@@ -104,7 +104,7 @@ items:
```
### Felix starts, but does not output logs
-By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx#general-configuration) to "info" or "debug" level.
+By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx#environment-variables) to "info" or "debug" level.
### $[prodname] BGP mode: connectivity issues, Linux calico/node pods report unready
diff --git a/calico_versioned_docs/version-3.30/network-policy/comms/crypto-auth.mdx b/calico_versioned_docs/version-3.30/network-policy/comms/crypto-auth.mdx
index d52e4fde98..954bc478b6 100644
--- a/calico_versioned_docs/version-3.30/network-policy/comms/crypto-auth.mdx
+++ b/calico_versioned_docs/version-3.30/network-policy/comms/crypto-auth.mdx
@@ -30,7 +30,7 @@ its connections as follows.
- [`calicoctl`](../../operations/calicoctl/configure/etcd.mdx)
- [CNI plugin](../../reference/configure-cni-plugins.mdx#etcd-location) (Kubernetes and OpenShift only)
- [Kubernetes controllers](../../reference/kube-controllers/configuration.mdx#configuring-datastore-access) (Kubernetes and OpenShift only)
- - [Felix](../../reference/felix/configuration.mdx#etcd-datastore-configuration)
+ - [Felix](../../reference/felix/configuration.mdx)
- [Typha](../../reference/typha/configuration.mdx#etcd-datastore-configuration) (often deployed in
larger Kubernetes deployments)
- [Neutron plugin or ML2 driver](../../networking/openstack/configuration.mdx#neutron-server-etcneutronneutronconf) (OpenStack only)
@@ -138,7 +138,7 @@ For detailed reference information on these parameters, refer to:
- **Typha**: [Felix-Typha TLS configuration](../../reference/typha/configuration.mdx#felix-typha-tls-configuration)
-- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx#felix-typha-tls-configuration)
+- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx)
diff --git a/calico_versioned_docs/version-3.30/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.30/network-policy/get-started/kubernetes-default-deny.mdx
index 51ddfa6965..fad1e748ed 100644
--- a/calico_versioned_docs/version-3.30/network-policy/get-started/kubernetes-default-deny.mdx
+++ b/calico_versioned_docs/version-3.30/network-policy/get-started/kubernetes-default-deny.mdx
@@ -39,8 +39,8 @@ To apply the sample $[prodname] network policies in the following section, [inst
## How to
-- [Create a default deny network policy](#crate-a-default-deny-network-policy)
-- [Create a global default deny network policy](#create-a-global-default-deny-network-policy)
+- [Create a default deny network policy](#create-a-default-deny-network-policy)
+- [Create a global default deny network policy](#create-a-global-default-deny-policy)
### Create a default deny network policy
diff --git a/calico_versioned_docs/version-3.30/network-policy/policy-rules/icmp-ping.mdx b/calico_versioned_docs/version-3.30/network-policy/policy-rules/icmp-ping.mdx
index c9cba6e793..be09c1aaf9 100644
--- a/calico_versioned_docs/version-3.30/network-policy/policy-rules/icmp-ping.mdx
+++ b/calico_versioned_docs/version-3.30/network-policy/policy-rules/icmp-ping.mdx
@@ -30,7 +30,7 @@ For details, see [ICMP type and code](https://en.wikipedia.org/wiki/Internet_Con
- [Deny all ICMP, all workloads and host endpoints](#deny-all-icmp-all-workloads-and-host-endpoints)
- [Allow ICMP ping, all workloads and host endpoints](#allow-icmp-ping-all-workloads-and-host-endpoints)
-- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-Kubernetes-pods)
+- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-kubernetes-pods)
### Deny all ICMP, all workloads and host endpoints
diff --git a/calico_versioned_docs/version-3.30/networking/configuring/bgp-to-workload.mdx b/calico_versioned_docs/version-3.30/networking/configuring/bgp-to-workload.mdx
index abf9da9ee4..b25f05adae 100644
--- a/calico_versioned_docs/version-3.30/networking/configuring/bgp-to-workload.mdx
+++ b/calico_versioned_docs/version-3.30/networking/configuring/bgp-to-workload.mdx
@@ -66,7 +66,7 @@ them available through `kubectl`), or by using [calicoctl](../../operations/cali
## How to
- [Configure global BGP settings](#configure-global-bgp-settings)
-- [Create BGPFilter resources](#configure-bgpfilter-resources)
+- [Create BGPFilter resources](#create-bgpfilter-resources)
- [Configure parent cluster BGP topology](#configure-parent-cluster-bgp-topology)
- [Configure BGP peering with workloads](#configure-bgp-peering-with-workloads)
- [Configure more than one nested cluster](#configure-more-than-one-nested-cluster)
diff --git a/calico_versioned_docs/version-3.30/networking/configuring/use-ipvs.mdx b/calico_versioned_docs/version-3.30/networking/configuring/use-ipvs.mdx
index 9f45f86b6f..3a7f468993 100644
--- a/calico_versioned_docs/version-3.30/networking/configuring/use-ipvs.mdx
+++ b/calico_versioned_docs/version-3.30/networking/configuring/use-ipvs.mdx
@@ -33,7 +33,7 @@ Kube-proxy IPVS mode supports NodePort services and cluster IPs. $[prodname] als
### iptables: when to change mark bits
-To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx#ipvs-bits).
+To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx).
### $[prodname] auto detects ipvs mode
diff --git a/calico_versioned_docs/version-3.30/networking/openstack/configuration.mdx b/calico_versioned_docs/version-3.30/networking/openstack/configuration.mdx
index 1f59427322..0c02cc4a0d 100644
--- a/calico_versioned_docs/version-3.30/networking/openstack/configuration.mdx
+++ b/calico_versioned_docs/version-3.30/networking/openstack/configuration.mdx
@@ -70,7 +70,7 @@ node belongs to.
When specified, the value of `openstack_region` must be a string of lower case alphanumeric
characters or '-', starting and ending with an alphanumeric character, and must match the value of
-[`OpenStackRegion`](../../reference/felix/configuration.mdx#openstack-specific-configuration)
+[`OpenStackRegion`](../../reference/felix/configuration.mdx)
configured for the Felixes in the same region.
## ML2 (.../ml2_conf.ini)
diff --git a/calico_versioned_docs/version-3.30/networking/openstack/neutron-api.mdx b/calico_versioned_docs/version-3.30/networking/openstack/neutron-api.mdx
index c0f1d8a9c0..00ff12602c 100644
--- a/calico_versioned_docs/version-3.30/networking/openstack/neutron-api.mdx
+++ b/calico_versioned_docs/version-3.30/networking/openstack/neutron-api.mdx
@@ -38,7 +38,7 @@ In $[prodname], because all traffic is L3 and routed, the role of Neutron
network as L2 connectivity domain is not helpful. Therefore, in $[prodname],
Neutron networks are simply containers for subnets. Best practices for
operators configuring Neutron networks in $[prodname] deployments can be
-found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
It is not useful for non-administrator tenants to create their own
Neutron networks. Although $[prodname] will allow non-administrator tenants
@@ -66,7 +66,7 @@ subnets associated with it. Each Neutron subnet represents either an
IPv4 or IPv6 block of addresses.
Best practices for configuring Neutron subnets in $[prodname] deployments can
-be found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+be found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
In $[prodname], these roles for the Neutron subnet are preserved in their
entirety. All properties associated with these Neutron subnets are
@@ -114,7 +114,7 @@ apply to the other attributes:
Neutron quotas function unchanged.
In most deployments we recommend setting non-administrator tenant quotas
-for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
## Security Groups
@@ -216,7 +216,7 @@ groups to set up their connectivity appropriately.
#### Tab: Network -> Network Topology
For the 'Create Network' button, see the [Networks](#networks) section.
-For the 'Create Router' button, see the [Layer 3 Routing](#routers) section.
+For the 'Create Router' button, see the [Layer 3 Routing](#neutron-routers) section.
#### Tab: Network -> Networks
@@ -226,7 +226,7 @@ For networks and subnets, see the sections on [Networks](#networks) and
#### Tab: Network -> Routers
Tenants should be prevented from creating routers, as they serve no
-purpose in a $[prodname] network. See [Layer 3 Routing](#routers) for more.
+purpose in a $[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
### Section: Admin
@@ -240,4 +240,4 @@ network setup, this panel may be used to make changes. See
#### Tab: System Panel -> Routers
Administrators should not create routers, as they serve no purpose in a
-$[prodname] network. See [Layer 3 Routing](#routers) for more.
+$[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
diff --git a/calico_versioned_docs/version-3.30/operations/ebpf/enabling-ebpf.mdx b/calico_versioned_docs/version-3.30/operations/ebpf/enabling-ebpf.mdx
index a5b7a28c2a..8be583337d 100644
--- a/calico_versioned_docs/version-3.30/operations/ebpf/enabling-ebpf.mdx
+++ b/calico_versioned_docs/version-3.30/operations/ebpf/enabling-ebpf.mdx
@@ -39,8 +39,8 @@ eBPF (or "extended Berkeley Packet Filter"), is a technology that allows safe mi
- OpenShift
- EKS
- AKS with limitations:
- - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
- - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-networking) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
+ - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-azure-cni-for-networking-and-self-managed-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
+ - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-self-managed-calico-for-networking-and-network-policy) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
- RKE (RKE2 recommended because it supports disabling `kube-proxy`)
- MKE
diff --git a/calico_versioned_docs/version-3.30/reference/architecture/overview.mdx b/calico_versioned_docs/version-3.30/reference/architecture/overview.mdx
index 34324bf5f3..3bcb2882fd 100644
--- a/calico_versioned_docs/version-3.30/reference/architecture/overview.mdx
+++ b/calico_versioned_docs/version-3.30/reference/architecture/overview.mdx
@@ -62,7 +62,7 @@ Depending on the specific orchestrator environment, Felix is responsible for:
## BIRD
-**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx#content-main).
+**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx).
The BGP client is responsible for:
@@ -80,7 +80,7 @@ The BGP client is responsible for:
**Main task**: Monitors $[prodname] datastore for changes to BGP configuration and global defaults such as AS number, logging levels, and IPAM information. Open source, lightweight configuration management tool.
-Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx#content-main), and [confd project](https://github.com/kelseyhightower/confd).
+Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx), and [confd project](https://github.com/kelseyhightower/confd).
## Dikastes
diff --git a/calico_versioned_docs/version-3.30/reference/etcd-rbac/certificate-generation.mdx b/calico_versioned_docs/version-3.30/reference/etcd-rbac/certificate-generation.mdx
index 358d7e390a..6ec29d2aca 100644
--- a/calico_versioned_docs/version-3.30/reference/etcd-rbac/certificate-generation.mdx
+++ b/calico_versioned_docs/version-3.30/reference/etcd-rbac/certificate-generation.mdx
@@ -43,9 +43,9 @@ generated files are written.
Generating certificates with hack/tls-setup:
-1. Edit the [etcd certificate config](#configuration-for-the-etcd-certificates).
+1. Edit the etcd certificate config.
2. Add the
- [per-user/per-component configuration files](#configuration-for-per-userper-components-etcd-certificates)
+ per-user/per-component configuration files
3. Run `make`. (Re-running `make` will regenerate the CA and all certificates.)
Generating the certificates creates:
diff --git a/calico_versioned_docs/version-3.30/reference/etcd-rbac/kubernetes-advanced.mdx b/calico_versioned_docs/version-3.30/reference/etcd-rbac/kubernetes-advanced.mdx
index 20153c56b7..49c8fd6c5b 100644
--- a/calico_versioned_docs/version-3.30/reference/etcd-rbac/kubernetes-advanced.mdx
+++ b/calico_versioned_docs/version-3.30/reference/etcd-rbac/kubernetes-advanced.mdx
@@ -67,7 +67,7 @@ component type listed above (cni-plugin, $[prodname] Kubernetes controllers, and
`$[nodecontainer]`).
This setup needs similar updates to the manifest like what is described in
-[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-Calico-manifest),
+[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-calico-manifest),
with the in addition to those updates a separate Secret for _each_ component
must be created which holds the CA, certificate, and key data base64 encoded.
Then the specific Secret for each component must be in the `volumes` list
diff --git a/calico_versioned_docs/version-3.30/reference/resources/bgpconfig.mdx b/calico_versioned_docs/version-3.30/reference/resources/bgpconfig.mdx
index fee05fffef..0017182b65 100644
--- a/calico_versioned_docs/version-3.30/reference/resources/bgpconfig.mdx
+++ b/calico_versioned_docs/version-3.30/reference/resources/bgpconfig.mdx
@@ -71,7 +71,7 @@ spec:
| Field | Description | Accepted Values | Schema |
| ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string |
+| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string |
| value | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string |
### prefixAdvertisements
diff --git a/calico_versioned_docs/version-3.30/reference/resources/node.mdx b/calico_versioned_docs/version-3.30/reference/resources/node.mdx
index e55e0180a1..8b41cce574 100644
--- a/calico_versioned_docs/version-3.30/reference/resources/node.mdx
+++ b/calico_versioned_docs/version-3.30/reference/resources/node.mdx
@@ -46,7 +46,7 @@ spec:
| vxlanTunnelMACAddr | MAC address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| ipv6VXLANTunnelAddr | IPv6 address of the VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| vxlanTunnelMACAddrV6 | MAC address of the IPv6 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
-| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#OrchRef) |
+| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#orchref) |
| wireguard | WireGuard configuration for this node. This is applicable only if WireGuard is enabled in [Felix Configuration](felixconfig.mdx). | | [WireGuard](#wireguard) |
### OrchRef
diff --git a/calico_versioned_docs/version-3.31/about/kubernetes-training/about-kubernetes-services.mdx b/calico_versioned_docs/version-3.31/about/kubernetes-training/about-kubernetes-services.mdx
index 71422d5031..2f55197da9 100644
--- a/calico_versioned_docs/version-3.31/about/kubernetes-training/about-kubernetes-services.mdx
+++ b/calico_versioned_docs/version-3.31/about/kubernetes-training/about-kubernetes-services.mdx
@@ -73,7 +73,7 @@ reverse the NAT.)
Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the
service backing pod does not see the original client IP address. Typically this means that any such policy is limited to
restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can
-be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using
+be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using
$[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address.
## Load balancer services
@@ -89,7 +89,7 @@ default will load balance evenly across the nodes using the service node port.
Most network load balancers preserve the client source IP address, but because the service then goes via a node port,
the backing pods themselves do not see the client IP, with the same implications for network policy. As with node
-ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal)
+ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy)
or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather
than kube-proxy) which preserves source IP address.
diff --git a/calico_versioned_docs/version-3.31/getting-started/kubernetes/k3s/multi-node-install.mdx b/calico_versioned_docs/version-3.31/getting-started/kubernetes/k3s/multi-node-install.mdx
index 308aff7404..0f7760c6e2 100644
--- a/calico_versioned_docs/version-3.31/getting-started/kubernetes/k3s/multi-node-install.mdx
+++ b/calico_versioned_docs/version-3.31/getting-started/kubernetes/k3s/multi-node-install.mdx
@@ -76,7 +76,7 @@ K3s stores a kubeconfig file in your server at `/etc/rancher/k3s/k3s.yaml`, copy
To add additional nodes to your cluster you need two piece of information.
- `K3S_URL` which is going to be your main node ip address.
-- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-master-instance).
+- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-control-plane-instance).
Execute following command in your node instance and join it to the cluster.
:::note
diff --git a/calico_versioned_docs/version-3.31/getting-started/kubernetes/vpp/ipsec.mdx b/calico_versioned_docs/version-3.31/getting-started/kubernetes/vpp/ipsec.mdx
index c9d038b0a3..8b6e07e303 100644
--- a/calico_versioned_docs/version-3.31/getting-started/kubernetes/vpp/ipsec.mdx
+++ b/calico_versioned_docs/version-3.31/getting-started/kubernetes/vpp/ipsec.mdx
@@ -22,7 +22,7 @@ To enable IPsec encryption, you will need a Kubernetes cluster with:
## How to
- [Create the IKEv2 PSK](#create-the-ikev2-psk)
-- [Configure the VPP data plane](#configure-the-vpp-dataplane)
+- [Configure the VPP data plane](#configure-the-vpp-data-plane)
### Create the IKEv2 PSK
diff --git a/calico_versioned_docs/version-3.31/getting-started/kubernetes/windows-calico/troubleshoot.mdx b/calico_versioned_docs/version-3.31/getting-started/kubernetes/windows-calico/troubleshoot.mdx
index 63395a0987..124b119248 100644
--- a/calico_versioned_docs/version-3.31/getting-started/kubernetes/windows-calico/troubleshoot.mdx
+++ b/calico_versioned_docs/version-3.31/getting-started/kubernetes/windows-calico/troubleshoot.mdx
@@ -105,7 +105,7 @@ items:
### Felix starts, but does not output logs
-By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx#general-configuration) to "info" or "debug" level.
+By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx#environment-variables) to "info" or "debug" level.
### $[prodname] BGP mode: connectivity issues, Linux calico/node pods report unready
diff --git a/calico_versioned_docs/version-3.31/network-policy/comms/crypto-auth.mdx b/calico_versioned_docs/version-3.31/network-policy/comms/crypto-auth.mdx
index d52e4fde98..954bc478b6 100644
--- a/calico_versioned_docs/version-3.31/network-policy/comms/crypto-auth.mdx
+++ b/calico_versioned_docs/version-3.31/network-policy/comms/crypto-auth.mdx
@@ -30,7 +30,7 @@ its connections as follows.
- [`calicoctl`](../../operations/calicoctl/configure/etcd.mdx)
- [CNI plugin](../../reference/configure-cni-plugins.mdx#etcd-location) (Kubernetes and OpenShift only)
- [Kubernetes controllers](../../reference/kube-controllers/configuration.mdx#configuring-datastore-access) (Kubernetes and OpenShift only)
- - [Felix](../../reference/felix/configuration.mdx#etcd-datastore-configuration)
+ - [Felix](../../reference/felix/configuration.mdx)
- [Typha](../../reference/typha/configuration.mdx#etcd-datastore-configuration) (often deployed in
larger Kubernetes deployments)
- [Neutron plugin or ML2 driver](../../networking/openstack/configuration.mdx#neutron-server-etcneutronneutronconf) (OpenStack only)
@@ -138,7 +138,7 @@ For detailed reference information on these parameters, refer to:
- **Typha**: [Felix-Typha TLS configuration](../../reference/typha/configuration.mdx#felix-typha-tls-configuration)
-- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx#felix-typha-tls-configuration)
+- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx)
diff --git a/calico_versioned_docs/version-3.31/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.31/network-policy/get-started/kubernetes-default-deny.mdx
index 51ddfa6965..fad1e748ed 100644
--- a/calico_versioned_docs/version-3.31/network-policy/get-started/kubernetes-default-deny.mdx
+++ b/calico_versioned_docs/version-3.31/network-policy/get-started/kubernetes-default-deny.mdx
@@ -39,8 +39,8 @@ To apply the sample $[prodname] network policies in the following section, [inst
## How to
-- [Create a default deny network policy](#crate-a-default-deny-network-policy)
-- [Create a global default deny network policy](#create-a-global-default-deny-network-policy)
+- [Create a default deny network policy](#create-a-default-deny-network-policy)
+- [Create a global default deny network policy](#create-a-global-default-deny-policy)
### Create a default deny network policy
diff --git a/calico_versioned_docs/version-3.31/network-policy/policy-rules/icmp-ping.mdx b/calico_versioned_docs/version-3.31/network-policy/policy-rules/icmp-ping.mdx
index c9cba6e793..be09c1aaf9 100644
--- a/calico_versioned_docs/version-3.31/network-policy/policy-rules/icmp-ping.mdx
+++ b/calico_versioned_docs/version-3.31/network-policy/policy-rules/icmp-ping.mdx
@@ -30,7 +30,7 @@ For details, see [ICMP type and code](https://en.wikipedia.org/wiki/Internet_Con
- [Deny all ICMP, all workloads and host endpoints](#deny-all-icmp-all-workloads-and-host-endpoints)
- [Allow ICMP ping, all workloads and host endpoints](#allow-icmp-ping-all-workloads-and-host-endpoints)
-- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-Kubernetes-pods)
+- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-kubernetes-pods)
### Deny all ICMP, all workloads and host endpoints
diff --git a/calico_versioned_docs/version-3.31/networking/configuring/bgp-to-workload.mdx b/calico_versioned_docs/version-3.31/networking/configuring/bgp-to-workload.mdx
index abf9da9ee4..b25f05adae 100644
--- a/calico_versioned_docs/version-3.31/networking/configuring/bgp-to-workload.mdx
+++ b/calico_versioned_docs/version-3.31/networking/configuring/bgp-to-workload.mdx
@@ -66,7 +66,7 @@ them available through `kubectl`), or by using [calicoctl](../../operations/cali
## How to
- [Configure global BGP settings](#configure-global-bgp-settings)
-- [Create BGPFilter resources](#configure-bgpfilter-resources)
+- [Create BGPFilter resources](#create-bgpfilter-resources)
- [Configure parent cluster BGP topology](#configure-parent-cluster-bgp-topology)
- [Configure BGP peering with workloads](#configure-bgp-peering-with-workloads)
- [Configure more than one nested cluster](#configure-more-than-one-nested-cluster)
diff --git a/calico_versioned_docs/version-3.31/networking/configuring/use-ipvs.mdx b/calico_versioned_docs/version-3.31/networking/configuring/use-ipvs.mdx
index 9f45f86b6f..3a7f468993 100644
--- a/calico_versioned_docs/version-3.31/networking/configuring/use-ipvs.mdx
+++ b/calico_versioned_docs/version-3.31/networking/configuring/use-ipvs.mdx
@@ -33,7 +33,7 @@ Kube-proxy IPVS mode supports NodePort services and cluster IPs. $[prodname] als
### iptables: when to change mark bits
-To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx#ipvs-bits).
+To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx).
### $[prodname] auto detects ipvs mode
diff --git a/calico_versioned_docs/version-3.31/networking/openstack/configuration.mdx b/calico_versioned_docs/version-3.31/networking/openstack/configuration.mdx
index 1f59427322..0c02cc4a0d 100644
--- a/calico_versioned_docs/version-3.31/networking/openstack/configuration.mdx
+++ b/calico_versioned_docs/version-3.31/networking/openstack/configuration.mdx
@@ -70,7 +70,7 @@ node belongs to.
When specified, the value of `openstack_region` must be a string of lower case alphanumeric
characters or '-', starting and ending with an alphanumeric character, and must match the value of
-[`OpenStackRegion`](../../reference/felix/configuration.mdx#openstack-specific-configuration)
+[`OpenStackRegion`](../../reference/felix/configuration.mdx)
configured for the Felixes in the same region.
## ML2 (.../ml2_conf.ini)
diff --git a/calico_versioned_docs/version-3.31/networking/openstack/neutron-api.mdx b/calico_versioned_docs/version-3.31/networking/openstack/neutron-api.mdx
index c0f1d8a9c0..00ff12602c 100644
--- a/calico_versioned_docs/version-3.31/networking/openstack/neutron-api.mdx
+++ b/calico_versioned_docs/version-3.31/networking/openstack/neutron-api.mdx
@@ -38,7 +38,7 @@ In $[prodname], because all traffic is L3 and routed, the role of Neutron
network as L2 connectivity domain is not helpful. Therefore, in $[prodname],
Neutron networks are simply containers for subnets. Best practices for
operators configuring Neutron networks in $[prodname] deployments can be
-found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
It is not useful for non-administrator tenants to create their own
Neutron networks. Although $[prodname] will allow non-administrator tenants
@@ -66,7 +66,7 @@ subnets associated with it. Each Neutron subnet represents either an
IPv4 or IPv6 block of addresses.
Best practices for configuring Neutron subnets in $[prodname] deployments can
-be found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+be found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
In $[prodname], these roles for the Neutron subnet are preserved in their
entirety. All properties associated with these Neutron subnets are
@@ -114,7 +114,7 @@ apply to the other attributes:
Neutron quotas function unchanged.
In most deployments we recommend setting non-administrator tenant quotas
-for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
## Security Groups
@@ -216,7 +216,7 @@ groups to set up their connectivity appropriately.
#### Tab: Network -> Network Topology
For the 'Create Network' button, see the [Networks](#networks) section.
-For the 'Create Router' button, see the [Layer 3 Routing](#routers) section.
+For the 'Create Router' button, see the [Layer 3 Routing](#neutron-routers) section.
#### Tab: Network -> Networks
@@ -226,7 +226,7 @@ For networks and subnets, see the sections on [Networks](#networks) and
#### Tab: Network -> Routers
Tenants should be prevented from creating routers, as they serve no
-purpose in a $[prodname] network. See [Layer 3 Routing](#routers) for more.
+purpose in a $[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
### Section: Admin
@@ -240,4 +240,4 @@ network setup, this panel may be used to make changes. See
#### Tab: System Panel -> Routers
Administrators should not create routers, as they serve no purpose in a
-$[prodname] network. See [Layer 3 Routing](#routers) for more.
+$[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
diff --git a/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx b/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx
index abcabd91b7..ebfb163081 100644
--- a/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx
+++ b/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx
@@ -64,8 +64,8 @@ This section explains how to enable the eBPF data plane on all compatible cluste
- OpenShift
- EKS
- AKS with limitations:
- - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
- - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-networking) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
+ - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-azure-cni-for-networking-and-self-managed-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
+ - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-self-managed-calico-for-networking-and-network-policy) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
- RKE (RKE2 recommended because it supports disabling `kube-proxy`)
- MKE
- Linux distribution/kernel:
diff --git a/calico_versioned_docs/version-3.31/reference/architecture/overview.mdx b/calico_versioned_docs/version-3.31/reference/architecture/overview.mdx
index 34324bf5f3..3bcb2882fd 100644
--- a/calico_versioned_docs/version-3.31/reference/architecture/overview.mdx
+++ b/calico_versioned_docs/version-3.31/reference/architecture/overview.mdx
@@ -62,7 +62,7 @@ Depending on the specific orchestrator environment, Felix is responsible for:
## BIRD
-**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx#content-main).
+**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx).
The BGP client is responsible for:
@@ -80,7 +80,7 @@ The BGP client is responsible for:
**Main task**: Monitors $[prodname] datastore for changes to BGP configuration and global defaults such as AS number, logging levels, and IPAM information. Open source, lightweight configuration management tool.
-Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx#content-main), and [confd project](https://github.com/kelseyhightower/confd).
+Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx), and [confd project](https://github.com/kelseyhightower/confd).
## Dikastes
diff --git a/calico_versioned_docs/version-3.31/reference/etcd-rbac/certificate-generation.mdx b/calico_versioned_docs/version-3.31/reference/etcd-rbac/certificate-generation.mdx
index 358d7e390a..6ec29d2aca 100644
--- a/calico_versioned_docs/version-3.31/reference/etcd-rbac/certificate-generation.mdx
+++ b/calico_versioned_docs/version-3.31/reference/etcd-rbac/certificate-generation.mdx
@@ -43,9 +43,9 @@ generated files are written.
Generating certificates with hack/tls-setup:
-1. Edit the [etcd certificate config](#configuration-for-the-etcd-certificates).
+1. Edit the etcd certificate config.
2. Add the
- [per-user/per-component configuration files](#configuration-for-per-userper-components-etcd-certificates)
+ per-user/per-component configuration files
3. Run `make`. (Re-running `make` will regenerate the CA and all certificates.)
Generating the certificates creates:
diff --git a/calico_versioned_docs/version-3.31/reference/etcd-rbac/kubernetes-advanced.mdx b/calico_versioned_docs/version-3.31/reference/etcd-rbac/kubernetes-advanced.mdx
index 20153c56b7..49c8fd6c5b 100644
--- a/calico_versioned_docs/version-3.31/reference/etcd-rbac/kubernetes-advanced.mdx
+++ b/calico_versioned_docs/version-3.31/reference/etcd-rbac/kubernetes-advanced.mdx
@@ -67,7 +67,7 @@ component type listed above (cni-plugin, $[prodname] Kubernetes controllers, and
`$[nodecontainer]`).
This setup needs similar updates to the manifest like what is described in
-[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-Calico-manifest),
+[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-calico-manifest),
with the in addition to those updates a separate Secret for _each_ component
must be created which holds the CA, certificate, and key data base64 encoded.
Then the specific Secret for each component must be in the `volumes` list
diff --git a/calico_versioned_docs/version-3.31/reference/installation/_api.mdx b/calico_versioned_docs/version-3.31/reference/installation/_api.mdx
index f594176226..c46ac58e78 100644
--- a/calico_versioned_docs/version-3.31/reference/installation/_api.mdx
+++ b/calico_versioned_docs/version-3.31/reference/installation/_api.mdx
@@ -1822,7 +1822,7 @@ _Appears in:_
| `istiod` _[IstiodDeployment](#istioddeployment)_ | (Optional) IstiodDeployment defines the resource requirements and node selector for the Istio deployment. |
| `istioCNI` _[IstioCNIDaemonset](#istiocnidaemonset)_ | (Optional) IstioCNIDaemonset defines the resource requirements for the Istio CNI plugin. |
| `ztunnel` _[ZTunnelDaemonset](#ztunneldaemonset)_ | (Optional) ZTunnelDaemonset defines the resource requirements for the ZTunnelDaemonset component. |
-| `dscpMark` _[DSCP](#dscp)_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
+| `dscpMark` _DSCP_ | (Optional) DSCPMark define the value of the DSCP mark done by Felix and recognised by Istio CNI for Transparent NetworkPolicies. |
### IstioStatus
diff --git a/calico_versioned_docs/version-3.31/reference/resources/bgpconfig.mdx b/calico_versioned_docs/version-3.31/reference/resources/bgpconfig.mdx
index fee05fffef..0017182b65 100644
--- a/calico_versioned_docs/version-3.31/reference/resources/bgpconfig.mdx
+++ b/calico_versioned_docs/version-3.31/reference/resources/bgpconfig.mdx
@@ -71,7 +71,7 @@ spec:
| Field | Description | Accepted Values | Schema |
| ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string |
+| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string |
| value | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string |
### prefixAdvertisements
diff --git a/calico_versioned_docs/version-3.31/reference/resources/node.mdx b/calico_versioned_docs/version-3.31/reference/resources/node.mdx
index e55e0180a1..8b41cce574 100644
--- a/calico_versioned_docs/version-3.31/reference/resources/node.mdx
+++ b/calico_versioned_docs/version-3.31/reference/resources/node.mdx
@@ -46,7 +46,7 @@ spec:
| vxlanTunnelMACAddr | MAC address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| ipv6VXLANTunnelAddr | IPv6 address of the VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| vxlanTunnelMACAddrV6 | MAC address of the IPv6 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
-| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#OrchRef) |
+| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#orchref) |
| wireguard | WireGuard configuration for this node. This is applicable only if WireGuard is enabled in [Felix Configuration](felixconfig.mdx). | | [WireGuard](#wireguard) |
### OrchRef
diff --git a/calico_versioned_docs/version-3.32/_includes/content/_rule.mdx b/calico_versioned_docs/version-3.32/_includes/content/_rule.mdx
index 54a04d392e..6ed49affa9 100644
--- a/calico_versioned_docs/version-3.32/_includes/content/_rule.mdx
+++ b/calico_versioned_docs/version-3.32/_includes/content/_rule.mdx
@@ -12,7 +12,7 @@ are executed in order.
| ipVersion | Positive IP version match. | `4`, `6` | integer | |
| source | Source match parameters. | | [EntityRule](#entityrule) | |
| destination | Destination match parameters. | | [EntityRule](#entityrule) | |
-| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | [HTTPMatch](#httpmatch) | |
+| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | HTTPMatch | |
After a `Log` action, processing continues with the next rule; `Allow` and `Deny` are immediate
and final and no further rules are processed.
diff --git a/calico_versioned_docs/version-3.32/about/kubernetes-training/about-kubernetes-services.mdx b/calico_versioned_docs/version-3.32/about/kubernetes-training/about-kubernetes-services.mdx
index 3000c446d6..9fcab11ce3 100644
--- a/calico_versioned_docs/version-3.32/about/kubernetes-training/about-kubernetes-services.mdx
+++ b/calico_versioned_docs/version-3.32/about/kubernetes-training/about-kubernetes-services.mdx
@@ -73,7 +73,7 @@ reverse the NAT.)
Note that because the connection source IP address is SNATed to the node IP address, ingress network policy for the
service backing pod does not see the original client IP address. Typically this means that any such policy is limited to
restricting the destination protocol and port, and cannot restrict based on the client / source IP. This limitation can
-be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal) or by using
+be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy) or by using
$[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather than kube-proxy) which preserves source IP address.
## Load balancer services
@@ -89,7 +89,7 @@ default will load balance evenly across the nodes using the service node port.
Most network load balancers preserve the client source IP address, but because the service then goes via a node port,
the backing pods themselves do not see the client IP, with the same implications for network policy. As with node
-ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicylocal)
+ports, this limitation can be circumvented in some scenarios by using [externalTrafficPolicy](#externaltrafficpolicy)
or by using $[prodname]'s eBPF data plane [native service handling](#calico-ebpf-native-service-handling) (rather
than kube-proxy) which preserves source IP address.
diff --git a/calico_versioned_docs/version-3.32/getting-started/kubernetes/k3s/multi-node-install.mdx b/calico_versioned_docs/version-3.32/getting-started/kubernetes/k3s/multi-node-install.mdx
index 206692d650..b6c0e38855 100644
--- a/calico_versioned_docs/version-3.32/getting-started/kubernetes/k3s/multi-node-install.mdx
+++ b/calico_versioned_docs/version-3.32/getting-started/kubernetes/k3s/multi-node-install.mdx
@@ -76,7 +76,7 @@ K3s stores a kubeconfig file in your server at `/etc/rancher/k3s/k3s.yaml`, copy
To add additional nodes to your cluster you need two piece of information.
- `K3S_URL` which is going to be your main node ip address.
-- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-master-instance).
+- `K3S_TOKEN` which is stored in `/var/lib/rancher/k3s/server/node-token` file in main Node [(Step 1)](#initializing-control-plane-instance).
Execute following command in your node instance and join it to the cluster.
:::note
diff --git a/calico_versioned_docs/version-3.32/getting-started/kubernetes/vpp/ipsec.mdx b/calico_versioned_docs/version-3.32/getting-started/kubernetes/vpp/ipsec.mdx
index a457047035..56f1aeaffb 100644
--- a/calico_versioned_docs/version-3.32/getting-started/kubernetes/vpp/ipsec.mdx
+++ b/calico_versioned_docs/version-3.32/getting-started/kubernetes/vpp/ipsec.mdx
@@ -22,7 +22,7 @@ To enable IPsec encryption, you will need a Kubernetes cluster with:
## How to
- [Create the IKEv2 PSK](#create-the-ikev2-psk)
-- [Configure the VPP data plane](#configure-the-vpp-dataplane)
+- [Configure the VPP data plane](#configure-the-vpp-data-plane)
### Create the IKEv2 PSK
diff --git a/calico_versioned_docs/version-3.32/getting-started/kubernetes/windows-calico/troubleshoot.mdx b/calico_versioned_docs/version-3.32/getting-started/kubernetes/windows-calico/troubleshoot.mdx
index 62ecf19f91..b06bc65f07 100644
--- a/calico_versioned_docs/version-3.32/getting-started/kubernetes/windows-calico/troubleshoot.mdx
+++ b/calico_versioned_docs/version-3.32/getting-started/kubernetes/windows-calico/troubleshoot.mdx
@@ -109,7 +109,7 @@ items:
### Felix starts, but does not output logs
-By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx#general-configuration) to "info" or "debug" level.
+By default, Felix waits to connect to the datastore before logging (in case the datastore configuration intentionally disables logging). To start logging at startup, update the [FELIX_LOGSEVERITYSCREEN environment variable](../../../reference/felix/configuration.mdx) to "info" or "debug" level.
### $[prodname] BGP mode: connectivity issues, Linux calico/node pods report unready
diff --git a/calico_versioned_docs/version-3.32/network-policy/comms/crypto-auth.mdx b/calico_versioned_docs/version-3.32/network-policy/comms/crypto-auth.mdx
index cf72a8db76..d3c0813a75 100644
--- a/calico_versioned_docs/version-3.32/network-policy/comms/crypto-auth.mdx
+++ b/calico_versioned_docs/version-3.32/network-policy/comms/crypto-auth.mdx
@@ -30,7 +30,7 @@ its connections as follows.
- [`calicoctl`](../../operations/calicoctl/configure/etcd.mdx)
- [CNI plugin](../../reference/configure-cni-plugins.mdx#etcd-location) (Kubernetes and OpenShift only)
- [Kubernetes controllers](../../reference/kube-controllers/configuration.mdx#configuring-datastore-access) (Kubernetes and OpenShift only)
- - [Felix](../../reference/felix/configuration.mdx#etcd-datastore-configuration)
+ - [Felix](../../reference/felix/configuration.mdx)
- [Typha](../../reference/typha/configuration.mdx#etcd-datastore-configuration) (often deployed in
larger Kubernetes deployments)
- [Neutron plugin](../../networking/openstack/configuration.mdx#neutron-server-etcneutronneutronconf) (OpenStack only)
@@ -138,7 +138,7 @@ For detailed reference information on these parameters, refer to:
- **Typha**: [Felix-Typha TLS configuration](../../reference/typha/configuration.mdx#felix-typha-tls-configuration)
-- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx#felix-typha-tls-configuration)
+- **Felix**: [Felix-Typha TLS configuration](../../reference/felix/configuration.mdx)
diff --git a/calico_versioned_docs/version-3.32/network-policy/get-started/kubernetes-default-deny.mdx b/calico_versioned_docs/version-3.32/network-policy/get-started/kubernetes-default-deny.mdx
index 5de1e7be3d..a5ee46f064 100644
--- a/calico_versioned_docs/version-3.32/network-policy/get-started/kubernetes-default-deny.mdx
+++ b/calico_versioned_docs/version-3.32/network-policy/get-started/kubernetes-default-deny.mdx
@@ -39,8 +39,8 @@ To apply the sample $[prodname] network policies in the following section, [inst
## How to
-- [Create a default deny network policy](#crate-a-default-deny-network-policy)
-- [Create a global default deny network policy](#create-a-global-default-deny-network-policy)
+- [Create a default deny network policy](#create-a-default-deny-network-policy)
+- [Create a global default deny network policy](#create-a-global-default-deny-policy)
### Create a default deny network policy
diff --git a/calico_versioned_docs/version-3.32/network-policy/policy-rules/icmp-ping.mdx b/calico_versioned_docs/version-3.32/network-policy/policy-rules/icmp-ping.mdx
index 51ba2588c1..9efeab8d28 100644
--- a/calico_versioned_docs/version-3.32/network-policy/policy-rules/icmp-ping.mdx
+++ b/calico_versioned_docs/version-3.32/network-policy/policy-rules/icmp-ping.mdx
@@ -30,7 +30,7 @@ For details, see [ICMP type and code](https://en.wikipedia.org/wiki/Internet_Con
- [Deny all ICMP, all workloads and host endpoints](#deny-all-icmp-all-workloads-and-host-endpoints)
- [Allow ICMP ping, all workloads and host endpoints](#allow-icmp-ping-all-workloads-and-host-endpoints)
-- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-Kubernetes-pods)
+- [Allow ICMP matching protocol type and code, all Kubernetes pods](#allow-icmp-matching-protocol-type-and-code-all-kubernetes-pods)
### Deny all ICMP, all workloads and host endpoints
diff --git a/calico_versioned_docs/version-3.32/networking/configuring/bgp-to-workload.mdx b/calico_versioned_docs/version-3.32/networking/configuring/bgp-to-workload.mdx
index 2a011fdb31..67feed352e 100644
--- a/calico_versioned_docs/version-3.32/networking/configuring/bgp-to-workload.mdx
+++ b/calico_versioned_docs/version-3.32/networking/configuring/bgp-to-workload.mdx
@@ -66,7 +66,7 @@ them available through `kubectl`), or by using [calicoctl](../../operations/cali
## How to
- [Configure global BGP settings](#configure-global-bgp-settings)
-- [Create BGPFilter resources](#configure-bgpfilter-resources)
+- [Create BGPFilter resources](#create-bgpfilter-resources)
- [Configure parent cluster BGP topology](#configure-parent-cluster-bgp-topology)
- [Configure BGP peering with workloads](#configure-bgp-peering-with-workloads)
- [Configure more than one nested cluster](#configure-more-than-one-nested-cluster)
diff --git a/calico_versioned_docs/version-3.32/networking/configuring/use-ipvs.mdx b/calico_versioned_docs/version-3.32/networking/configuring/use-ipvs.mdx
index 3a403f6956..93b19d357a 100644
--- a/calico_versioned_docs/version-3.32/networking/configuring/use-ipvs.mdx
+++ b/calico_versioned_docs/version-3.32/networking/configuring/use-ipvs.mdx
@@ -33,7 +33,7 @@ Kube-proxy IPVS mode supports NodePort services and cluster IPs. $[prodname] als
### iptables: when to change mark bits
-To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx#ipvs-bits).
+To police traffic in IPVS mode, $[prodname] uses additional iptables mark bits to store an ID for each local $[prodname] endpoint. If you are planning to run more than 1,022 pods per host with IPVS enabled, you may need to adjust the mark bit size using the `IptablesMarkMask` parameter in $[prodname] [FelixConfiguration](../../reference/felix/configuration.mdx).
### $[prodname] auto detects ipvs mode
diff --git a/calico_versioned_docs/version-3.32/networking/openstack/configuration.mdx b/calico_versioned_docs/version-3.32/networking/openstack/configuration.mdx
index 08dde4fbfb..f700c8b106 100644
--- a/calico_versioned_docs/version-3.32/networking/openstack/configuration.mdx
+++ b/calico_versioned_docs/version-3.32/networking/openstack/configuration.mdx
@@ -57,5 +57,5 @@ node belongs to.
When specified, the value of `openstack_region` must be a string of lower case alphanumeric
characters or '-', starting and ending with an alphanumeric character, and must match the value of
-[`OpenStackRegion`](../../reference/felix/configuration.mdx#openstack-specific-configuration)
+[`OpenStackRegion`](../../reference/felix/configuration.mdx#data-plane-openstack-support)
configured for the Felixes in the same region.
diff --git a/calico_versioned_docs/version-3.32/networking/openstack/neutron-api.mdx b/calico_versioned_docs/version-3.32/networking/openstack/neutron-api.mdx
index 78f5b90afc..3c26adb71c 100644
--- a/calico_versioned_docs/version-3.32/networking/openstack/neutron-api.mdx
+++ b/calico_versioned_docs/version-3.32/networking/openstack/neutron-api.mdx
@@ -38,7 +38,7 @@ In $[prodname], because all traffic is L3 and routed, the role of Neutron
network as L2 connectivity domain is not helpful. Therefore, in $[prodname],
Neutron networks are simply containers for subnets. Best practices for
operators configuring Neutron networks in $[prodname] deployments can be
-found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
It is not useful for non-administrator tenants to create their own
Neutron networks. Although $[prodname] will allow non-administrator tenants
@@ -66,7 +66,7 @@ subnets associated with it. Each Neutron subnet represents either an
IPv4 or IPv6 block of addresses.
Best practices for configuring Neutron subnets in $[prodname] deployments can
-be found in [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+be found in [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
In $[prodname], these roles for the Neutron subnet are preserved in their
entirety. All properties associated with these Neutron subnets are
@@ -114,7 +114,7 @@ apply to the other attributes:
Neutron quotas function unchanged.
In most deployments we recommend setting non-administrator tenant quotas
-for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#opens-external-conn-setup).
+for almost all Neutron objects to zero. For more information, see [Set up OpenStack](connectivity.mdx#part-2-set-up-openstack).
## Security Groups
@@ -216,7 +216,7 @@ groups to set up their connectivity appropriately.
#### Tab: Network -> Network Topology
For the 'Create Network' button, see the [Networks](#networks) section.
-For the 'Create Router' button, see the [Layer 3 Routing](#routers) section.
+For the 'Create Router' button, see the [Layer 3 Routing](#neutron-routers) section.
#### Tab: Network -> Networks
@@ -226,7 +226,7 @@ For networks and subnets, see the sections on [Networks](#networks) and
#### Tab: Network -> Routers
Tenants should be prevented from creating routers, as they serve no
-purpose in a $[prodname] network. See [Layer 3 Routing](#routers) for more.
+purpose in a $[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
### Section: Admin
@@ -240,4 +240,4 @@ network setup, this panel may be used to make changes. See
#### Tab: System Panel -> Routers
Administrators should not create routers, as they serve no purpose in a
-$[prodname] network. See [Layer 3 Routing](#routers) for more.
+$[prodname] network. See [Layer 3 Routing](#neutron-routers) for more.
diff --git a/calico_versioned_docs/version-3.32/operations/ebpf/enabling-ebpf.mdx b/calico_versioned_docs/version-3.32/operations/ebpf/enabling-ebpf.mdx
index 4a04da48c1..7070ae3290 100644
--- a/calico_versioned_docs/version-3.32/operations/ebpf/enabling-ebpf.mdx
+++ b/calico_versioned_docs/version-3.32/operations/ebpf/enabling-ebpf.mdx
@@ -64,8 +64,8 @@ This section explains how to enable the eBPF data plane on all compatible cluste
- OpenShift
- EKS
- AKS with limitations:
- - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-for-network-policy) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
- - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-calico-networking) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
+ - [AKS with Azure CNI and Calico network policy](../../getting-started/kubernetes/managed-public-cloud/aks.mdx) works, but it is not possible to disable kube-proxy resulting in wasted resources and suboptimal performance.
+ - [AKS with $[prodname] networking](../../getting-started/kubernetes/managed-public-cloud/aks.mdx#install-aks-with-self-managed-calico-for-networking-and-network-policy) is in testing with the eBPF data plane. This should be a better solution overall but, at time of writing, the testing was not complete.
- RKE (RKE2 recommended because it supports disabling `kube-proxy`)
- MKE
- Linux distribution/kernel:
diff --git a/calico_versioned_docs/version-3.32/reference/architecture/overview.mdx b/calico_versioned_docs/version-3.32/reference/architecture/overview.mdx
index 7e52dffe24..64a4db5f43 100644
--- a/calico_versioned_docs/version-3.32/reference/architecture/overview.mdx
+++ b/calico_versioned_docs/version-3.32/reference/architecture/overview.mdx
@@ -64,7 +64,7 @@ Depending on the specific orchestrator environment, Felix is responsible for:
## BIRD
-**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx#content-main).
+**Main task**: Gets routes from Felix and distributes to BGP peers on the network for inter-host routing. Runs on each node that hosts a Felix agent. Open source, internet routing daemon. [BIRD](../configure-calico-node.mdx).
The BGP client is responsible for:
@@ -85,7 +85,7 @@ The BGP client is responsible for:
{/* vale Vale.Repetition = YES */}
Open source, lightweight configuration management tool.
-Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx#content-main), and [confd project](https://github.com/kelseyhightower/confd).
+Confd dynamically generates BIRD configuration files based on the updates to data in the datastore. When the configuration file changes, confd triggers BIRD to load the new files. [Configure confd](../configure-calico-node.mdx), and [confd project](https://github.com/kelseyhightower/confd).
## Dikastes
diff --git a/calico_versioned_docs/version-3.32/reference/etcd-rbac/certificate-generation.mdx b/calico_versioned_docs/version-3.32/reference/etcd-rbac/certificate-generation.mdx
index 7a3aa15af2..3e1ecd50b8 100644
--- a/calico_versioned_docs/version-3.32/reference/etcd-rbac/certificate-generation.mdx
+++ b/calico_versioned_docs/version-3.32/reference/etcd-rbac/certificate-generation.mdx
@@ -43,9 +43,9 @@ generated files are written.
Generating certificates with hack/tls-setup:
-1. Edit the [etcd certificate config](#configuration-for-the-etcd-certificates).
+1. Edit the etcd certificate config.
2. Add the
- [per-user/per-component configuration files](#configuration-for-per-userper-components-etcd-certificates)
+ per-user/per-component configuration files
3. Run `make`. (Re-running `make` will regenerate the CA and all certificates.)
Generating the certificates creates:
diff --git a/calico_versioned_docs/version-3.32/reference/etcd-rbac/kubernetes-advanced.mdx b/calico_versioned_docs/version-3.32/reference/etcd-rbac/kubernetes-advanced.mdx
index 31f35fc04c..51214c0f50 100644
--- a/calico_versioned_docs/version-3.32/reference/etcd-rbac/kubernetes-advanced.mdx
+++ b/calico_versioned_docs/version-3.32/reference/etcd-rbac/kubernetes-advanced.mdx
@@ -67,7 +67,7 @@ component type listed above (cni-plugin, $[prodname] Kubernetes controllers, and
`$[nodecontainer]`).
This setup needs similar updates to the manifest like what is described in
-[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-Calico-manifest),
+[Using etcd RBAC to segment Kubernetes and $[prodname]: Updating a hosted $[prodname] manifest](kubernetes.mdx#updating-a-hosted-calico-manifest),
with the in addition to those updates a separate Secret for _each_ component
must be created which holds the CA, certificate, and key data base64 encoded.
Then the specific Secret for each component must be in the `volumes` list
diff --git a/calico_versioned_docs/version-3.32/reference/resources/bgpconfig.mdx b/calico_versioned_docs/version-3.32/reference/resources/bgpconfig.mdx
index 90545cfa78..658024b2fb 100644
--- a/calico_versioned_docs/version-3.32/reference/resources/bgpconfig.mdx
+++ b/calico_versioned_docs/version-3.32/reference/resources/bgpconfig.mdx
@@ -74,7 +74,7 @@ spec:
| Field | Description | Accepted Values | Schema |
| ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `name` | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string |
+| `name` | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string |
| `value` | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string |
### prefixAdvertisements
diff --git a/calico_versioned_docs/version-3.32/reference/resources/node.mdx b/calico_versioned_docs/version-3.32/reference/resources/node.mdx
index e58cd6e582..826f4c8811 100644
--- a/calico_versioned_docs/version-3.32/reference/resources/node.mdx
+++ b/calico_versioned_docs/version-3.32/reference/resources/node.mdx
@@ -46,7 +46,7 @@ spec:
| vxlanTunnelMACAddr | MAC address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| ipv6VXLANTunnelAddr | IPv6 address of the VXLAN tunnel. This is system configured and should not be updated manually. | | string |
| vxlanTunnelMACAddrV6 | MAC address of the IPv6 VXLAN tunnel. This is system configured and should not be updated manually. | | string |
-| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#OrchRef) |
+| orchRefs | Correlates this node to a node in another orchestrator. | | list of [OrchRefs](#orchref) |
| wireguard | WireGuard configuration for this node. This is applicable only if WireGuard is enabled in [Felix Configuration](felixconfig.mdx). | | [WireGuard](#wireguard) |
### OrchRef
diff --git a/use-cases/cluster-mesh.mdx b/use-cases/cluster-mesh.mdx
index 2da76831eb..c3ca401018 100644
--- a/use-cases/cluster-mesh.mdx
+++ b/use-cases/cluster-mesh.mdx
@@ -118,7 +118,7 @@ Typha logs will contain the remote cluster connection status.
## Implementing cluster mesh
-In order to set up a cluster mesh with Calico Enterprise or Calico Cloud, you need to make sure that you are using the Calico CNI and that you have [ensured pod IP routability](/calico-enterprise/latest/multicluster/federation/kubeconfig#ensure-pod-ip-routability).
+In order to set up a cluster mesh with Calico Enterprise or Calico Cloud, you need to make sure that you are using the Calico CNI and that you have [ensured pod IP routability](/calico-enterprise/latest/multicluster/federation/kubeconfig).
An overview of the key steps to set up cluster mesh are outlined below.
@@ -156,7 +156,7 @@ contexts:
current-context: tigera-federation-remote-cluster-ctx
```
-For detailed instructions on correctly creating these `kubeconfig` files, follow the documentation for either [Calico Enterprise](/calico-enterprise/latest/multicluster/federation/kubeconfig#create-kubeconfig-files) or [Calico Cloud](/calico-cloud/multicluster/kubeconfig#create-kubeconfig-files).
+For detailed instructions on correctly creating these `kubeconfig` files, follow the documentation for either [Calico Enterprise](/calico-enterprise/latest/multicluster/federation/kubeconfig) or [Calico Cloud](/calico-cloud/multicluster/kubeconfig).
### The RemoteClusterConfiguration object
@@ -212,7 +212,7 @@ You should see an entry for each `RemoteClusterConfiguration` object in the loca
These steps will need to be performed on both the local and remote clusters to allow bidirectional synchronization.
-For detailed instructions on correctly creating the `RemoteClusterConfiguration` object, follow the documentation for either [Calico Enterprise](/calico-enterprise/latest/multicluster/federation/kubeconfig#create-remoteclusterconfigurations) or [Calico Cloud](/calico-cloud/multicluster/kubeconfig#create-remoteclusterconfigurations).
+For detailed instructions on correctly creating the `RemoteClusterConfiguration` object, follow the documentation for either [Calico Enterprise](/calico-enterprise/latest/multicluster/federation/kubeconfig) or [Calico Cloud](/calico-cloud/multicluster/kubeconfig).
### Enable multi-cluster service discovery and federation
diff --git a/use-cases/microsegmentation.mdx b/use-cases/microsegmentation.mdx
index ae54affd85..47f31180c0 100644
--- a/use-cases/microsegmentation.mdx
+++ b/use-cases/microsegmentation.mdx
@@ -110,7 +110,7 @@ Calico's network policies include:
* more flexible match rules
* applicable to multiple endpoints (pods, VMs, and host interfaces).
-There is a more detailed list of Calico network policy features available [here](/calico/latest/network-policy/get-started/calico-policy/calico-network-policy#features).
+There is a more detailed list of Calico network policy features available [here](/calico/latest/network-policy/get-started/calico-policy/calico-network-policy).
The Kubernetes documentation outlines what network policies [do](https://kubernetes.io/docs/concepts/services-networking/network-policies/) and [do not](https://kubernetes.io/docs/concepts/services-networking/network-policies/#what-you-can-t-do-with-network-policies-at-least-not-yet) support.
Project Calico integration with Istio providers application security, and service mesh.