limit istio scope

Signed-off-by: Steve Han <stevehan2001@gmail.com>
Signed-off-by: Steve Han <stevehan@roblox.com>

Author: han-steve

common/istio-1-24/istio-install/base/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
 - gateway_authorizationpolicy.yaml
 - deny_all_authorizationpolicy.yaml
 - gateway.yaml
+- sidecar-prune-egress.yaml
 
 patches:
 - path: patches/service.yaml

common/istio-1-24/istio-install/base/sidecar-prune-egress.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: prune-egress
+spec:
+  egress:
+  - hosts:
+    - "./*" # use mTLS within the namespace
+    - "kubeflow/*" # use mTLS when communicating with kubeflow namespace