diff --git a/lib/validate/net.go b/lib/validate/net.go
index 022e8a5871..e60a1996e1 100644
--- a/lib/validate/net.go
+++ b/lib/validate/net.go
@@ -55,11 +55,11 @@ func KubernetesSubnetsFromStrings(podCIDR, serviceCIDR string) error {
 func KubernetesSubnets(podNet, serviceNet *net.IPNet) (err error) {
 if podNet != nil {
 // make sure the pod subnet is valid
- // the pod network should be /16 minimum so k8s can allocate /24 to each node
+ // the pod network should be /22 minimum so k8s can allocate /24 to each node (minimum 3 nodes)
 ones, _ := podNet.Mask.Size()
- if ones > 16 {
+ if ones > 22 {
 return trace.BadParameter(
- "pod subnet should be a minimum of /16: %q", podNet.String())
+ "pod subnet should be a minimum of /22: %q", podNet.String())
 }
 }
 if podNet != nil && serviceNet != nil {
diff --git a/lib/validate/net_test.go b/lib/validate/net_test.go
index aa21b322b4..c1d3b7d208 100644
--- a/lib/validate/net_test.go
+++ b/lib/validate/net_test.go
@@ -53,7 +53,7 @@ func (*S) TestValidateKubernetesSubnets(c *check.C) {
 description: "service subnet is not a valid CIDR",
 },
 {
- podCIDR: "10.200.0.0/20",
+ podCIDR: "10.200.0.0/24",
 ok: false,
 description: "pod subnet is too small",
 },
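Review bot: The new comment says a /22 gives a minimum of 3 nodes, but a /22 holds four /24 ranges, and the comment does not say where the figure 3 comes from; state the arithmetic instead, e.g. `// a /22 holds four /24 node ranges; anything smaller cannot serve a 3-node cluster`. The message `pod subnet should be a minimum of /22` is also easy to misread, because a larger prefix number means a smaller network; `"pod subnet must be /22 or larger (prefix length <= 22): %q"` is unambiguous. The check still discards the second result of `podNet.Mask.Size()`, which returns 0, 0 for a non-canonical mask, so such a mask would pass `ones > 22`; that line is unchanged context here, and KubernetesSubnets continues past the end of the hunk.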
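Review bot: The "pod subnet is too small" case moves from /20 to /24, which no longer pins the new boundary: a later change to `ones > 23` would still pass this test. Add the two cases on either side of the limit, `podCIDR: "10.200.0.0/23", ok: false` and `podCIDR: "10.200.0.0/22", ok: true`, each with its own `description`. The test table starts and ends outside the hunk, so a /22 case may already exist elsewhere in it.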