ISTIO supports soft-multi-tenancy, with multiple Istio control planes, one control plane and one mesh per tenant. The cluster administrator gets control and visibility across all the Istio control planes, while the tenant administrator only gets control of a specific Istio instances. Separation between the tenants is provided bu kubernetes namespaces and RBAC.
Deployment example
Generate SDS config:
helm template install/kubernetes/helm/istio --name istio --namespace istio-system --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml > istio-auth-sds.yaml
Add command line option to the citadel
--listened-namespaces=istio-system,foo
Add command line option for pilot discovery
--appNamespace=foo
Deploy ISTIO and application in foo namespace. Apps running in different namespace will not be under this contol plane.