diff --git a/releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml b/releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml new file mode 100644 index 0000000000..0b75b58131 --- /dev/null +++ b/releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml @@ -0,0 +1,20 @@ +--- +features: + - | + k8s_fedora_atomic clusters are deployed with RBAC support. Along with RBAC + Node authorization is added so the appropriate certificates are generated. +upgrade: + - | + Using the queens (>=2.9.0) python-magnumclient, when a user executes + openstack coe cluster config, the client certificate has admin as Common + Name (CN) and system:masters for Organization which are required for + authorization with RBAC enabled clusters. This change in the client is + backwards compatible, so old clusters (without RBAC enabled) can be + reached with certificates generated by the new client. However, old + magnum clients will generate certificates that will not be able to contact + RBAC enabled clusters. This issue affects only k8s_fedora_atomic clusters + and clients <=2.8.0, note that 2.8.0 is still a queens release but only + 2.9.0 includes the relevant patch. Finally, users can always generate and + sign the certificates using this [0] procedure even with old clients since + only the cluster config command is affected. + [0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster
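Review bot: in the upgrade entry, the sentence stating that the client certificate "has admin as Common Name (CN) and system:masters for Organization" does not say what access that identity carries. As written, every user who runs openstack coe cluster config against an RBAC enabled cluster receives the same admin / system:masters identity, so the note should state the effective privilege of that certificate in one sentence, and say whether the manual procedure at [0] lets operators issue certificates with a different CN and Organization. Two smaller points in the same hunk: the features entry "Along with RBAC Node authorization is added so the appropriate certificates are generated" needs a comma after RBAC and should name which certificates are generated; and the version wording is hard to follow, because the entry opens with "queens (>=2.9.0)" and only later explains that 2.8.0 is also a queens release without the patch. Leading with "python-magnumclient >=2.9.0" and moving the queens remark next to the 2.8.0 caveat would remove the ambiguity.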