In VCF 9.0 VKS clusters, network policy is a core Kubernetes networking control implemented by the cluster’s CNI (Antrea or Calico). The VCF documentation’s “VKS Cluster Networking” table describesNetwork policyas the feature that “controls what traffic is allowed to and from selected pods and network endpoints,” and identifies Antrea or Calico as the providers for this capability. That definition precisely matches optionB: it governs pod-to-pod and pod-to-external endpoint communication rules. This is different from ingress routing (which the same table describes separately as “Cluster ingress … routing for inbound pod traffic”), so option C is not correct for “network policy.” It is also different from NodePort behavior (external access via a port on each worker node through the Kubernetes network proxy), which is explicitly listed as “Service type: NodePort.” Finally, creating/operating clusters natively in Supervisor is a broader lifecycle function (Cluster API/VKS API), not the definition of network policy. Therefore,NetworkPolicyis the Kubernetes-layer mechanism to define and enforce allowed traffic flows.