From b880953ef7f6434804d6c57daf938de639748b3f Mon Sep 17 00:00:00 2001 From: Leonardo Sarra Date: Wed, 26 Nov 2025 12:51:38 +0000 Subject: [PATCH 1/2] doc: add note about PA config with selectors being ignored in rootNamespace --- security/v1beta1/peer_authentication.proto | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto index 92a33a097b..142b460f31 100644 --- a/security/v1beta1/peer_authentication.proto +++ b/security/v1beta1/peer_authentication.proto @@ -44,6 +44,8 @@ syntax = "proto3"; // ``` // For mesh level, put the policy in root-namespace according to your Istio installation. // +// Note: PeerAuthentication policies with workload selectors are ignored when deployed in the root namespace. +// // Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but // require mTLS for workload `finance`. // ```yaml From 5562f4ecc4f68dc75d9018e2cb223cbfdea345af Mon Sep 17 00:00:00 2001 From: Leonardo Sarra Date: Wed, 26 Nov 2025 12:59:35 +0000 Subject: [PATCH 2/2] gen files --- security/v1beta1/peer_authentication.pb.go | 2 ++ security/v1beta1/peer_authentication.pb.html | 1 + 2 files changed, 3 insertions(+) diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go index 91d3988c87..0a2cd5e547 100644 --- a/security/v1beta1/peer_authentication.pb.go +++ b/security/v1beta1/peer_authentication.pb.go @@ -49,6 +49,8 @@ // ``` // For mesh level, put the policy in root-namespace according to your Istio installation. // +// Note: PeerAuthentication policies with workload selectors are ignored when deployed in the root namespace. +// // Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but // require mTLS for workload `finance`. // ```yaml 
diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html index aef474863c..c7f2abc85f 100644 --- a/security/v1beta1/peer_authentication.pb.html +++ b/security/v1beta1/peer_authentication.pb.html @@ -27,6 +27,7 @@ mode: STRICT

For mesh level, put the policy in root-namespace according to your Istio installation.

+

Note: PeerAuthentication policies with workload selectors are ignored when deployed in the root namespace.

Policies to allow both mTLS and plaintext traffic for all workloads under namespace foo, but require mTLS for workload finance.

apiVersion: security.istio.io/v1
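
Review bot: The note added in the first hunk (security/v1beta1/peer_authentication.proto, after the "For mesh level" line) says a policy with a workload selector is "ignored" in the root namespace, but it does not tell the reader what to do instead. A policy that is silently ignored can leave a workload without the mTLS mode its author intended, so it is worth extending the sentence to point at the workload's own namespace, as the `foo`/`finance` example right below it does, for instance: "... are ignored when deployed in the root namespace; to target a specific workload, create the policy in that workload's namespace." The line above the note also writes `root-namespace` while the note writes "root namespace"; use one spelling in both. The generated copies in peer_authentication.pb.go and peer_authentication.pb.html would need regenerating after any wording change.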