From 27a392e2c615b49aea79aed9173156982713ce93 Mon Sep 17 00:00:00 2001 From: Hannah Hunter Date: Wed, 4 Sep 2024 15:14:29 -0400 Subject: [PATCH 1/2] add notes about namespacing Signed-off-by: Hannah Hunter --- .../resource-specs/component-schema.md | 24 +++++++++++-------- .../resource-specs/httpendpoints-schema.md | 4 ++++ .../resource-specs/resiliency-schema.md | 4 ++++ .../resource-specs/subscription-schema.md | 8 ++++++- 4 files changed, 29 insertions(+), 11 deletions(-) diff --git a/daprdocs/content/en/reference/resource-specs/component-schema.md b/daprdocs/content/en/reference/resource-specs/component-schema.md index 349ff4923a3..0f59dbfb3a9 100644 --- a/daprdocs/content/en/reference/resource-specs/component-schema.md +++ b/daprdocs/content/en/reference/resource-specs/component-schema.md @@ -8,27 +8,31 @@ description: "The basic spec for a Dapr component" Dapr defines and registers components using a [resource specifications](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/). All components are defined as a resource and can be applied to any hosting environment where Dapr is running, not just Kubernetes. +{{% alert title="Note" color="primary" %}} +Any component can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + ## Format ```yaml apiVersion: dapr.io/v1alpha1 kind: Component auth: - secretstore: [SECRET-STORE-NAME] + secretstore: metadata: - name: [COMPONENT-NAME] - namespace: [COMPONENT-NAMESPACE] + name: + namespace: spec: - type: [COMPONENT-TYPE] + type: version: v1 - initTimeout: [TIMEOUT-DURATION] - ignoreErrors: [BOOLEAN] + initTimeout: + ignoreErrors: metadata: - - name: [METADATA-NAME] - value: [METADATA-VALUE] + - name: + value: scopes: - - [APPID] - - [APPID] + - + - ``` ## Spec fields 
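Review bot: "namepsace" is misspelled in the added alert (`[namepsace]({{< ref isolation-concept.md >}})`), and the clause "restricted access through scopes to any particular set of applications" does not parse as a sentence. Suggest: "Any component can be restricted to a particular [namespace]({{< ref isolation-concept.md >}}) and, through `scopes`, to a particular set of application IDs." Separately, the placeholder replacements in the Format block come through as empty values (`secretstore:`, `name:`, `namespace:`, `type:`, and a bare `- ` under `scopes:`); if angle-bracket placeholders such as `<COMPONENT-NAME>` were intended, confirm they survive rendering, since a bare `- ` item is a YAML null and readers paste these blocks verbatim. While the file is open, the unchanged context line "using a [resource specifications]" should read "a resource specification".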
diff --git a/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md b/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md index a85a253151c..5e2b8f45d24 100644 --- a/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md +++ b/daprdocs/content/en/reference/resource-specs/httpendpoints-schema.md @@ -10,6 +10,10 @@ aliases: The `HTTPEndpoint` is a Dapr resource that is used to enable the invocation of non-Dapr endpoints from a Dapr application. +{{% alert title="Note" color="primary" %}} +Any HTTPEndpoint resource can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + ## Format ```yaml diff --git a/daprdocs/content/en/reference/resource-specs/resiliency-schema.md b/daprdocs/content/en/reference/resource-specs/resiliency-schema.md index 32888adc753..06733d1d827 100644 --- a/daprdocs/content/en/reference/resource-specs/resiliency-schema.md +++ b/daprdocs/content/en/reference/resource-specs/resiliency-schema.md @@ -8,6 +8,10 @@ description: "The basic spec for a Dapr resiliency resource" The `Resiliency` Dapr resource allows you to define and apply fault tolerance resiliency policies. Resiliency specs are applied when the Dapr sidecar starts. +{{% alert title="Note" color="primary" %}} +Any resiliency resource can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + ## Format ```yml diff --git a/daprdocs/content/en/reference/resource-specs/subscription-schema.md b/daprdocs/content/en/reference/resource-specs/subscription-schema.md index e1eb8ecc59f..c047fd40f87 100644 --- a/daprdocs/content/en/reference/resource-specs/subscription-schema.md +++ b/daprdocs/content/en/reference/resource-specs/subscription-schema.md 
@@ -6,7 +6,13 @@ weight: 2000 description: "The basic spec for a Dapr subscription" --- -The `Subscription` Dapr resource allows you to subscribe declaratively to a topic using an external component YAML file. This guide demonstrates two subscription API versions: +The `Subscription` Dapr resource allows you to subscribe declaratively to a topic using an external component YAML file. + +{{% alert title="Note" color="primary" %}} +Any subscription can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +{{% /alert %}} + +This guide demonstrates two subscription API versions: - `v2alpha` (default spec) - `v1alpha1` (deprecated) From 8d2f64d10d9d01ec03cc5d1792771a97063ef12a Mon Sep 17 00:00:00 2001 From: Hannah Hunter Date: Wed, 11 Sep 2024 12:25:36 -0400 Subject: [PATCH 2/2] clarify per josh comment Signed-off-by: Hannah Hunter --- .../content/en/reference/resource-specs/component-schema.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/resource-specs/component-schema.md b/daprdocs/content/en/reference/resource-specs/component-schema.md index 0f59dbfb3a9..875744c2868 100644 --- a/daprdocs/content/en/reference/resource-specs/component-schema.md +++ b/daprdocs/content/en/reference/resource-specs/component-schema.md 
@@ -8,8 +8,10 @@ description: "The basic spec for a Dapr component" Dapr defines and registers components using a [resource specifications](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/). All components are defined as a resource and can be applied to any hosting environment where Dapr is running, not just Kubernetes. +Typically, components are restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. The namespace is either explicit on the component manifest itself, or set by the API server, which derives the namespace through context with applying to Kubernetes. + {{% alert title="Note" color="primary" %}} -Any component can be restricted to a particular [namepsace]({{< ref isolation-concept.md >}}) and restricted access through scopes to any particular set of applications. +The exception to this rule is in self-hosted mode, where daprd ingests component resources when the namespace field is omitted. However, the security profile is mute, as daprd has access to the manifest anyway, unlike in Kubernetes. {{% /alert %}} ## Format
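Review bot: the alert added to httpendpoints-schema.md repeats the "namepsace" typo and the same ungrammatical "restricted access through scopes" clause; since the sentence is identical across all four files in this patch, fix it once and paste the corrected form. Suggest "Any `HTTPEndpoint` resource can be restricted to a particular [namespace]({{< ref isolation-concept.md >}}) and, through `scopes`, to a particular set of application IDs.", with the kind backticked to match the preceding line "The `HTTPEndpoint` is a Dapr resource".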
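Review bot: the alert in resiliency-schema.md carries the "namepsace" misspelling and the same awkward scopes clause, and "Any resiliency resource" is lowercase and unmarked while the sentence just above writes "The `Resiliency` Dapr resource". Suggest "Any `Resiliency` resource can be restricted to a particular [namespace]({{< ref isolation-concept.md >}}) and, through `scopes`, to a particular set of application IDs."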
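Review bot: "namepsace" again in the subscription-schema.md alert. Splitting the original sentence so the alert sits between the description and "This guide demonstrates two subscription API versions:" reads fine, but "Any subscription" should be "Any `Subscription` resource" for consistency with the line above, and the scopes clause needs the same grammatical fix as the other files ("and, through `scopes`, to a particular set of application IDs").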
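Review bot: "the security profile is mute" should be "moot", and the "namepsace" misspelling from the first commit is carried into the new paragraph unchanged. The sentence "set by the API server, which derives the namespace through context with applying to Kubernetes" is hard to follow; suggest "or, on Kubernetes, set by the API server from the namespace the manifest is applied into". The self-hosted alert covers only the case where the namespace field is omitted (daprd ingests the resource); a reader will immediately ask what daprd does in self-hosted mode when `metadata.namespace` is present but does not match the sidecar's namespace, and that deserves one sentence here or a pointer to the isolation-concept page already linked. Finally, this commit moves the general statement out of the alert for component-schema.md only; the other three files still use the original "Any X can be restricted..." alert wording, so decide whether they should follow the new structure.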