diff --git a/operator/config/default/kustomization.yaml b/operator/config/default/kustomization.yaml
index 07b62e83..2f4c21b9 100644
--- a/operator/config/default/kustomization.yaml
+++ b/operator/config/default/kustomization.yaml
@@ -3,3 +3,5 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
+ - ./service_account.yaml
+ - ./rbac.yaml
\ No newline at end of file
diff --git a/operator/config/default/rbac.yaml b/operator/config/default/rbac.yaml
new file mode 100644
index 00000000..7d5816d1
--- /dev/null
+++ b/operator/config/default/rbac.yaml
@@ -0,0 +1,14 @@
+# Grant `system:auth-delegator` to the `default/pulumi` service account,
+# to enable Kubernetes RBAC for the Pulumi workspace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: default:pulumi:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator # permissions: TokenReview, SubjectAccessReview
+subjects:
+- kind: ServiceAccount
+ namespace: default
+ name: pulumi
diff --git a/operator/config/default/service_account.yaml b/operator/config/default/service_account.yaml
new file mode 100644
index 00000000..bfe777f5
--- /dev/null
+++ b/operator/config/default/service_account.yaml
@@ -0,0 +1,8 @@
+# A service account named `default/pulumi` for the Pulumi workspace (execution environment).
+# If your Pulumi program uses the Kubernetes resource provider, this service account will be used to
+# authenticate with the Kubernetes cluster.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: default
+ name: pulumi
\ No newline at end of file
diff --git a/operator/config/flux/network_policy.yaml b/operator/config/flux/network_policy.yaml
new file mode 100644
index 00000000..2c5d5143
--- /dev/null
+++ b/operator/config/flux/network_policy.yaml
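Review bot: Adding `./service_account.yaml` and `./rbac.yaml` to the default overlay means every install built from it creates a ServiceAccount in the `default` namespace plus a cluster-scoped ClusterRoleBinding for it, and nothing in the kustomization tells an installer that these are the workspace's identity rather than part of the operator's own deployment (which `../rbac` and `../manager` presumably cover). A one-line comment above the two entries would prevent surprises, e.g. `# Workspace (not operator) identity: SA default/pulumi and its auth-delegator binding.` The two added entries also appear one column deeper than the existing `- ../manager` in this view; that may be an artifact of how the diff was collapsed, but a YAML sequence must keep a single indent, so it is worth checking in the file. Both this file and the new service_account.yaml end without a trailing newline (`\ No newline at end of file`).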
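Review bot: The header comment `# to enable Kubernetes RBAC for the Pulumi workspace` does not say which process on the workspace side makes the TokenReview and SubjectAccessReview calls that `system:auth-delegator` permits, and the diff itself does not show the caller; that is exactly what a later reader needs in order to judge whether a cluster-wide binding is still warranted. Suggest expanding it to something like `# The workspace's <COMPONENT - fill in> authenticates callers by creating TokenReview and SubjectAccessReview objects; system:auth-delegator is the minimal ClusterRole for that and grants nothing else.` The inline comment on the `name: system:auth-delegator` line should be separated from the value by two spaces (`name: system:auth-delegator  # permissions: TokenReview, SubjectAccessReview`) to satisfy yamllint's comments rule.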
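Review bot: The comment `# If your Pulumi program uses the Kubernetes resource provider, this service account will be used to authenticate with the Kubernetes cluster.` reads as if the account is ready to manage cluster resources, but the only binding shipped with it (rbac.yaml in the same directory) is `system:auth-delegator`, which permits TokenReview and SubjectAccessReview and nothing else; a reader following this comment will hit permission errors and may be tempted to attach a broad binding. Suggest adding a sentence such as `# By default it holds only the system:auth-delegator binding from rbac.yaml; grant the program any further permissions explicitly, scoped to the namespaces and resource types it manages.` Minor: `metadata` here lists `namespace` before `name`, the reverse of the other manifests in this change.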
@@ -0,0 +1,26 @@
+# A network policy to allow Pulumi workspaces in the `default` namespace to
+# fetch Flux artifacts from the source-controller in the `flux-system` namespace.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-pulumi-fetch-flux-artifacts
+ namespace: flux-system
+spec:
+ podSelector:
+ matchLabels:
+ app: source-controller
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: http
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: default
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/managed-by: pulumi-kubernetes-operator
+ app.kubernetes.io/name: pulumi
+ app.kubernetes.io/component: workspace
+ policyTypes:
+ - Ingress
\ No newline at end of file
diff --git a/operator/e2e/testdata/git-auth-nonroot/manifests.yaml b/operator/e2e/testdata/git-auth-nonroot/manifests.yaml
index 848417f7..41448708 100644
--- a/operator/e2e/testdata/git-auth-nonroot/manifests.yaml
+++ b/operator/e2e/testdata/git-auth-nonroot/manifests.yaml
@@ -5,6 +5,25 @@ metadata:
 name: git-auth-nonroot
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: git-auth-nonroot
+ namespace: git-auth-nonroot
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: git-auth-nonroot:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: git-auth-nonroot
+ namespace: git-auth-nonroot
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: state
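Review bot: In the `from:` list, `- podSelector:` is a separate peer entry after `- namespaceSelector:`, so the two selectors are OR-ed: every pod in the `default` namespace may reach source-controller's `http` port, and separately any pod in `flux-system` (a `podSelector` without a `namespaceSelector` selects within the policy's own namespace) that carries the three workspace labels. The header comment says the intent is to admit only Pulumi workspaces in `default`, and the labels can only narrow the rule if both selectors sit in the same `from` element; indentation is collapsed in this view, but the leading `-` on `podSelector` is unambiguous. Replace `- podSelector:` with `podSelector:` aligned to the same column as `namespaceSelector:` (its `matchLabels` block moves with it) so the item reads namespace AND pod selector. The pre-existing policy in operator/e2e/testdata/random-yaml-nonroot/manifests.yaml has the same shape (context line `- podSelector:` in its `@@ -17,6 +18,8 @@` hunk), so the two labels added there do not restrict anything either.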
@@ -24,26 +43,6 @@ metadata:
 stringData:
 accessToken: $PULUMI_BOT_TOKEN
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: git-auth-nonroot
- namespace: git-auth-nonroot
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: git-auth-nonroot:system:auth-delegator
- namespace: git-auth-nonroot
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
- name: git-auth-nonroot
- namespace: git-auth-nonroot
----
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:
diff --git a/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml b/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml
index 8c79d0ba..0b0db66f 100644
--- a/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml
+++ b/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -17,6 +18,8 @@ spec:
 kubernetes.io/metadata.name: random-yaml-nonroot
 - podSelector:
 matchLabels:
+ app.kubernetes.io/managed-by: pulumi-kubernetes-operator
+ app.kubernetes.io/name: pulumi
 app.kubernetes.io/component: workspace
 policyTypes:
 - Ingress
@@ -27,6 +30,25 @@ metadata:
 name: random-yaml-nonroot
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: random-yaml-nonroot
+ namespace: random-yaml-nonroot
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: random-yaml-nonroot:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: random-yaml-nonroot
+ namespace: random-yaml-nonroot
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: state
@@ -50,26 +72,6 @@ spec:
 timeout: 60s
 url: https://github.com/pulumi/examples
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: random-yaml-nonroot
- namespace: random-yaml-nonroot
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: random-yaml-nonroot:system:auth-delegator
- namespace: random-yaml-nonroot
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
- name: random-yaml-nonroot
- namespace: random-yaml-nonroot
----
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:
diff --git a/operator/examples/random-yaml/stack.yaml b/operator/examples/random-yaml/stack.yaml
index b4a15399..b3e1d2ad 100644
--- a/operator/examples/random-yaml/stack.yaml
+++ b/operator/examples/random-yaml/stack.yaml
@@ -1,7 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: random-yaml
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: random-yaml:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: random-yaml
+ namespace: default
+---
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:
 name: random-yaml
+ namespace: default
 spec:
 fluxSource:
 sourceRef:
@@ -24,5 +44,6 @@ spec:
 key: accessToken
 workspaceTemplate:
 spec:
+ serviceAccountName: random-yaml
 image: pulumi/pulumi:3.134.1-nonroot
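Review bot: The new ClusterRoleBinding in the `@@ -1,7 +1,27 @@` hunk is cluster-scoped but named `random-yaml:system:auth-delegator` from the ServiceAccount name alone, so a second Stack called `random-yaml` in another namespace, copied from this example, would collide with (and on apply, overwrite the subjects of) the same binding. The binding shipped in operator/config/default/rbac.yaml includes the namespace in its name (`default:pulumi:system:auth-delegator`), which avoids that; suggest `name: default:random-yaml:system:auth-delegator` here to follow the same convention. The e2e testdata bindings use the namespace-less pattern too, though there the namespace happens to equal the name. The `workspaceTemplate.spec` block in the second hunk runs past the end of this view.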