diff --git a/fixtures/ci-teleport-rbac/README.md b/fixtures/ci-teleport-rbac/README.md
new file mode 100644
index 0000000000000..3ca1c294e800b
--- /dev/null
+++ b/fixtures/ci-teleport-rbac/README.md
@@ -0,0 +1,25 @@
+## Generating a ServiceAccount to use for Teleport integration tests
+
+This should be done on a 'clean' k8s cluster i.e. one that doesn't already have Teleport installed for
+Kubernetes forwarding (and doesn't require it), as we delete the default Teleport `ClusterRole` and
+`ClusterRoleBinding` for security.
+
+```
+# Check out the Teleport repo and change dir to it
+git clone https://github.com/gravitational/teleport
+cd teleport
+
+# generate a ServiceAccount using the get-kubeconfig script
+TELEPORT_NAMESPACE="ci-teleport" examples/k8s-auth/get-kubeconfig.sh
+
+# copy the generated kubeconfig, then add it to CI as a secret (out of band)
+mv kubeconfig INTEGRATION_CI_KUBECONFIG
+
+# add the additional required RBAC fixtures
+kubectl create -f fixtures/ci-teleport-rbac/ci-teleport.yaml
+
+# remove the additional teleport permissions that were added by the get-kubeconfig script
+# (as these are not needed for CI, we can remove them for greater security)
+kubectl delete clusterrole/teleport-role
+kubectl delete clusterrolebinding/teleport-crb
+```
\ No newline at end of file
diff --git a/fixtures/ci-teleport-rbac/ci-teleport.yaml b/fixtures/ci-teleport-rbac/ci-teleport.yaml
index 25311d978079f..6d0825c5f46ff 100644
--- a/fixtures/ci-teleport-rbac/ci-teleport.yaml
+++ b/fixtures/ci-teleport-rbac/ci-teleport.yaml
@@ -1,4 +1,10 @@
 # defines the permissions needed for Teleport k8s integration tests to run in a cluster
+# namespace for teleport tests
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: teletest
+---
 # clusterrole granting overarching privileges
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole