diff --git a/website/content/docs/v0.10/Guides/deploy-metrics-server.md b/website/content/docs/v0.10/Guides/deploy-metrics-server.md index 0385ba279..0471cdbfc 100644 --- a/website/content/docs/v0.10/Guides/deploy-metrics-server.md +++ b/website/content/docs/v0.10/Guides/deploy-metrics-server.md @@ -37,7 +37,7 @@ cluster: If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`: -```shell +```sh kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml ``` diff --git a/website/content/docs/v0.11/Guides/customizing-the-kernel.md b/website/content/docs/v0.11/Guides/customizing-the-kernel.md index 553e281d1..22b76a959 100644 --- a/website/content/docs/v0.11/Guides/customizing-the-kernel.md +++ b/website/content/docs/v0.11/Guides/customizing-the-kernel.md @@ -15,7 +15,7 @@ When used as a base image, the installer will perform the above steps automatica Build and push your own kernel: - ```shell + ```sh git clone https://github.com/talos-systems/pkgs.git cd pkgs make kernel-menuconfig USERNAME=_your_github_user_name_ diff --git a/website/content/docs/v0.11/Guides/deploy-metrics-server.md b/website/content/docs/v0.11/Guides/deploy-metrics-server.md index 0385ba279..0471cdbfc 100644 --- a/website/content/docs/v0.11/Guides/deploy-metrics-server.md +++ b/website/content/docs/v0.11/Guides/deploy-metrics-server.md 
@@ -37,7 +37,7 @@ cluster: If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`: -```shell +```sh kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml ``` diff --git a/website/content/docs/v0.11/Guides/rbac.md b/website/content/docs/v0.11/Guides/rbac.md new file mode 100644 index 000000000..a3a48f2d5 --- /dev/null +++ b/website/content/docs/v0.11/Guides/rbac.md 
@@ -0,0 +1,50 @@ +--- +title: Role-based access control (RBAC) +--- + +Talos v0.11 introduced initial support for role-based access control (RBAC). +This guide will explain what that is and how to enable it without losing access to the cluster. + +## RBAC in Talos + +Talos uses certificates to authorize users. +The certificate subject's organization field is used to encode user roles. +There is a set of predefined roles that allow access to different [API methods](../../reference/api/): + +* `os:admin` grants access to all methods; +* `os:reader` grants access to "safe" methods (for example, that includes the ability to list files, but does not include the ability to read files content); +* `os:etcd:backup` grants access to [`/machine.MachineService/EtcdSnapshot`](../../reference/api/#machine.EtcdSnapshotRequest) method. + +Roles in the current `talosconfig` can be checked with the following command (using [`yq` v4](https://github.com/mikefarah/yq)): + +```sh +$ yq eval '.contexts[.context].crt' talosconfig | base64 -d | openssl x509 -noout -text + +Certificate: + Data: + [...] + Subject: O = os:reader + [...] +``` + +RBAC is enabled by default in new clusters created with `talosctl` v0.11 and disabled otherwise. + +## Enabling RBAC + +First, both the Talos cluster and `talosctl` tool should be [upgraded](../upgrading-talos/) to v0.11. +Then the `talosctl config new` command should be used to generate a new client configuration with the `os:admin` role. +Additional configurations and certificates for different roles can be generated by passing `--roles` flag: + +```sh +talosctl config new --roles=os:reader reader +``` + +That command will create a new client configuration file `reader` with a new certificate with `os:reader` role. + +After that, RBAC should be enabled in the machine configuration: + +```yaml +machine: + features: + rbac: true +``` 
diff --git a/website/content/docs/v0.11/Guides/upgrading-talos.md b/website/content/docs/v0.11/Guides/upgrading-talos.md index 9dfff29b4..9380383b7 100644 --- a/website/content/docs/v0.11/Guides/upgrading-talos.md +++ b/website/content/docs/v0.11/Guides/upgrading-talos.md @@ -20,6 +20,10 @@ TBD TBD +### After Upgrade to 0.11 + +TBD + ## `talosctl` Upgrade To manually upgrade a Talos node, you will specify the node's IP address and the
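Review bot: the three ` ```shell ` to ` ```sh ` retags (deploy-metrics-server.md in v0.10 and v0.11, customizing-the-kernel.md in v0.11) only change the highlighter alias, so please confirm the site's highlighter treats `sh` identically to `shell` and grep the rest of the docs tree for remaining ` ```shell ` fences; otherwise the two spellings stay mixed across versions and the new rbac.md (which already uses `sh`) sets a convention the older pages do not follow.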
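Review bot: in rbac.md, "Enabling RBAC" should make the ordering explicit: the configuration produced by `talosctl config new` must be the one in use, and checked with the `openssl x509 -noout -text` command from the previous section until it shows `Subject: O = os:admin`, before `machine.features.rbac: true` is applied. The guide itself states that roles are encoded in the certificate subject's organization field, so a certificate issued before 0.11 carries no role once enforcement starts, and the title promises enabling RBAC "without losing access"; the current text lists the steps but never says the new config has to be active first. Minor: the `yq eval ... | openssl x509` block sits in an `sh` fence but mixes a `$`-prefixed command with its output, so it does not copy and paste cleanly; either drop the prompt and put the output in a separate fence, or mark the block as a session transcript.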
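Review bot: the new `### After Upgrade to 0.11` subsection in upgrading-talos.md is a bare `TBD`, alongside the two `TBD` placeholders already above it. Since this same change adds the RBAC guide, the subsection should at least link to `../rbac/` and list the post-upgrade steps that guide already gives (`talosctl config new` for an `os:admin` configuration, `--roles=os:reader` for additional ones, then `machine.features.rbac: true` in the machine configuration) rather than shipping another placeholder that readers upgrading to 0.11 will hit first.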