diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index d0b45f4..4c5255d 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -174,6 +174,7 @@ spec:
 app: guacd
 spec:
 containers:
+ serviceAccountName: guacd-exec
 - name: guacd
 image: guacamole/guacd:latest
 ports:
@@ -388,3 +389,38 @@ metadata:
 namespace: guacamole
 spec:
 itemPath: vaults/IAmWorkin/items/Guacamole
+---
+# RBAC for guacd K8s exec protocol
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: guacd-exec
+ namespace: guacamole
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: guacd-pod-exec
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: guacd-pod-exec
+subjects:
+ - kind: ServiceAccount
+ name: guacd-exec
+ namespace: guacamole
+roleRef:
+ kind: ClusterRole
+ name: guacd-pod-exec
+ apiGroup: rbac.authorization.k8s.io
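Review bot: In the first hunk the added `serviceAccountName: guacd-exec` sits between `containers:` and its first item `- name: guacd`, so `containers:` is no longer directly followed by its list. `serviceAccountName` is a pod-spec field and a sibling of `containers`. The indentation is not recoverable from this page, but in that position the manifest most likely either fails to parse or leaves the pod without the intended account. Move the line one up so the new side reads `serviceAccountName: guacd-exec` and then `containers:`, both at the same indent. The pod spec begins and ends outside the hunk.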
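Review bot: In the second hunk the `ClusterRoleBinding` named `guacd-pod-exec` gives the `guacd-exec` account `create` on `pods/exec` in every namespace, which is much wider than a remote-access gateway needs. guacd parses untrusted protocol traffic, so a compromise of that pod would carry exec rights into every workload in the cluster, including ones that mount more privileged credentials. Keep the ClusterRole as a reusable rule set, but bind it with a `RoleBinding` in each namespace guacd is meant to reach, as sketched below. The `namespaces` `list` rule is cluster-scoped and has no effect through a RoleBinding, so if namespace discovery is required it needs its own minimal ClusterRole and binding. It is also worth alerting on `pods/exec` requests from this account in the API audit log.

```yaml
# … unchanged: ServiceAccount guacd-exec and ClusterRole guacd-pod-exec …
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: guacd-pod-exec
  namespace: TARGET_NAMESPACE  # placeholder: one binding per namespace guacd may exec into
subjects:
  - kind: ServiceAccount
    name: guacd-exec
    namespace: guacamole
roleRef:
  kind: ClusterRole
  name: guacd-pod-exec
  apiGroup: rbac.authorization.k8s.io
```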