fix review

Signed-off-by: Karol Szwaj <[email protected]>

Author: cnvergence

site/content/en/latest/tasks/operations/deployment-mode.md

@@ -1079,6 +1079,6 @@ curl --header "Host: www.merged3.com" http://$GATEWAY_HOST:8082/example3
 [EnvoyProxy]: ../../api/extension_types#envoyproxy
 [GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/
 [Namespaced deployment mode]: ../../api/extension_types#kuberneteswatchmode
-[Gateway Namespace Mode]: gateway-namespace-mode.md
+[Gateway Namespace Mode]: ./gateway-namespace-mode.md
 [issue1231]: https://github.com/envoyproxy/gateway/issues/1231
 [issue2629]: https://github.com/envoyproxy/gateway/issues/2629

site/content/en/latest/tasks/operations/gateway-namespace-mode.md

@@ -16,8 +16,6 @@ In standard deployment mode, Envoy Gateway creates all data plane resources in t
 
 Gateway Namespace Mode changes this behavior by placing Envoy Proxy data plane resources like Deployments, Services and ServiceAccounts in each Gateway's namespace, providing stronger isolation and multi-tenancy.
 
-# Design
-
 Traditional deployment mode uses mTLS where both the client and server authenticate each other. However, in Gateway Namespace Mode, we've shifted to server-side TLS and JWT token validation between infra and control-plane.
 
 * Only the CA certificate is available in pods running in Gateway namespaces
@@ -28,8 +26,12 @@ Gateway Namespace Mode uses projected service account JWT tokens for authenticat
 * Use short-lived, audience-specific JWT tokens. These tokens are automatically mounted into pods via the projected volume mechanism
 * JWT validation ensures that only authorized proxies can connect to the xDS server
 
+{{% alert title="Note" color="warning" %}}
+
 Currently it is not supported to run Gateway Namespace Mode with Merged Gateways deployments.
 
+{{% /alert %}}
+
 # Configuration
 
 To enable Gateway Namespace Mode, configure the `provider.kubernetes.deploy.type` field in your Envoy Gateway ConfigMap: