{% endraw %}

{% endhighlight %}

For production environments you should create a service account and/or role for Codefresh access.

The minimum permissions Codefresh needs to work with the cluster are the following:

{% highlight yaml %}

{% raw %}

kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1

metadata:

name: codefresh-role

rules:

- apiGroups:[“”]

resources:[“*”]

verbs:[“list”, “watch”, “get”]

{% endraw %}

{% endhighlight %}

Note that these permissions will only allow Codefresh to read the cluster resources and populate the respective dashboards. You need to give more privileges for actual deployments. For more information see the[Kubernetes RBAC documentation page](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

Here is an example with role + service account + binding.

{% highlight yaml %}

{% raw %}

kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1

metadata:

name: codefresh-role

rules:

- apiGroups:[ “*”]

resources:[“*”]

verbs:[“get”, “list”, “watch”, “create”, “update”, “patch”, “delete”]

—

apiVersion: v1

kind: ServiceAccount

metadata:

name: codefresh-user

namespace: kube-system

—

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

name: codefresh-user

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: ClusterRole

name: codefresh-role

subjects:

- kind: ServiceAccount

name: codefresh-user

namespace: kube-system

—

apiVersion: v1

kind: Secret

type: kubernetes.io/service-account-token

metadata:

name: codefresh-user-token

namespace: kube-system

annotations:

kubernetes.io/service-account.name: “codefresh-user”

{% endraw %}

{% endhighlight %}

Select the appropriate cluster if you have more than one:

{% highlight shell %}

{% raw %}

kubectl config use-context <my-cluster-name>

{% endraw %}

{% endhighlight %}

Create the Codefresh user/role:

{% highlight shell %}

{% raw %}

kubectl apply -f codefresh-role-sa-bind.yml

{% endraw %}

{% endhighlight %}

Finally run the following commands and copy-paste the result to each Codefresh field in the UI:

{% highlight shell %}

{% raw %}

export CURRENT_CONTEXT=$(kubectl config current-context) && export CURRENT_CLUSTER=$(kubectl config view -o go-template=“{{\$curr_context := \”$CURRENT_CONTEXT\” }}{{range .contexts}}{{if eq .name\$curr_context}}{{.context.cluster}}{{end}}{{end}}”) && echo $(kubectl config view -o go-template=“{{\$cluster_context := \”$CURRENT_CLUSTER\”}}{{range .clusters}}{{if eq .name\$cluster_context}}{{.cluster.server}}{{end}}{{end}}”)

{% endraw %}

{% endhighlight %}

{% highlight shell %}

{% raw %}

echo $(kubectl get secret -n kube-system -o go-template=‘{{index .data “ca.crt” }}’ codefresh-user-token)

{% endraw %}

{% endhighlight %}

{% highlight shell %}

{% raw %}

echo $(kubectl get secret -n kube-system -o go-template=‘{{index .data “token” }}’ codefresh-user-token)

{% endraw %}

{% endhighlight %}

In most cases, you want to allow Codefresh to access all namespaces inside the cluster. This is the most convenient option as it will make