diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
index b3daf12357..b1de2f77b0 100644
--- a/networking/v1alpha3/destination_rule.pb.go
+++ b/networking/v1alpha3/destination_rule.pb.go
@@ -206,9 +206,23 @@ type DestinationRule struct {
 	// One or more named sets that represent individual versions of a
 	// service. Traffic policies can be overridden at subset level.
 	Subsets []*Subset `protobuf:"bytes,3,rep,name=subsets,proto3" json:"subsets,omitempty"`
-	// The resolution of a DestinationRule to apply to a service occurs in the
-	// context of a hierarchy of namespaces. This rule controls whether those
-	// namespaces are allowed to select this rule.
+	// A list of namespaces to which this destination rule is exported.
+	// The resolution of a destination rule to apply to a service occurs in the
+	// context of a hierarchy of namespaces. Exporting a destination rule allows
+	// it to be included in the resolution hierarchy for services in
+	// other namespaces. This feature provides a mechanism for service owners
+	// and mesh administrators to control the visibility of destination rules
+	// across namespace boundaries.
+	//
+	// If no namespaces are specified then the destination rule is exported to all
+	// namespaces by default.
+	//
+	// The value "." is reserved and defines an export to the same namespace that
+	// the destination rule is declared in. Similarly, the value "*" is reserved and
+	// defines an export to all namespaces.
+	//
+	// NOTE: in the current release, the `exportTo` value is restricted to
+	// "." or "*" (i.e., the current namespace or all namespaces).
 	ExportTo             []string `protobuf:"bytes,4,rep,name=export_to,json=exportTo,proto3" json:"export_to,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
diff --git a/networking/v1alpha3/destination_rule.pb.html b/networking/v1alpha3/destination_rule.pb.html
index 47bb4d3e92..badb8ec90b 100644
--- a/networking/v1alpha3/destination_rule.pb.html
+++ b/networking/v1alpha3/destination_rule.pb.html
@@ -321,9 +321,23 @@ <h2 id="DestinationRule">DestinationRule</h2>
 <td><code>exportTo</code></td>
 <td><code>string[]</code></td>
 <td>
-<p>The resolution of a DestinationRule to apply to a service occurs in the
-context of a hierarchy of namespaces. This rule controls whether those
-namespaces are allowed to select this rule.</p>
+<p>A list of namespaces to which this destination rule is exported.
+The resolution of a destination rule to apply to a service occurs in the
+context of a hierarchy of namespaces. Exporting a destination rule allows
+it to be included in the resolution hierarchy for services in
+other namespaces. This feature provides a mechanism for service owners
+and mesh administrators to control the visibility of destination rules
+across namespace boundaries.</p>
+
+<p>If no namespaces are specified then the destination rule is exported to all
+namespaces by default.</p>
+
+<p>The value &ldquo;.&rdquo; is reserved and defines an export to the same namespace that
+the destination rule is declared in. Similarly, the value &ldquo;*&rdquo; is reserved and
+defines an export to all namespaces.</p>
+
+<p>NOTE: in the current release, the <code>exportTo</code> value is restricted to
+&ldquo;.&rdquo; or &ldquo;*&rdquo; (i.e., the current namespace or all namespaces).</p>
 
 </td>
 </tr>
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index 5759ff5095..6dfae5ce0f 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -122,9 +122,23 @@ message DestinationRule {
   // service. Traffic policies can be overridden at subset level.
   repeated Subset subsets = 3;
 
-  // The resolution of a DestinationRule to apply to a service occurs in the
-  // context of a hierarchy of namespaces. This rule controls whether those
-  // namespaces are allowed to select this rule.
+  // A list of namespaces to which this destination rule is exported.
+  // The resolution of a destination rule to apply to a service occurs in the
+  // context of a hierarchy of namespaces. Exporting a destination rule allows
+  // it to be included in the resolution hierarchy for services in
+  // other namespaces. This feature provides a mechanism for service owners
+  // and mesh administrators to control the visibility of destination rules
+  // across namespace boundaries.
+  //
+  // If no namespaces are specified then the destination rule is exported to all
+  // namespaces by default.
+  //
+  // The value "." is reserved and defines an export to the same namespace that
+  // the destination rule is declared in. Similarly, the value "*" is reserved and
+  // defines an export to all namespaces.
+  //
+  // NOTE: in the current release, the `exportTo` value is restricted to
+  // "." or "*" (i.e., the current namespace or all namespaces).
   repeated string export_to = 4;
 }
 
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index b692388413..12464c9513 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -116,7 +116,7 @@
 // The following example demonstrates the use of a dedicated egress gateway
 // through which all external service traffic is forwarded.
 // The 'exportTo' field allows for control over the visibility of a service
-// declaration to other namespaces in the mesh. By default a service is exported
+// declaration to other namespaces in the mesh. By default, a service is exported
 // to all namespaces. The following example restricts the visibility to the
 // current namespace, represented by ".", so that it cannot be used by other
 // namespaces.
@@ -177,7 +177,7 @@
 //   hosts:
 //   - httpbin.com
 //   exportTo:
-//   - *
+//   - "*"
 //   gateways:
 //   - mesh
 //   - istio-egressgateway
@@ -455,7 +455,7 @@ type ServiceEntry struct {
 	// One or more endpoints associated with the service.
 	Endpoints []*ServiceEntry_Endpoint `protobuf:"bytes,6,rep,name=endpoints,proto3" json:"endpoints,omitempty"`
 	// A list of namespaces to which this service is exported. Exporting a service
-	// allows it to used by sidecars, gateways and virtual services defined in
+	// allows it to be used by sidecars, gateways and virtual services defined in
 	// other namespaces. This feature provides a mechanism for service owners
 	// and mesh administrators to control the visibility of services across
 	// namespace boundaries.
@@ -464,12 +464,15 @@ type ServiceEntry struct {
 	// namespaces by default.
 	//
 	// The value "." is reserved and defines an export to the same namespace that
-	// the service is declared in, similarly the value "*" is reserved and
+	// the service is declared in. Similarly the value "*" is reserved and
 	// defines an export to all namespaces.
 	//
-	// For a Kubernetes Service the equivalent effect can be achieved by setting
+	// For a Kubernetes Service, the equivalent effect can be achieved by setting
 	// the annotation "networking.istio.io/exportTo" to a comma-separated list
 	// of namespace names.
+	//
+	// NOTE: in the current release, the `exportTo` value is restricted to
+	// "." or "*" (i.e., the current namespace or all namespaces).
 	ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo,proto3" json:"export_to,omitempty"`
 	// The list of subject alternate names allowed for workloads that
 	// implement this service. This information is used to enforce
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index a53b377df8..3846c14e82 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -117,7 +117,7 @@
 <p>The following example demonstrates the use of a dedicated egress gateway
 through which all external service traffic is forwarded.
 The &lsquo;exportTo&rsquo; field allows for control over the visibility of a service
-declaration to other namespaces in the mesh. By default a service is exported
+declaration to other namespaces in the mesh. By default, a service is exported
 to all namespaces. The following example restricts the visibility to the
 current namespace, represented by &ldquo;.&rdquo;, so that it cannot be used by other
 namespaces.</p>
@@ -175,7 +175,7 @@
   hosts:
   - httpbin.com
   exportTo:
-  - *
+  - &quot;*&quot;
   gateways:
   - mesh
   - istio-egressgateway
@@ -389,7 +389,7 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
 <td><code>string[]</code></td>
 <td>
 <p>A list of namespaces to which this service is exported. Exporting a service
-allows it to used by sidecars, gateways and virtual services defined in
+allows it to be used by sidecars, gateways and virtual services defined in
 other namespaces. This feature provides a mechanism for service owners
 and mesh administrators to control the visibility of services across
 namespace boundaries.</p>
@@ -398,13 +398,16 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
 namespaces by default.</p>
 
 <p>The value &ldquo;.&rdquo; is reserved and defines an export to the same namespace that
-the service is declared in, similarly the value &ldquo;*&rdquo; is reserved and
+the service is declared in. Similarly the value &ldquo;*&rdquo; is reserved and
 defines an export to all namespaces.</p>
 
-<p>For a Kubernetes Service the equivalent effect can be achieved by setting
+<p>For a Kubernetes Service, the equivalent effect can be achieved by setting
 the annotation &ldquo;networking.istio.io/exportTo&rdquo; to a comma-separated list
 of namespace names.</p>
 
+<p>NOTE: in the current release, the <code>exportTo</code> value is restricted to
+&ldquo;.&rdquo; or &ldquo;*&rdquo; (i.e., the current namespace or all namespaces).</p>
+
 </td>
 </tr>
 <tr id="ServiceEntry-subject_alt_names">
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 0964ead507..13510f3c3e 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -135,7 +135,7 @@ import "networking/v1alpha3/gateway.proto";
 // The following example demonstrates the use of a dedicated egress gateway
 // through which all external service traffic is forwarded.
 // The 'exportTo' field allows for control over the visibility of a service
-// declaration to other namespaces in the mesh. By default a service is exported
+// declaration to other namespaces in the mesh. By default, a service is exported
 // to all namespaces. The following example restricts the visibility to the
 // current namespace, represented by ".", so that it cannot be used by other
 // namespaces.
@@ -196,7 +196,7 @@ import "networking/v1alpha3/gateway.proto";
 //   hosts:
 //   - httpbin.com
 //   exportTo:
-//   - *
+//   - "*"
 //   gateways:
 //   - mesh
 //   - istio-egressgateway
@@ -475,7 +475,7 @@ message ServiceEntry {
   repeated Endpoint endpoints = 6;
 
   // A list of namespaces to which this service is exported. Exporting a service
-  // allows it to used by sidecars, gateways and virtual services defined in
+  // allows it to be used by sidecars, gateways and virtual services defined in
   // other namespaces. This feature provides a mechanism for service owners
   // and mesh administrators to control the visibility of services across
   // namespace boundaries.
@@ -484,12 +484,15 @@ message ServiceEntry {
   // namespaces by default.
   //
   // The value "." is reserved and defines an export to the same namespace that
-  // the service is declared in, similarly the value "*" is reserved and
+  // the service is declared in. Similarly the value "*" is reserved and
   // defines an export to all namespaces.
   //
-  // For a Kubernetes Service the equivalent effect can be achieved by setting
+  // For a Kubernetes Service, the equivalent effect can be achieved by setting
   // the annotation "networking.istio.io/exportTo" to a comma-separated list
   // of namespace names.
+  //
+  // NOTE: in the current release, the `exportTo` value is restricted to
+  // "." or "*" (i.e., the current namespace or all namespaces).
   repeated string export_to = 7;
 
   // The list of subject alternate names allowed for workloads that
diff --git a/networking/v1alpha3/virtual_service.pb.go b/networking/v1alpha3/virtual_service.pb.go
index 5426007e36..e8dbbba0fb 100644
--- a/networking/v1alpha3/virtual_service.pb.go
+++ b/networking/v1alpha3/virtual_service.pb.go
@@ -170,7 +170,7 @@ type VirtualService struct {
 	// matching an incoming request is used.
 	Tcp []*TCPRoute `protobuf:"bytes,4,rep,name=tcp,proto3" json:"tcp,omitempty"`
 	// A list of namespaces to which this virtual service is exported. Exporting a
-	// virtual service allows it to used by sidecars and gateways defined in
+	// virtual service allows it to be used by sidecars and gateways defined in
 	// other namespaces. This feature provides a mechanism for service owners
 	// and mesh administrators to control the visibility of virtual services
 	// across namespace boundaries.
@@ -179,8 +179,11 @@ type VirtualService struct {
 	// namespaces by default.
 	//
 	// The value "." is reserved and defines an export to the same namespace that
-	// the virtual service is declared in, similarly the value "*" is reserved and
+	// the virtual service is declared in. Similarly the value "*" is reserved and
 	// defines an export to all namespaces.
+	//
+	// NOTE: in the current release, the `exportTo` value is restricted to
+	// "." or "*" (i.e., the current namespace or all namespaces).
 	ExportTo             []string `protobuf:"bytes,6,rep,name=export_to,json=exportTo,proto3" json:"export_to,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
diff --git a/networking/v1alpha3/virtual_service.pb.html b/networking/v1alpha3/virtual_service.pb.html
index c70eea2f09..ccb2621298 100644
--- a/networking/v1alpha3/virtual_service.pb.html
+++ b/networking/v1alpha3/virtual_service.pb.html
@@ -1740,7 +1740,7 @@ <h2 id="VirtualService">VirtualService</h2>
 <td><code>string[]</code></td>
 <td>
 <p>A list of namespaces to which this virtual service is exported. Exporting a
-virtual service allows it to used by sidecars and gateways defined in
+virtual service allows it to be used by sidecars and gateways defined in
 other namespaces. This feature provides a mechanism for service owners
 and mesh administrators to control the visibility of virtual services
 across namespace boundaries.</p>
@@ -1749,9 +1749,12 @@ <h2 id="VirtualService">VirtualService</h2>
 namespaces by default.</p>
 
 <p>The value &ldquo;.&rdquo; is reserved and defines an export to the same namespace that
-the virtual service is declared in, similarly the value &ldquo;*&rdquo; is reserved and
+the virtual service is declared in. Similarly the value &ldquo;*&rdquo; is reserved and
 defines an export to all namespaces.</p>
 
+<p>NOTE: in the current release, the <code>exportTo</code> value is restricted to
+&ldquo;.&rdquo; or &ldquo;*&rdquo; (i.e., the current namespace or all namespaces).</p>
+
 </td>
 </tr>
 </tbody>
diff --git a/networking/v1alpha3/virtual_service.proto b/networking/v1alpha3/virtual_service.proto
index 823adc02ba..a05b190e76 100644
--- a/networking/v1alpha3/virtual_service.proto
+++ b/networking/v1alpha3/virtual_service.proto
@@ -176,7 +176,7 @@ message VirtualService {
   repeated TCPRoute tcp = 4;
 
   // A list of namespaces to which this virtual service is exported. Exporting a
-  // virtual service allows it to used by sidecars and gateways defined in
+  // virtual service allows it to be used by sidecars and gateways defined in
   // other namespaces. This feature provides a mechanism for service owners
   // and mesh administrators to control the visibility of virtual services
   // across namespace boundaries.
@@ -185,8 +185,11 @@ message VirtualService {
   // namespaces by default.
   //
   // The value "." is reserved and defines an export to the same namespace that
-  // the virtual service is declared in, similarly the value "*" is reserved and
+  // the virtual service is declared in. Similarly the value "*" is reserved and
   // defines an export to all namespaces.
+  //
+  // NOTE: in the current release, the `exportTo` value is restricted to
+  // "." or "*" (i.e., the current namespace or all namespaces).
   repeated string export_to = 6;
 }