diff --git a/site/content/docs/reference/supported-clusters.md b/site/content/docs/reference/supported-clusters.md index e9838166..2811c093 100644 --- a/site/content/docs/reference/supported-clusters.md +++ b/site/content/docs/reference/supported-clusters.md @@ -37,3 +37,6 @@ token credential request API strategy by default. To choose the strategy to use with the concierge, use the `--concierge-mode` flag with `pinniped get kubeconfig`. Possible values are `ImpersonationProxy` and `TokenCredentialRequestAPI`. + +Do not use the command line option `--anonymous-auth=false` in the `kube-apiserver` CLI for a cluster that does not use `impersonation proxy`. This is because the `kube-apiserver` blocks unauthenticated access to `TokenCredentialRequest` API of the Concierge. +This does not matter while using `impersonation proxy`, which will allow these TokenCredentialRequests requests anyway.
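Review bot: The second added sentence ("This is because the `kube-apiserver` blocks unauthenticated access to `TokenCredentialRequest` API of the Concierge.") drops its condition, so it reads as if the API server always blocks that API. Tie it to the flag, for example "With `--anonymous-auth=false`, the `kube-apiserver` rejects unauthenticated requests to the Concierge's `TokenCredentialRequest` API." The first added sentence is a double negative ("Do not use ... for a cluster that does not use") and is easier to act on if stated positively using the strategy values from the paragraph just above (`TokenCredentialRequestAPI`, `ImpersonationProxy`). That also avoids putting the prose phrase `impersonation proxy` in code formatting, where it looks like a literal value. Since the last line says the flag does not matter under the impersonation proxy, consider pointing operators who need to keep `--anonymous-auth=false` at `--concierge-mode` explicitly. Nit on the last line: "TokenCredentialRequests requests" repeats "requests".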