Merge pull request #5302 from hashicorp/docs/k8s-acl

Update k8s ACL documentation

website/source/docs/platform/k8s/service-sync.html.md

@@ -67,17 +67,20 @@ sync to understand how the syncing works.
 The sync process must authenticate to both Kubernetes and Consul to read
 and write services.
 
-For Consul, the process accepts both the standard CLI flag `-token` and
-the environment variable `CONSUL_HTTP_TOKEN`. This should be set to an
-Consul [ACL token](/docs/guides/acl.html) if ACLs are enabled. This
-can also be configured using the Helm chart to read from a Kubernetes
-secret.
-
 For Kubernetes, a valid kubeconfig file must be provided with cluster
-and auth information. The sync process will look into the default locations
+and authentication information. The sync process will look into the default locations
 for both in-cluster and out-of-cluster authentication. If `kubectl` works,
 then the sync program should work.
 
+For Consul, if ACLs are configured on the cluster, a Consul
+[ACL token](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide)
+will need to be provided. Review the [ACL rules](/docs/agent/acl-rules.html)
+when creating this token so that it only allows the necessary privileges. The catalog
+sync process accepts this token by using the [`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token)
+environment variable. This token should be set as a
+[Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets)
+and referenced in the Helm chart.
+
 ## Kubernetes to Consul
 
 This sync registers Kubernetes services to the Consul catalog automatically.