Fix docs for BinAuth Policy cluster_admission_rules (#2125)

<!-- This change is generated by MagicModules. -->
/cc @rileykarson

website/docs/r/binaryauthorization_policy.html.markdown

@@ -108,17 +108,21 @@ The `default_admission_rule` block supports:
 
 * `admission_whitelist_patterns` -
   (Optional)
-  Admission policy whitelisting. A matching admission request will
+  A whitelist of image patterns to exclude from admission rules. If an
-  always be permitted. This feature is typically used to exclude Google
+  image's name matches a whitelist pattern, the image's admission
-  or third-party infrastructure images from Binary Authorization
+  requests will always be permitted regardless of your admission rules.  Structure is documented below.
-  policies.  Structure is documented below.
 
 * `cluster_admission_rules` -
   (Optional)
-  Admission policy whitelisting. A matching admission request will
+  Per-cluster admission rules. An admission rule specifies either that
-  always be permitted. This feature is typically used to exclude Google
+  all container images used in a pod creation request must be attested
-  or third-party infrastructure images from Binary Authorization
+  to by one or more attestors, that all pod creations will be allowed,
-  policies.
+  or that all pod creations will be denied. There can be at most one
+  admission rule per cluster spec.
+
+  Identifier format: `{{location}}.{{clusterId}}`.
+  A location is either a compute zone (e.g. `us-central1-a`) or a region
+  (e.g. `us-central1`).  Structure is documented below.
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
@@ -134,6 +138,8 @@ The `admission_whitelist_patterns` block supports:
 
 The `cluster_admission_rules` block supports:
 
+* `cluster` - (Required) The identifier for this object. Format specified above.
+
 * `evaluation_mode` -
   (Optional)
   How this admission rule will be evaluated.