[Cloud Sec] Container Updates

docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/container-network-exposure-overview.adoc

@@ -28,6 +28,8 @@ CNA supports only inbound calculation. The data refresh or ingestion occurs once
 
 Prisma Cloud does not support the following for Container Exposure:
 
+* AWS Classic Load Balancers
+
 * Red Hat Openshift clusters
 
 * Non-Kubernetes based orchestration platforms (AWS ECS, Azure WebApp/Container Instances, GCP Cloud Run)

docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/deploy-satellite.adoc

@@ -40,4 +40,17 @@ Once the deployment is complete, the cluster state will change to *Active*.
 +
 Once a cluster is in the Active state, it sends keep-alives to Prisma Cloud every 30 minutes. If there is a communication issue or if the Satellite gets removed from the cluster, the object will move into an *Offline* state until the communication is re-established or the object is deleted on the Prisma Cloud console.
 +
-image::administration/k8s-deploy-satellite-4.png[]
+image::administration/k8s-deploy-satellite-4.png[]
+
+
+=== Uninstall Satellite
+
+To uninstall the Satellite operator: 
+
+. Use the following command to uninstall Helm:
++
+`prismacloud-satellite -n pc-satellite`
+
+. Delete the cluster from the Satellite UI:
++
+On *Settings > K8s Satellite* select *Delete* under Actions for the corresponding cluster entry.

docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/satellite-prerequisites.adoc

@@ -37,6 +37,14 @@ Satellite ingests the following objects:
 * DaemonSet
 * NetworkPolicy
 * Core DNS Logs
+* Replication Controller
+* Ingress
+* Cilium Network Policy
+* Service Account
+* Role
+* RoleBinding
+* ClusterRole
+* ClusterRoleBinding
 
 
 === Supported Platforms

docs/en/enterprise-edition/content-collections/administration/network-security/container-network-exposure/troubleshoot-container-network-exposure.adoc

@@ -54,17 +54,4 @@ NOTE: If each of the above troubleshooting steps work as expected, there can be
 
 * If there is a 'Reject' path to the nodes, it indicates that certain security configurations, such as security groups, NACLS, firewalls, NSGS are hindering the flow of traffic.
 
-* If there is no path, there might be an issue with resource ingestion of non-k8s resources, such as instances or load balancers.
-
-
-=== Uninstall Satellite
-
-To uninstall the Satellite operator: 
-
-. Use the following command to uninstall Helm:
-+
-`prismacloud-satellite -n pc-satellite`
-
-. Delete the cluster from the Satellite UI:
-+
-On *Settings > K8s Satellite* select *Delete* under Actions for the corresponding cluster entry.
+* If there is no path, there might be an issue with resource ingestion of non-k8s resources, such as instances or load balancers.

docs/en/enterprise-edition/content-collections/administration/network-security/investigate-network-exposure-on-prisma-cloud.adoc

@@ -41,5 +41,15 @@ config from network where source.network = '0.0.0.0/0' and address.match.criteri
 +
 image::administration/cna-4.png[]
 
+//CWP-61079 related to PCSUP-23569 > CNA permissions for cloning policies
+//CNA policies have a different behavior than config policies, regarding cloning.
+
+//Aside from Policy-CRUD permission, cloning CNA policies also requires Investigate-Network_View permission. 
+//In contrast, cloning Config policies does not require Investigate-Config_View. This is because the CNA suggest API (called during cloning) requires Investigate-Network_View, while Config suggest only requires Policy_Read.
+
+//The issue does not happen with IAM or Config policies. 
+//Custom role user with permission to create, delete policies is unable to clone any “Network” Policies.
+//Error below is seen.
+//The Service Account Key Uploaded is not valid. Please update to continue
 
 Learn how to xref:../../governance/create-a-network-policy.adoc[create a network exposure policy].