Large xDS configuration updates cause CPU spikes

When istiod pushes xDS configuration updates, every affected sidecar parses and applies the configuration. Large configurations with many services and routes cause significant CPU consumption during updates and increase baseline CPU for route matching evaluations.

Use Sidecar resource to limit egress configuration scope to only necessary namespaces and services. Set spec.egress.hosts to ['./*', 'istio-system/*'] to receive only configuration for services in the same namespace and istio-system. Reduces config processing CPU and route evaluation overhead.