fixup! RFC on authorisation model

rfcs/0001-authorisation/README.md

@@ -33,8 +33,8 @@ Flux controllers defer to [Kubernetes' native RBAC][k8s-rbac] and [namespace iso
 determine which operations are authorised, when processing the custom resources in the Flux API.
 
 In general, **Kubernetes API operations are constrained by the service account under which each
-controller pod runs** (the "Pod SA"). In the [default deployment of Flux][flux-rbac] each controller
-has its own service account, and each of these service accounts has the [`cluster-admin` cluster
+controller pod runs**. In the [default deployment of Flux][flux-rbac] each controller has its own
+service account, and each of these service accounts has the [`cluster-admin` cluster
 role][k8s-cluster-admin] bound to it.
 
 Both the Kustomize controller and the Helm controller create, update and delete arbitrary sets of
@@ -60,10 +60,10 @@ This table summarises how these operations are subject to RBAC and namespace iso
 
 | Type of operation                              | Accessed via | Namespace isolation        |
 |------------------------------------------------|--------|----------------------------------|
-| Reading and writing the object to be processed | Pod SA | N/A                              |
-| Dependencies of object to be processed         | Pod SA | Yes                              |
-| Access to related Flux API objects             | Pod SA | Some cross-namespace refs[1]     |
-| CRUD of Flux API objects                       | Pod SA | Created in same namespace        |
+| Reading and writing the object to be processed | Controller service account | N/A                              |
+| Dependencies of object to be processed         | Controller service account | Yes                              |
+| Access to related Flux API objects             | Controller service account | Some cross-namespace refs[1]     |
+| CRUD of Flux API objects                       | Controller service account | Created in same namespace        |
 | CRUD and healthcheck of sync configurations    | Impersonation[2] | As directed by spec[2] |
 
 [1] See "Cross-namespace references" below<br>
@@ -103,20 +103,20 @@ fields that are not restricted to the namespace of the containing object, listed
 
 | API kind | field | explanation |
 |----------|-------|-------------|
-| **`kustomizations.kustomize.toolkit.fluxcd.io/v1beta2`** | `.spec.dependsOn` | items are references that can include a namespace |
-|                                                          | `.spec.healthChecks` | items are references that can include a namespace (note: these are accessed using impersonation) |
-|                                                          | `.spec.sourceRef` | this is a reference that can include a namespace |
+| **`kustomizations.kustomize.toolkit.fluxcd.io/v1beta2`** | `.spec.dependsOn` | Items are references that can include a namespace |
+|                                                          | `.spec.healthChecks` | Items are references that can include a namespace (note: these are accessed using impersonation) |
+|                                                          | `.spec.sourceRef` | This is a reference that can include a namespace |
 |                                                          | `.spec.targetNamespace` | This sets or overrides the namespace given in the top-most `kustomization.yaml` |
-| **`helmreleases.helm.toolkit.fluxcd/v2beta1`** | `.spec.dependsOn` | items are references that can include a namespace |
-|                                                | `.spec.targetNamespace` | this gives the namespace into which a Helm chart is installed (note: using impersonation) |
-|                                                | `.spec.storageNamespace` | this gives the namespace in which the record of a Helm install is created (note: using impersonation) |
-|                                                | `.spec.chart.spec.sourceRef` | this is a reference (in the created `HelmChart` object) that can include a namespace |
-| **`alerts.notification.toolkit.fluxcd.io/v1beta1`** | `.spec.eventSources` | items are references that can include a namespace |
-| **`receivers.notification.toolkit.fluxcd.io/v1beta1`** | `.spec.resources` | items in this field are references that can include a namespace |
-| **`imagepolicies.image.toolkit.fluxcd.io/v1beta1`** | `.spec.imageRepositoryRef` | this reference can include a namespace[1] |
-
-[1] This cross-namespace reference is subject to additional access control; see "Access control for
-cross-namespace references" below.
+| **`helmreleases.helm.toolkit.fluxcd/v2beta1`** | `.spec.dependsOn` | Items are references that can include a namespace |
+|                                                | `.spec.targetNamespace` | This gives the namespace into which a Helm chart is installed (note: using impersonation) |
+|                                                | `.spec.storageNamespace` | This gives the namespace in which the record of a Helm install is created (note: using impersonation) |
+|                                                | `.spec.chart.spec.sourceRef` | This is a reference (in the created `HelmChart` object) that can include a namespace |
+| **`alerts.notification.toolkit.fluxcd.io/v1beta1`** | `.spec.eventSources` | Items are references that can include a namespace |
+| **`receivers.notification.toolkit.fluxcd.io/v1beta1`** | `.spec.resources` | Items in this field are references that can include a namespace |
+| **`imagepolicies.image.toolkit.fluxcd.io/v1beta1`** | `.spec.imageRepositoryRef` | This reference can include a namespace[1] |
+
+[1] This particular cross-namespace reference is subject to additional access control; see "Access
+control for cross-namespace references" below.
 
 Note that the field `.spec.sourceRef` of **`imageupdateautomation.image.toolkit.fluxcd.io`** does
 _not_ include a namespace.