diff --git a/k8s/init/genconfig.sh b/k8s/init/genconfig.sh
new file mode 100644
index 00000000..59525a03
--- /dev/null
+++ b/k8s/init/genconfig.sh
@@ -0,0 +1,46 @@
+# The script returns a kubeconfig for the ServiceAccount given
+# you need to have kubectl on PATH with the context set to the cluster you want to create the config for
+
+# Cosmetics for the created config
+clusterName='kubernetes'
+# your server address goes here get it via `kubectl cluster-info`
+server='https://192.168.0.119:6443'
+# the Namespace and ServiceAccount name that is used for the config
+namespace='coal'
+serviceAccount='ci'
+
+# The following automation does not work from Kubernetes 1.24 and up.
+# You might need to
+# define a Secret, reference the ServiceAccount there and set the secretName by hand!
+# See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount for details
+secretName=ci
+
+######################
+# actual script starts
+set -o errexit
+
+
+ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
+token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)
+
+echo "
+---
+apiVersion: v1
+kind: Config
+clusters:
+ - name: ${clusterName}
+ cluster:
+ certificate-authority-data: ${ca}
+ server: ${server}
+contexts:
+ - name: ${serviceAccount}@${clusterName}
+ context:
+ cluster: ${clusterName}
+ namespace: ${namespace}
+ user: ${serviceAccount}
+users:
+ - name: ${serviceAccount}
+ user:
+ token: ${token}
+current-context: ${serviceAccount}@${clusterName}
+"
\ No newline at end of file
diff --git a/k8s/init/sa.yaml b/k8s/init/sa.yaml
new file mode 100644
index 00000000..347f5d11
--- /dev/null
+++ b/k8s/init/sa.yaml
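Review bot: In k8s/init/genconfig.sh the `token=$(kubectl … | base64 --decode)` assignment takes its exit status from `base64`, so with only `set -o errexit` a failing `kubectl` in that pipeline still yields a kubeconfig with an empty token. The same happens if the Secret exists but its `token` and `ca.crt` fields have not been populated yet. I would add a `#!/usr/bin/env bash` line (the file has no shebang), change the option line to `set -o errexit -o nounset -o pipefail`, and guard the output with `[ -n "$ca" ] && [ -n "$token" ] || { echo "secret $secretName has no ca.crt/token yet" >&2; exit 1; }`. The echoed document also carries a long-lived bearer token on stdout, so the header comment should tell the caller to redirect it into a file created under `umask 077` rather than into a terminal or CI log.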
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: coal
+ name: ci
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: coal
+ name: ci
+ annotations:
+ kubernetes.io/service-account.name: ci
+type: kubernetes.io/service-account-token
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ci-rb
+
+subjects:
+ - kind: ServiceAccount
+ name: ci
+ namespace: coal
+roleRef:
+ kind: ClusterRole
+ name: edit
+ apiGroup: rbac.authorization.k8s.io
+
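Review bot: The `ClusterRoleBinding` `ci-rb` in k8s/init/sa.yaml grants the `ci` ServiceAccount the `edit` ClusterRole in every namespace, although the account lives in `coal` and the kubeconfig produced by genconfig.sh sets `coal` as its default namespace. `edit` includes read access to Secrets and lets the holder run Pods under any ServiceAccount of a namespace, so bound cluster-wide the long-lived token defined in this same file can reach credentials in all namespaces, `kube-system` included. If CI only deploys into `coal`, I would change this to `kind: RoleBinding` and add `namespace: coal` under `metadata`, leaving the `roleRef` to ClusterRole `edit` as it is. A comment above the Secret stating that this token does not expire and is revoked by deleting the Secret would also help whoever has to rotate it.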