Document the safe-to-evict annotation on the webhook deployment

The annotation is set by default because by default we assume Tekton
will be installed in a small cluster with only one replica of the
webhook deployment, and that replica should not be disturbed.

If an operator configures multiple replicas they can remove the
annotation to give a Cluster Autoscaler more freedom to scale down
nodes.

docs/enabling-ha.md

@@ -88,6 +88,10 @@ spec:
   minReplicas: 1
 ```
 
+By default, the Webhook deployment is configured to block a [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) from scaling down the node that's running the only replica of the deployment using the `cluster-autoscaler.kubernetes.io/safe-to-evict` annotation.
+This is configured because, while the only replica of the Webhook is unavailable, Tekton resources can't be created, updated or deleted.
+If you configure more than one replica, you can remove the annotation to allow the Cluster Autoscaler more freedom to scale down nodes, without disrupting the Webhook service.
+
 ### Avoiding Disruptions
 
 To avoid the Webhook Service becoming unavailable during node unavailability (e.g., during node upgrades), you can ensure that a minimum number of Webhook replicas are available at time by defining a [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) which sets a `minAvailable` greater than zero: