diff --git a/app/_data/series.yml b/app/_data/series.yml
index f926772d6c..9e18c98eba 100644
--- a/app/_data/series.yml
+++ b/app/_data/series.yml
@@ -41,3 +41,6 @@ mcp-acls:
 mesh-get-started-universal:
   title: Get started with {{site.mesh_product_name}} on Universal
   url: /mesh/get-started/universal/install/
+operator-multi-tenancy:
+  title: Deploy multiple isolated gateways on the same cluster
+  url: /operator/dataplanes/how-to/multi-tenancy/setup/
diff --git a/app/_how-tos/operator/operator-multi-tenancy-1-setup.md b/app/_how-tos/operator/operator-multi-tenancy-1-setup.md
new file mode 100644
index 0000000000..3892ef6406
--- /dev/null
+++ b/app/_how-tos/operator/operator-multi-tenancy-1-setup.md
@@ -0,0 +1,147 @@
+---
+title: Install {{ site.operator_product_name }} for multi-tenancy
+description: "Create tenant namespaces, install {{ site.operator_product_name }} scoped to those namespaces, and apply a KongLicense."
+content_type: how_to
+
+permalink: /operator/dataplanes/how-to/multi-tenancy/setup/
+series:
+  id: operator-multi-tenancy
+  position: 1
+
+breadcrumbs:
+  - /operator/
+  - index: operator
+    group: Gateway Deployment
+  - index: operator
+    group: Gateway Deployment
+    section: "How-To"
+
+products:
+  - operator
+
+works_on:
+  - on-prem
+
+min_version:
+  operator: '2.0'
+
+related_resources:
+  - text: "Multi-tenancy reference"
+    url: /operator/reference/multi-tenancy/
+  - text: "Limiting namespaces watched by ControlPlane"
+    url: /operator/reference/control-plane-watch-namespaces/
+
+tldr:
+  q: How do I set up {{ site.operator_product_name }} for multi-tenancy?
+  a: |
+    Install {{ site.operator_product_name }} with `env.watch_namespace` scoped to your
+    tenant namespaces, then apply a single `KongLicense` in `kong-system`.
+
+prereqs:
+  skip_product: true
+  inline:
+    - title: "{{site.ee_product_name}} license"
+      icon_url: /assets/icons/key.svg
+      content: |
+        Save your {{site.ee_product_name}} license as `license.json` in your current working directory. If you don't have a license, contact your Kong representative.
+---
+
+This series deploys two independent {{ site.base_gateway }} instances — one public-facing, one private — on the same cluster using a single {{ site.operator_product_name }} installation. Each gateway is scoped to its own namespace so that its in-memory {{ site.kic_product_name_short }} only processes routes from that namespace.
+
+The following diagram shows the end state you'll build across this series:
+
+<!--vale off-->
+{% mermaid %}
+flowchart TB
+  subgraph cluster["Kubernetes Cluster"]
+    subgraph sys["kong-system"]
+      KO["{{ site.operator_product_name }}\n(KongLicense)"]
+    end
+
+    subgraph pub["kong-gw-public"]
+      ConfigPub["GatewayConfiguration\nwatchNamespaces: own"]
+      GWPub["Gateway: gw-public"]
+      DPPub["Data plane Pod"]
+      SvcPub["echo service\nHTTPRoute /echo"]
+    end
+
+    subgraph priv["kong-gw-private"]
+      ConfigPriv["GatewayConfiguration\nwatchNamespaces: own"]
+      GWPriv["Gateway: gw-private"]
+      DPPriv["Data plane Pod"]
+      SvcPriv["echo service\nHTTPRoute /echo"]
+    end
+
+    KO -->|manages| GWPub
+    KO -->|manages| GWPriv
+    ConfigPub -.->|configures| GWPub
+    ConfigPriv -.->|configures| GWPriv
+    GWPub -->|provisions| DPPub
+    GWPriv -->|provisions| DPPriv
+    DPPub -->|routes traffic to| SvcPub
+    DPPriv -->|routes traffic to| SvcPriv
+  end
+{% endmermaid %}
+<!--vale on-->
+
+## Create namespaces
+
+Create the system namespace and the two tenant namespaces:
+
+```bash
+kubectl create namespace kong-system
+kubectl create namespace kong-gw-public
+kubectl create namespace kong-gw-private
+```
+
+## Install {{ site.operator_product_name }}
+
+1. Add the Kong Helm chart repository:
+
+   ```bash
+   helm repo add kong https://charts.konghq.com
+   helm repo update
+   ```
+
+1. Install {{ site.operator_product_name }} scoped to the two tenant namespaces. The `watch_namespace` value prevents the operator from reconciling resources in any other namespace.
+
+   ```bash
+   helm upgrade --install kong-operator kong/kong-operator \
+     -n kong-system \
+     --create-namespace \
+     --set image.tag={{ site.data.operator_latest.release }} \
+     --values - <<EOF
+   env:
+     watch_namespace: kong-gw-public,kong-gw-private
+   EOF
+   ```
+
+1. Wait for {{ site.operator_product_name }} to be ready:
+
+{% capture validate %}
+{% include prereqs/products/operator-validate-deployment.md %}
+{% endcapture %}
+
+{{validate | indent}}
+
+## Apply a KongLicense
+
+Apply the license once in `kong-system`. It's shared by all gateways managed by this operator installation.
+
+1. Apply the `KongLicense`:
+
+   ```bash
+   echo "
+   apiVersion: configuration.konghq.com/v1alpha1
+   kind: KongLicense
+   metadata:
+     name: kong-license
+   rawLicenseString: '$(cat ./license.json)'
+   " | kubectl -n kong-system apply -f -
+   ```
+
+1. Wait for {{ site.operator_product_name }} to pick up the license:
+
+   ```bash
+   kubectl wait --for=condition=Programmed=True konglicense/kong-license --timeout=60s
+   ```
diff --git a/app/_how-tos/operator/operator-multi-tenancy-2-public-gateway.md b/app/_how-tos/operator/operator-multi-tenancy-2-public-gateway.md
new file mode 100644
index 0000000000..4af2956a1e
--- /dev/null
+++ b/app/_how-tos/operator/operator-multi-tenancy-2-public-gateway.md
@@ -0,0 +1,131 @@
+---
+title: Deploy the public gateway
+description: "Create a {{ site.base_gateway }} instance scoped to the public tenant namespace."
+content_type: how_to
+
+permalink: /operator/dataplanes/how-to/multi-tenancy/public-gateway/
+series:
+  id: operator-multi-tenancy
+  position: 2
+
+breadcrumbs:
+  - /operator/
+  - index: operator
+    group: Gateway Deployment
+  - index: operator
+    group: Gateway Deployment
+    section: "How-To"
+
+products:
+  - operator
+
+works_on:
+  - on-prem
+
+min_version:
+  operator: '2.0'
+
+related_resources:
+  - text: "Multi-tenancy reference"
+    url: /operator/reference/multi-tenancy/
+  - text: "Managed Gateways"
+    url: /operator/dataplanes/managed-gateways/
+  - text: "Gateway configuration"
+    url: /operator/dataplanes/gateway-configuration/
+
+tldr:
+  q: How do I deploy an isolated gateway for a single tenant?
+  a: |
+    Create a `GatewayConfiguration` with `controlPlaneOptions.watchNamespaces.type: own`,
+    then create the matching `GatewayClass` and `Gateway` in the tenant namespace.
+
+prereqs:
+  skip_product: true
+---
+
+## Create a GatewayConfiguration
+
+The `controlPlaneOptions.watchNamespaces.type: own` field restricts the in-memory {{ site.kic_product_name_short }} for this gateway to watch only the `kong-gw-public` namespace. Without this, it would watch all namespaces and process routes belonging to other tenants.
+
+```bash
+echo '
+kind: GatewayConfiguration
+apiVersion: gateway-operator.konghq.com/{{ site.operator_gatewayconfiguration_api_version }}
+metadata:
+  name: gw-public
+  namespace: kong-gw-public
+spec:
+  dataPlaneOptions:
+    deployment:
+      podTemplateSpec:
+        spec:
+          containers:
+          - name: proxy
+            image: kong/kong-gateway:{{ site.data.gateway_latest.release }}
+  controlPlaneOptions:
+    watchNamespaces:
+      type: own
+' | kubectl apply -f -
+```
+
+## Create a GatewayClass
+
+1. Create a `GatewayClass` that references the `GatewayConfiguration` above:
+
+   ```bash
+   echo '
+   kind: GatewayClass
+   apiVersion: gateway.networking.k8s.io/v1
+   metadata:
+     name: gw-public
+   spec:
+     controllerName: konghq.com/gateway-operator
+     parametersRef:
+       group: gateway-operator.konghq.com
+       kind: GatewayConfiguration
+       name: gw-public
+       namespace: kong-gw-public
+   ' | kubectl apply -f -
+   ```
+
+1. Wait for {{ site.operator_product_name }} to accept the `GatewayClass`:
+
+   ```bash
+   kubectl wait --for=condition=Accepted=True gatewayclass/gw-public --timeout=60s
+   ```
+
+## Create a Gateway
+
+1. Create the `Gateway` resource in the `kong-gw-public` namespace, referencing the `GatewayClass` above:
+
+   ```bash
+   echo '
+   kind: Gateway
+   apiVersion: gateway.networking.k8s.io/v1
+   metadata:
+     name: gw-public
+     namespace: kong-gw-public
+   spec:
+     gatewayClassName: gw-public
+     listeners:
+     - name: http
+       protocol: HTTP
+       port: 80
+   ' | kubectl apply -f -
+   ```
+
+1. Wait for the gateway to be programmed:
+
+   ```bash
+   kubectl wait --for=condition=Programmed=True gateway/gw-public -n kong-gw-public --timeout=120s
+   ```
+
+## Validate
+
+Verify the public gateway was reconciled successfully:
+
+{% validation kubernetes-resource %}
+kind: Gateway
+name: gw-public
+namespace: kong-gw-public
+{% endvalidation %}
diff --git a/app/_how-tos/operator/operator-multi-tenancy-3-private-gateway.md b/app/_how-tos/operator/operator-multi-tenancy-3-private-gateway.md
new file mode 100644
index 0000000000..dd6c157745
--- /dev/null
+++ b/app/_how-tos/operator/operator-multi-tenancy-3-private-gateway.md
@@ -0,0 +1,131 @@
+---
+title: Deploy the private gateway
+description: "Create a {{ site.base_gateway }} instance scoped to the private tenant namespace."
+content_type: how_to
+
+permalink: /operator/dataplanes/how-to/multi-tenancy/private-gateway/
+series:
+  id: operator-multi-tenancy
+  position: 3
+
+breadcrumbs:
+  - /operator/
+  - index: operator
+    group: Gateway Deployment
+  - index: operator
+    group: Gateway Deployment
+    section: "How-To"
+
+products:
+  - operator
+
+works_on:
+  - on-prem
+
+min_version:
+  operator: '2.0'
+
+related_resources:
+  - text: "Multi-tenancy reference"
+    url: /operator/reference/multi-tenancy/
+  - text: "Managed Gateways"
+    url: /operator/dataplanes/managed-gateways/
+  - text: "Gateway configuration"
+    url: /operator/dataplanes/gateway-configuration/
+
+tldr:
+  q: How do I add a second isolated gateway to the same cluster?
+  a: |
+    Repeat the `GatewayConfiguration` / `GatewayClass` / `Gateway` triptych in the
+    second tenant namespace with its own `watchNamespaces.type: own` setting.
+
+prereqs:
+  skip_product: true
+---
+
+## Create a GatewayConfiguration
+
+As with the public gateway, `controlPlaneOptions.watchNamespaces.type: own` restricts the in-memory {{ site.kic_product_name_short }} to watch only the `kong-gw-private` namespace.
+
+```bash
+echo '
+kind: GatewayConfiguration
+apiVersion: gateway-operator.konghq.com/{{ site.operator_gatewayconfiguration_api_version }}
+metadata:
+  name: gw-private
+  namespace: kong-gw-private
+spec:
+  dataPlaneOptions:
+    deployment:
+      podTemplateSpec:
+        spec:
+          containers:
+          - name: proxy
+            image: kong/kong-gateway:{{ site.data.gateway_latest.release }}
+  controlPlaneOptions:
+    watchNamespaces:
+      type: own
+' | kubectl apply -f -
+```
+
+## Create a GatewayClass
+
+1. Create a `GatewayClass` that references the `GatewayConfiguration` above:
+
+   ```bash
+   echo '
+   kind: GatewayClass
+   apiVersion: gateway.networking.k8s.io/v1
+   metadata:
+     name: gw-private
+   spec:
+     controllerName: konghq.com/gateway-operator
+     parametersRef:
+       group: gateway-operator.konghq.com
+       kind: GatewayConfiguration
+       name: gw-private
+       namespace: kong-gw-private
+   ' | kubectl apply -f -
+   ```
+
+1. Wait for {{ site.operator_product_name }} to accept the `GatewayClass`:
+
+   ```bash
+   kubectl wait --for=condition=Accepted=True gatewayclass/gw-private --timeout=60s
+   ```
+
+## Create a Gateway
+
+1. Create the `Gateway` resource in the `kong-gw-private` namespace. The private gateway uses port 8080 to avoid a host-port conflict with the public gateway on single-node clusters (such as OrbStack, k3s, or kind) where each LoadBalancer service binds a host port.
+
+   ```bash
+   echo '
+   kind: Gateway
+   apiVersion: gateway.networking.k8s.io/v1
+   metadata:
+     name: gw-private
+     namespace: kong-gw-private
+   spec:
+     gatewayClassName: gw-private
+     listeners:
+     - name: http
+       protocol: HTTP
+       port: 8080
+   ' | kubectl apply -f -
+   ```
+
+1. Wait for the gateway to be programmed:
+
+   ```bash
+   kubectl wait --for=condition=Programmed=True gateway/gw-private -n kong-gw-private --timeout=120s
+   ```
+
+## Validate
+
+Verify the private gateway was reconciled successfully:
+
+{% validation kubernetes-resource %}
+kind: Gateway
+name: gw-private
+namespace: kong-gw-private
+{% endvalidation %}
diff --git a/app/_how-tos/operator/operator-multi-tenancy-4-test-services.md b/app/_how-tos/operator/operator-multi-tenancy-4-test-services.md
new file mode 100644
index 0000000000..93819b9afb
--- /dev/null
+++ b/app/_how-tos/operator/operator-multi-tenancy-4-test-services.md
@@ -0,0 +1,199 @@
+---
+title: Deploy test services
+description: "Deploy a backend service and HTTPRoute in each tenant namespace, then confirm that each gateway only serves its own routes."
+content_type: how_to
+
+permalink: /operator/dataplanes/how-to/multi-tenancy/test-services/
+series:
+  id: operator-multi-tenancy
+  position: 4
+
+breadcrumbs:
+  - /operator/
+  - index: operator
+    group: Gateway Deployment
+  - index: operator
+    group: Gateway Deployment
+    section: "How-To"
+
+products:
+  - operator
+
+works_on:
+  - on-prem
+
+min_version:
+  operator: '2.0'
+
+related_resources:
+  - text: "Multi-tenancy reference"
+    url: /operator/reference/multi-tenancy/
+  - text: "{{site.operator_product_name}} architecture"
+    url: /operator/reference/architecture/
+
+next_steps:
+  - text: "Multi-tenancy reference"
+    url: /operator/reference/multi-tenancy/
+  - text: "Limiting namespaces watched by ControlPlane"
+    url: /operator/reference/control-plane-watch-namespaces/
+
+tldr:
+  q: How do I verify that two gateways are isolated from each other?
+  a: |
+    Deploy a backend service and `HTTPRoute` in each tenant namespace. Each in-memory {{ site.kic_product_name_short }}
+    is scoped to its own namespace via `watchNamespaces.type: own`, so routes in
+    `kong-gw-public` are invisible to the private gateway and vice versa.
+
+prereqs:
+  skip_product: true
+---
+
+## Deploy test services
+
+1. Deploy the echo service in both tenant namespaces:
+
+   ```bash
+   kubectl apply -f {{site.links.web}}/manifests/kic/echo-service.yaml -n kong-gw-public
+   kubectl apply -f {{site.links.web}}/manifests/kic/echo-service.yaml -n kong-gw-private
+   ```
+
+1. Wait for both deployments to be ready:
+
+   ```bash
+   kubectl rollout status deployment/echo -n kong-gw-public --timeout=60s
+   kubectl rollout status deployment/echo -n kong-gw-private --timeout=60s
+   ```
+
+## Create an HTTPRoute for the public gateway
+
+Create an `HTTPRoute` in the `kong-gw-public` namespace pointing to the echo service:
+
+```bash
+echo '
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: echo
+  namespace: kong-gw-public
+spec:
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: gw-public
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /echo
+    backendRefs:
+    - name: echo
+      port: 1027
+' | kubectl apply -f -
+```
+
+## Create two HTTPRoutes for the private gateway
+
+Create two `HTTPRoute` resources in the `kong-gw-private` namespace. One is equivalent to the one in the `kong-gw-public` namespace, and the other is a `/private` path in `kong-gw-private` only:
+
+```bash
+echo '
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: echo
+  namespace: kong-gw-private
+spec:
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: gw-private
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /echo
+    backendRefs:
+    - name: echo
+      port: 1027
+---
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: private-only
+  namespace: kong-gw-private
+spec:
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: gw-private
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /private
+    backendRefs:
+    - name: echo
+      port: 1027
+' | kubectl apply -f -
+```
+
+## Validate
+
+1. Get the external IP address for each gateway:
+
+   ```bash
+   export PUBLIC_GW_IP=$(kubectl get gateway gw-public -n kong-gw-public \
+     -o jsonpath='{.status.addresses[0].value}')
+   echo $PUBLIC_GW_IP
+   export PRIVATE_GW_IP=$(kubectl get gateway gw-private -n kong-gw-private \
+     -o jsonpath='{.status.addresses[0].value}')
+   echo $PRIVATE_GW_IP
+   ```
+
+{% capture check_1 %}
+{% validation request-check %}
+url: /echo
+status_code: 200
+on_prem_url: $PUBLIC_GW_IP
+konnect_url: $PUBLIC_GW_IP
+{% endvalidation %}
+{% endcapture %}
+
+{% capture check_2 %}
+{% validation request-check %}
+url: /echo
+status_code: 200
+on_prem_url: $PRIVATE_GW_IP:8080
+konnect_url: $PRIVATE_GW_IP:8080
+{% endvalidation %}
+{% endcapture %}
+
+{% capture check_3 %}
+{% validation request-check %}
+url: /private
+status_code: 200
+on_prem_url: $PRIVATE_GW_IP:8080
+konnect_url: $PRIVATE_GW_IP:8080
+{% endvalidation %}
+{% endcapture %}
+
+{% capture check_4 %}
+{% validation request-check %}
+url: /private
+status_code: 200
+on_prem_url: $PUBLIC_GW_IP
+konnect_url: $PUBLIC_GW_IP
+{% endvalidation %}
+{% endcapture %}
+
+1. The public gateway listens on port 80 and the private gateway on port 8080. Check that both return a `200` response on `/echo`:
+   
+   {{check_1 | indent}}
+   {{check_2 | indent}}
+
+1. Send a request to the Route that only exists in `kong-gw-private` to verify that the public gateway has no knowledge of it:
+
+   {{check_3 | indent}}
+   {{check_4 | indent}}
+
+The public gateway returns 404 because its in-memory {{ site.kic_product_name_short }} only watches `kong-gw-public`. The `private-only` HTTPRoute lives in `kong-gw-private`, so the public {{ site.kic_product_name_short }} never processes it and never programs it into the public data plane. No matter what routes are deployed in `kong-gw-private`, they are completely invisible to `gw-public` — and vice versa. This is namespace isolation working as intended.
diff --git a/app/_includes/how-tos/validations/kubernetes-resource/snippet.md b/app/_includes/how-tos/validations/kubernetes-resource/snippet.md
index f847053a28..6d37c4d92b 100644
--- a/app/_includes/how-tos/validations/kubernetes-resource/snippet.md
+++ b/app/_includes/how-tos/validations/kubernetes-resource/snippet.md
@@ -22,3 +22,4 @@ The output should look similar to this:
   "type": "{{ conditionType }}"
 }
 ```
+{:.no-copy-code}
diff --git a/app/_indices/operator.yaml b/app/_indices/operator.yaml
index 1e1d19837b..432d156d4d 100644
--- a/app/_indices/operator.yaml
+++ b/app/_indices/operator.yaml
@@ -21,6 +21,8 @@ groups:
   - title: Reference
     sections:
       - items:
+          - path: /operator/reference/architecture/
+          - path: /operator/reference/multi-tenancy/
           - path: /operator/reference/configuration-options/
           - path: /operator/reference/custom-resources/
           - path: /operator/reference/version-compatibility/
@@ -63,6 +65,7 @@ groups:
           - path: /operator/dataplanes/how-to/use-custom-ca-certificate/
           - path: /operator/dataplanes/how-to/deploy-custom-plugins/
           - path: /operator/dataplanes/how-to/handle-ingress/
+          - path: /operator/dataplanes/how-to/multi-tenancy/setup/
           - path: /operator/dataplanes/how-to/configure-plugins-for-httproute/
       - title: Observability
         items:
diff --git a/app/operator/dataplanes/faq/license.md b/app/operator/dataplanes/faq/license.md
index 02032533a1..dd9217edeb 100644
--- a/app/operator/dataplanes/faq/license.md
+++ b/app/operator/dataplanes/faq/license.md
@@ -19,6 +19,8 @@ breadcrumbs:
 
 ## KongLicense
 
+`KongLicense` is a cluster-scoped resource. A single `KongLicense` applied to the cluster is shared by all `Gateway` instances managed by that {{ site.operator_product_name }} installation, you don't need to create one per tenant or per namespace.
+
 1. Create a file named `license.json` containing your {{site.ee_product_name}} license.
 
 1. Create a `KongLicense` object with the `rawLicenseString` field set to your license:
@@ -73,7 +75,7 @@ breadcrumbs:
     kubectl create secret generic kong-enterprise-license --from-file=license=./license.json -n default
     ```
 
-1. Specify the `KONG_LICENSE_DATA` environment variable for your DataPlane pods. This can be provided on the `DataPlane` or `GatewayConfiguration`
+1. Specify the `KONG_LICENSE_DATA` environment variable for your DataPlane pods. This can be provided on the `DataPlane` or `GatewayConfiguration`.
 
 ### DataPlane
 
diff --git a/app/operator/reference/control-plane-watch-namespaces.md b/app/operator/reference/control-plane-watch-namespaces.md
index 8e9e122941..f4c964e32b 100644
--- a/app/operator/reference/control-plane-watch-namespaces.md
+++ b/app/operator/reference/control-plane-watch-namespaces.md
@@ -14,26 +14,33 @@ products:
 
 min_version:
   operator: '1.6'
+
+related_resources:
+  - text: "Multi-tenancy"
+    url: /operator/reference/multi-tenancy/
+  - text: "Deploy multiple isolated gateways"
+    url: /operator/dataplanes/how-to/multi-tenancy/setup/
+  - text: "{{site.operator_product_name}} architecture"
+    url: /operator/reference/architecture/
 ---
 
-By default, {{ site.operator_product_name }}'s `ControlPlane` watches all namespaces.
-This provides a convenient out-of-the-box experience but may not suit all production environments, especially those where multiple teams share the same cluster or in multi-tenant setups.
+By default, {{ site.operator_product_name }}'s `ControlPlane` watches all namespaces. This provides a convenient out-of-the-box experience but may not suit production environments where multiple teams share the same cluster.
+
+You can restrict namespace watching in two ways depending on how you manage your gateways:
 
-To limit the namespaces watched by `ControlPlane`, you can set the `watchNamespaces` field in the `ControlPlane`'s `spec`.
+* Managed Gateways (Gateway API flow): Set `watchNamespaces` via `GatewayConfiguration.spec.controlPlaneOptions`. You do not create a `ControlPlane` directly. See [Multi-tenancy](/operator/reference/multi-tenancy/) for the full use case.
+* Direct `ControlPlane` management: Set `watchNamespaces` directly in the `ControlPlane`'s `spec`.
 
-## ControlPlane's watchNamespaces field
+## `watchNamespaces` types
 
-The `spec.watchNamespaces.type` field accepts three values to control this behavior:
+The `watchNamespaces.type` field accepts three values:
 
-- `all` (default): Watches resources in all namespaces.
-- `own`: Watches resources only in the `ControlPlane`'s own namespace.
-- `list`: Watches resources in the `ControlPlane`'s own namespace and in the specified list of additional namespaces.
-  When using `list`, the `ControlPlane`'s own namespace is automatically added to the list of watched namespaces, because this behavior is required by {{ site.kic_product_name }}.  
-  By default, the publish service (the `Service` for the `DataPlane`, exposed by {{ site.base_gateway }}) is created in the same namespace as the `ControlPlane`.
+* `all` (default): Watches resources in all namespaces.
+* `own`: Watches resources only in the `ControlPlane`'s own namespace.
+* `list`: Watches resources in the `ControlPlane`'s own namespace and in a specified list of additional namespaces. The `ControlPlane`'s own namespace is automatically included, as required by {{ site.kic_product_name }}.
 
 {:.info}
-> **Note:** Setting this field in `ControlPlane` will configure the `CONTROLLER_WATCH_NAMESPACE` environment variable in the managed {{ site.kic_product_name }}.
-> If you manually set the `CONTROLLER_WATCH_NAMESPACE` environment variable through `podTemplateSpec`, it will **override** this configuration.
+> The `watchNamespaces` setting configures the `CONTROLLER_WATCH_NAMESPACE` environment variable in the managed {{ site.kic_product_name_short }}. If you set this variable manually through `podTemplateSpec`, it will override the `watchNamespaces` field.
 
 The `all` and `own` types don't require any further changes or additional resources. The `list` type requires further configuration.
 
@@ -41,17 +48,18 @@ The `all` and `own` types don't require any further changes or additional resour
 
 The `list` type requires two additional steps:
 
-1. Specify the namespaces to watch in the `spec.watchNamespaces.list` field.
+1. Specify the namespaces to watch in the `spec.watchNamespaces.list` field:
+
    ```yaml
    spec:
      watchNamespaces:
        type: list
-        list:
-        - namespace-a
-        - namespace-b
+       list:
+       - namespace-a
+       - namespace-b
    ```
 
-1. Create a `WatchNamespaceGrant` resource in each of the specified namespaces. This resource grants the `ControlPlane` permission to watch resources in the specified namespace. It can be defined as:
+1. Create a `WatchNamespaceGrant` resource in each of the specified namespaces. This resource grants the `ControlPlane` permission to watch resources in that namespace:
 
    ```yaml
    apiVersion: gateway-operator.konghq.com/v1alpha1
@@ -68,20 +76,18 @@ The `list` type requires two additional steps:
 
 For more information on the `WatchNamespaceGrant` CRD, see the [CRD reference](/operator/reference/custom-resources/#watchnamespacegrant).
 
-## Multi-tenancy using watch namespaces {% new_in 2.0 %}
+## Operator-level namespace scoping {% new_in 2.0 %}
 
-Multi-tenancy, in the context of {{ site.operator_product_name }}, is an approach that allows multiple instances of the {{ site.operator_product_name }} to share the same underlying infrastructure while keeping their data isolated and more specifically to watch disjoint namespaces.
-
-This allows you to configure {{ site.operator_product_name }} itself to watch namespaces instead of always specifying them in the `ControlPlane` resources.
+From v2.0, you can scope {{ site.operator_product_name }} itself to watch only specific namespaces. This is separate from the per-`ControlPlane` `watchNamespaces` configuration and is useful when running multiple {{ site.operator_product_name }} instances on the same cluster with strictly disjoint namespace assignments.
 
 {:.warning}
-> **Important:** If you configure watch namespaces on both {{ site.operator_product_name }} and `ControlPlane` resources, they must be configured so that they don't conflict. For example, if the {{ site.operator_product_name }} watches namespaces A and B, the `ControlPlane` resource can only define watch namespaces A and B. If you use other watch namespaces, such as namespace C, the `ControlPlane` object will receive an appropriate status condition and won't reconcile your configuration.
+> If you configure watch namespaces on both {{ site.operator_product_name }} and `ControlPlane` resources, they must not conflict. For example, if {{ site.operator_product_name }} watches namespaces A and B, the `ControlPlane` can only define watch namespaces A or B. Using namespace C would cause the `ControlPlane` to receive a failure status condition and stop reconciling.
 
 You can set watch namespaces for {{ site.operator_product_name }} using several methods:
 
 {% navtabs "multi-tenant-namespaces" %}
 {% navtab "Helm chart" %}
-When using the `kong-operator` Helm chart, you can use the `env` top level configuration in your `values.yaml`:
+When using the `kong-operator` Helm chart, use the `env` top-level configuration in your `values.yaml`:
 
 ```yaml
 env:
@@ -94,15 +100,10 @@ KONG_OPERATOR_WATCH_NAMESPACES='namespace-a,namespace-b'
 ```
 {% endnavtab %}
 {% navtab "CLI" %}
-To specify the comma separated list of namespaces to watch you can use the `--watch-namespaces` flag:
+Use the `--watch-namespaces` flag with a comma-separated list of namespaces:
 
 ```bash
 ... --watch-namespaces namespace-a,namespace-b ...
 ```
 {% endnavtab %}
 {% endnavtabs %}
-
-
-
-
-
diff --git a/app/operator/reference/multi-tenancy.md b/app/operator/reference/multi-tenancy.md
new file mode 100644
index 0000000000..8774022971
--- /dev/null
+++ b/app/operator/reference/multi-tenancy.md
@@ -0,0 +1,59 @@
+---
+title: "Multi-tenancy"
+description: "Understand how to run multiple isolated {{ site.base_gateway }} instances on the same Kubernetes cluster using {{ site.operator_product_name }}."
+content_type: reference
+layout: reference
+
+breadcrumbs:
+  - /operator/
+  - index: operator
+    group: Reference
+
+products:
+  - operator
+
+works_on:
+  - on-prem
+
+min_version:
+  operator: '1.6'
+
+related_resources:
+  - text: "Deploy multiple isolated gateways on the same cluster"
+    url: /operator/dataplanes/how-to/multi-tenancy/setup/
+  - text: "{{site.operator_product_name}} architecture"
+    url: /operator/reference/architecture/
+  - text: "Limiting namespaces watched by ControlPlane"
+    url: /operator/reference/control-plane-watch-namespaces/
+  - text: "Gateway configuration"
+    url: /operator/dataplanes/gateway-configuration/
+  - text: "Managed Gateways"
+    url: /operator/dataplanes/managed-gateways/
+  - text: "Custom Resources"
+    url: /operator/reference/custom-resources/
+---
+
+Multi-tenancy in {{ site.operator_product_name }} means running multiple isolated {{ site.base_gateway }} instances — each with their own routing configuration, data plane, and namespace scope — on the same Kubernetes cluster, managed by a single {{ site.operator_product_name }} installation.
+
+Common use cases include separating a public-facing API gateway from an internal one, or giving different teams independent gateway instances without requiring separate clusters. For a step-by-step walkthrough, see [Deploy multiple isolated gateways](/operator/dataplanes/how-to/multi-tenancy/setup/).
+
+## How it works
+
+Each tenant is represented by a `Gateway`, provisioned using three resources:
+
+* `GatewayConfiguration`: A Kong-specific resource that configures the control plane and data plane options for a gateway, such as the proxy image, environment variables, and namespace watch scope.
+* `GatewayClass`: A cluster-scoped Gateway API resource that registers {{ site.operator_product_name }} as the controller for gateways of this class. It references the `GatewayConfiguration` via `parametersRef`.
+* `Gateway`: A namespaced Gateway API resource that declares a gateway instance. It references the `GatewayClass` via `gatewayClassName`, which is how {{ site.operator_product_name }} associates it with the correct `GatewayConfiguration`.
+
+For each `Gateway`, {{ site.operator_product_name }} creates:
+
+* One in-memory {{ site.kic_product_name_short }} instance embedded inside the {{ site.operator_product_name }} Pod, which watches Gateway API resources and translates them into Kong configuration.
+* One data plane deployment running {{ site.base_gateway }} in DB-less mode.
+
+Multiple `Gateway` resources can coexist in the same cluster. The resulting in-memory {{ site.kic_product_name_short }} instances and data plane Pods are independent of each other. A single {{ site.operator_product_name }} installation manages them all.
+
+## Namespace isolation
+
+By default, each in-memory {{ site.kic_product_name_short }} instance watches all namespaces for Gateway API resources (`HTTPRoute`, `GRPCRoute`, etc.). Without additional configuration, one tenant's {{ site.kic_product_name_short }} would also process another tenant's routes, so namespace isolation is required for multi-tenancy.
+
+Set `watchNamespaces` on `GatewayConfiguration.spec.controlPlaneOptions` to restrict each gateway's in-memory {{ site.kic_product_name_short }} to its own namespace. For the full field reference, type options, `WatchNamespaceGrant` configuration, and operator-level scoping, see [Limiting namespaces watched by ControlPlane](/operator/reference/control-plane-watch-namespaces/).
\ No newline at end of file