Restrict IngressGateway inbound and outbound (upstream) that it knows about using service discovery

Hi,

Similar to “Sidecar”, which can be used to restrict outbound communications for workloads within a namespace, is there a way to configure an ingress-gateway to have a similar configuration?

I am asking since, if I execute “istioctl pc cluster myapp-istio-ingressgateway-6d889f7589-bjdc5.myappnamspace”, I can see it has all the upstreams it has discovered using service discovery. I just want to control what is valid for a particular ingress gateway resource, since mine will be a multiple ingress gateway in a cluster deployment strategy.

Thanks!