Istioctl is failing due to insufficient privileges

We’re running Istio on a self-managed k8s cluster and a user of a team wanted to try istioctl like this:

istioctl --context dev -i core-istio -n dev-aimistio authn tls-check service0-5866cd8599-5dh4p

but is facing:

Error: error execing into istio-pilot-6f4484bb6-2rsqs/core-istio discovery container: pods "istio-pilot-6f4484bb6-2rsqs" is forbidden: User "oidc:079e7f66-9ed2-435c-a048-147bf7ef1f68" cannot create resource "pods/exec" in API group "" in the namespace "core-istio"

  1. why is it required to have pods/exec for using istioctl?
  2. extending the ClusterRole like that would be a solution:

- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

thx in advance
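
The rule proposed in the post, scoped to the single namespace named in the error instead of a ClusterRole, as an added example that is not part of the original post. The object name `istioctl-pilot-exec` is hypothetical; the namespace and user are taken from the error message.

```yaml
# Added example, not from the original post. The object name
# "istioctl-pilot-exec" is hypothetical; the namespace and user are the
# ones shown in the error message above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istioctl-pilot-exec
  namespace: core-istio
rules:
  # Same rule as in the post. "create" on pods/exec lets the subject run
  # commands in every container of every pod in this namespace, so a
  # namespaced Role keeps that ability out of all other namespaces.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istioctl-pilot-exec
  namespace: core-istio
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: "oidc:079e7f66-9ed2-435c-a048-147bf7ef1f68"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istioctl-pilot-exec
```

An administrator with impersonation rights can confirm the result with `kubectl auth can-i create pods --subresource=exec -n core-istio --as "oidc:079e7f66-9ed2-435c-a048-147bf7ef1f68"`. Running the same check against another namespace shows whether some other binding already grants exec there.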