Describe the feature request
After issue #26679 was resolved, istiod can be configured to watch a subset of namespaces in a k8s cluster by using meshConfig.discoverySelectors. But for deploying multi-istio in a k8s cluster, there are still some gaps:
PR #29802 implemented a DiscoveryNamespacesFilter, which can be reused by the namespace controller and secrets controller, but it looks like a different set of namespace selectors should be defined, because "discovery - namespaces watched by Istio" and "namespaces in a mesh" are different concepts.
Per my understanding, another namespace selector ("meshNamespaceSelectors"?) in MeshConfig should be defined and the items listed above should be modified accordingly. Please correct me if I misunderstand anything.
Describe alternatives you've considered
[ ] Docs [ ] Installation [X] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure
 Multi Cluster [ ] Virtual Machine [X] Multi Control Plane
I think you would also need to filter out Istio CRs to avoid cross-contamination, i.e. if I create a service entry with exportTo: ['*'] in a namespace not managed by a given mesh, it shouldn't appear in Envoys for that mesh. Having spoken to @harveyxia, #29802 doesn't ignore Istio resources created in a given namespace.
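The filtering requested in the comment above, as an added sketch that is not Istio's code or part of the original thread: resources are dropped by namespace membership before exportTo is considered. The types, the `FilterConfigs` and `selected` names, the `mesh` label key, the matchLabels-only selector and the "empty list selects every namespace" rule are all assumptions made for illustration.

```go
package main

import "fmt"

// Selector is a simplified label selector: matchLabels only (assumption).
type Selector map[string]string

// Config is a constructed stand-in for an Istio resource such as a ServiceEntry.
type Config struct {
	Name, Namespace string
	ExportTo        []string
}

// selected reports whether a namespace's labels satisfy any selector in the list.
// An empty list selects every namespace (assumption).
func selected(labels map[string]string, sels []Selector) bool {
	if len(sels) == 0 {
		return true
	}
	for _, s := range sels {
		match := true
		for k, v := range s {
			if got, ok := labels[k]; !ok || got != v {
				match = false
			}
		}
		if match {
			return true
		}
	}
	return false
}

// FilterConfigs keeps only resources created in namespaces that belong to the mesh.
// ExportTo is deliberately ignored: "*" must not carry a resource across meshes.
func FilterConfigs(cfgs []Config, nsLabels map[string]map[string]string, sels []Selector) []Config {
	var kept []Config
	for _, c := range cfgs {
		if labels, ok := nsLabels[c.Namespace]; ok && selected(labels, sels) {
			kept = append(kept, c)
		}
	}
	return kept
}

func main() { // constructed sample data: two namespaces, one per mesh
	ns := map[string]map[string]string{"team-a": {"mesh": "a"}, "team-b": {"mesh": "b"}}
	cfgs := []Config{{"se-a", "team-a", []string{"."}}, {"se-b", "team-b", []string{"*"}}}
	fmt.Println(FilterConfigs(cfgs, ns, []Selector{{"mesh": "a"}}))
}
```

With the selector for mesh `a`, the `se-b` entry is dropped even though it is exported to `*`.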