diff --git a/apps/system/grafana/templates/kubegraf-clusterrole.yaml b/apps/system/grafana/templates/kubegraf-clusterrole.yaml
new file mode 100644
index 0000000..3b0f508
--- /dev/null
+++ b/apps/system/grafana/templates/kubegraf-clusterrole.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: grafana-kubegraf
+rules:
+  - apiGroups: [""]
+    resources:
+      - namespaces
+      - pods
+      - services
+      - componentstatuses
+      - nodes
+      - events
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+      - cronjobs
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources:
+      - deployments
+      - daemonsets
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources:
+      - statefulsets
+      - deployments
+      - daemonsets
+    verbs: ["get", "list", "watch"]
diff --git a/apps/system/grafana/templates/kubegraf-clusterrolebinding.yaml b/apps/system/grafana/templates/kubegraf-clusterrolebinding.yaml
new file mode 100644
index 0000000..965f694
--- /dev/null
+++ b/apps/system/grafana/templates/kubegraf-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grafana-kubegraf
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: grafana-kubegraf
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: grafana-kubegraf
+  - kind: ServiceAccount
+    name: grafana-kubegraf
+    namespace: grafana
diff --git a/apps/system/grafana/templates/kubegraf-secret.yaml b/apps/system/grafana/templates/kubegraf-secret.yaml
new file mode 100644
index 0000000..7f73e15
--- /dev/null
+++ b/apps/system/grafana/templates/kubegraf-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-kubegraf-secret
+  annotations:
+    kubernetes.io/service-account.name: grafana-kubegraf
+type: kubernetes.io/service-account-token
diff --git a/apps/system/grafana/templates/kubegraf-serviceaccount.yaml b/apps/system/grafana/templates/kubegraf-serviceaccount.yaml
new file mode 100644
index 0000000..3d54106
--- /dev/null
+++ b/apps/system/grafana/templates/kubegraf-serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-kubegraf
+secrets:
+  - name: grafana-kubegraf-secret
diff --git a/apps/system/grafana/values.yaml b/apps/system/grafana/values.yaml
index 11114ca..fe796fd 100644
--- a/apps/system/grafana/values.yaml
+++ b/apps/system/grafana/values.yaml
@@ -34,6 +34,9 @@ grafana:
     requests:
       cpu: 50m
       memory: 128Mi
+  plugins:
+  # see also https://github.com/devopsprodigy/kubegraf#installation
+  - devopsprodigy-kubegraf-app
   grafana.ini:
     server:
       root_url: https://grafana.gorilych.ru