[v10] Document new pin_source_ip role option

docs/pages/access-controls/reference.mdx

@@ -213,8 +213,8 @@ RBAC lets teams limit what resources are available to Teleport users. This can b
 you don't want regular users editing SSO (`auth_connector`) or creating and editing new roles
 (`role`).
 
-Below is an example `allow` section that illustrates commonly used `rules`. 
-Each rule includes a list of Teleport resources and the CRUD 
+Below is an example `allow` section that illustrates commonly used `rules`.
+Each rule includes a list of Teleport resources and the CRUD
 operations that a user is allowed to execute on them:
 
 ```yaml
@@ -347,5 +347,5 @@ Here is an explanation of the fields used in the `where` and `filter` conditions
 | `ssh_session.participants` | The list of participants from an SSH session       |
 | `user.metadata.name`       | The user's name                                     |
 
-Check out our [predicate language](../setup/reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources) 
+Check out our [predicate language](../setup/reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources)
 guide for a more in depth explanation of the language.

docs/pages/includes/role-spec.mdx

@@ -58,6 +58,10 @@ spec:
     # if unspecified. If one or more of the user's roles has disabled
     # the clipboard, then it will be disabled.
     desktop_clipboard: true
+    # When enabled, the source IP that was used to log in is embedded in the SSH
+    # certificate, preventing a compromised certificate from being used on other
+    # devices. The default is false.
+    pin_source_ip: true
     # Specify a list of names and associated values to be included in user SSH keys.
     # The key type can only be "ssh" and the mode can only be "extension".
     # The name and value fields can be arbitrary strings and the value field