How to exclude namespaces from creation of configmap with root certificate?

The istiod-service-account is not allowed (and won’t be allowed) to modify a specific namespace (abc-system).
Because of that the pod istiod-... (under istio-systems) prints this log entry twice a second:

2021-01-29T13:18:10.686659Z     info    Work item handle failed (error when creating configmap istio-ca-root-cert: configmaps is forbidden: 
User "system:serviceaccount:istio-system:istiod-service-account" cannot create resource "configmaps" in API group "" in the namespace "abc-system": 
["You're not allowed to create/update/delete/exec on namespaced resources in kube-system and abc-system"]), retry after delay 1s

How can Istio be configured to avoid this issue?