[ROX-29262] Update docs for Scanner V4 installed by default #94296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Expand Up @@ -11,6 +11,7 @@ If you use {ocp}, you can enable scanning of {op-system-first} nodes for vulnera
This feature is available with both the StackRox Scanner and Scanner V4.
Follow this procedure if you want to use the StackRox Scanner to scan {op-system-first} nodes,
but you want to keep using Scanner V4 to scan other nodes.
//Should this module be deleted? Why would the user want to keep scanning nodes with StackRox scanner since Scanner V4 now scans nodes and is installed by default?

.Prerequisites
* For scanning {op-system} node hosts of the secured cluster, you must have installed Secured Cluster services on {ocp} {ocp-supported-version} or later. For information about supported platforms and architecture, see the link:https://access.redhat.com/articles/7045053[{product-title} Support Matrix]. For life cycle support information for {product-title-short}, see the link:https://access.redhat.com/support/policy/updates/rhacs[{product-title} Support Policy].
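Review bot: the added line `//Should this module be deleted? Why would the user want to keep scanning nodes with StackRox scanner since Scanner V4 now scans nodes and is installed by default?` commits an open question into the AsciiDoc source instead of resolving it; decide the module's fate before merge, or move the question to the PR discussion or a tracking issue. The intro it sits under ("Follow this procedure if you want to use the StackRox Scanner to scan {op-system-first} nodes, but you want to keep using Scanner V4 to scan other nodes") also needs one sentence on when that split is useful, since the comment itself states that Scanner V4 now scans nodes by default.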
1 change: 1 addition & 0 deletions architecture/acs-architecture.adoc
Expand Up @@ -12,6 +12,7 @@ include::modules/acs-architecture-overview.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources
* xref:../architecture/acs-architecture.adoc#external-components_acs-architecture[External components]
* xref:../operating/examine-images-for-vulnerabilities.adoc#enabling_scanner_v4_examine-images-for-vulnerabilities[Enabling Scanner V4]

include::modules/acs-central-services-overview.adoc[leveloffset=+1]

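Review bot: the added xref anchor `enabling_scanner_v4_examine-images-for-vulnerabilities` uses underscores in its section part, while the other anchors into the same file use hyphens (`about-scanner-v4_examine-images-for-vulnerabilities` in integration/integrate-with-image-vulnerability-scanners.adoc); confirm the target `[id]` really is `enabling_scanner_v4_{context}`, otherwise the link will not resolve. The same xref is added in cloud_service/acscs-architecture.adoc and cloud_service/upgrading-cloud/upgrade-cloudsvc-roxctl.adoc, so a wrong anchor breaks all three places.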
4 changes: 4 additions & 0 deletions cloud_service/acscs-architecture.adoc
Expand Up @@ -10,6 +10,10 @@ Discover {rh-rhacscs-first} architecture and concepts.

include::modules/acscs-architecture-overview.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* xref:../operating/examine-images-for-vulnerabilities.adoc#enabling_scanner_v4_examine-images-for-vulnerabilities[Enabling Scanner V4]

include::modules/acscs-central-overview.adoc[leveloffset=+1]

include::modules/con-vuln-sources.adoc[leveloffset=+2]
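Review bot: this Additional resources block links the "Enabling Scanner V4" procedure from the managed-service architecture page, but in {rh-rhacscs-first} Red Hat manages Central (modules/acscs-central-overview.adoc: "Red{nbsp}Hat manages Central"), so the reader can enable Scanner V4 only on their Secured Clusters; say so in the link text or a short lead-in so the link is not read as a Central-side procedure.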
2 changes: 2 additions & 0 deletions cloud_service/upgrading-cloud/upgrade-cloudsvc-roxctl.adoc
Expand Up @@ -57,3 +57,5 @@ include::modules/rhcos-enable-node-scan.adoc[leveloffset=+1]
.Additional resources
* xref:../../operating/manage-vulnerabilities/scan-rhcos-node-host.adoc#scan-rhcos-node-host[Scanning {op-system} node hosts]

* xref:../../operating/examine-images-for-vulnerabilities.adoc#enabling_scanner_v4_examine-images-for-vulnerabilities[Enabling Scanner V4]

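Review bot: the new xref item is separated from the existing `*` item by an empty line, and a trailing blank line is appended at end of file; the other Additional resources blocks touched in this PR (architecture/acs-architecture.adoc, cloud_service/acscs-architecture.adoc) keep list items adjacent, so drop the empty line between the two items and the trailing blank line for consistency.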
1 change: 1 addition & 0 deletions installing/installing_other/install-central-other.adoc
Expand Up @@ -28,6 +28,7 @@ You can install {product-title-short} on your {osp} cluster without any customiz

include::modules/adding-helm-repository.adoc[leveloffset=+3]
include::modules/acs-quick-install-using-helm.adoc[leveloffset=+3]
include::modules/automatically-generated-ca.adoc[leveloffset=+3]

[id="install-using-helm-customizations-other"]
=== Install Central using Helm charts with customizations
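Review bot: `include::modules/automatically-generated-ca.adoc[leveloffset=+3]` is added under the "without any customizations" quick-install flow, but the module itself (modules/automatically-generated-ca.adoc in this PR) says the CA is needed only "if you later change your installation by using Helm"; either move the include into the "Install Central using Helm charts with customizations" section that follows, or add a lead-in sentence telling a quick-install reader why they should retrieve the CA now. Also confirm `{context}` is set in this assembly so the module's `[id="automatically-generated-ca_{context}"]` renders as a unique id.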
33 changes: 11 additions & 22 deletions integration/integrate-with-image-vulnerability-scanners.adoc
Expand Up @@ -27,38 +27,27 @@ Red{nbsp}Hat supports the following container image registries:

This enhanced support gives you greater flexibility and choice in managing your container images in your preferred registry.

[discrete]
== Supported Scanners

You can set up {product-title-short} to obtain image vulnerability data from the following commercial container image vulnerability scanners:

[discrete]
=== Scanners included in {product-title-short}
[id="rhacs-scanners_{context}"]
== Scanners included in {product-title-short}

* Scanner V4: Beginning with {product-title-short} version 4.4, a new scanner is introduced that is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. You do not have to create an integration to use this scanner, but you must enable it during or after installation. For version 4.4, if you enable this scanner, you must also enable the StackRox Scanner. For more information about Scanner V4, including links to the installation documentation, see xref:../operating/examine-images-for-vulnerabilities.adoc#about-scanner-v4_examine-images-for-vulnerabilities[About {product-title-short} Scanner V4].
* StackRox Scanner: This scanner is the default scanner in {product-title-short}. It originates from a fork of the Clair v2 open source scanner.
+
[IMPORTANT]
====
Even if you have Scanner V4 enabled, at this time, the StackRox Scanner must still be enabled to provide scanning of RHCOS nodes and platform vulnerabilities such as {osp}, Kubernetes, and Istio. Support for that functionality in Scanner V4 is planned for a future release. Do not disable the StackRox Scanner.
====
* Scanner V4: Beginning with {product-title-short} version 4.4, a new scanner is introduced that is built on link:https://github.com/quay/claircore[Claircore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. Scanner V4 is enabled by default during installation beginning in release 4.8. For more information about Scanner V4, including links to the installation documentation, see xref:../operating/examine-images-for-vulnerabilities.adoc#about-scanner-v4_examine-images-for-vulnerabilities[About {product-title-short} Scanner V4].
* StackRox Scanner: This scanner was the default scanner in {product-title-short} before being replaced by Scanner V4. It originates from a fork of the Clair v2 open source scanner. If delegated scanning is configured and only the StackRox Scanner is installed on secured clusters, StackRox Scanner must also be enabled on the cluster where Central is installed or delegated scanning will not work.

[discrete]
=== Alternative scanners
[id="alternative-scanners_{context}"]
== Alternative scanners

* link:https://github.com/quay/clair[Clair]: As of version 4.4, you can enable Scanner V4 in {product-title-short} to provide functionality provided by ClairCore, which also powers the Clair V4 scanner. However, you can configure Clair V4 as the scanner by configuring an integration.
* link:https://cloud.google.com/container-registry/docs/container-analysis[Google Container Analysis]
* link:https://github.com/quay/clair[Clair]: Scanner V4 in {product-title-short} offers functionality provided by Claircore, which also powers the Clair V4 scanner. You can configure {product-title-short} to use Clair V4 instead of Scanner V4 by configuring an integration.
* link:https://cloud.google.com/artifact-analysis/docs/artifact-analysis[Google Artifact Analysis]
* link:https://quay.io[Red{nbsp}Hat Quay]

[IMPORTANT]
====
The StackRox Scanner, in conjunction with Scanner V4 (optional), is the preferred image vulnerability scanner to use with {product-title-short}.
For more information about scanning container images with the StackRox Scanner and Scanner V4, see xref:../operating/examine-images-for-vulnerabilities.adoc#scanning-images_examine-images-for-vulnerabilities[Scanning images].
Scanner V4 is the preferred image vulnerability scanner to use with {product-title-short}, because only Scanner V4 provides full functionality and features.
====

If you use one of these alternative scanners in your DevOps workflow, you can use the {product-title-short} portal to configure an integration with your vulnerability scanner. After the integration, the {product-title-short} portal shows the image vulnerabilities and you can triage them easily.
If you use one of these alternative scanners in your DevOps workflow, you can use the {product-title-short} portal to configure an integration with your vulnerability scanner. After the integration, the {product-title-short} portal shows the image vulnerabilities and you can triage them easily. However, Scanner V4 provides functionality and features that alternative scanners might not offer.

If multiple scanners are configured, {product-title-short} tries to use the non-StackRox/{product-title-short} and Clair scanners. If those scanners fail, {product-title-short} tries to use a configured Clair scanner. If that fails, {product-title-short} tries to use Scanner V4, if configured. If Scanner V4 is not configured, {product-title-short} tries to use the StackRox Scanner.
If multiple scanners are configured, {product-title-short} tries to use the non-StackRox/{product-title-short} and non-Clair scanners. If those scanners fail, {product-title-short} tries to use a configured Clair scanner. If that fails, {product-title-short} tries to use Scanner V4. If Scanner V4 is not enabled, {product-title-short} tries to use the StackRox Scanner.

include::modules/integrate-with-clair.adoc[leveloffset=+1]

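Review bot: the heading changes leave the structure inconsistent: `[discrete] == Supported Scanners` is kept, while the two subsections below it are promoted from `[discrete] ===` to `[id] ==`, so "Scanners included in {product-title-short}" and "Alternative scanners" become siblings of "Supported Scanners" rather than its children, and the intro sentence "You can set up {product-title-short} to obtain image vulnerability data from the following commercial container image vulnerability scanners:" now introduces a same-level heading. Either drop the "Supported Scanners" heading or keep the subsections at `===`. Separately, the IMPORTANT block ("only Scanner V4 provides full functionality and features") and the new last sentence of the alternative-scanners paragraph ("functionality and features that alternative scanners might not offer") never name a capability; list what only Scanner V4 provides (the bullet above already mentions language and OS-specific component scanning) so the recommendation is actionable. The fix from "Clair scanners" to "non-Clair scanners" in the fallback-order paragraph is correct and welcome.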
12 changes: 6 additions & 6 deletions modules/acs-architecture-overview.adoc
Expand Up @@ -9,19 +9,19 @@

.{product-title-short} architecture

The following graphic shows the architecture with the StackRox Scanner and Scanner V4 components. Installation of Scanner V4 is optional, but provides additional benefits.
The following graphic shows the product architecture, including the scanner components.

image::acs-architecture-scannerv4.png[{product-title} architecture for Kubernetes]

//Needs changes:
// Change lines around Scanner V4 parts from dotted to solid in Cluster 1
// ^^^ Cluster N

You install {product-title-short} as a set of containers in your {ocp} or Kubernetes cluster. {product-title-short} includes the following services:

* Central services you install on one cluster
* Secured cluster services you install on each cluster you want to secure by {product-title-short}

In addition to these primary services, {product-title-short} also interacts with other external components to enhance your clusters' security.

[discrete]
[id="installation-differences-architecture_{context}"]
== Installation differences

When you install {product-title-short} on {ocp} by using the Operator, {product-title-short} installs a lightweight version of Scanner on every secured cluster. The lightweight Scanner enables the scanning of images in the integrated OpenShift image registry. When you install {product-title-short} on {ocp} or Kubernetes by using the Helm install method with the _default_ values, the lightweight version of Scanner is not installed. To install the lightweight Scanner on the secured cluster by using Helm, you must set the `scanner.disable=false` parameter. You cannot install the lightweight Scanner by using the `roxctl` installation method.
include::snippets/scannerv4-default-secured-clusters.adoc[]
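Review bot: the `//Needs changes:` / `// Change lines around Scanner V4 parts from dotted to solid in Cluster 1` / `// ^^^ Cluster N` comment commits a TODO for the architecture graphic into the source with nothing tracking it, while the new sentence "The following graphic shows the product architecture, including the scanner components." still ships against the unchanged `acs-architecture-scannerv4.png`; update the image in this PR or file a follow-up and reference it from the comment. The removed "Installation differences" paragraph stated three facts that the replacement `include::snippets/scannerv4-default-secured-clusters.adoc[]` (not in this diff) must still cover: Helm installs with the default values do not install the lightweight Scanner on secured clusters, `scanner.disable=false` enables it, and the `roxctl` installation method cannot install it.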
14 changes: 1 addition & 13 deletions modules/acs-central-services-overview.adoc
Expand Up @@ -9,16 +9,4 @@
You install Central services on a single cluster.
These services include the following components:

* *Central*: Central is the {product-title-short} application management interface and services.
It handles API interactions and user interface ({product-title-short} Portal) access.
You can use the same Central instance to secure multiple {ocp} or Kubernetes clusters.
* *Central DB*: Central DB is the database for {product-title-short} and handles all data persistence. It is currently based on PostgreSQL 15.
* *Scanner V4*: Beginning with version 4.4, {product-title-short} contains the Scanner V4 vulnerability scanner for scanning container images. Scanner V4 is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. For version 4.4, you must use this scanner in conjunction with the StackRox Scanner to provide node and platform scanning capabilities until Scanner V4 support those capabilities. Scanner V4 contains the Indexer, Matcher, and DB components.
** *Scanner V4 Indexer*: The Scanner V4 Indexer performs image indexing, previously known as image analysis. Given an image and registry credentials, the Indexer pulls the image from the registry. It finds the base operating system, if it exists, and looks for packages. It stores and outputs an index report, which contains the findings for the given image.
** *Scanner V4 Matcher*: The Scanner V4 Matcher performs vulnerability matching. If the Central services Scanner V4 Indexer indexed the image, then the Matcher fetches the index report from the Indexer and matches the report with the vulnerabilities stored in the Scanner V4 database. If a Secured Cluster services Scanner V4 Indexer performed the indexing, then the Matcher uses the index report that was sent from that Indexer, and then matches against vulnerabilities. The Matcher also fetches vulnerability data and updates the Scanner V4 database with the latest vulnerability data. The Scanner V4 Matcher outputs a vulnerability report, which contains the final results of an image.
** *Scanner V4 DB*: This database stores information for Scanner V4, including all vulnerability data and index reports. A persistent volume claim (PVC) is required for Scanner V4 DB on the cluster where Central is installed.
* *StackRox Scanner*: The StackRox Scanner is the default scanner in {product-title-short}. Version 4.4 adds a new scanner, Scanner V4. The StackRox Scanner originates from a fork of the Clair v2 open source scanner. You must continue using this scanner for RHCOS node scanning and platform scanning.
* *Scanner-DB*: This database contains data for the StackRox Scanner.

{product-title-short} scanners analyze each image layer to determine the base operating system and identify programming language packages and packages that were installed by the operating system package manager. They match the findings against known vulnerabilities from various vulnerability sources. In addition, the StackRox Scanner identifies vulnerabilities in the node's operating system and platform. These capabilities are planned for Scanner V4 in a future release.
//moved vulnerability source info to its own module - con-vuln-sources.adoc
include::snippets/central-components.adoc[]
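Review bot: the component list is replaced by `include::snippets/central-components.adoc[]`, which is not part of this diff, so a reviewer cannot see whether the removed specifics survive: Central DB being based on PostgreSQL 15, the PVC being required for Scanner V4 DB on the cluster where Central is installed, the Matcher's handling of index reports produced by a Secured Cluster Indexer, and the layer-by-layer description of how the scanners work. Please link the snippet's source or paste its content in the PR description. The removed sentence "For version 4.4, you must use this scanner in conjunction with the StackRox Scanner ... until Scanner V4 support those capabilities" should not reappear unchanged in the snippet, since the "Scanners included" section in this PR now states that Scanner V4 is enabled by default beginning in release 4.8.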
6 changes: 3 additions & 3 deletions modules/acs-secured-cluster-services-overview.adoc
Expand Up @@ -24,11 +24,11 @@ In addition, Sensor is responsible for all cluster interactions, such as applyin
* *Admission controller*: The Admission controller prevents users from creating workloads that violate security policies in {short-title}.
* *Collector*: Collector analyzes and monitors container activity on cluster nodes.
It collects container runtime and network activity information and sends the collected data to Sensor.
* *Scanner V4*: Scanner V4 retrieves and scans images and indexes them. It is the default scanner for {product-title-short} and contains the following components:
** *Scanner V4 Indexer*: The Scanner V4 Indexer performs image indexing, previously known as image analysis. Given an image and registry credentials, the Indexer pulls the image from the registry. The Indexer finds the base operating system, if one exists, and looks for packages. It stores and outputs an index report, which contains the findings for the given image.
** *Scanner V4 DB*: This database stores information for Scanner V4, including index reports. For best performance, configure a persistent volume claim (PVC) for Scanner V4 DB.
* *StackRox Scanner*: In Kubernetes, the secured cluster services include Scanner-slim as an optional component. However, on {ocp}, {short-title} installs a Scanner-slim version on each secured cluster to scan images in the {ocp} integrated registry and optionally other registries.
* *Scanner-DB*: This database contains data for the StackRox Scanner.
* *Scanner V4*: Scanner V4 components are installed on the secured cluster if enabled.
** *Scanner V4 Indexer*: The Scanner V4 Indexer performs image indexing, previously known as image analysis. Given an image and registry credentials, the Indexer pulls the image from the registry. It finds the base operating system, if it exists, and looks for packages. It stores and outputs an index report, which contains the findings for the given image.
** *Scanner V4 DB*: This component is installed if Scanner V4 is enabled. This database stores information for Scanner V4, including index reports. For best performance, configure a persistent volume claim (PVC) for Scanner V4 DB.
+
[NOTE]
====
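Review bot: the replacement bullet "Scanner V4: Scanner V4 components are installed on the secured cluster if enabled." drops the removed statement that Scanner V4 "is the default scanner for {product-title-short}" and, together with "Scanner V4 DB: This component is installed if Scanner V4 is enabled", reads as if Scanner V4 is opt-in on secured clusters, while integration/integrate-with-image-vulnerability-scanners.adoc in this same PR says "Scanner V4 is enabled by default during installation beginning in release 4.8". State explicitly whether Scanner V4 is installed on secured clusters by default and, if not, which install methods require enabling it. The unchanged StackRox Scanner bullet still says {short-title} installs Scanner-slim on each {ocp} secured cluster; confirm that remains accurate now that the "Installation differences" paragraph in modules/acs-architecture-overview.adoc has been removed.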
5 changes: 4 additions & 1 deletion modules/acscs-architecture-overview.adoc
Expand Up @@ -13,7 +13,8 @@ You can also integrate it with your existing DevOps tools and workflows to impro

.{product-title-managed-short} architecture

The following graphic shows the architecture with the StackRox Scanner and Scanner V4. Installation of Scanner V4 is optional, but provides additional benefits.
The following graphic shows the architecture with the StackRox Scanner and Scanner V4.
//Does this graphic need updates to change Scanner V4 components to non-dotted lines since they are now not optional?

image::acscs-architecture-scannerv4.png[{product-title-managed-short}]

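Review bot: `//Does this graphic need updates to change Scanner V4 components to non-dotted lines since they are now not optional?` is an unresolved question committed into the source, and the same question is left as a `//Needs changes` TODO in modules/acs-architecture-overview.adoc; decide once and either update both images or track the work in an issue referenced from the comment. With "Installation of Scanner V4 is optional, but provides additional benefits." removed, the new sentence only names the two scanners; a clause saying that Scanner V4 is now installed by default (the point of this PR) would tell the reader what changed.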
Expand All @@ -24,3 +25,5 @@ You deploy your Central service through the link:https://console.redhat.com/[Red
The clusters you secure, called Secured Clusters, are managed by you, and not by Red{nbsp}Hat.
Secured Cluster services include optional vulnerability scanning services, admission control services, and data collection services used for runtime monitoring and compliance.
You install Secured Cluster services on any OpenShift or Kubernetes cluster you want to secure.

include::snippets/scannerv4-default-secured-clusters.adoc[]
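Review bot: the new `include::snippets/scannerv4-default-secured-clusters.adoc[]` is appended directly after the unchanged line "Secured Cluster services include optional vulnerability scanning services, admission control services, and data collection services used for runtime monitoring and compliance."; if the snippet says Scanner V4 is installed on secured clusters by default, "optional" in that line becomes stale and should be adjusted in the same PR.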
10 changes: 1 addition & 9 deletions modules/acscs-central-overview.adoc
Expand Up @@ -8,12 +8,4 @@
Red{nbsp}Hat manages Central, the control plane for {product-title-managed-short}.
These services include the following components:

* *Central*: Central is the {product-title-short} application management interface and services.
It handles API interactions and user interface ({product-title-short} Portal) access.
* *Central DB*: Central DB is the database for {product-title-short} and handles all data persistence. It is currently based on PostgreSQL 15.
* *Scanner V4*: Beginning with version 4.4, {product-title-short} contains the Scanner V4 vulnerability scanner for scanning container images. Scanner V4 is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 includes the Indexer, Matcher, and Scanner V4 DB components, which are used in scanning.
* *StackRox Scanner*: The StackRox Scanner is the default scanner in {product-title-short}. The StackRox Scanner originates from a fork of the Clair v2 open source scanner.
* *Scanner-DB*: This database contains data for the StackRox Scanner.
{product-title-short} scanners analyze each image layer to determine the base operating system and identify programming language packages and packages that were installed by the operating system package manager. They match the findings against known vulnerabilities from various vulnerability sources. In addition, the StackRox Scanner identifies vulnerabilities in the node's operating system and platform. These capabilities are planned for Scanner V4 in a future release.
//moved vulnerability source info to its own module - con-vuln-sources.adoc
include::snippets/central-components.adoc[]
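Review bot: replacing the managed-service component list with the same `include::snippets/central-components.adoc[]` used in modules/acs-central-services-overview.adoc makes the two pages share one description, but the removed ACSCS list deliberately differed from the self-managed one (no "same Central instance to secure multiple clusters" sentence, no PVC requirement, no Indexer/Matcher/DB sub-bullets); confirm that every statement in the shared snippet, in particular any PVC requirement for Scanner V4 DB on the Central cluster, applies when Red{nbsp}Hat manages Central. The removed comment `//moved vulnerability source info to its own module - con-vuln-sources.adoc` was the only pointer to where the vulnerability-source content now lives; cloud_service/acscs-architecture.adoc still includes modules/con-vuln-sources.adoc, so a cross-reference to it from this page would help readers.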
2 changes: 1 addition & 1 deletion modules/automatically-generated-ca.adoc
Expand Up @@ -6,7 +6,7 @@
[id="automatically-generated-ca_{context}"]
= Retrieving the automatically generated certificate authority

When installing {product-title-short}, a certificate authority (CA) is automatically generated and stored in a Kubernetes secret on the cluster. If you later change your installation by using Helm, you might need to supply this CA. For example, enabling Scanner V4 requires that you provide this CA.
When installing {product-title-short}, a certificate authority (CA) is automatically generated and stored in a Kubernetes secret on the cluster. If you later change your installation by using Helm, you might need to supply this CA. For example, enabling an {product-title-short} component that was initially disabled at installation time requires that you provide this CA.

The automatically generated CA is stored in a secret that is usually named similar to `stackrox-generated-_suffix_`, where _suffix_ is a randomly generated string.

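Review bot: the new example "enabling an {product-title-short} component that was initially disabled at installation time" is more general than the old "enabling Scanner V4 requires that you provide this CA", but the paragraph now names no component at all, so a reader cannot tell which post-install Helm changes need the CA; keep one concrete example next to the general statement (for instance the StackRox Scanner, which integration/integrate-with-image-vulnerability-scanners.adoc in this PR says may need to be enabled on the cluster where Central is installed for delegated scanning).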