We need a Central Gateway feature for the Gateway Controller, because the current approach of having a central istiod instance that deploys gateways into user namespaces could break tenant boundaries in OpenShift. The reason for that is that istiod has no notion of tenants, and will share its complete service registry with any workload that joins the mesh, possibly sharing information about services and endpoints of other tenants.

AC:

• document why a central gateway feature is needed for multi-tenant clusters
• capture all changes across relevant components (CIO, OSSM, ...?) required to implement the feature