notice api permissions about mirror pods (kubernetes#9010)

CaoShuFeng · k8s-ci-robot · commit f63149e3754d · 2018-06-15T11:48:29.000-07:00
* notice api permissions about mirror pods

* Copyedit
diff --git a/content/en/docs/tasks/administer-cluster/static-pod.md b/content/en/docs/tasks/administer-cluster/static-pod.md
@@ -8,7 +8,8 @@ title: Static Pods
 
 *Static pods* are managed directly by kubelet daemon on a specific node, without the API server observing it. It does not have an associated replication controller, and kubelet daemon itself watches it and restarts it when it crashes. There is no health check. Static pods are always bound to one kubelet daemon and always run on the same node with it.
 
-Kubelet automatically creates so-called *mirror pod* on the Kubernetes API server for each static pod, so the pods are visible there, but they cannot be controlled from the API server.
+Kubelet automatically tries to create a *mirror pod* on the Kubernetes API server for each static pod.
+This means that the pods are visible on the API server but cannot be controlled from there.
 
 ## Static pod creation
 
@@ -91,6 +92,12 @@ Labels from the static pod are propagated into the mirror-pod and can be used as
 
 Notice we cannot delete the pod with the API server (e.g. via [`kubectl`](/docs/user-guide/kubectl/) command), kubelet simply won't remove it.
 
+{{<note>}}
+**Note**: Make sure the kubelet has permission to create the mirror pod in the API server.
+If not, the creation request is rejected by the API server. See 
+PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/).
+{{</note>}}
+
 ```shell
 [joe@my-master ~] $ kubectl delete pod static-web-my-node1
 pod "static-web-my-node1" deleted
