Description of problem

Current docs say:

The administrator-level credential is required only during changes that require its elevated permissions, such as upgrades.

But that doesn't provide much detail about which kind of elevated permissions belong to the root credential. This can lead to confusion like "will my cluster still be able to autoscale up new machines, etc., with the root credential removed?". To address this, we should be more clear about the role of the root credential. Maybe something like:

The administrator-level credential is required only during changes that require reconciling new or altered CredentialsRequests, such as cluster upgrades.

Possibly with a link out to context like this that explains what CredentialsRequests management is about? Maybe that section could also be more specific about mentioning the CredentialsRequests type as the way credential requests are represented to whichever actor is filling the requests (e.g. the CCO in mint/passthrough, or the user for user-provided creds)?

Version-Release number of selected component

Seen in 4.16 docs. Likely applies to other releases, although I haven't checked.

How reproducible

Every time.

Steps to Reproduce

Read the docs explaining when mint-mode root creds can be removed.

Actual results

Get an answer that includes cluster updates, but does not exclude other cluster activity.

Expected results

Get an answer that includes cluster updates, and clearly excludes all activity that isn't "reconcile a CredentialsRequest whose Secret needs updating".