diff --git a/api/v1beta1/kustomization_types.go b/api/v1beta1/kustomization_types.go
index f5adb3f10..2ce7f2b14 100644
--- a/api/v1beta1/kustomization_types.go
+++ b/api/v1beta1/kustomization_types.go
@@ -50,6 +50,7 @@ type KustomizationSpec struct {
 	Interval metav1.Duration `json:"interval"`
 
 	// The KubeConfig for reconciling the Kustomization on a remote cluster.
+	// Apply, Prune, HealthCheck, and Delete are all functional.
 	// +optional
 	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
 
@@ -125,9 +126,19 @@ type Decryption struct {
 // KubeConfig references a Kubernetes secret generated by CAPI.
 // that contains a kubeconfig file.
 type KubeConfig struct {
-	// The secret name containing a 'value' key
-	// with the kubeconfig file as the value.
-	// Ref: https://github.com/kubernetes-sigs/cluster-api/blob/release-0.3/util/secret/consts.go#L24
+	// The secret name containing a 'value' key with the kubeconfig file as the value.
+	// This secret must be in the same Namespace as the Kustomization.
+	// KubeConfig secrets maintained by Cluster API bootstrap providers can be used here.
+	// (ex: If your CAPI Cluster's name is `stage-env`, set this to `stage-env-kubeconfig`.
+	// Ensure the Kustomization is in the same Namespace as the Cluster object.
+	// Ref: https://github.com/kubernetes-sigs/cluster-api/blob/release-0.3/util/secret/consts.go#L24)
+	// The reconciliation clients are regularly refreshed from the Secret, so
+	// rotating kubeconfigs for KaaS control-planes from cloud-providers are supported.
+	// These kubeconfigs follow the same design constraints as Cluster API.
+	// It is recommended that kubeconfigs be self-contained, and the Secret be
+	// regularly updated if credentials such as a cloud-access-token expire.
+	// Cloud-specific `cmd-path` auth helpers will not function without adding
+	// binaries and credentials to the kustomize-controller Pod.
 	// +required
 	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
 }
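Review bot: The new SecretRef comment says Cluster API secrets "can be used here", but the type's own doc comment directly above the struct still reads "references a Kubernetes secret generated by CAPI." with a sentence break before "that contains", so the two now disagree on whether CAPI is a requirement; suggest `// KubeConfig references a Kubernetes Secret that contains a kubeconfig file.`. The parenthetical opened at "(ex:" is closed only after the Ref URL, so godoc and most Markdown renderers will fold the `)` into the link — close it before the Ref line or drop the parentheses. Since the controller reads this Secret from the Kustomization's namespace and the kubeconfig drives apply, prune and delete on the remote cluster, it seems worth one more sentence stating that anyone able to create a Kustomization in that namespace effectively acts with the permissions that kubeconfig grants, so it should be scoped to least-privilege RBAC on the target cluster. In the first hunk, `// Apply, Prune, HealthCheck, and Delete are all functional.` reads like a status note rather than a contract; `// Apply, prune, health checks and deletion are all performed against the remote cluster.` says what the field means to a user.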