The sidecar injector can't create the MutatingWebhookConfiguration:

sidecar-injector.istio.io mutatingwebhookconfiguration update failed: mutatingwebhookconfigurations.admissionregistration.k8s.io "sidecar-injector.istio.io" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>

We have a RoleBinding that allows updating deployment/finalizers only in istio-system namespace, but we need a ClusterRoleBinding, so that it can set finalizers at the cluster scope (this is required because MutatingWebhookConfigurations aren't namespaced)