Posted to user@guacamole.apache.org by David Dean <ju...@yahoo.co.uk.INVALID> on 2023/03/11 22:20:21 UTC

What ClusterRole permissions does Guacamole need to "exec" in Kubernetes?

Hi -
I'm using Apache Guacamole in a Kubernetes cluster to give users "console" access to a container via a web browser.
This avoids having to give kubectl access to my users to "exec" onto the container.
It works great, but I don't like having to use my personal client certificate and client key in the connection settings as anyone could retrieve them from the Guacamole UI.
Instead I want to create a dedicated service account, but I don't know what permissions are needed.
Does anyone know what ClusterRoles are needed for Guacamole to "exec" onto a container?
Also, has anyone managed to automate the process so the client certificate and key are automatically added to connection settings without having to add them manually?
I'm using Helm to install Guacamole.
Thanks, Dave