Kubernetes RBAC required for istioctl commands

Istioctl has a lot of useful features to end-users of istio, like being able to run “istioctl dashboard kiali” or “istioctl analyze”. I would like to be able to developers running their services on a shared Kubernetes cluster to be able to run some of those commands.

However, those commands require some permissions beyond the “viewer” role, since they have to exec into some pods, port-forward, etc.

Does anyone know if there are documented RBAC permissions required to execute those commands? Ideally there would be a ClusterRole like istioctl-config-viewer which would specify the permissions needed to run commands like “analyze”, but not commands like “istioctl operator remove”.

Or if they’re not documented, has anyone figured out what permissions are needed and hacked up something themselves?