Clarify request authentication root namespace scope. (#2086)

* Clarify request authentication root namespace scope.

* typo fix.

* make gen.

* make gen.

* clarified all workloads instead.

* update with authz example.

* Update security/v1beta1/request_authentication.proto

Co-authored-by: Sven Mawson <[email protected]>

* Update security/v1beta1/request_authentication.proto

Co-authored-by: Sven Mawson <[email protected]>

* update the doc gen.

Co-authored-by: Lin Sun <[email protected]>
Co-authored-by: Sven Mawson <[email protected]>

security/v1beta1/request_authentication.proto

@@ -64,6 +64,33 @@ option go_package="istio.io/api/security/v1beta1";
 //         requestPrincipals: ["*"]
 // ```
 //
+// - A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
+// in a mesh. The following policy makes all workloads only accept requests that contain a
+// valid JWT token.
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: RequestAuthentication
+// metadata:
+//   name: req-authn-for-all
+//   namespace: istio-system
+// spec:
+//   jwtRules:
+//   - issuer: "issuer-foo"
+//     jwksUri: https://example.com/.well-known/jwks.json
+// ---
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   name: require-jwt-for-all
+//   namespace: istio-system
+// spec:
+//   rules:
+//   - from:
+//     - source:
+//         requestPrincipals: ["*"]
+// ```
+//
 // - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
 // declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
 // set from the OpenID Connect spec).