gravitational · stevenGravy · May 11, 2023 · Nov 4, 2022 · Nov 4, 2022 · Nov 29, 2022
diff --git a/docs/pages/access-controls/guides/moderated-sessions.mdx b/docs/pages/access-controls/guides/moderated-sessions.mdx
@@ -70,21 +70,39 @@ The policy below specifies that the `prod-access` role must have a minimum of
 two users with the role `auditor` and the mode `moderator` present in the
 session to start it. The policy applies to SSH and Kubernetes sessions only.
 
-When a user with this require policy starts a session, it will be pending until
-the policy is fulfilled. 
+This policy requires that at least one user with the `auditor` role is present
+as a moderator for SSH or Kubernetes sessions to start. That is applied for
+servers and Kubernetes resources labeled `env: prod`. The session will not start
+until the policy is fulfilled.
 
 ```yaml
 kind: role
 metadata:
   name: prod-access
+version: v6
 spec:
   allow:
     require_session_join:
       - name: Auditor oversight
         filter: 'contains(user.spec.roles, "auditor")'
         kinds: ['k8s', 'ssh']
         modes: ['moderator']
-        count: 2
+        count: 1
+    logins:
+    - ubuntu
+    - debian
+    node_labels:
+      env: prod
+    kubernetes_labels:
+      env: prod
+    kubernetes_groups:
+    - prod-access
+    kubernetes_users:
+    - USER
+    kubernetes_resources:
+    - kind: pod
+      name: '*'
+      namespace: '*'
 ```
 
 #### Combining Policies
@@ -104,7 +122,12 @@ The following are required options for `join_sessions`:
 |`kinds`|`[]`[Session kind](#session-kinds)|The kind of session that the policy applies to|
 |`modes`|`[]`[Participant mode](#participant-modes)|The participant mode that applies to the user joining the session under this policy|
 
-#### Example
+<Admonition type="note">
+Joining from the UI is available for SSH sessions.  Kubernetes sessions can only be joined from the CLI.
+</Admonition>
+
+
+#### Example Moderator Role
 
 The following allow policy attaches to the role `auditor` and allows one to
 join SSH and Kubernetes sessions started by a user with the role `prod-access`
@@ -114,6 +137,7 @@ as a moderator or observer.
 kind: role
 metadata:
   name: auditor
+version: v6
 spec:
   allow:
     join_sessions:
@@ -123,6 +147,44 @@ spec:
         modes: ['moderator', 'observer']
 ```
 
+#### Joining sessions example
+
+Here is an example of Jeff with role `prod-access` connecting to
+a SSH server in the production environment.
+
+```code
+$ tsh ssh ubuntu@prod.teleport.example.com
+Teleport > Creating session with ID: 46e2af03-62d6-4e07-a886-43fe741ca044...
+Teleport > Controls
+  - CTRL-C: Leave the session
+  - t: Forcefully terminate the session (moderators only)
+Teleport > User jeff joined the session.
+Teleport > Waiting for required participants...
+```
+
+Jeff's session is paused, waiting for the required observers.
+
+Now Alice with the `auditor` role joins as a moderator and
+the session can begin. 
+
+```code
+$ tsh join --mode=moderator 46e2af03-62d6-4e07-a886-43fe741ca044
+Teleport > Creating session with ID: 46e2af03-62d6-4e07-a886-43fe741ca044...
+Teleport > Controls
+  - CTRL-C: Leave the session
+  - t: Forcefully terminate the session (moderators only)
+Teleport > User jeff joined the session.
+Teleport > Waiting for required participants...
+Teleport > User alice joined the session.
+Teleport > Connecting to prod.teleport.example.com over SSH
+
+ubuntu@prod.teleport.example.com % 
+```
+
+Here is an example of joining from the UI that is available for server sessions.
+
+![Join Server Session from UI](../../../img/webui-active-session.png)
+
 ### Filters
 
 Filter expressions allow for more detailed control over the scope of an allow