As part of the multitenancy work, we need to solve the issue of Pilot currently requiring privileges to read nodes, which are a cluster-scoped resource.

Currently, Pilot requires this only to determine pod locality (it gets the node the pod is running on, then retrieves two of its labels (region and zone).

If it can't get the node for any reason, it only logs a warning, but continues operating.

See https://github.com/istio/istio/blob/ee61f6e815dd34d6e85a56c695e48b480ee2522e/pilot/pkg/serviceregistry/kube/controller.go#L307-L324