Currently the plugin relies on legacy auth with client certs which requires users to give their service account the container.admin role. Ideally we should be using access tokens for auth which would remove this pre-req for the service account.