Comparing and Contrasting Network Modes

The Subnet mode allows you to create a flat network, in which all pods can communicate with each other across projects and tenants.

The Mutitenant mode implements segregation at the project level, which provides an extra layer of isolation for pods and services. When using this mode, each project receives a unique VLAN ID that identifies traffic from the pods that belong to the project. Pods are restricted to accessing those pods whose network packet tags use the same VNID. Pods cannot communicate with pods and services in a different project.

The NetworkPolicy mode provides an extra level of flexibility by allowing you to define network policies for your pods. By default, without any network policy resources defined, pods in a project can access any other pod.

To isolate one or more pods in a project, define a NetworkPolicy resource in that project to indicate the allowed ingress and egress connections.

One benefit of using network policies is the management of security between projects (tenants), which you cannot do with layer 2 technologies such as VLANs.

Network policies allow you to create tailored policies between projects to make sure applications and users can only access what they should