tweaks to verbiage

Author: mlhoop

articles/aks/faq.md

@@ -93,9 +93,24 @@ AKS supports the following [admission controllers][admission-controllers]:
 
 Currently, you can't modify the list of admission controllers in AKS.
 
-## Do Kubernetes admission controllers impact kube-system?
+## Can I use admission controller webhooks on AKS?
 
-No, to help prevent issues, by default admission controllers use a namespace selector to ignore any actions from the MutatingAdmissionWebhook and ValidatingAdmissionWebhook to the kube-system namesapce. You can override this behavior by adding a label of "admissions.enforcer/disabled": "true" or an annotation of "admissions.enforcer/disabled": true.
+Yes, you may use admission controller webhooks on AKS. It is recommended you exclude internal AKS namespaces which are marked with the **control-plane label.** For example, by adding the below to the webhook configuration:
+
+```
+namespaceSelector:
+    matchExpressions:
+    - key: control-plane
+      operator: DoesNotExist
+```
+
+## Can admission controller webhooks impact kube-system and internal AKS namespaces?
+
+To protect the stability of the system and prevent custom admission controllers from impacting internal services in the kube-system, namespace AKS has an **Admissions Enforcer**, which automatically excludes kube-system and AKS internal namespaces. This service ensures the custom admission controllers don't affect the services running in kube-system.
+
+If you have a critical use case for having something deployed on kube-system (not recommended) which you require to be covered by your custom admission webhook, you may add the below label or annotation so that Admissions Enforcer ignores it.
+
+Label: ```"admissions.enforcer/disabled": "true"``` or Annotation: ```"admissions.enforcer/disabled": true```
 
 ## Is Azure Key Vault integrated with AKS?