ROX-24744: Update docs with namespace exclusions for admission controller

modules/namespace-exclusions.adoc

@@ -6,8 +6,26 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="namespace-exclusions_{context}"]
-= Namespace exclusions
+= Namespace exclusions from admission controller enforcement
 
-By default, {product-title-short} excludes certain administrative namespaces, such as the `stackrox`, `kube-system`, and `istio-system` namespaces, from enforcement blocking. The reason for this is that some items in these namespaces must be deployed for {product-title-short} to work correctly.
+[role="_abstract"]
+By default, {product-title-short} excludes certain administrative namespaces, such as the `stackrox`, `kube-system`, and `istio-system` namespaces, from admission controller enforcement blocking. The reason for this is that some items in these namespaces must be deployed for {product-title-short} to work correctly. 
 
-In addition, the {product-title-short} admission controller bypasses requests that originate from a `service` account in a `system` namespace. Consider this factor when deploying the CI/CD tool of your choice.
+These exclusions mean that API calls for these namespaces are not passed to {product-title-short} for review. Instead of rejecting the `CREATE` verb, the deployment is created and then scaled down using Sensor. 
+
+There are two places where excluded namespaces are defined:
+
+* The configuration of the `ValidatingWebhookConfiguration`
+* The {product-title-short} code that defines "system" namespaces
+
+The following namespaces are excluded:
+
+* `stackrox`
+* `kube.*`
+* `kube-system`
+* `kube-public`
+* `istio-system`
+* `openshift.*`
+* `redhat.*`
+
+In addition to excluding namespaces, the {product-title-short} admission controller bypasses requests that originate from a `service` account in a `system` namespace. Consider this factor when deploying the CI/CD tool of your choice.