@rberrelleza
Last active July 11, 2019 20:29
Create service account, role, and bind it all together
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configurator-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - '*'   # every verb, including delete and watch; narrow this list if the account only needs a subset
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1   # same version as the ClusterRole above; v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  name: configurator-role-binding
  namespace: default   # stated explicitly so the grant does not depend on the namespace of the current kubectl context
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: configurator-role
subjects:
- kind: ServiceAccount
  name: my-account
  namespace: default
# Creates an account with a binding that allows the manipulation of configmaps and secrets in the "default" namespace.
# Because a RoleBinding (not a ClusterRoleBinding) references the ClusterRole, the permissions apply only in "default".
kubectl apply -f rbac.yaml
# Generate kubeconfig file
# Note: this reads the token Secret that Kubernetes auto-created for the service account. Clusters from 1.24 onwards
# no longer create one; there, create a Secret of type kubernetes.io/service-account-token annotated with the
# account name first (or use `kubectl create token my-account`), otherwise $name is empty and the lookups below fail.
server=$(kubectl config view --minify -ojsonpath='{.clusters[0].cluster.server}')
name=$(kubectl get sa my-account -ojsonpath='{.secrets[0].name}' --namespace=default)
# ca.crt is left base64-encoded on purpose: certificate-authority-data expects the encoded form
ca=$(kubectl get secret/"$name" -o jsonpath='{.data.ca\.crt}' --namespace=default)
token=$(kubectl get secret/"$name" -o jsonpath='{.data.token}' --namespace=default | base64 --decode)
namespace=$(kubectl get secret/"$name" -o jsonpath='{.data.namespace}' --namespace=default | base64 --decode)
echo "
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: ${namespace}
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
" > sa.kubeconfig
# sa.kubeconfig now contains a long-lived bearer token for the account: treat the file as a credential
# Test it
export KUBECONFIG=sa.kubeconfig
# printf rather than echo: bash's builtin echo does not expand \n, so the file would contain one line
printf 'a=1\nb=2\n' > test.properties
kubectl create configmap test --from-env-file=test.properties
kubectl get configmap test -oyaml
kubectl delete configmap test
# should fail with "forbidden": the role covers only configmaps and secrets in the core API group,
# and deployments live in the "apps" group (kubectl auth can-i get deployments shows the same answer without a request)
kubectl get deployments
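The "Test it" section proves the grant by creating and deleting real objects against a cluster. As an added example that is not part of the gist, the script below reproduces the decision offline: it transcribes the two RBAC objects from rbac.yaml as Python dicts (constructed input, so no cluster or YAML library is needed) and evaluates requests the way the RBAC authorizer does for one binding, which is why configmap operations in "default" pass, `kubectl get deployments` is forbidden, and the same token gets nothing in another namespace. The `Request` type, the function names and the check labels are this example's own, not Kubernetes API names.

```python
"""Offline check of what the manifests above grant.

Added example, not part of the gist. Modelled: ClusterRole, RoleBinding,
ClusterRoleBinding and ServiceAccount/User subjects. Not modelled: Role
objects, resourceNames, subresources, nonResourceURLs and Group subjects.
"""
from dataclasses import dataclass

# Transcribed from rbac.yaml (constructed input for this example).
CONFIGURATOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "configurator-role"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]}],
}
CONFIGURATOR_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "configurator-role-binding", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "configurator-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "my-account", "namespace": "default"}],
}
ROLES = {(r["kind"], r["metadata"]["name"]): r for r in [CONFIGURATOR_ROLE]}
BINDINGS = [CONFIGURATOR_BINDING]

# User name the API server derives from the gist's service account token.
MY_ACCOUNT = "system:serviceaccount:default:my-account"


@dataclass(frozen=True)
class Request:
    """One authorization question (type defined by this example)."""
    user: str        # "system:serviceaccount:<ns>:<name>" for a service account token
    verb: str        # get, list, watch, create, update, patch, delete, ...
    api_group: str   # "" for the core group (configmaps, secrets), "apps" for deployments
    resource: str
    namespace: str   # namespace of the object being accessed


def subject_matches(subject, user):
    """Map a binding subject to the user name the authorizer sees."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return user == subject["name"]
    return False  # Group subjects are not modelled here


def rule_matches(rule, req):
    """A PolicyRule matches when apiGroup, resource and verb each match or are '*'."""
    def hit(values, wanted):
        return wanted in values or "*" in values
    return (hit(rule.get("apiGroups", []), req.api_group)
            and hit(rule.get("resources", []), req.resource)
            and hit(rule.get("verbs", []), req.verb))


def binding_applies(binding, req):
    """A RoleBinding is scoped to its own namespace; a ClusterRoleBinding is not."""
    if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != req.namespace:
        return False
    return any(subject_matches(s, req.user) for s in binding["subjects"])


def allowed(req, roles=ROLES, bindings=BINDINGS):
    """RBAC is allow-only: the first binding+rule that matches grants, nothing ever denies."""
    for binding in bindings:
        if not binding_applies(binding, req):
            continue
        ref = binding["roleRef"]
        role = roles.get((ref["kind"], ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_matches(rule, req) for rule in role.get("rules", [])):
            return True
    return False


def gist_checks():
    """The checks the gist's 'Test it' section performs, plus the ones it implies."""
    return {
        "create configmap in default": allowed(Request(MY_ACCOUNT, "create", "", "configmaps", "default")),
        "delete secret in default": allowed(Request(MY_ACCOUNT, "delete", "", "secrets", "default")),
        "get deployments in default": allowed(Request(MY_ACCOUNT, "get", "apps", "deployments", "default")),
        "get secrets in kube-system": allowed(Request(MY_ACCOUNT, "get", "", "secrets", "kube-system")),
    }


if __name__ == "__main__":
    for check, ok in gist_checks().items():
        print(f"{'allowed' if ok else 'forbidden':9} {check}")
```

Swapping the RoleBinding for a ClusterRoleBinding to the same ClusterRole is the one-line change that turns this namespaced grant into cluster-wide access to every secret, which is the case worth testing before applying such a manifest.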