diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md index d858cc4143a..28d5f11e16e 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md @@ -52,6 +52,8 @@ From this section you can choose: >**Note:** If your cloud provider is not listed as an option, you will need to use the [config file option](#config-file) to use that cloud provider. Please reference the [RKE's cloud provider documentation]({{< baseurl >}}/rke/v0.1.x/en/config-options/cloud-providers/) on how to configure these other cloud providers. +- Whether or not to allow the cluster to act as an _authorized cluster endpoint_. Enabling will allow users to directly access a Kubernetes API server in the cluster without requiring communication through Rancher server. Providing an FQDN and certificate will generate kubeconfig files which use those values for accessing the cluster behind a load balancer, otherwise node IP addresses and kubernetes API certs will be used. See the [kubeconfig documentation]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubeconfig/) for more information. + - Whether or not to use a [pod security policy]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies). You must have an existing pod security policy configured before you can use this option. ## Config File diff --git a/content/rancher/v2.x/en/k8s-in-rancher/kubeconfig/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/kubeconfig/_index.md index 98bd87d241e..5aed2f84d7e 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/kubeconfig/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/kubeconfig/_index.md 
@@ -19,3 +19,20 @@ For more information, see [Using kubectl to Access a Cluster]({{< baseurl >}}/ra >``` kubectl --kubeconfig /custom/path/kube.config get pods ``` + +Rancher generates kubeconfig files that by default proxy through Rancher server to connect to the Kubernetes API server on a cluster. + +For RKE clusters which are configured as _authorized cluster endpoints_ we will generate extra contexts in the kubeconfig file for connecting directly to a cluster. +If an FQDN is defined for the cluster then a single extra context will be created, otherwise an extra context which points to the IP address of each node in the control plane will be created. +Please examine the kubeconfig file for a complete list of available contexts. + +>Example of using the FQDN context for an RKE cluster: +>``` +kubectl --context rke-fqdn api-resources +``` +>or node context without FQDN defined: +>``` +kubectl --context rke-node1 api-resources +``` + +See [Cluster Options for Provisioning RKE in Rancher]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/) and [RKE Config Options]({{< baseurl >}}/rke/v0.1.x/en/config-options/authentication/) for more information on user authentication in a cluster. diff --git a/content/rancher/v2.x/en/k8s-in-rancher/kubectl/_index.md b/content/rancher/v2.x/en/k8s-in-rancher/kubectl/_index.md index 9064c89c7df..f7d097fe1e4 100644 --- a/content/rancher/v2.x/en/k8s-in-rancher/kubectl/_index.md +++ b/content/rancher/v2.x/en/k8s-in-rancher/kubectl/_index.md @@ -47,4 +47,6 @@ Alternatively, you can access your clusters by installing kubectl on your workst ``` 4. From your workstation, launch kubectl. Use it to interact with your kubernetes cluster. + For information on using cluster contexts, see [Kubeconfig Files]({{< baseurl >}}/rancher/v2.x/en//k8s-in-rancher/kubeconfig). + For more information on using kubectl, see [Kubernetes Documentation: Overview of kubectl](https://kubernetes.io/docs/reference/kubectl/overview/). 
diff --git a/content/rke/v0.1.x/en/config-options/authentication/_index.md b/content/rke/v0.1.x/en/config-options/authentication/_index.md index dd9bedff5ef..cf98a5e4cb9 100644 --- a/content/rke/v0.1.x/en/config-options/authentication/_index.md +++ b/content/rke/v0.1.x/en/config-options/authentication/_index.md @@ -12,3 +12,12 @@ authentication: - "10.18.160.10" - "my-loadbalancer-1234567890.us-west-2.elb.amazonaws.com" ``` + +RKE also supports the webhook authentication strategy. You can enable both x509 and webhook strategies by using a `|` separator in the configuration. Contents of the webhook config file should be provided, see [Kubernetes webhook documentation](https://kubernetes.io/docs/reference/access-authn-authz/webhook/) for information on the file format. Additionally, a cache timeout for webhook authentication responses can be set. +```yaml +authentication: + strategy: x509|webhook + webhook: + config_file: "...." + cache_timeout: 5s +```
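Review bot: in the `cluster-provisioning/rke-clusters/options` hunk, the new _authorized cluster endpoint_ bullet says "Providing an FQDN and certificate" without saying which certificate is meant; because this option lets clients talk to the API server directly instead of through Rancher server, state that it is the certificate (or CA) presented for that FQDN behind the load balancer, so users do not supply the wrong one and then hit TLS verification failures. Also, "kubernetes API certs" should read "Kubernetes API certs" to match the capitalisation elsewhere in the bullet.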
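Review bot: in the `k8s-in-rancher/kubeconfig` hunk, the two example blocks are inconsistently quoted: the caption lines and opening fences carry the `>` blockquote prefix, but the command lines (`kubectl --context rke-fqdn api-resources`, `kubectl --context rke-node1 api-resources`) and the closing fences do not, so the code blocks render outside the quote; prefix every line of each block with `>`, as the existing `kubectl --kubeconfig` example above them does. Two smaller points: "we will generate extra contexts" should use the page's third-person voice ("Rancher generates extra contexts"), and `rke-fqdn` / `rke-node1` are presented as if they were literal context names, so either mark them as illustrative or state the naming rule, and consider telling readers to run `kubectl config get-contexts` rather than only "examine the kubeconfig file".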
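Review bot: in the `k8s-in-rancher/kubectl` hunk, the new link target has a doubled slash: `{{< baseurl >}}/rancher/v2.x/en//k8s-in-rancher/kubeconfig` should be `{{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubeconfig`, matching the path used in the `options` hunk of this same patch.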
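Review bot: in the `rke/v0.1.x/en/config-options/authentication` hunk, the prose and the YAML disagree about what `config_file` holds: the text says "Contents of the webhook config file should be provided", while the key name and the `"...."` placeholder read like a file path; say explicitly whether the value is a path on the machine running `rke` or the inlined contents of the webhook config. The `cache_timeout: 5s` line also needs a sentence on the accepted duration format and the default used when it is omitted, since cached authentication responses keep a revoked credential valid until the entry expires. Finally, add a blank line between the paragraph and the yaml fence so the snippet reliably renders as a code block.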