Document the endpoint admission controller

Author: danwinship

architecture/core_concepts/pods_and_services.adoc

@@ -270,3 +270,31 @@ A service or replication controller that is defined to use pods with the
 The
 https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/user-guide/labels.md[Kubernetes
 documentation] has more information on labels.
+
+[[endpoints]]
+
+== Endpoints
+
+The servers that back a service are called its endpoints, and are
+specified by an object of type *Endpoints* with the same name as the
+service. When a service is backed by pods, those pods are normally
+specified by a label selector in the service specification, and
+{product-title} automatically creates the Endpoints object pointing to
+those pods.
+
+In some cases, you may want to create a service but have it be backed
+by external hosts rather than by pods in the {product-title} cluster.
+In this case, you can leave out the `*selector*` field in the service,
+and
+xref:../../dev_guide/integrating_external_services.adoc#dev-guide-integrating-external-services[create
+the Endpoints object manually].
+
+Note that {product-title} will not let most users manually create an
+Endpoints object that points to an IP address in
+xref:../../install_config/configuring_sdn.adoc#configuring-the-pod-network-on-masters[the
+network blocks reserved for pod and service IPs]. Only
+xref:../additional_concepts/authorization.adoc#roles[cluster admins]
+or other users with
+xref:../additional_concepts/authorization.adoc#evaluating-authorization[permission
+to `create` resources under `endpoints/restricted`] can create such
+Endpoint objects.