Runner serviceaccount in order to use AD workload identity

[cmergenthaler]

Hi all,

I am trying to switch from AAD pod identity to AD workload identity to enable authentication for specific azure resources on runner level without the need to store auth informations inside actions.
In order to make that work, runner pods need a custom serviceaccount that's linked with a federated identity. But when I try to add one to my RunnerDeployment, I get an error in the controller:
serviceaccount "basic-arc" not found

Seems like the controller has no access to the serviceaccount in other namespaces. Is there any way to solve this?

Here is my RunnerDeployment setup:

apiVersion: actions.summerwind.dev/v1alpha1
kind: RunnerDeployment
metadata:
  name: rd-debug-runner
  namespace: runner-ghec
spec:
  template:
    metadata:
      labels:
        azure.workload.identity/use: "true"
    spec:
      image: mycustomimage
      labels:
        - debug
      organization: my-org
      serviceAccountName: basic-arc

Thanks in advance

[cmergenthaler]

mistake was on my side