DOCS-2374: Changes to language about network policy for hosts and VMs #1804

Merged: 3 commits, Dec 6, 2024
2 changes: 1 addition & 1 deletion calico-cloud/about/product-comparison.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| SIEM integration | | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| **Non-cluster hosts** | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Automatic host endpoints | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
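Review bot: the group header row `**Non-cluster hosts**` directly above the changed row still names only hosts, while the changed row now reads "Restrict traffic to/from hosts and VMs using network policy". If VMs belong to this group, rename the header to match (for example "Non-cluster hosts and VMs") and check whether the "Automatic host endpoints" row needs the same wording. The same applies to the matching row in calico-enterprise/about/product-comparison.mdx.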
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

:::note

Expand Down Expand Up @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field.

Expand Down Expand Up @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller.
You can build your own, or use a third-party implementation like the MetalLB project.
8 changes: 4 additions & 4 deletions calico-cloud/release-notes/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -714,7 +714,7 @@ Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.

To get started see, [Container Threat Detection](../threat/container-threat-detection.mdx)
To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx)

## September 26, 2022
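
Review bot: the changed line in this hunk, `To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx)`, ends without a period, while the Image Assurance lines corrected elsewhere in this PR end with one. Since the line is already being touched, add the terminal period here and in the copies of this hunk at @@ -661 and @@ -710.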

Expand Down Expand Up @@ -754,7 +754,7 @@ We've made it easier for platform operators to share Image Assurance scan result
* Export one row per image or one row per image and CVE.
* Export CSV or JSON files.

To get started see, [Image Assurance](../image-assurance).
To get started, see [Image Assurance](../image-assurance).

### Malware detection is GA

Expand All @@ -765,7 +765,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i
If there's a match to known malware from our threat intelligence library, you receive an alert.
You can view your alerts on the _Alerts_ page on Manager UI.

To get started see, [Malware Detection](../threat/container-threat-detection.mdx))
To get started, see [Malware Detection](../threat/container-threat-detection.mdx))

## July 27, 2022
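
Review bot: the changed line still ends with a doubled closing parenthesis, `(../threat/container-threat-detection.mdx))`, so the rendered page will show a stray `)` after the link. Drop the extra `)` in the same edit as the comma fix and add the terminal period; the same line recurs in the hunks at @@ -712 and @@ -761. The link text reads "Malware Detection" while the target is container-threat-detection.mdx, so confirm that target is intended.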

Expand Down Expand Up @@ -849,4 +849,4 @@ The $[prodname] installation process will now require running a `kubectl apply`

$[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started see, [Image Assurance](../image-assurance).
To get started, see [Image Assurance](../image-assurance).
2 changes: 1 addition & 1 deletion calico-cloud/visibility/packetcapture.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ Typically, when you troubleshoot microservices and applications for connectivity
1. Start/schedule a packet capture job in Service Graph (Manager UI) or the CLI.
1. After the capture is finished, download the packet capture files (known as `pcap` files), and import them into your analysis tool (for example, WireShark).

For a simple use case workflow see, [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/).
For a simple use case workflow, see [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/).

## Before you begin
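
Review bot: the context line just above the changed sentence spells the analysis tool `WireShark`; the tool's name is Wireshark. Because this hunk is already a wording cleanup of the same paragraph, fix the spelling here and in the other two copies of packetcapture.mdx in this PR.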

Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| SIEM integration | | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| **Non-cluster hosts** | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Automatic host endpoints | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

:::note

Expand Down Expand Up @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field.

Expand Down Expand Up @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller.
You can build your own, or use a third-party implementation like the MetalLB project.
Original file line number Diff line number Diff line change
Expand Up @@ -661,7 +661,7 @@ Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.

To get started see, [Container Threat Detection](../threat/container-threat-detection.mdx)
To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx)

## September 26, 2022

Expand Down Expand Up @@ -701,7 +701,7 @@ We've made it easier for platform operators to share Image Assurance scan result
* Export one row per image or one row per image and CVE.
* Export CSV or JSON files.

To get started see, [Image Assurance](../image-assurance).
To get started, see [Image Assurance](../image-assurance).

### Malware detection is GA

Expand All @@ -712,7 +712,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i
If there's a match to known malware from our threat intelligence library, you receive an alert.
You can view your alerts on the _Alerts_ page on Manager UI.

To get started see, [Malware Detection](../threat/container-threat-detection.mdx))
To get started, see [Malware Detection](../threat/container-threat-detection.mdx))

## July 27, 2022

Expand Down Expand Up @@ -796,4 +796,4 @@ The $[prodname] installation process will now require running a `kubectl apply`

$[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started see, [Image Assurance](../image-assurance).
To get started, see [Image Assurance](../image-assurance).
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ Typically, when you troubleshoot microservices and applications for connectivity
1. Start/schedule a packet capture job in Service Graph (Manager UI) or the CLI.
1. After the capture is finished, download the packet capture files (known as `pcap` files), and import them into your analysis tool (for example, WireShark).

For a simple use case workflow see, [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/).
For a simple use case workflow, see [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/).

## Before you begin

Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| SIEM integration | | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| **Non-cluster hosts** | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Automatic host endpoints | <center><CheckIcon /></center> | | <center><CheckIcon /></center> |
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center> | <center><CheckIcon /></center> | <center><CheckIcon /></center> |
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ If your $[prodname] deployment is configured to peer with BGP routers outside th
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

:::note

Expand Down Expand Up @@ -179,7 +179,7 @@ You will still need to enable service cluster IP advertisement via BGP configura
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

1. When configuring a Kubernetes service that you want to be reachable via an external IP, specify that external IP in the service's `externalIPs` field.

Expand Down Expand Up @@ -219,7 +219,7 @@ The following steps will configure $[prodname] to advertise Service `status.Load
EOF
```

For help see, [BGP configuration resource](../../reference/resources/bgpconfig.mdx).
For help, see [BGP configuration resource](../../reference/resources/bgpconfig.mdx).

Service LoadBalancer address allocation is outside the current scope of $[prodname], but can be implemented with an external controller.
You can build your own, or use a third-party implementation like the MetalLB project.
Original file line number Diff line number Diff line change
Expand Up @@ -710,7 +710,7 @@ Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.

To get started see, [Container Threat Detection](../threat/container-threat-detection.mdx)
To get started, see [Container Threat Detection](../threat/container-threat-detection.mdx)

## September 26, 2022

Expand Down Expand Up @@ -750,7 +750,7 @@ We've made it easier for platform operators to share Image Assurance scan result
* Export one row per image or one row per image and CVE.
* Export CSV or JSON files.

To get started see, [Image Assurance](../image-assurance).
To get started, see [Image Assurance](../image-assurance).

### Malware detection is GA

Expand All @@ -761,7 +761,7 @@ Calico Cloud uses eBPF-based monitoring to log file hashes of programs running i
If there's a match to known malware from our threat intelligence library, you receive an alert.
You can view your alerts on the _Alerts_ page on Manager UI.

To get started see, [Malware Detection](../threat/container-threat-detection.mdx))
To get started, see [Malware Detection](../threat/container-threat-detection.mdx))

## July 27, 2022

Expand Down Expand Up @@ -845,4 +845,4 @@ The $[prodname] installation process will now require running a `kubectl apply`

$[prodname] introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started see, [Image Assurance](../image-assurance).
To get started, see [Image Assurance](../image-assurance).
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ Typically, when you troubleshoot microservices and applications for connectivity
1. Start/schedule a packet capture job in Service Graph (Manager UI) or the CLI.
1. After the capture is finished, download the packet capture files (known as `pcap` files), and import them into your analysis tool (for example, WireShark).

For a simple use case workflow see, [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/).
For a simple use case workflow, see [Faster troubleshooting of microservices, containers, and Kubernetes with Dynamic Packet Capture](https://www.tigera.io/blog/faster-troubleshooting-of-microservices-containers-and-kubernetes-with-dynamic-packet-capture/).

## Before you begin

2 changes: 1 addition & 1 deletion calico-enterprise/about/product-comparison.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ What is the best fit for you? It depends on your needs. The following table prov
| Data-in-transit encryption for pod traffic using WireGuard | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| SIEM integration | | <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| **Non-cluster hosts** | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Restrict traffic to/from hosts using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Restrict traffic to/from hosts and VMs using network policy | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Automatic host endpoints | <center><CheckIcon /></center>| | <center><CheckIcon /></center>|
| Secure Kubernetes nodes with host endpoints managed by Calico | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
| Apply policy to host-forwarded traffic | <center><CheckIcon /></center>| <center><CheckIcon /></center>| <center><CheckIcon /></center>|
2 changes: 1 addition & 1 deletion calico-enterprise/getting-started/bare-metal/about.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ In the following diagram, a Kubernetes cluster is running $[prodname] with netwo

For non-cluster hosts and VMs, you can secure host interfaces using **host endpoints**. Host endpoints can have labels that work the same as labels on pods/workload endpoints in Kubernetes. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can easily write a global policy that applies to every host, VM, or pod that is running Calico.

To learn how to restrict traffic to/from hosts using Calico network policy see, [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx).
To learn how to restrict traffic to/from hosts and VMs using Calico network policy, see [Protect hosts and VMs](../../network-policy/hosts/protect-hosts.mdx).

## Before you begin
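
Review bot: the changed line hard-codes "Calico network policy" in a calico-enterprise page, while the hunk's own context refers to the product through the `$[prodname]` variable. Use `$[prodname] network policy` on the new line so the sentence matches the product this page documents. The context paragraph above it also reads "refer to the either type", which could be corrected to "refer to either type" in the same change.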
