From 46a640743edfdb69e0411a7f52d2e14a20709d95 Mon Sep 17 00:00:00 2001 From: Jacek Nykis Date: Thu, 18 Feb 2021 22:12:48 +0000 Subject: [PATCH] Make tenant isolation paragraph more explicit In its current for the first paragraph in the tenant isolation section might be misunderstood by some users less familiar with k8s and flux2 security model. This change makes wording more explicit to indicate that webhook validation is a hard requirement for tenant isolation. Signed-off-by: Jacek Nykis --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9106abab..5e2fcd84 100644 --- a/README.md +++ b/README.md @@ -137,10 +137,10 @@ the dev-team repository must contain Kubernetes objects scoped to the `apps` nam ## Enforce tenant isolation -To enforce tenant isolation, cluster admins should configure Flux to reconcile +To enforce tenant isolation, cluster admins must configure Flux to reconcile the `Kustomization` and `HelmRelease` kinds by impersonating a service account from the namespace where these objects are created. In order to make the -`spec.ServiceAccountName` field mandatory, you can use a validation webhook like +`spec.ServiceAccountName` field mandatory, you should use a validation webhook, for example [Kyverno](https://github.com/kyverno/kyverno) or [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). On cluster bootstrap, you need to configure Flux to deploy the validation webhook and its policies before reconciling the tenants repositories.
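Review bot: The two changed sentences now disagree on strength: the first line becomes "cluster admins must configure Flux to reconcile ... by impersonating a service account", but the second becomes "you should use a validation webhook", which still reads as a recommendation. Since the commit message states that webhook validation is a hard requirement for tenant isolation, the second change should match, e.g. "you must use a validation webhook, for example Kyverno or OPA Gatekeeper", ideally followed by one sentence saying why: without the webhook a tenant can omit the field and Flux will apply that tenant's objects with the controller's own (cluster-wide) privileges instead of the namespace-scoped service account. While touching that line, the field is spelled `spec.ServiceAccountName` here but the Kustomization and HelmRelease manifests use `spec.serviceAccountName` (lowercase s), so a reader copying the name would write an unknown field. Minor, in the unchanged trailing context: "the tenants repositories" should be "the tenants' repositories".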