Istio is installed in one namespace but is not necessarily working for all the cluster. Actually, Istio works only for those workloads that have the Istio sidecar injected.

For example, the following command will create some Deployments (and thus, pods) that will have the Istio Sidecar injected. Those pods will have enabled the whole Istio features.

kubectl apply -f <(./bin/istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml) -n bookinfo

However, the following command won't inject the Istio sidecar and as a consequence, Istio control plane won't modify their behavior.

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -n bookinfo

In order to manage the incoming/outgoing traffic to the istio service mesh, you can create Istio Gateways (edge of the mesh): https://istio.io/docs/reference/config/networking/v1alpha3/gateway/

Also related to traffic ingress, Istio has its own istio-ingressgateway (similar to K8S Ingress Resource but without any default traffic rule applied): https://istio.io/docs/tasks/traffic-management/ingress/

The rest of the traffic not going through these ways, won't be part of the traffic managed by Istio Service Mesh.

In order to test that, you can easily install the default Istio demo bookinfo without sidecars (second command above) and see that there is no telemetry registered and no tracing data. If you are using Kiali (www.kiali.io) you are going to see that the service graph shows empty and desconnected (meaning that there is no telemetry registered).

Also, you can expose any service of bookinfo and consume them without any Istio interacting: