update jan 16 a

Author: David Curwin

articles/defender-for-cloud/defender-for-containers-architecture.md

@@ -77,7 +77,7 @@ When you enable the agentless discovery for Kubernetes extension, the following
    Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
 
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
-- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
+- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role *Microsoft.Security/pricings/microsoft-defender-operator*. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
 
 ## [**On-premises / IaaS (Arc)**](#tab/defender-for-container-arch-arc)
 
@@ -119,7 +119,7 @@ The discovery process is based on snapshots taken at intervals:
 When you enable the agentless discovery for Kubernetes extension, the following process occurs:
 
 - **Create**:
-  - The Defender for Cloud role *MDCContainersAgentlessDiscoveryK8sRole* is created to the *aws-auth ConfigMap* of the EKS clusters by default, and can be customized.
+  - The Defender for Cloud role *MDCContainersAgentlessDiscoveryK8sRole* must be added to the *aws-auth ConfigMap* of the EKS clusters. The name can be customized.
 
 - **Assign**: Defender for Cloud assigns the *MDCContainersAgentlessDiscoveryK8sRole* role the following permissions: