Setting a proper Kapacitor read user

I want to set up my Kapacitor user properly - as a user with minimal DB privileges to execute my alerts.
The following user creates a Kapacitor error:
InfluxDB commands:

> CREATE USER "reader" WITH PASSWORD '111111'
> GRANT READ ON some_db TO reader

Kapacitor error:
run: open server: open service *influxdb.Service: failed to link subscription on startup: error authorizing query: reader not authorized to execute statement 'SHOW RETENTION POLICIES ON _internal'

I tried granting read / all permissions on _internal to the reader user - Kapacitor still doesn’t start.

Kapacitor starts successfully with an admin role. I want the alert user to have minimal privileges though, and prefer to avoid using admin.

What is this minimal set of privileges?
Thank you!

Can anyone help with a proper user management?