Istio includes several features for scoping service mesh resources within a service mesh that can be used to isolate areas of a mesh, implementing a form of soft multi-tenancy within a single service mesh.

Note that Discovery Selectors are used to scope the namespaces that a mesh watches, but the features below assume a single mesh with a boundary that has already been defined with discovery selectors (or includes the entire cluster). This story is about dividing that mesh into different zones.

Features:

• Sidecar resource
• exportTO
• Authorization Policies 

The Istio Zones project attempts to automate these features: https://github.com/openshift-service-mesh/istio-zones. This doc issue is simply to document the features and how they can be used together.

This Kubecon talk also discusses such concepts as single tenant multi-tenancy: https://www.youtube.com/watch?v=w3d8gxGpaNQ&t=128s