gravitational
diff --git a/‎docs/pages/admin-guides/access-controls/guides/headless.mdx
-4 b/‎docs/pages/admin-guides/access-controls/guides/headless.mdx
-4
diff --git a/‎docs/pages/admin-guides/deploy-a-cluster/helm-deployments/digitalocean.mdx
+14-21 b/‎docs/pages/admin-guides/deploy-a-cluster/helm-deployments/digitalocean.mdx
+14-21
diff --git a/‎docs/pages/admin-guides/deploy-a-cluster/helm-deployments/gcp.mdx
+31-62 b/‎docs/pages/admin-guides/deploy-a-cluster/helm-deployments/gcp.mdx
+31-62
diff --git a/‎docs/pages/admin-guides/deploy-a-cluster/linux-demo.mdx
-2 b/‎docs/pages/admin-guides/deploy-a-cluster/linux-demo.mdx
-2
diff --git a/‎docs/pages/admin-guides/management/export-audit-events/fluentd.mdx
-2 b/‎docs/pages/admin-guides/management/export-audit-events/fluentd.mdx
-2
diff --git a/‎docs/pages/admin-guides/management/guides/ec2-tags.mdx
+2-7 b/‎docs/pages/admin-guides/management/guides/ec2-tags.mdx
+2-7
diff --git a/‎docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx
-8 b/‎docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx
-8
diff --git a/‎docs/pages/admin-guides/teleport-policy/policy-connections.mdx
+1-1 b/‎docs/pages/admin-guides/teleport-policy/policy-connections.mdx
+1-1
@@ -181,15 +181,11 @@ Teleport Connect v13.3.1+ can also be used to approve Headless WebAuthn logins.
 Teleport Connect will automatically detect the Headless WebAuthn login attempt
 and allow you to approve or cancel the request.
 
-<Figure width="700">
 ![Headless Confirmation](../../../../img/headless/confirmation.png)
-</Figure>
 
 You will be prompted to tap your MFA key to complete the approval process.
 
-<Figure width="700">
 ![Headless WebAuthn Approval](../../../../img/headless/approval.png)
-</Figure>
 
 <Admonition type="note">
   This also requires a v13.3.1+ Teleport Auth Service.
 
@@ -21,15 +21,13 @@ cluster to Teleport.
 ## Step 1/4. Create a DigitalOcean Kubernetes cluster
 
 Create a new [DigitalOcean Kubernetes Cluster](https://cloud.digitalocean.com/kubernetes/clusters/)
-<Figure align="left" bordered caption="Create DigitalOcean Kubernetes cluster">
-  ![Create DigitalOcean Kubernetes cluster](../../../../img/helm/digitalocean/create-k8s.png)
-</Figure>
+
+![Create DigitalOcean Kubernetes cluster](../../../../img/helm/digitalocean/create-k8s.png)
 
 <br />
 While the Kubernetes cluster is being provisioned, follow the "Getting Started" guide as shown below:
-<Figure align="left" bordered caption="Set up DigitalOcean Kubernetes client">
-  ![Set up DigitalOcean Kubernetes client](../../../../img/helm/digitalocean/setup-k8s.png)
-</Figure>
+
+![Set up DigitalOcean Kubernetes client](../../../../img/helm/digitalocean/setup-k8s.png)
 
 ## Step 2/4. Install Teleport
 
@@ -116,9 +114,8 @@ teleport-cluster-auth   ClusterIP      10.245.164.28   <none>            3025/TC
 ```
 
 Once you get the value for the external IP (it may take a few minutes for this field to be populated), update your DNS record such that the clusterName's A record points to this IP address. For example `192.168.200.200` is the external IP in the above case.
-<Figure align="left" bordered caption="Configure DNS">
-  ![Configure DNS](../../../../img/helm/digitalocean/fqdn.png)
-</Figure>
+
+![Configure DNS](../../../../img/helm/digitalocean/fqdn.png)
 
 ## Step 3/4. Create and set up Teleport user
 Now we create a Teleport user by executing the `tctl` command with `kubectl`.
@@ -148,9 +145,8 @@ NOTE: Make sure tele.example.com:443 points at a Teleport proxy which users can
 </Tabs>
 
 Copy the link shown after executing the above command and open the link in a web browser to complete the user registration process (the link is `https://tele.example.com:443/web/invite/<invite-token>` in the above case).
-<Figure align="left" bordered caption="Set up user">
-  ![Set up user](../../../../img/helm/digitalocean/setup-user.png)
-</Figure>
+
+![Set up user](../../../../img/helm/digitalocean/setup-user.png)
 
 After you complete the registration process by setting up a password and enrolling in multi-factor authentication, you will be logged in to Teleport Web UI. 
 
@@ -179,14 +175,12 @@ $ kubectl --namespace=teleport-cluster exec -i deployment/teleport-cluster-auth
 
 Now we will assign Teleport user **tadmin** with this role. The example below shows a process using Teleport Web UI:
 First, lets select user edit menu:
-<Figure align="left" bordered caption="Edit user">
-  ![Edit user](../../../../img/helm/digitalocean/edit-user.png)
-</Figure>
+
+![Edit user](../../../../img/helm/digitalocean/edit-user.png)
 
 Second, update the **tadmin** user role to assign the **member** role:
-<Figure align="left" bordered caption="Update role">
-  ![Update role](../../../../img/helm/digitalocean/update-role.png)
-</Figure>
+
+![Update role](../../../../img/helm/digitalocean/update-role.png)
 
 We've updated the user **tadmin** to have the **member** role, which is allowed to access a Kubernetes cluster with privilege `system:master`.
 
@@ -263,9 +257,8 @@ teleport-cluster-6cc679b6f6-7xr5h   1/1     Running   0          14h
 Voila! User **tadmin** was able to list the pods in their DigitalOcean Kubernetes cluster.
 
 Teleport keeps an audit log of access to a Kubernetes cluster. In the screenshot below, the Teleport audit log shows that the user **tadmin** has logged into the cluster.
-<Figure align="left" bordered caption="View audit log">
-  ![View audit log](../../../../img/helm/digitalocean/view-activity.png)
-</Figure>
+
+![View audit log](../../../../img/helm/digitalocean/view-activity.png)
 
 ## Next steps
 
 
@@ -39,81 +39,62 @@ Go to the "Roles" section of Google Cloud IAM & Admin.
 
 1. Click the "Create Role" button at the top.
 
-<Figure align="left" bordered caption="Roles section">
-  ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png)
-</Figure>
+   ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png)
 
 2. Fill in the details of a "Storage Bucket Creator" role (we suggest using the name `storage-bucket-creator-role`)
 
-<Figure align="left" bordered caption="Create role">
-  ![Create role](../../../../img/helm/gcp/2-createrole@1.5x.png)
-</Figure>
+   ![Create role](../../../../img/helm/gcp/2-createrole@1.5x.png)
 
 3. Click the "Add Permissions" button.
 
-<Figure align="left" bordered caption="Storage bucket creator role">
-  ![Storage bucket creator role](../../../../img/helm/gcp/3-addpermissions@1.5x.png)
-</Figure>
+   ![Storage bucket creator role](../../../../img/helm/gcp/3-addpermissions@1.5x.png)
 
 4. Use the "Filter" box to enter `storage.buckets.create` and select it in the list.
 
-<Figure align="left" bordered caption="Filter the list">
-  ![Filter the list](../../../../img/helm/gcp/4-storagebucketscreate@1.5x.png)
-</Figure>
+   ![Filter the list](../../../../img/helm/gcp/4-storagebucketscreate@1.5x.png)
 
 5. Check the `storage.buckets.create` permission in the list and click the "Add" button to add it to the role.
 
-<Figure align="left" bordered caption="Select storage.buckets.create">
-  ![Select storage.buckets.create](../../../../img/helm/gcp/5-select@1.5x.png)
-</Figure>
+   ![Select storage.buckets.create](../../../../img/helm/gcp/5-select@1.5x.png)
 
 6. Once all these settings are entered successfully, click the "Create" button.
 
-<Figure align="left" bordered caption="Create role">
-  ![Create role](../../../../img/helm/gcp/6-createrole@1.5x.png)
-</Figure>
+   ![Create role](../../../../img/helm/gcp/6-createrole@1.5x.png)
 
 ### Create an IAM role granting Cloud DNS permissions
 
 Go to the "Roles" section of Google Cloud IAM & Admin.
 
 1. Click the "Create Role" button at the top.
 
-<Figure align="left" bordered caption="Roles section">
-  ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png)
-</Figure>
+   ![Roles section](../../../../img/helm/gcp/1-roles@1.5x.png)
 
 2. Fill in the details of a "DNS Updater" role (we suggest using the name `dns-updater-role`)
 
-<Figure align="left" bordered caption="Create role">
-  ![Create role](../../../../img/helm/gcp/13-dns-createrole@1.5x.png)
-</Figure>
+   ![Create role](../../../../img/helm/gcp/13-dns-createrole@1.5x.png)
 
 3. Click the "Add Permissions" button.
 
-<Figure align="left" bordered caption="DNS updater role">
-  ![DNS updater role](../../../../img/helm/gcp/3-addpermissions@1.5x.png)
-</Figure>
-
-4. Use the "Filter" box to find each of the following permissions in the list and add it.
-You can type things like `dns.resourceRecordSets.*` to quickly filter the list.
-
-```console
-dns.resourceRecordSets.create
-dns.resourceRecordSets.delete
-dns.resourceRecordSets.list
-dns.resourceRecordSets.update
-dns.changes.create
-dns.changes.get
-dns.changes.list
-dns.managedZones.list
-```
+   ![DNS updater role](../../../../img/helm/gcp/3-addpermissions@1.5x.png)
+
+4. Use the "Filter" box to find each of the following permissions in the list
+   and add it.  You can type things like `dns.resourceRecordSets.*` to quickly
+   filter the list.
+
+   ```console
+   dns.resourceRecordSets.create
+   dns.resourceRecordSets.delete
+   dns.resourceRecordSets.list
+   dns.resourceRecordSets.update
+   dns.changes.create
+   dns.changes.get
+   dns.changes.list
+   dns.managedZones.list
+   ```
 
 5. Once all these settings are entered successfully, click the "Create" button.
 
-<Figure align="left" bordered caption="Add DNS permissions">
-  ![Add DNS permissions](../../../../img/helm/gcp/14-dns-permissions-create@1.5x.png)
-</Figure>
+   ![Add DNS permissions](../../../../img/helm/gcp/14-dns-permissions-create@1.5x.png)
 
 ### Create a service account for the Teleport Helm chart
 
@@ -127,15 +108,11 @@ Go to the "Service Accounts" section of Google Cloud IAM & Admin.
 
 1. Click the "Create Service Account" button at the top.
 
-<Figure align="left" bordered caption="Create service account">
-  ![Create service account](../../../../img/helm/gcp/7-serviceaccounts@1.5x.png)
-</Figure>
+   ![Create service account](../../../../img/helm/gcp/7-serviceaccounts@1.5x.png)
 
 2. Enter details for the service account (we recommend using the name `teleport-helm`) and click the "Create" button.
 
-<Figure align="left" bordered caption="Enter service account details">
-  ![Enter service account details](../../../../img/helm/gcp/8-createserviceaccount@1.5x.png)
-</Figure>
+   ![Enter service account details](../../../../img/helm/gcp/8-createserviceaccount@1.5x.png)
 
 3. In the "Grant this service account access to project" section, add these four roles:
 
@@ -146,9 +123,7 @@ Go to the "Service Accounts" section of Google Cloud IAM & Admin.
 | Cloud Datastore Owner | Grants permissions to create Cloud Datastore collections |
 | Storage Object Admin | Allows read/write/delete of Google Cloud storage objects |
 
-<Figure align="left" bordered caption="Add roles">
-  ![Add roles](../../../../img/helm/gcp/9-addroles@1.5x.png)
-</Figure>
+![Add roles](../../../../img/helm/gcp/9-addroles@1.5x.png)
 
 4. Click the "continue" button to save these settings, then click the "create" button to create the service account.
 
@@ -158,22 +133,16 @@ Go back to the "Service Accounts" view in Google Cloud IAM & Admin.
 
 1. Click on the `teleport-helm` service account that you just created.
 
-<Figure align="left" bordered caption="Click on the service account">
-  ![Click on the service account](../../../../img/helm/gcp/10-serviceaccountdetails@1.5x.png)
-</Figure>
+   ![Click on the service account](../../../../img/helm/gcp/10-serviceaccountdetails@1.5x.png)
 
 2. Click the "Keys" tab at the top and click "Add Key". Choose "JSON" and click "Create".
 
-<Figure align="left" bordered caption="Create JSON key">
-  ![Create JSON key](../../../../img/helm/gcp/11-createkey.png)
-</Figure>
+   ![Create JSON key](../../../../img/helm/gcp/11-createkey.png)
 
 3. The JSON private key will be downloaded to your computer. Take note of the filename (`bens-demos-24150b1a0a7f.json` in this example)
    as you will need it shortly.
 
-<Figure align="left" bordered caption="Private key saved">
-  ![Private key saved](../../../../img/helm/gcp/12-privatekey@1.5x.png)
-</Figure>
+   ![Private key saved](../../../../img/helm/gcp/12-privatekey@1.5x.png)
 
 #### Create the Kubernetes secret containing the JSON private key for the service account
 
 
@@ -15,10 +15,8 @@ You can also get started right away with a production-ready Teleport cluster by
 signing up for a [free trial of Teleport Enterprise
 Cloud](https://goteleport.com/signup/).
 
-<Figure width="700">
 ![Architecture of the setup you will complete in this
 guide](../../../img/linux-server-diagram.png)
-</Figure>
 
 We will run the following Teleport services:
 
 
@@ -14,9 +14,7 @@ This guide also serves as an explanation for the Teleport Event Handler plugin,
 using Fluentd as the target service. We'll create a local Docker container as a
 destination for the Event Handler:
 
-<Figure width="600">
 ![The Teleport Fluentd plugin](../../../../img/enterprise/plugins/fluentd-diagram.png)
-</Figure>
 
 You can follow the instructions below for a local proof-of-concept demo, or use any
 of the additional installation instructions to configure the Teleport Event Handler
 
@@ -50,22 +50,17 @@ To launch a new instance with instance metadata tags enabled:
 1. Ensure that `Metadata accessible` is not disabled.
 1. Enable `Allow tags in metadata`.
 
-<Figure align="left" bordered caption="Advanced Options">
   ![Advanced Options](../../../../img/aws/launch-instance-advanced-options.png)
-</Figure>
 
 To modify an existing instance to enable instance metadata tags:
 
 1. From the instance summary, go to `Actions > Instance Settings > Allow tags in instance metadata`.
-1. Enable `Allow`.
 
-<Figure align="left" bordered caption="Instance Settings">
   ![Instance Settings](../../../../img/aws/instance-settings.png)
-</Figure>
 
-<Figure align="left" bordered caption="Allow Tags">
+1. Enable `Allow`.
+
   ![Allow Tags](../../../../img/aws/allow-tags.png)
-</Figure>
 
 ### AWS CLI
 
 
@@ -55,24 +55,18 @@ navigate to the "Access Management" tab, and choose "Enroll New Integration", th
 
 In the onboarding wizard, choose a Teleport user that will be assigned as the default owner of Access Lists that are created for your Entra groups, and click "Next".
 
-<Figure width="600">
 ![First step of the Entra ID integration onboarding](../../../../img/access-graph/entra-id/integration-wizard-step-1.png)
-</Figure>
 
 ## Step 2/3. Grant permissions in Azure and finish onboarding
 
 The wizard will now provide you with a script that will set up the necessary permissions in Azure.
 
-<Figure width="600">
 ![Second step of the Entra ID integration onboarding](../../../../img/access-graph/entra-id/integration-wizard-step-2.png)
-</Figure>
 
 Open Azure Cloud Shell by navigating to <a href="https://shell.azure.com">shell.azure.com</a>,
 or by clicking the Cloud Shell icon in the Azure Portal.
 
-<Figure width="600">
 ![Location of the Cloud Shell button in the Azure Portal](../../../../img/access-graph/entra-id/azure-cloud-shell-button.png)
-</Figure>
 
 Make sure to use the Bash version of Cloud Shell.
 Once a Cloud Shell instance opens, paste the generated command.
@@ -86,9 +80,7 @@ it prints out the data required to finish the integration onboarding.
 
 Back in the Teleport Web UI, fill out the required data and click "Finish".
 
-<Figure width="600">
 ![Second step of the Entra ID integration onboarding with required fields filled in](../../../../img/access-graph/entra-id/integration-wizard-step-2-filled.png)
-</Figure>
 
 ## Step 3/3. Analyze Entra ID directory in Teleport Access Graph
 
 
@@ -76,4 +76,4 @@ Resource Groups are created from Teleport roles.
 Resources are created from Teleport resources like nodes, databases, and Kubernetes clusters.
 
 ## Next steps
-- Uncover [privileges, permissions, and construct SQL queries](./policy-how-to-use.mdx) in Access Graph.
+- Uncover [privileges, permissions, and construct SQL queries](./policy-how-to-use.mdx) in Access Graph.