diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index ee99c53f8b88..6eb4f8900b59 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx @@ -134,7 +134,8 @@ entities attempting to login. namespaces allowed to acces this role. Accepts either a JSON or YAML object. The value should be of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). - If set with `bound_service_account_namespaces`, the conditions are `OR`ed. + If this parameter is used, the Vault requires permissions to read namespaces on the Kubernetes + cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed. - `audience` `(string: "")` - Optional Audience claim to verify in the JWT. - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated. Valid choices are: `serviceaccount_uid`, `serviceaccount_name`
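Review bot: The added sentence "If this parameter is used, the Vault requires permissions to read namespaces on the Kubernetes cluster" does not say which identity needs the permission or what exactly must be granted, so an operator cannot write a least-privilege RBAC rule from it. Suggest stating which credential Vault uses for this lookup and the specific access required on the namespaces resource, and describing what a login attempt does when that permission is missing, so a misconfiguration is recognizable. Wording: "the Vault" should read "Vault". The unchanged context line just above also has "acces" for "access", which could be fixed in the same change.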