clarify wording about cluster machine approver for single-node

Incorporate feedback from openshift#560 (comment) Signed-off-by: Doug Hellmann <[email protected]>
dhellmann · Jan 21, 2021 · 82df8d2 · 82df8d2
1 parent feed05c
commit 82df8d2
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/enhancements/single-node-production-deployment-approach.md b/enhancements/single-node-production-deployment-approach.md
@@ -343,9 +343,11 @@ provides adequate warning.
 Auto-approval of certificate signing requests requires 2 sources of
 truth to avoid security attacks like
 [kubeletmein](https://github.com/openshift/machine-config-operator/issues/731). In
-single-node deployments we do not have a second source of truth, and
-need to disable the machine-approver-operator. An outside tool can be
-used to approve any certificate signing requests instead.
+single-node deployments we do not have a second source of truth (there
+is no Machine and no other way to confirm the Node), so certificate
+signing requests cannot be automatically approved from within the
+cluster. We can disable the machine-approver-operator. An outside tool
+must be used to approve any certificate signing requests instead.
 
 #### Lack of high-availability