From 82df8d2247ef0b2b6debe76b3c809732e0e83f2f Mon Sep 17 00:00:00 2001 From: Doug Hellmann Date: Thu, 21 Jan 2021 10:16:00 -0500 Subject: [PATCH] clarify wording about cluster machine approver for single-node Incorporate feedback from https://github.com/openshift/enhancements/pull/560#discussion_r560109872 Signed-off-by: Doug Hellmann --- .../single-node-production-deployment-approach.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/enhancements/single-node-production-deployment-approach.md b/enhancements/single-node-production-deployment-approach.md index 89c207013a..1c0ff752d6 100644 --- a/enhancements/single-node-production-deployment-approach.md +++ b/enhancements/single-node-production-deployment-approach.md @@ -343,9 +343,11 @@ provides adequate warning. Auto-approval of certificate signing requests requires 2 sources of truth to avoid security attacks like [kubeletmein](https://github.com/openshift/machine-config-operator/issues/731). In -single-node deployments we do not have a second source of truth, and -need to disable the machine-approver-operator. An outside tool can be -used to approve any certificate signing requests instead. +single-node deployments we do not have a second source of truth (there +is no Machine and no other way to confirm the Node), so certificate +signing requests cannot be automatically approved from within the +cluster. We can disable the machine-approver-operator. An outside tool +must be used to approve any certificate signing requests instead. #### Lack of high-availability
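Review bot: the rewritten paragraph weakens the requirement it is meant to state. `+cluster. We can disable the machine-approver-operator. An outside tool` reads as optional, yet the next line says an outside tool `must` be used; since the preceding sentence establishes that CSRs cannot be approved from within the cluster at all, the operator has nothing useful to do in single-node deployments, so say that it is disabled (or name the condition under which it stays enabled) rather than that it can be. The paragraph should also say what the outside tool checks before approving: the stated reason for disabling in-cluster approval is the missing second source of truth for the node's identity, and an external approver that accepts every pending CSR merely moves the kubeletmein problem outside the cluster. Suggest adding a sentence along the lines of: "The outside tool must confirm that the node name in each CSR matches the single expected node before approving it." Minor: "2 sources of truth" in the unchanged context line would read better spelled out as "two".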