Improve air-gapped containers visibility in docs (#19990)

* Improve visibility of air-gapped containers feature.

The air-gapped container feature is currently under the settings-management
section. This hides it from users.  Instead, move it up one level by creating a
dedicated sub-section for it under Hardened Desktop section.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* nit: remove quotes from links in hardened desktop section.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Add air-gapped containers to security section grid.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fix broken link from release notes to air-gapped containers.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* A few improvements in the air-gapped containers docs.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fix capitalization of air-gapped container references.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Make air-gapped containers a single page rather than subsection.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fixes to air-gapped containers section per review feedback.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

---------

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
This commit is contained in:
Cesar Talledo 2024-05-10 02:41:48 -07:00 committed by GitHub
parent e97ab3f92d
commit 40bec3a6c2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 45 additions and 34 deletions

View File

@ -8,19 +8,23 @@ grid:
- title: "Settings Management"
description: Learn how Settings Management can secure your developers' workflows.
icon: shield_locked
link: "/desktop/hardened-desktop/settings-management/"
link: /desktop/hardened-desktop/settings-management/
- title: "Enhanced Container Isolation"
description: Understand how Enhanced Container Isolation can prevent container attacks.
icon: "security"
link: "/desktop/hardened-desktop/enhanced-container-isolation/"
link: /desktop/hardened-desktop/enhanced-container-isolation/
- title: "Registry Access Management"
description: Control the registries developers can access while using Docker Desktop.
icon: "home_storage"
link: "/security/for-admins/registry-access-management/"
link: /security/for-admins/registry-access-management/
- title: "Image Access Management"
description: Control the images developers can pull from Docker Hub.
icon: "photo_library"
link: "/security/for-admins/image-access-management/"
link: /security/for-admins/image-access-management/
- title: "Air-Gapped Containers"
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /desktop/hardened-desktop/air-gapped-containers/
---
> **Note**
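Review bot: the new grid entry titles the feature `Air-Gapped Containers` (capital G) while this same commit names the page `Air-gapped containers` and the body bullets below use the lowercase form; one spelling should be used across the grid, the sidebar and the page title. In the same entry, `icon: "vpn_lock"` keeps quotes although this hunk strips them from every `link:` value; either normalise the icons as well or leave the new entry matching its neighbours, rather than mixing both styles in one hunk.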
@ -45,17 +49,20 @@ It is for security conscious organizations who:
### What does Hardened Docker Desktop include?
It includes:
- Settings Management, which helps admins to confidently manage and control the usage of Docker Desktop within their organization.
- Enhanced Container Isolation (ECI), a setting that instantly enhances security by preventing containers from running as root in Docker Desktops Linux VM and ensures that any configurations set using Settings Management cannot be bypassed or modified by containers.
- Registry Access Management (RAM), which allows admins to control the registries developers can access.
- Image Access Management (IAM), which gives admins control over which images developers can pull from Docker Hub.
- Air-gapped containers, which restricts containers from accessing unwanted network resources.
### How does it help my organisation?
Hardened Desktop features work independently but collectively to create a defense-in-depth strategy, safeguarding developer workstations against potential attacks across various functional layers, such as configuring Docker Desktop, pulling container images, and running container images. This multi-layered defense approach ensures comprehensive security.
It helps mitigate against threats such as:
- Malware and supply chain attacks. RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- Insider threats. Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally.
- **Malware and supply chain attacks:** RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- **Lateral movement:** Air gapped containers allows admins to configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network.
- **Insider threats:** Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally.
{{< grid >}}
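Review bot: the added "Lateral movement" bullet overstates what the feature guarantees. A proxy/PAC-based restriction limits which hosts a container may reach; it does not prevent lateral movement outright, since anything the PAC still allows (including `host.docker.internal`, per the page being edited) remains reachable. `thereby limiting the ability of malicious containers to move laterally` is more defensible than `preventing`. Grammar in the same hunk: `Air gapped containers allows` should read `Air-gapped containers allow` (hyphenated, plural verb), and the new list item `Air-gapped containers, which restricts containers` should read `which restrict`.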

View File

@ -1,12 +1,12 @@
---
description: Learn how to create air-gapped containers with Settings Management
title: Configure air-gapped containers with Settings Management
keywords: settings management, air gapped, security, Docker Desktop, configuration, proxy, network
title: Air-gapped containers
description: Air-gapped containers - What it is, benefits, and how to configure it.
keywords: air gapped, security, Docker Desktop, configuration, proxy, network
---
> **Beta feature**
>
> This feature is in [Beta](../../../release-lifecycle.md/#beta).
> This feature is in [Beta](../../release-lifecycle.md/#beta).
> It's available with Docker Desktop version 4.29 and later.
{ .experimental }
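Review bot: the front matter drops `settings management` from `keywords` and `with Settings Management` from the title, yet the Configuration section of this page still requires Settings Management and `admin-settings.json`; keep `settings management` in the keyword list so searches for the admin mechanism still surface this page. The corrected relative link `../../release-lifecycle.md/#beta` retains a slash between `.md` and the anchor; confirm the link checker resolves that form, since `.md#beta` is the usual shape.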
@ -25,7 +25,7 @@ You can choose:
## Configuration
Assuming [enforced sign-in](../../../security/for-admins/configure-sign-in.md) and Settings Management are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
Assuming [enforced sign-in](../../security/for-admins/configure-sign-in.md) and [Settings Management](settings-management/_index.md) are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
```json
{
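Review bot: the new link points at `settings-management/_index.md`, but the sentence is about editing `admin-settings.json`; linking the Settings Management configure page instead (`/desktop/hardened-desktop/settings-management/configure/` in the sidebar, whose table this commit also edits) would take the reader straight to where the file format and the `containersProxy` key are documented.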
@ -86,4 +86,4 @@ The `FindProxyForURL` can return the following values:
In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked.
To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).
To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).
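Review bot: `developers local machine` in the edited line needs the possessive `developer's local machine`; since the line is already being touched for the relative-path fix, correct it here rather than in a follow-up.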

View File

@ -183,7 +183,7 @@ The following `admin-settings.json` code and table provides an example of the re
| `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.|
| `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. |
| &nbsp; &nbsp; &nbsp; &nbsp;`windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. |
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Configure air-gapped containers with Settings Management](air-gapped-containers.md).|
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-gapped containers](../air-gapped-containers.md).|
| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).|
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. |
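Review bot: this row links `../air-gapped-containers.md`, whereas the release-notes hunk in the same commit links `hardened-desktop/air-gapped-containers/_index.md`; only one of those exists after the move (the commit message says the page became a single page, which implies `air-gapped-containers.md`), so the two references should agree. The `containersProxy` description could also say what the value is: the linked page documents a proxy configuration driven by a `FindProxyForURL` PAC script, and a phrase to that effect helps admins scanning the table decide whether the key applies to them.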

View File

@ -122,7 +122,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- Compose supports [Synchronized file shares (experimental)](synchronized-file-sharing.md).
- New [interactive Compose CLI (experimental)](../compose/environment-variables/envvars.md#compose_menu).
- Beta release of:
- Air-gapped containers with [Settings Management](hardened-desktop/settings-management/air-gapped-containers.md).
- Air-gapped containers with [Settings Management](hardened-desktop/air-gapped-containers/_index.md).
- [Host networking](../network/drivers/host.md#docker-desktop) in Docker Desktop.
- [Docker Debug](use-desktop/container.md#integrated-terminal) for running containers.
- [Volumes Backup & Share extension](use-desktop/volumes.md) functionality available in the **Volumes** tab.
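Review bot: the link text `Settings Management` now points at the air-gapped containers page, so the rendered text and its target disagree; use `Air-gapped containers` as the link text (and either drop `with Settings Management` or link that phrase to the settings-management page). Also confirm the target path: this hunk uses `air-gapped-containers/_index.md` while the settings-management table in this commit uses `../air-gapped-containers.md`.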

View File

@ -19,6 +19,10 @@ grid_admins:
description: Control the images developers can pull from Docker Hub.
icon: photo_library
link: /security/for-admins/image-access-management/
- title: "Air-Gapped Containers"
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /desktop/hardened-desktop/air-gapped-containers/
- title: Enforce sign-in
description: Configure sign-in for members of your teams and organizations.
link: /security/for-admins/configure-sign-in/
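Review bot: the neighbouring entries in this grid use unquoted `icon:` values (`icon: photo_library` directly above), so the new `icon: "vpn_lock"` should follow suit for consistency. More importantly, nothing in this entry signals that the feature is in Beta and needs Docker Desktop 4.29 or later, which the page itself states in its banner; an `(Beta)` suffix on the title or a word in the description would stop readers arriving from the security index from assuming it is generally available.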

View File

@ -1168,8 +1168,6 @@ Manuals:
title: What is Settings Management?
- path: /desktop/hardened-desktop/settings-management/configure/
title: Configure Settings Management
- path: /desktop/hardened-desktop/settings-management/air-gapped-containers/
title: Air-gapped containers (Beta)
- sectiontitle: Enhanced Container Isolation
section:
- path: /desktop/hardened-desktop/enhanced-container-isolation/
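Review bot: removing this sidebar entry retires the URL `/desktop/hardened-desktop/settings-management/air-gapped-containers/`, which earlier release notes and any external bookmarks still point at; add a front-matter alias (or a redirect rule) from the old path to the new `/desktop/hardened-desktop/air-gapped-containers/` so those links do not 404 after the move.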
@ -1184,6 +1182,8 @@ Manuals:
title: Limitations
- path: /desktop/hardened-desktop/enhanced-container-isolation/faq/
title: FAQ
- path: /desktop/hardened-desktop/air-gapped-containers/
title: Air-Gapped Containers
- sectiontitle: Dev Environments (Beta)
section:
- path: /desktop/dev-environments/
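Review bot: the replacement sidebar entry drops the `(Beta)` suffix that the removed entry carried, although the page still shows the Beta banner and the 4.29+ requirement; restore `Air-gapped containers (Beta)` here, matching the page title's casing rather than the new `Air-Gapped Containers`, so the sidebar, the grids and the page agree on both the name and the release status.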