diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md index 38341dc35b..ef5e5e8583 100644 --- a/docs/admin/authentication.md +++ b/docs/admin/authentication.md @@ -335,13 +335,14 @@ The first option is to use the `oidc` authenticator. This authenticator takes y ```bash kubectl config set-credentials USER_NAME \ - --auth-provider=oidc + --auth-provider=oidc \ --auth-provider-arg=idp-issuer-url=( issuer url ) \ --auth-provider-arg=client-id=( your client id ) \ --auth-provider-arg=client-secret=( your client secret ) \ --auth-provider-arg=refresh-token=( your refresh token ) \ --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \ - --auth-provider-arg=id-token=( your id_token ) + --auth-provider-arg=id-token=( your id_token ) \ + --auth-provider-arg=extra-scopes=( comma separated list of scopes to add to "openid email profile", optional ) ``` As an example, running the below command after authenticating to your identity provider: 
@@ -354,6 +355,7 @@ kubectl config set-credentials mmosley \ --auth-provider-arg=client-secret=1db158f6-177d-4d9c-8a8b-d36869918ec5 \ --auth-provider-arg=refresh-token=q1bKLFOyUiosTfawzA93TzZIDzH2TNa2SMm0zEiPKTUwME6BkEo6Sql5yUWVBSWpKUGphaWpxSVAfekBOZbBhaEW+VlFUeVRGcluyVF5JT4+haZmPsluFoFu5XkpXk5BXqHega4GAXlF+ma+vmYpFcHe5eZR+slBFpZKtQA= \ --auth-provider-arg=idp-certificate-authority=/root/ca.pem \ + --auth-provider-arg=extra-scopes=groups \ --auth-provider-arg=id-token=eyJraWQiOiJDTj1vaWRjaWRwLnRyZW1vbG8ubGFuLCBPVT1EZW1vLCBPPVRybWVvbG8gU2VjdXJpdHksIEw9QXJsaW5ndG9uLCBTVD1WaXJnaW5pYSwgQz1VUy1DTj1rdWJlLWNhLTEyMDIxNDc5MjEwMzYwNzMyMTUyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL29pZGNpZHAudHJlbW9sby5sYW46ODQ0My9hdXRoL2lkcC9PaWRjSWRQIiwiYXVkIjoia3ViZXJuZXRlcyIsImV4cCI6MTQ4MzU0OTUxMSwianRpIjoiMm96US15TXdFcHV4WDlHZUhQdy1hZyIsImlhdCI6MTQ4MzU0OTQ1MSwibmJmIjoxNDgzNTQ5MzMxLCJzdWIiOiI0YWViMzdiYS1iNjQ1LTQ4ZmQtYWIzMC0xYTAxZWU0MWUyMTgifQ.w6p4J_6qQ1HzTG9nrEOrubxIMb9K5hzcMPxc9IxPx2K4xO9l-oFiUw93daH3m5pluP6K7eOE6txBuRVfEcpJSwlelsOsW8gb8VJcnzMS9EnZpeA0tW_p-mnkFc3VcfyXuhe5R3G7aa5d8uHv70yJ9Y3-UhjiN9EhpMdfPAoEB9fYKKkJRzF7utTTIPGrSaSU6d2pcpfYKaxIwePzEkT4DfcQthoZdy9ucNvvLoi1DIC-UocFD8HLs8LYKEqSxQvOcvnThbObJ9af71EwmuE21fO5KzMW20KtAeget1gnldOosPtz1G5EwvaQ401-RPQzPGMVBld0_zMCAwZttJ4knw ``` 
@@ -367,6 +369,7 @@ users: config: client-id: kubernetes client-secret: 1db158f6-177d-4d9c-8a8b-d36869918ec5 + extra-scopes: groups id-token: eyJraWQiOiJDTj1vaWRjaWRwLnRyZW1vbG8ubGFuLCBPVT1EZW1vLCBPPVRybWVvbG8gU2VjdXJpdHksIEw9QXJsaW5ndG9uLCBTVD1WaXJnaW5pYSwgQz1VUy1DTj1rdWJlLWNhLTEyMDIxNDc5MjEwMzYwNzMyMTUyIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL29pZGNpZHAudHJlbW9sby5sYW46ODQ0My9hdXRoL2lkcC9PaWRjSWRQIiwiYXVkIjoia3ViZXJuZXRlcyIsImV4cCI6MTQ4MzU0OTUxMSwianRpIjoiMm96US15TXdFcHV4WDlHZUhQdy1hZyIsImlhdCI6MTQ4MzU0OTQ1MSwibmJmIjoxNDgzNTQ5MzMxLCJzdWIiOiI0YWViMzdiYS1iNjQ1LTQ4ZmQtYWIzMC0xYTAxZWU0MWUyMTgifQ.w6p4J_6qQ1HzTG9nrEOrubxIMb9K5hzcMPxc9IxPx2K4xO9l-oFiUw93daH3m5pluP6K7eOE6txBuRVfEcpJSwlelsOsW8gb8VJcnzMS9EnZpeA0tW_p-mnkFc3VcfyXuhe5R3G7aa5d8uHv70yJ9Y3-UhjiN9EhpMdfPAoEB9fYKKkJRzF7utTTIPGrSaSU6d2pcpfYKaxIwePzEkT4DfcQthoZdy9ucNvvLoi1DIC-UocFD8HLs8LYKEqSxQvOcvnThbObJ9af71EwmuE21fO5KzMW20KtAeget1gnldOosPtz1G5EwvaQ401-RPQzPGMVBld0_zMCAwZttJ4knw idp-certificate-authority: /root/ca.pem idp-issuer-url: https://oidcidp.tremolo.lan:8443/auth/idp/OidcIdP diff --git a/docs/admin/authorization/index.md b/docs/admin/authorization/index.md index 5605730f2f..8511eddb94 100644 --- a/docs/admin/authorization/index.md +++ b/docs/admin/authorization/index.md @@ -94,10 +94,10 @@ properties: - Resource-matching properties: - `apiGroup`, type string; an API group. - Ex: `extensions` - - Wildard: `*` matches all API groups. + - Wildcard: `*` matches all API groups. - `namespace`, type string; a namespace. - Ex: `kube-system` - - Wildard: `*` matches all resource requests. + - Wildcard: `*` matches all resource requests. - `resource`, type string; a resource type - Ex: `pods` - Wildcard: `*` matches all resource requests. diff --git a/docs/admin/kubelet.md b/docs/admin/kubelet.md index 96373e056b..b3fbece893 100644 --- a/docs/admin/kubelet.md +++ b/docs/admin/kubelet.md 
@@ -16,8 +16,8 @@ various mechanisms (primarily through the apiserver) and ensures that the contai described in those PodSpecs are running and healthy. The kubelet doesn't manage containers which were not created by Kubernetes. -Other than from an PodSpec from the apiserver, there are three ways that a container -manifest can be provided to the Kubelet. +Other than from a PodSpec, there are three ways that a container +manifest can be provided to the Kubelet from the apiserver. File: Path passed as a flag on the command line. This file is rechecked every 20 seconds (configurable with a flag). diff --git a/docs/concepts/index.md b/docs/concepts/index.md index 8c28d98b59..a14a889e55 100644 --- a/docs/concepts/index.md +++ b/docs/concepts/index.md @@ -10,7 +10,7 @@ To work with Kubernetes, you use *Kubernetes API objects* to describe your clust Once you've set your desired state, the *Kubernetes Control Plane* works to make the cluster's current state match the desired state. To do so, Kubernetes performs a variety of tasks automatically--such as starting or restarting containers, scaling the number of replicas of a given application, and more. The Kubernetes Control Plane consists of a collection of processes running on your cluster: -* The **Kubernetes Master** is a collection of four processes that run on a single node in your cluster, which is designated as the master node. +* The **Kubernetes Master** is a collection of three processes that run on a single node in your cluster, which is designated as the master node. Those processes are: kube-apiserver, kube-controller-manager and kube-scheduler. * Each individual non-master node in your cluster runs two processes: * **kubelet**, which communicates with the Kubernetes Master. * **kube-proxy**, a network proxy which reflects Kubernetes networking services on each node. diff --git a/docs/user-guide/pod-security-policy/index.md b/docs/user-guide/pod-security-policy/index.md index 6806a103fa..5744c1d849 100644 
--- a/docs/user-guide/pod-security-policy/index.md +++ b/docs/user-guide/pod-security-policy/index.md @@ -4,7 +4,7 @@ assignees: title: Pod Security Policies --- -Objects of type `podsecuritypolicy` govern the ability +Objects of type `PodSecurityPolicy` govern the ability to make requests on a pod that affect the `SecurityContext` that will be applied to a pod and container. @@ -84,6 +84,7 @@ volumes field of the PSP. The allowable values of this field correspond to the volume sources that are defined when creating a volume: 1. azureFile +1. azureDisk 1. flocker 1. flexVolume 1. hostPath @@ -104,9 +105,10 @@ to the volume sources that are defined when creating a volume: 1. configMap 1. vsphereVolume 1. quobyte -1. azureDisk 1. photonPersistentDisk +1. projected 1. portworxVolume +1. scaleIO 1. \* (allow all volumes) The recommended minimum set of allowed volumes for new PSPs are @@ -117,8 +119,8 @@ configMap, downwardAPI, emptyDir, persistentVolumeClaim, and secret. ## Admission -_Admission control_ with `PodSecurityPolicy` allows for control over the creation of resources -based on the capabilities allowed in the cluster. +_Admission control_ with `PodSecurityPolicy` allows for control over the +creation and modification of resources based on the capabilities allowed in the cluster. Admission uses the following approach to create the final security context for the pod: 
@@ -147,6 +149,28 @@ $ kubectl create -f ./psp.yaml podsecuritypolicy "permissive" created ``` +## Getting a list of Pod Security Policies + +To get a list of existing policies, use `kubectl get`: + +```shell +$ kubectl get psp +NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES +permissive false [] RunAsAny RunAsAny RunAsAny RunAsAny false [*] +privileged true [] RunAsAny RunAsAny RunAsAny RunAsAny false [*] +restricted false [] RunAsAny MustRunAsNonRoot RunAsAny RunAsAny false [emptyDir secret downwardAPI configMap persistentVolumeClaim] +``` + +## Editing a Pod Security Policy + +To modify policy interactively, use `kubectl edit`: + +```shell +$ kubectl edit psp permissive +``` + +This command will open a default text editor where you will be ably to modify policy. + ## Deleting a Pod Security Policy Once you don't need a policy anymore, simply delete it with `kubectl`: diff --git a/docs/user-guide/pod-security-policy/psp.yaml b/docs/user-guide/pod-security-policy/psp.yaml index b2cdded9e4..9f037f67d0 100644 --- a/docs/user-guide/pod-security-policy/psp.yaml +++ b/docs/user-guide/pod-security-policy/psp.yaml @@ -1,28 +1,18 @@ -{ - "kind": "PodSecurityPolicy", - "apiVersion":"extensions/v1beta1", - "metadata": { - "name": "permissive" - }, - "spec": { - "seLinux": { - "rule": "RunAsAny" - }, - "supplementalGroups": { - "rule": "RunAsAny" - }, - "runAsUser": { - "rule": "RunAsAny" - }, - "fsGroup": { - "rule": "RunAsAny" - }, - "HostPorts": [ - { - "min": 8000, - "max": 8080 - } - ], - "volumes": ["*"] - } -} +apiVersion: extensions/v1beta1 +kind: PodSecurityPolicy +metadata: + name: permissive +spec: + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + hostPorts: + - min: 8000 + max: 8080 + volumes: + - '*'
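Review bot: in the kubectl template in authentication.md (hunk at line 335), the new `extra-scopes` placeholder embeds a whole explanation, including the quoted default set `"openid email profile"`, inside the `( ... )` placeholder, making it the only one in the block that is a sentence rather than a value name. Suggest shortening it to `( comma separated list of extra scopes, optional )` and moving the detail (the default scopes are `openid email profile`; `groups` is the usual addition, as the example below uses) into the prose above the block. The added trailing `\` after `--auth-provider=oidc` is a genuine fix and worth a mention in the commit message: without it the command ended at that line and the `--auth-provider-arg` lines below it were never passed to kubectl.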
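Review bot: in the worked example in authentication.md (hunk at line 354), the `id-token` value is unchanged, and decoding its payload segment yields only the `iss`, `aud`, `exp`, `jti`, `iat`, `nbf` and `sub` claims, so the token shown was not issued with the `groups` scope that the new `--auth-provider-arg=extra-scopes=groups \` line requests. Either regenerate the example with a token that actually carries a `groups` claim, or state in the prose that the token predates the extra scope; as it stands a reader has no way to see that the option changed anything. Minor: the template above lists `extra-scopes` after `id-token` while this example lists it before; use the same order in both.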
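Review bot: the typo fix in docs/admin/authorization/index.md (hunk at line 94) leaves a copy-paste error in place on the `namespace` bullet, which now reads "Wildcard: `*` matches all resource requests." That is the `resource` bullet's wording; it should read "Wildcard: `*` matches all namespaces.", parallel to the `apiGroup` bullet's "matches all API groups". Since these properties define what an authorization policy line matches, the wildcard semantics of each field should be stated exactly.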
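Review bot: the rewording in docs/admin/kubelet.md (hunk at line 16) changes the meaning and makes the sentence wrong: the mechanisms that follow, starting with "File: Path passed as a flag on the command line", are alternatives to the apiserver, not ways of receiving a manifest "from the apiserver". Keep the original structure and fix only the article: `Other than a PodSpec from the apiserver, there are three ways that a container` / `manifest can be provided to the Kubelet.`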
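Review bot: the docs/concepts/index.md hunk (line 10) changes "four processes" to "three" and names them, but nothing says which component was dropped from the count. If etcd is intentionally not counted as a master process (it is commonly listed alongside these three), say so in the added sentence; otherwise readers comparing this page with other material will take the new count for a mistake. Also use the serial comma the surrounding paragraph already uses: "kube-apiserver, kube-controller-manager, and kube-scheduler".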
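Review bot: the volume-list hunk in docs/user-guide/pod-security-policy/index.md (line 104) adds `projected` and `scaleIO`, but the sentence right after it, recommending `configMap, downwardAPI, emptyDir, persistentVolumeClaim, and secret` as the minimum set for new PSPs, is untouched. A `projected` volume is a distinct volume type even though it carries secret, configMap and downwardAPI content, so a PSP that allows `secret` does not thereby allow `projected`; the doc should say whether `projected` belongs in the recommended minimum, or at least note that it has to be listed separately.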
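Review bot: the Admission hunk (pod-security-policy/index.md, line 117) widens the claim to "creation and modification of resources", but the sentence that immediately follows, "Admission uses the following approach to create the final security context for the pod", still describes creation only. Add a clause saying that the same checks run on updates, so the two sentences agree.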
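Review bot: typo in the new "Editing a Pod Security Policy" section (pod-security-policy/index.md, hunk at line 147): "where you will be ably to modify policy" should be "where you will be able to modify the policy", and "To modify policy interactively" reads better as "To modify a policy interactively". The `kubectl get psp` sample output is useful; consider adding one sentence noting that the `restricted` row's `VOLUMES` column is the recommended minimum set from the section above, since that is the row readers should compare their own policies against.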
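Review bot: the JSON-to-YAML conversion of psp.yaml also renames the key `HostPorts` to `hostPorts`. That is a correctness fix in its own right (the spec field is `hostPorts`, and a capitalised key should not be relied on to match), so call it out in the commit message rather than leaving it hidden inside a format change. The quoting of `'*'` under `volumes` is correct and necessary, since a bare `*` would be read as a YAML alias; a short comment in the file saying so would save the next editor from "simplifying" it.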