diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go index 91d3988c87..0a2cd5e547 100644 --- a/security/v1beta1/peer_authentication.pb.go +++ b/security/v1beta1/peer_authentication.pb.go @@ -49,6 +49,8 @@ // ``` // For mesh level, put the policy in root-namespace according to your Istio installation. // +// Note: PeerAuthentication policies with workload selectors are ignored when deployed in the root namespace. +// // Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but // require mTLS for workload `finance`. // ```yaml diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html index aef474863c..c7f2abc85f 100644 --- a/security/v1beta1/peer_authentication.pb.html +++ b/security/v1beta1/peer_authentication.pb.html @@ -27,6 +27,7 @@ mode: STRICT
For mesh level, put the policy in root-namespace according to your Istio installation.
+Note: PeerAuthentication policies with workload selectors are ignored when deployed in the root namespace.
Policies to allow both mTLS and plaintext traffic for all workloads under namespace foo, but
require mTLS for workload finance.
apiVersion: security.istio.io/v1
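Review bot: The added "Note:" line sits directly under "For mesh level, put the policy in root-namespace", so the rendered page first tells the reader to place a policy in the root namespace and then says policies there are ignored, and the link between the two (that this applies only to policies carrying a workload selector) is easy to miss when skimming. Suggest joining them, for example "For mesh level, put the policy, without a workload selector, in the root namespace", followed by the note. `PeerAuthentication` could also be set in code formatting, as `foo` and `finance` are in the source comment. The same sentence appears in the peer_authentication.pb.go hunk, so any rewording should be made once in the .proto and the generated files regenerated from it.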
diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto
index 92a33a097b..142b460f31 100644
--- a/security/v1beta1/peer_authentication.proto
+++ b/security/v1beta1/peer_authentication.proto
@@ -44,6 +44,8 @@ syntax = "proto3";
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
+// Note: PeerAuthentication policies with workload selectors are ignored when deployed in the root namespace.
+//
// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
// ```yaml
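Review bot: "ignored" in the added comment line does not say what is ignored, the whole policy or only its selector, and the two readings have opposite security outcomes. If the whole policy is dropped, a selector-scoped policy placed in the root namespace enforces nothing while the operator believes mTLS is required for that workload. If only the selector is dropped, the policy's mode would apply mesh-wide. Please state which one happens and what mode the selected workloads end up with, and say whether the user gets any validation or status feedback when this occurs. It may also be worth repeating the note on the `selector` field's own comment if it is not already there, since that is where someone writing such a policy will look.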