Merge branch 'main' into ben-migration-cleanup-cloudsec

Author: benironside

deploy-manage/_snippets/field-doc-sec-limitations.md

@@ -0,0 +1,44 @@
+Field and document security is subject to the following limitations: 
+
+### Document level security limitations
+
+When a user’s role enables [document level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) for a data stream or index:
+
+* Document level security doesn’t affect global index statistics that relevancy scoring uses. This means that scores are computed without taking the role query into account. Documents that don’t match the role query are never returned.
+* The `has_child` and `has_parent` queries aren’t supported as query parameters in the role definition. The `has_child` and `has_parent` queries can be used in the search API with document level security enabled.
+* [Date math](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/rest-apis/common-options.md#date-math) expressions cannot contain `now` in [range queries with date fields](asciidocalypse://docs/elasticsearch/docs/reference/query-languages/query-dsl-range-query.md#ranges-on-dates).
+* Any query that makes remote calls to fetch query data isn’t supported, including the following queries:
+
+    * `terms` query with terms lookup
+    * `geo_shape` query with indexed shapes
+    * `percolate` query
+
+* If suggesters are specified and document level security is enabled, the specified suggesters are ignored.
+* A search request cannot be profiled if document level security is enabled.
+* The [terms enum API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-terms-enum) does not return terms if document level security is enabled.
+* The [`multi_match`](asciidocalypse://docs/elasticsearch/docs/reference/query-languages/query-dsl-multi-match-query.md) query does not support specifying fields using wildcards.
+
+:::{note} 
+While document-level security prevents users from viewing restricted documents, it’s still possible to write search requests that return aggregate information about the entire index. A user whose access is restricted to specific documents in an index could still learn about field names and terms that only exist in inaccessible documents, and count how many inaccessible documents contain a given term.
+:::
+
+### Field level security limitations
+
+When a user’s role enables document or [field level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) for a data stream or index:
+
+* The user cannot perform write operations:
+
+    * The update API isn’t supported.
+    * Update requests included in bulk requests aren’t supported.
+
+* The user cannot perform operations that effectively make contents accessible under another name, including actions from the following APIs:
+
+    * [Clone index API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-clone)
+    * [Shrink index API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-shrink)
+    * [Split index API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-split)
+    * [Aliases API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-update-aliases)
+
+* The request cache is disabled for search requests if either of the following are true:
+
+    * The role query that defines document level security is [templated](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md#templating-role-query) using a [stored script](/explore-analyze/scripting/modules-scripting-using.md#script-stored-scripts).
+    * The target indices are a mix of local and remote indices.

deploy-manage/api-keys/serverless-project-api-keys.md

@@ -70,7 +70,7 @@ For example, the following `role_descriptors` object defines a `books-read-only`
 }
 ```
 
-For the `role_descriptors` object schema, check out the [`/_security/api_key` endpoint](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/operation/operation-security-create-api-key) docs. For supported privileges, check [Security privileges](../users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-indices).
+For the `role_descriptors` object schema, check out the [`/_security/api_key` endpoint](https://www.elastic.co/docs/api/doc/elasticsearch-serverless/operation/operation-security-create-api-key) docs. For supported privileges, check [Security privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md#privileges-list-indices).
 
 
 ## Update an API key [api-keys-update-an-api-key]

deploy-manage/deploy/cloud-enterprise/configure-host-rhel-cloud.md

@@ -72,16 +72,24 @@ Verify that required traffic is allowed. Check the [Networking prerequisites](ec
 
 4. Install podman:
 
-    * For RHEL 8 and Rocky Linux, install version `4.*`.
+    * Install the latest available version `4.*` using dnf.
 
         ```sh
         sudo dnf install podman-4.* podman-remote-4.*
         ```
 
-    * For RHEL 9, install the latest available version `4.*` using dnf.
+    * To prevent automatic Podman major version updates, configure the Podman version to be locked while still allowing minor and patch updates.
 
         ```sh
-        sudo dnf install podman-4.* podman-remote-4.*
+        ## Install versionlock
+        sudo dnf install 'dnf-command(versionlock)'
+
+        ## Lock major version
+        sudo dnf versionlock add --raw 'podman-4.*'
+        sudo dnf versionlock add --raw 'podman-remote-4.*'
+
+        ## Verify that podman-4.* and podman-remote-4.* appear in the output
+        sudo dnf versionlock list
         ```
 
 5. [This step is for RHEL 9 and Rocky Linux 9 only] Switch the network stack from Netavark to CNI:

deploy-manage/deploy/cloud-enterprise/configure-host-rhel-onprem.md

@@ -70,16 +70,24 @@ Verify that required traffic is allowed.
 
 4. Install podman:
 
-    * For RHEL 8 and Rocky Linux, install version `4.*`.
+    * Install the latest available version `4.*` using dnf.
 
         ```sh
         sudo dnf install podman-4.* podman-remote-4.*
         ```
 
-    * For RHEL 9, install the latest available version `4.*` using dnf.
+    * To prevent automatic Podman major version updates, configure the Podman version to be locked while still allowing minor and patch updates.
 
         ```sh
-        sudo dnf install podman-4.* podman-remote-4.*
+        ## Install versionlock
+        sudo dnf install 'dnf-command(versionlock)'
+
+        ## Lock major version
+        sudo dnf versionlock add --raw 'podman-4.*'
+        sudo dnf versionlock add --raw 'podman-remote-4.*'
+
+        ## Verify that podman-4.* and podman-remote-4.* appear in the output
+        sudo dnf versionlock list
         ```
 
 5. [This step is for RHEL 9 and Rocky Linux 9 only] Switch the network stack from Netavark to CNI:

deploy-manage/deploy/cloud-enterprise/migrate-ece-to-podman-hosts.md

@@ -111,16 +111,24 @@ Otherwise, when the file content changes, the corresponding user is mentioned as
 
 4. Install podman:
 
-    * For RHEL 8 and Rocky Linux, install version `4.*`.
+    * Install the latest available version `4.*` using dnf.
 
         ```sh
         sudo dnf install podman-4.* podman-remote-4.*
         ```
 
-    * For RHEL 9, install the latest available version `4.*` using dnf.
+    * To prevent automatic Podman major version updates, configure the Podman version to be locked while still allowing minor and patch updates.
 
         ```sh
-        sudo dnf install podman-4.* podman-remote-4.*
+        ## Install versionlock
+        sudo dnf install 'dnf-command(versionlock)'
+
+        ## Lock major version
+        sudo dnf versionlock add --raw 'podman-4.*'
+        sudo dnf versionlock add --raw 'podman-remote-4.*'
+
+        ## Verify that podman-4.* and podman-remote-4.* appear in the output
+        sudo dnf versionlock list
         ```
 
 5. [This step is for RHEL 9 and Rocky Linux 9 only] Switch the network stack from Netavark to CNI:

deploy-manage/deploy/cloud-on-k8s.md

@@ -68,12 +68,14 @@ This section outlines the supported Kubernetes and Elastic Stack versions for EC
 ECK is compatible with the following Kubernetes distributions and related technologies:
 
 * Kubernetes 1.28-1.32
-* OpenShift 4.12-4.17
+* OpenShift 4.13-4.18
 * Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS), and Amazon Elastic Kubernetes Service (EKS)
 * Helm: 3.2.0+
 
 ECK should work with all conformant **installers** listed in these [FAQs](https://github.com/cncf/k8s-conformance/blob/master/faq.md#what-is-a-distribution-hosted-platform-and-an-installer). Distributions include source patches and so may not work as-is with ECK.
 
+Alpha, beta, and stable API versions follow the same [conventions used by Kubernetes](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning).
+
 ### Elastic Stack compatibility
 
 ECK is compatible with the following Elastic Stack applications:

deploy-manage/deploy/cloud-on-k8s/air-gapped-install.md

@@ -1,5 +1,5 @@
 ---
-navigation_title: Air gapped environments
+navigation_title: Air-gapped environments
 applies_to:
   deployment:
     eck: all
@@ -8,51 +8,9 @@ mapped_urls:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-air-gapped.html
 ---
 
-# Air gapped install
-
-% What needs to be done: Refine
-
-% GitHub issue: https://github.com/elastic/docs-projects/issues/309
-
-% Scope notes: Curate and merget the content to have a proper guide for air gapped installations. Similar to ECE activity
-
-% Use migrated content from existing pages that map to this page:
-
-% - [ ] ./raw-migrated-files/stack-docs/elastic-stack/air-gapped-install.md
-
-% already removed
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-air-gapped.md
-
-% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
-
-$$$air-gapped-install$$$
-
-$$$k8s-container-registry-override$$$
-
-$$$k8s-eck-diag-air-gapped$$$
-
-% There are two concepts and areas to explore here:
-% ECK installation on air-gapped. This has no complexity as it's all a matter of docker registry and docker images.
-% Managing deployments on an ECK running on air-gapped is something not really covered in the official ECK book and partly covered in stack-docs
-
-% In this doc we will focus on ECK operator installation in air gapped environments, and we will link to Manage Deployments -> Air gapped (doesn't exist yet) for the content and examples about the rest.
-
-% from fleet air-gapped
-% Kibana is able to reach the Elastic Package Registry to download package metadata and content.
-% Elastic Agents are able to download binaries during upgrades from the Elastic Artifact Registry.
-
-% what about Elasticsearch requirements for example for GeoIP database, etc?
-
-Pending to determine what to do with this:
-* Syncing container images for ECK and all other {{stack}} components over to a locally-accessible container repository.
-* Modifying the ECK helm chart configuration so that ECK is aware that it is supposed to use your offline container repository instead of the public Elastic repository.
-* Optionally, disabling ECK telemetry collection in the ECK helm chart. This configuration propagates to all other Elastic components, such as {{kib}}.
-* Building your custom deployment container image for the {{artifact-registry}}.
-* Building your custom deployment container image for the Elastic Endpoint Artifact Repository.
-
 # Running in air-gapped environments [k8s-air-gapped]
 
-The ECK operator can be run in an air-gapped environment without access to the open internet when it is configured not to pull container images from `docker.elastic.co`.
+The ECK operator can be run in an air-gapped environment without access to the open internet when configured to avoid pulling container images from `docker.elastic.co`.
 
 By default ECK does not require you to specify the container image for each Elastic Stack application you deploy.
 
@@ -63,13 +21,13 @@ metadata:
   name: quickstart
 spec:
   version: 8.16.1
-  # image: docker.elastic.co/elasticsearch/elasticsearch:8.16.1 <1>
+  # image: docker.elastic.co/elasticsearch/elasticsearch:8.16.1 // <1>
   nodeSets:
   - name: default
     count: 1
   # podTemplate:
   #   spec:
-  #     imagePullSecrets: <2>
+  #     imagePullSecrets: // <2>
   #     - name: private-registry-credentials-secret
 ```
 
@@ -113,49 +71,4 @@ For example, if your private registry is `my.registry` and all Elastic images ar
 
 The [eck-diagnostics tool](../../../troubleshoot/deployments/cloud-on-k8s/run-eck-diagnostics.md) optionally runs diagnostics for Elastic Stack applications in a separate container that is deployed into the Kubernetes cluster.
 
-In air-gapped environments with no access to the `docker.elastic.co` registry, you should copy the latest support-diagnostics container image to your internal image registry and then run the tool with the additional flag `--diagnostic-image <custom-support-diagnostics-image-name>`. To find out which support diagnostics container image matches your version of eck-diagnostics run the tool once without arguments and it will print the default image in use.
-
-
-% FROM THE OTHER CONTENT (ELASTIC-STACK):
-
-### 2. Kubernetes & OpenShift Install [air-gapped-kubernetes-and-openshift]
-
-Setting up air-gapped Kubernetes or OpenShift installs of the {{stack}} has some unique concerns, but the general dependencies are the same as in the self-managed install case on a regular Linux machine.
-
-
-#### 2.1. Elastic Kubernetes Operator (ECK) [air-gapped-k8s-os-elastic-kubernetes-operator]
-
-The Elastic Kubernetes operator is an additional component in the Kubernetes OpenShift install that, essentially, does a lot of the work in installing, configuring, and updating deployments of the {{stack}}. For details, refer to the [{{eck}} install instructions](../../../deploy-manage/deploy/cloud-on-k8s/air-gapped-install.md).
-
-The main requirements are:
-
-* Syncing container images for ECK and all other {{stack}} components over to a locally-accessible container repository.
-* Modifying the ECK helm chart configuration so that ECK is aware that it is supposed to use your offline container repository instead of the public Elastic repository.
-* Optionally, disabling ECK telemetry collection in the ECK helm chart. This configuration propagates to all other Elastic components, such as {{kib}}.
-* Building your custom deployment container image for the {{artifact-registry}}.
-* Building your custom deployment container image for the Elastic Endpoint Artifact Repository.
-
-
-#### 2.2. Elastic Package Registry [air-gapped-k8s-os-elastic-package-registry]
-
-The container image can be downloaded from the official Elastic Docker repository, as described in the {{fleet}} and {{elastic-agent}} [air-gapped environments](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/air-gapped.md) documentation.
-
-This container would, ideally, run as a Kubernetes deployment. Refer to [Appendix C - EPR Kubernetes Deployment](../../../deploy-manage/deploy/self-managed/air-gapped-install.md#air-gapped-epr-kubernetes-example) for examples.
-
-
-#### 2.3. {{artifact-registry}} [air-gapped-k8s-os-elastic-artifact-registry]
-
-A custom container would need to be created following similar instructions to setting up a web server in the [self-managed install case](../../../deploy-manage/deploy/self-managed/air-gapped-install.md#air-gapped-elastic-artifact-registry). For example, a container file using an NGINX base image could be used to run a build similar to the example described in [Appendix B - {{artifact-registry}}](../../../deploy-manage/deploy/self-managed/air-gapped-install.md#air-gapped-elastic-artifact-registry-example).
-
-
-#### 2.4. Elastic Endpoint Artifact Repository [air-gapped-k8s-os-elastic-endpoint-artifact-repository]
-
-Just like the {{artifact-registry}}. A custom container needs to be created following similar instructions to setting up a web server for the [self-managed install case](../../../deploy-manage/deploy/self-managed/air-gapped-install.md#air-gapped-elastic-artifact-registry).
-
-
-#### 2.5. Ironbank Secure Images for Elastic [air-gapped-k8s-os-ironbank-secure-images]
-
-Besides the public [Elastic container repository](https://www.docker.elastic.co), most {{stack}} container images are also available in Platform One’s [Iron Bank](https://ironbank.dso.mil/repomap?vendorFilters=Elastic&page=1&sort=1).
-
-
-
+In air-gapped environments with no access to the `docker.elastic.co` registry, you should copy the latest support-diagnostics container image to your internal image registry and then run the tool with the additional flag `--diagnostic-image <custom-support-diagnostics-image-name>`. To find out which support diagnostics container image matches your version of eck-diagnostics, run the tool once without arguments and it will print the default image in use.

deploy-manage/deploy/elastic-cloud/add-plugins-extensions.md

@@ -1,10 +1,11 @@
 ---
+mapped_urls:
+  - https://www.elastic.co/guide/en/cloud-heroku/current/ech-adding-plugins.html
+  - https://www.elastic.co/guide/en/cloud-heroku/current/ech-adding-elastic-plugins.html
+  - https://www.elastic.co/guide/en/cloud/current/ec-adding-plugins.html
 applies_to:
   deployment:
     ess: ga
-mapped_pages:
-  - https://www.elastic.co/guide/en/cloud/current/ec-adding-plugins.html
-  - https://www.elastic.co/guide/en/cloud-heroku/current/ech-adding-elastic-plugins.html
 ---
 
 # Add plugins and extensions [ec-adding-plugins]

deploy-manage/monitor/autoops/ec-autoops-faq.md

@@ -20,7 +20,7 @@ $$$faq-autoops-monitoring$$$Does AutoOps monitor the entire Elastic Stack?
 :   AutoOps is currently limited to {{es}} (not {{kib}}, Logstash and Beats).
 
 $$$faq-autoops-supported-versions$$$What versions of Elasticsearch are supported for Elastic Cloud Hosted?
-:   AutoOps is currently available for {{es}} versions 7.17 and above.
+:   AutoOps supports {es} versions according to the [supported Elastic Stack versions](https://www.elastic.co/support/eol).
 
 $$$faq-autoops-license$$$How is AutoOps currently licensed?
 :   AutoOps current feature set is available to Elastic Cloud Hosted customers at all subscription tiers. For more information please refer to the [subscription page](https://www.elastic.co/subscriptions/cloud).

deploy-manage/monitor/stack-monitoring/elastic-cloud-stack-monitoring.md

@@ -60,6 +60,13 @@ $$$ech-logging-and-monitoring-production$$$
 
 $$$ech-logging-and-monitoring-retention$$$
 
+% Please leave the AutoOps banner in the final content of this page
+
+:::{important}
+ If you’re using Elastic Cloud Hosted, then you can use AutoOps to monitor your cluster. AutoOps significantly simplifies cluster management with performance recommendations, resource utilization visibility, real-time issue detection and resolution paths. For more information, refer to [Monitor with AutoOps](/deploy-manage/monitor/autoops.md).
+:::
+
+
 **This page is a work in progress.** The documentation team is working to combine content pulled from the following pages:
 
 * [/raw-migrated-files/cloud/cloud-heroku/ech-monitoring.md](/raw-migrated-files/cloud/cloud-heroku/ech-monitoring.md)