[Feature Request/Question] Ability to configure a custom ServiceAccount for PrefectWorkPool worker pods #243

@dopic

Description

I am using the Prefect Operator to manage my Prefect infrastructure on Kubernetes through a GitOps workflow (ArgoCD).

When applying a PrefectWorkPool resource, the operator successfully reconciles and creates a worker Deployment/Pod. However, the resulting pod is always assigned the default ServiceAccount of the namespace. Because the default ServiceAccount lacks the necessary RBAC permissions to list or manage pods and jobs at the cluster or namespace scope, the worker fails to operate correctly.

I have inspected the PrefectWorkPool CustomResourceDefinition (v1) and could not find a field (such as serviceAccountName or workerServiceAccountName) to specify a custom identity for the worker deployment.

Manually patching the deployment or granting broad administrative permissions to the namespace's default ServiceAccount is not a secure or scalable solution for automated environments.

Error Logs

The worker pod reports the following error:

19:49:43.462 | ERROR | kopf._cogs.clients.watching - Request attempt #8/9 failed; will retry: 
GET https://kubernetes.default.svc/api/v1/pods -> 
APIForbiddenError('pods is forbidden: User "system:serviceaccount:my-system:default" 
cannot list resource "pods" in API group "" at the cluster scope', ...)

Manifest Example

This is the manifest I am currently using:

apiVersion: prefect.io/v1
kind: PrefectWorkPool
metadata:
  name: workpool
  namespace: my-system
spec:
  type: kubernetes
  workers: 1
  image: <my-image>:latest
  server:
    name: prefect-server
    namespace: prefect-system
  settings:
    - name: PREFECT_API_URL
      value: http://prefect-server.prefect-system.svc.cluster.local:4200/api

Questions

  1. Is there an undocumented way to specify the serviceAccountName for the worker pods within the PrefectWorkPool spec?
  2. If not, is it the intended design for workers to rely exclusively on the default ServiceAccount?
  3. Are there plans to add a serviceAccountName field to the PrefectWorkPool spec to support the principle of least privilege?

Environment Info

  • Prefect Operator Version: 0.13.1
  • Kubernetes Version: 1.34
  • Deployment Method: ArgoCD / GitOps
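A small check for the RBAC gap the error log above shows, added here as an example and not code from the issue or from the Prefect Operator: it parses the API server's Forbidden message into (subject, verb, resource, group, scope) and evaluates it against a candidate rule set, modelling that a namespaced Role (or a ClusterRole bound with a RoleBinding) can never satisfy a cluster-scope list such as the quoted GET /api/v1/pods. The WORKER_ROLE_RULES and POD_WATCH_CLUSTER_RULES below are my own assumed minimal rules, not Prefect's documented ones.

```python
import re

# Constructed sample: the denial quoted in the issue, reflowed onto one line.
SAMPLE_LOG = (
    '19:49:43.462 | ERROR | kopf._cogs.clients.watching - Request attempt #8/9 failed; '
    'will retry: GET https://kubernetes.default.svc/api/v1/pods -> '
    'APIForbiddenError(\'pods is forbidden: User "system:serviceaccount:my-system:default" '
    'cannot list resource "pods" in API group "" at the cluster scope\', ...)'
)

# Matches the API server's standard Forbidden message for both scopes.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Assumed minimal rules for a worker that creates Jobs and watches their pods in its
# own namespace (illustrative assumption, not Prefect's documented role).
WORKER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get", "list", "watch", "delete"]},
]
# Narrowest ClusterRole (bound via ClusterRoleBinding) that covers the quoted cluster-wide pod list.
POD_WATCH_CLUSTER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]},
]

def parse_forbidden(line):
    """Extract subject, verb, resource, API group and scope from a Forbidden log line."""
    m = FORBIDDEN_RE.search(line)
    if not m:
        return None
    req = m.groupdict()
    req["cluster_scope"] = req["namespace"] is None
    return req

def rule_allows(rule, req):
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule.get("apiGroups", [""]), req["group"])
            and hit(rule["resources"], req["resource"])
            and hit(rule["verbs"], req["verb"]))

def rbac_allows(req, role_rules, role_namespace, cluster_role_rules=()):
    """Model the RBAC decision: rules bound by a ClusterRoleBinding apply at any scope;
    rules bound by a RoleBinding apply only to namespaced requests in that namespace."""
    if any(rule_allows(r, req) for r in cluster_role_rules):
        return True
    if req["cluster_scope"] or req["namespace"] != role_namespace:
        return False
    return any(rule_allows(r, req) for r in role_rules)
```

Running the quoted line through rbac_allows with only the namespaced rules returns False, which is the practical caveat: a dedicated ServiceAccount still needs a narrow ClusterRole if the worker really issues cluster-scope list/watch calls.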
