Update cluster-wide proxy Risks and Mitigations for Windows nodes

modules/wmco-cluster-wide-proxy.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// windows_containers/enabling-windows-container-workloads.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="wmco-cluster-wide-proxy_{context}"]
+= Using Windows containers in a proxy-enabled cluster
+
+The Windows Machine Config Operator (WMCO) can consume and use a cluster-wide egress proxy configuration when making external requests outside the cluster’s internal network.
+
+This allows you to add Windows nodes and run workloads in a proxy-enabled cluster, allowing your Windows nodes to pull images from registries that are secured behind your proxy server or to make
+requests to off-cluster services and services that use a custom public key infrastructure.
+
+[NOTE]
+====
+The cluster-wide proxy affects system components only, not user workloads.
+====
+
+In proxy-enabled clusters, the WMCO is aware of the `NO_PROXY`, `HTTP_PROXY`, and `HTTPS_PROXY` values that are set for the cluster. The WMCO periodically checks whether the proxy environment variables have changed. If there is a discrepancy, the WMCO reconciles and updates the proxy environment variables on the Windows instances.
+
+Windows workloads created on Windows nodes in proxy-enabled clusters do not inherit proxy settings from the node by default, the same as with Linux nodes. Also, by default PowerShell sessions do not inherit proxy settings on Windows nodes in proxy-enabled clusters.

windows_containers/enabling-windows-container-workloads.adoc

@@ -46,6 +46,12 @@ include::modules/installing-wmco-using-cli.adoc[leveloffset=+2]
 
 include::modules/configuring-secret-for-wmco.adoc[leveloffset=+1]
 
+include::modules/wmco-cluster-wide-proxy.adoc[leveloffset=+1]
+
+.Additional references
+
+* xref:../networking/enable-cluster-wide-proxy.adoc#enable-cluster-wide-proxy[Configuring the cluster-wide proxy].
+
 
 [role="_additional-resources"]
 == Additional resources