docs: add note on SGPP + max pods

website/content/en/docs/troubleshooting.md

@@ -328,7 +328,11 @@ time=2023-06-12T19:18:15Z type=Warning reason=FailedCreatePodSandBox from=kubele
 
 By default, the number of pods on a node is limited by both the number of networking interfaces (ENIs) that may be attached to an instance type and the number of IP addresses that can be assigned to each ENI.  See [IP addresses per network interface per instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI) for a more detailed information on these instance types' limits.
 
-If the max-pods (configured through your Provisioner [`kubeletConfiguration`]({{<ref "./concepts/nodepools#speckubeletconfiguration" >}})) is greater than the number of supported IPs for a given instance type, the CNI will fail to assign an IP to the pod and your pod will be left in a `ContainerCreating` state.
+If the max-pods (configured through your NodePool [`kubeletConfiguration`]({{<ref "./concepts/nodepools#speckubeletconfiguration" >}})) is greater than the number of supported IPs for a given instance type, the CNI will fail to assign an IP to the pod and your pod will be left in a `ContainerCreating` state.
+
+{{% alert title="Note" color="primary" %}}
+If you've enabled `SecurityGroupsForPods`, one ENI on the instance is used as the trunk ENI. Karpenter still considers all ENIs when computing max-pods, but when no `SecurityGroupPolicies` have been defined this overshoots reality. This can result in max-pods being higher than the number of IPs available from non-trunk ENIs. For more information on `Security Groups Per Pod` and the impact on max-pods, please reference the [EKS Best Practices Guide](https://aws.github.io/aws-eks-best-practices/networking/sgpp/).
+{{% /alert %}}
 
 ##### Solutions