RDS access in a multitenant env

Dear Istio community,

In my day job, I’m running a multi-tenant cluster with OpenShift.
The isolation of these tenants is happening at the namespace level.

We plan to roll out the capacity for these teams to self-serve RDS instances (3 to 4 months timeline).
At first the security will rely on the password that will be available only to the requesting namespace.
But in a second iteration, we’ll be looking at network isolation.
To be clearer, imagine we have 2 namespaces, nsA and nsB for teamA and teamB.
TeamA orders an RDS instance, and we want to make sure that even from a network standpoint, teamB can’t access teamA’s RDS instance (except if explicitly requested).
From my current understanding, Network policy can’t give me such granularity of control.
For that granularity, I think I’ll need Istio.
I just read this doc and it looks like the beginning of my answer.

Do you have any documents to help me to get smarter to solve this specific issue?
(YouTube, podcast, doc, blog)

Thanks a lot for your time, and for helping me get started!