PR #3167 introduced a TAP APIService, authorized via RBAC. Aside from cluster-admins, tapping resources now requires new explicit RBAC privileges. Consider introducing a ClusterRole to give users tap privileges. Context: https://github.com/linkerd/linkerd2/pull/3167#pullrequestreview-269306856
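
One shape the suggested ClusterRole could take, as an added example that is not taken from PR #3167 or the Linkerd project's manifests. It assumes the tap APIService serves the `tap.linkerd.io` API group and authorizes requests with the `watch` verb; the role name, namespace and user are hypothetical.

```yaml
# Added example, not the project's own manifest.
# Assumption: tap is served under the tap.linkerd.io API group and
# authorized with the "watch" verb.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tap-viewer                  # hypothetical name
rules:
- apiGroups: ["tap.linkerd.io"]     # tap only; no access to core resources
  resources: ["*"]                  # every kind under this one API group
  verbs: ["watch"]                  # no create/update/delete
---
# A RoleBinding (rather than a ClusterRoleBinding) limits the grant to a
# single namespace, so the user cannot tap workloads anywhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tap-viewer-alice            # hypothetical name
  namespace: emojivoto              # hypothetical namespace
subjects:
- kind: User
  name: alice@example.com           # hypothetical user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: tap-viewer
  apiGroup: rbac.authorization.k8s.io
```

Under the same assumptions, `kubectl auth can-i watch deployments.tap.linkerd.io -n emojivoto --as alice@example.com` should answer `yes` once the binding is applied, and `no` for any other namespace.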