# Permission assignment for the API

The following describes the steps to be followed to create a user with enough permissions to obtain the monitoring data.

1. Create a read "*Cluster role*" called "*api-read-only*": Create a role that grants the "*get*", "*list*" and "*watch*" permissions on all Kubernetes resources.

```
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: api-read-only
rules:
# Read-only verbs on every resource in every API group
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# Same verbs on non-resource URLs
- nonResourceURLs:
  - '*'
  verbs:
  - get
  - list
  - watch
EOF
```

2. Create a "*Cluster role binding*" called "*bind-api-read-only*": The previously created role will be bound to an existing "*service account*".

```
# --serviceaccount takes <namespace>:<service-account-name>
kubectl create clusterrolebinding bind-api-read-only \
  --clusterrole=api-read-only \
  --serviceaccount=namespace:user
```
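To confirm the binding from step 2 grants only the read verbs, the check below asks the API server what the service account may do. It is an added example, not part of the original procedure: the function names `can_i` and `check_read_only` are hypothetical, `namespace` and `user` are the placeholders used above, and the caller is assumed to be allowed to impersonate service accounts. Because the role uses `resources: '*'`, the account can also read Secrets, which the check reports.

```shell
# Added example: confirm what the bound service account can actually do.
# Assumes kubectl is configured and the caller may impersonate service accounts.

# can_i VERB RESOURCE SUBJECT -> prints "yes" or "no"
can_i() {
    answer=$(kubectl auth can-i "$1" "$2" --as="$3" 2>/dev/null || true)
    case "$answer" in
        yes*) echo yes ;;
        *)    echo no ;;
    esac
}

# check_read_only NAMESPACE SERVICEACCOUNT
# Returns 0 when get/list/watch are allowed and write verbs are denied.
check_read_only() {
    subject="system:serviceaccount:$1:$2"
    rc=0
    for verb in get list watch; do
        if [ "$(can_i "$verb" pods "$subject")" != yes ]; then
            echo "MISSING: $subject cannot $verb pods"; rc=1
        fi
    done
    for verb in create update patch delete; do
        if [ "$(can_i "$verb" pods "$subject")" = yes ]; then
            echo "EXCESS: $subject can $verb pods"; rc=1
        fi
    done
    # resources: '*' with get/list also covers Secrets
    if [ "$(can_i get secrets "$subject")" = yes ]; then
        echo "NOTE: $subject can read Secrets"
    fi
    return $rc
}

# Run as a script: sh check.sh namespace user
if [ "$#" -eq 2 ]; then check_read_only "$1" "$2"; fi
```

A `MISSING` line means the binding did not take effect for that account; an `EXCESS` line means some other role binding grants it write access.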