The Cluster Ingress Operator can't deploy a cluster-wide SMCP, because it doesn't have cluster-admin privileges.
The OSSM operator currently performs a SubjectAccessReview with the following resourceAttributes:
We should change this to only include the privileges that a cluster-wide istiod requires.
However, even after this change, the Cluster Ingress Operator may still not have all the required privileges, so we should first check what privileges it does have
(https://github.com/openshift/cluster-ingress-operator/blob/master/assets/router/cluster-role.yaml). https://github.com/openshift/cluster-ingress-operator/blob/8eb2c667fd31a67d52c4d0ea6c5f014a9fe2ce0d/manifests/00-cluster-role.yaml and https://github.com/openshift/cluster-ingress-operator/blob/8eb2c667fd31a67d52c4d0ea6c5f014a9fe2ce0d/manifests/01-role.yaml