DIAGRAMS-528: Added tenant isolation diagram to UDN docs

Author: dfitzmau

images/528-OpenShift-multitenant-0225.png

@@ -15,7 +15,7 @@ UDN improves the flexibility and segmentation capabilities of the default Layer
 
 The following diagram shows four cluster namespaces, where each namespace has a single assigned UDN, and each UDN has an assigned custom subnet for its pod IP allocations. The OVN-Kubernetes handles any overlapping UDN subnets. Without using the Kubernetes network policy, a pod attached to a UDN can communicate with other pods in that UDN. By default, these pods are isolated from communicating with pods that exist in other UDNs. For microsegmentation, you can apply the Kubernetes network policy within a UDN. You can assign one or more UDNs to a namespace, with a limitation of only one primary UDN to a namespace, and one or more namespaces to a UDN.
 
-image::527-OpenShift-UDN-isolation-012025.png[Namespace isolation concept in a user-defined network (UDN)]
+image::527-OpenShift-UDN-isolation-012025.png[The namespace isolation concept in a user-defined network (UDN)]
 
 [NOTE]
 ====
@@ -24,6 +24,10 @@ Support for the Localnet topology on both primary and secondary networks will be
 
 Unlike a network attachment definition (NAD), which is only namespaced scope, a cluster administrator can use a UDN to create and define additional networks that span multiple namespaces at the cluster level by leveraging the `ClusterUserDefinedNetwork` custom resource (CR). Additionally, a cluster administrator or a cluster user can use a UDN to define additional networks at the namespace level with the `UserDefinedNetwork` CR. 
 
+The following diagram shows tenant isolation that a cluster administrator created by defining a `ClusterUserDefinedNetwork` (CR) for each tenant. This network configuration allows a network to span across many namespaces. In the diagram, the `udn-1` disconnected network selects `namespace-1` and `namespace-2`, while the `udn-2` disconnected network selects `namespace-3` and `namespace-4`. A tenant acts as a disconnected network that is isolated from other tenants' networks. Pods from a namespace can communicate with pods in another namespace only if those namespaces exist in the same tenant network.
+
+image::528-OpenShift-multitenant-0225.png[The tenant isolation concept in a user-defined network (UDN)]
+
 The following sections further emphasize the benefits and limitations of user-defined networks, the best practices when creating a `ClusterUserDefinedNetwork` or `UserDefinedNetwork` custom resource, how to create the custom resource, and additional configuration details that might be relevant to your deployment.
 
 // Looks like this may be out for 4.17, but in for 4.18 as of 8/19/24