Create a service account and generate a kubeconfig file for it - this will also set the default namespace for the service account, and RBAC

kubernetes_add_service_account_kubeconfig.sh

#!/bin/bash -e

# NOTE: CHANGE THE S3_PREFIX!!!
# Add user to k8s 1.6+ using service account, RBAC for jobs and extensions only
if [[ -z "$1" ]] || [[ -z "$2" ]];then
 echo "usage: $0 <service-account> <namespace (stg|prod)>"
 exit 1
fi

SERVICE_ACCOUNT_NAME=$1
NAMESPACE=$2
KUBECFG_FILE_NAME="/tmp/k8s-${SERVICE_ACCOUNT_NAME}-conf"
CA_FILE_LOCATION="/tmp/ca.crt"

S3_PREFIX="s3://EXAMPLE_BUCKET/certs-and-keys/k8s-cluster"

echo "Creating a service account: ${SERVICE_ACCOUNT_NAME}"
kubectl create sa "${SERVICE_ACCOUNT_NAME}" -n ${NAMESPACE}


echo "Adding RBAC for Jobs for service account ${SERVICE_ACCOUNT_NAME}"
cat <<EOF | kubectl create -f -
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ${SERVICE_ACCOUNT_NAME}-role
  namespace: ${NAMESPACE}
rules:
- apiGroups: ["", "extensions", "jobs"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ${SERVICE_ACCOUNT_NAME}-binding
  namespace: ${NAMESPACE}
subjects:
- kind: ServiceAccount
  name: ${SERVICE_ACCOUNT_NAME}
  namespace: ${NAMESPACE}
roleRef:
  kind: Role
  name: ${SERVICE_ACCOUNT_NAME}-role
  apiGroup: rbac.authorization.k8s.io
EOF

echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME}"
SECRET=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" -n ${NAMESPACE} -o json | jq -r .secrets[].name)
echo "secret = ${SECRET}"

echo -e "\\nExtracting ca.crt from secret"
kubectl get secret \
"${SECRET}" -n ${NAMESPACE} -o json | jq -r '.data["ca.crt"]' | base64 -D > "${CA_FILE_LOCATION}"

echo -e "\\nGetting user token"
USER_TOKEN=$(kubectl get secret "${SECRET}" -n ${NAMESPACE} -o json | jq -r '.data["token"]' | base64 -D)

CONTEXT_NAME=$(kubectl config current-context)
echo -e "\\nSetting current context to: $CONTEXT_NAME"

CLUSTER_NAME=$(kubectl config view -o jsonpath="{.contexts[?(@.name==\"${CONTEXT_NAME}\")].context.cluster}")
echo "cluster_name: ${CLUSTER_NAME}"

ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
echo "endpoint: ${ENDPOINT}"

# Set up the config
echo -e "\\nPreparing ${KUBECFG_FILE_NAME}"
echo "Setting a cluster entry in kubeconfig"

# $KUBECONFIG environment variable sets the config in file path
KUBECONFIG="${KUBECFG_FILE_NAME}" kubectl config set-cluster "${CLUSTER_NAME}" \
--embed-certs=true \
--server="${ENDPOINT}" \
--certificate-authority="${CA_FILE_LOCATION}"

echo "Setting a user entry in kubeconfig"
KUBECONFIG="${KUBECFG_FILE_NAME}" kubectl config \
set-credentials "${SERVICE_ACCOUNT_NAME}"-"${CLUSTER_NAME#cluster-}" \
--token="${USER_TOKEN}"

echo "Setting a context entry in kubeconfig"
KUBECONFIG="${KUBECFG_FILE_NAME}" kubectl config \
set-context "${SERVICE_ACCOUNT_NAME}"-"${CLUSTER_NAME#cluster-}" \
--cluster="${CLUSTER_NAME}" \
--user="${SERVICE_ACCOUNT_NAME}"-"${CLUSTER_NAME#cluster-}" \
--namespace="${NAMESPACE}"

echo "Setting the current-context in the kubeconfig file"
KUBECONFIG=${KUBECFG_FILE_NAME} kubectl config \
use-context "${SERVICE_ACCOUNT_NAME}"-"${CLUSTER_NAME#cluster-}"


S3_LOCATION="${S3_PREFIX}/${CLUSTER_NAME}-${SERVICE_ACCOUNT_NAME}-service-account-kubecfg"
echo "Uploading ${KUBECFG_FILE_NAME} to ${S3_LOCATION}"
aws s3 cp "${KUBECFG_FILE_NAME}" "${S3_LOCATION}"

echo "done! Test with: "
echo "aws s3 cp \"${S3_LOCATION}\" \"${KUBECFG_FILE_NAME}\""
echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get jobs"

Ref for original so0k/8fad3b1639b3d70cd841703fda67f16b/revisions

We use these service accounts for automated external (to kubernetes) job triggers.

I updated the script
https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708