[Vault] Clarify that 1.21 did not make audience required

content/vault/v1.20.x/content/api-docs/auth/kubernetes.mdx

@@ -146,7 +146,12 @@ entities attempting to login.
   [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). Currently, label selectors with `matchExpressions` are not supported.
   To use label selectors, **Vault must have permission to read namespaces** on the Kubernetes
   cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed.
-- `audience` `(string: "")` - Audience claim to verify in the JWT.
+- `audience` `(string: "")` - Audience claim to verify in the JWT. If you leave
+  `audience` unset, Vault logs a warning about setting an explicit audience
+  configuration to encourage better security practices. Note: the log entry for
+  early versions of Vault 1.20.x falsely indicates that `audience` becomes a
+  required field in Vault 1.21.x. You can safely ignore that portion of the
+  warning.
 - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated.
   Valid choices are: `serviceaccount_uid` and `serviceaccount_name`.
 

content/vault/v1.20.x/content/docs/updates/important-changes.mdx

@@ -204,6 +204,13 @@ to the official [Snowflake documentation](https://docs.snowflake.com/en/user-gui
 Vault logs a warning when you create or update a Kubernetes auth role without an
 audience.
 
+<Note title="Note about warning text">
+  We have no plans to require audience definition in future Vault versions.
+  Log messages in earlier versions of 1.20.x incorrectly mention that Vault
+  1.21.x requires audience configuration. You can safely ignore that portion of
+  the log message.
+</Note>
+
 #### Recommendation
 
 There are cases where configuring audience details can interfere with your