Tweak line wrappings for the node authorization page

Author: tengqm

content/en/docs/reference/access-authn-authz/node.md

@@ -9,7 +9,8 @@ weight: 90
 ---
 
 <!-- overview -->
-Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.
+Node authorization is a special-purpose authorization mode that specifically
+authorizes API requests made by kubelets.
 
 
 <!-- body -->
@@ -23,40 +24,58 @@ Read operations:
 * endpoints
 * nodes
 * pods
-* secrets, configmaps, persistent volume claims and persistent volumes related to pods bound to the kubelet's node
+* secrets, configmaps, persistent volume claims and persistent volumes related
+  to pods bound to the kubelet's node
 
 Write operations:
 
-* nodes and node status (enable the `NodeRestriction` admission plugin to limit a kubelet to modify its own node)
-* pods and pod status (enable the `NodeRestriction` admission plugin to limit a kubelet to modify pods bound to itself)
+* nodes and node status (enable the `NodeRestriction` admission plugin to limit
+  a kubelet to modify its own node)
+* pods and pod status (enable the `NodeRestriction` admission plugin to limit a
+  kubelet to modify pods bound to itself)
 * events
 
 Auth-related operations:
 
-* read/write access to the [CertificateSigningRequests API](/docs/reference/access-authn-authz/certificate-signing-requests/) for TLS bootstrapping
-* the ability to create TokenReviews and SubjectAccessReviews for delegated authentication/authorization checks
+* read/write access to the
+  [CertificateSigningRequests API](/docs/reference/access-authn-authz/certificate-signing-requests/)
+  for TLS bootstrapping
+* the ability to create TokenReviews and SubjectAccessReviews for delegated
+  authentication/authorization checks
 
-In future releases, the node authorizer may add or remove permissions to ensure kubelets
-have the minimal set of permissions required to operate correctly.
+In future releases, the node authorizer may add or remove permissions to ensure
+kubelets have the minimal set of permissions required to operate correctly.
 
-In order to be authorized by the Node authorizer, kubelets must use a credential that identifies them as 
-being in the `system:nodes` group, with a username of `system:node:<nodeName>`.
+In order to be authorized by the Node authorizer, kubelets must use a credential
+that identifies them as being in the `system:nodes` group, with a username of
+`system:node:<nodeName>`.
 This group and user name format match the identity created for each kubelet as part of 
 [kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/).
 
-The value of `<nodeName>` **must** match precisely the name of the node as registered by the kubelet. By default, this is the host name as provided by `hostname`, or overridden via the [kubelet option](/docs/reference/command-line-tools-reference/kubelet/) `--hostname-override`. However, when using the `--cloud-provider` kubelet option, the specific hostname may be determined by the cloud provider, ignoring the local `hostname` and the `--hostname-override` option. 
-For specifics about how the kubelet determines the hostname, see the [kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).
+The value of `<nodeName>` **must** match precisely the name of the node as
+registered by the kubelet. By default, this is the host name as provided by
+`hostname`, or overridden via the
+[kubelet option](/docs/reference/command-line-tools-reference/kubelet/)
+`--hostname-override`. However, when using the `--cloud-provider` kubelet
+option, the specific hostname may be determined by the cloud provider, ignoring
+the local `hostname` and the `--hostname-override` option. 
+For specifics about how the kubelet determines the hostname, see the
+[kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).
 
 To enable the Node authorizer, start the apiserver with `--authorization-mode=Node`.
 
-To limit the API objects kubelets are able to write, enable the [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers#noderestriction) admission plugin by starting the apiserver with `--enable-admission-plugins=...,NodeRestriction,...`
+To limit the API objects kubelets are able to write, enable the
+[NodeRestriction](/docs/reference/access-authn-authz/admission-controllers#noderestriction)
+admission plugin by starting the apiserver with
+`--enable-admission-plugins=...,NodeRestriction,...`
 
 ## Migration considerations
 
 ### Kubelets outside the `system:nodes` group
 
-Kubelets outside the `system:nodes` group would not be authorized by the `Node` authorization mode,
-and would need to continue to be authorized via whatever mechanism currently authorizes them.
+Kubelets outside the `system:nodes` group would not be authorized by the `Node`
+authorization mode, and would need to continue to be authorized via whatever
+mechanism currently authorizes them.
 The node admission plugin would not restrict requests from these kubelets.
 
 ### Kubelets with undifferentiated usernames