docs: Clarify this applies only if using Dyn Adm Con

viccuad · viccuad · commit 6c7e95faac1c · 2026-03-06T10:49:01.000+01:00
Signed-off-by: Víctor Cuadrado Juan &lt;vcuadradojuan@suse.de&gt;
diff --git a/Standards/scs-0217-v1-cluster-hardening.md b/Standards/scs-0217-v1-cluster-hardening.md
@@ -316,8 +316,9 @@ via spoofing"_, NetworkPolicies and policy engine configuration doesn't suffice.
 
 These threats involve intercepting traffic between the Kubernetes API server
 and the dynamic admission controller webhooks of the Policy Engine. To mitigate
-this, the Kubernetes API server MUST be configured with mutual TLS
-authentication for the Validating and Mutating Webhooks (see [Kubernetes
+this, if using a Dynamic Admission Controller such as a Policy Engine, the
+Kubernetes API server MUST be configured with mutual TLS authentication for the
+Validating and Mutating Webhooks (see [Kubernetes
 docs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers))
 . The Policy Engine MUST be able to authenticate the API server and MUST be
 configured with mutual TLS authentication for the
