<@ULVA73B9P> can I configure prefect worker to onl...
# ask-marvin
b
@Marvin can I configure prefect worker to only look at jobs in a specific namespace to avoid errors like this in the logs at startup?
19:40:03.599 | ERROR   | kopf._cogs.clients.watching - Request attempt #1/9 failed; will retry: GET <https://kubernetes.default.svc/apis/batch/v1/jobs> -> APIForbiddenError('jobs.batch is forbidden: User "system:serviceaccount:prefect:default" cannot list resource "jobs" in API group "batch" at the cluster scope', {'kind': 'Status', 'apiVersion': 'v1', 'metadata': {}, 'status': 'Failure', 'message': 'jobs.batch is forbidden: User "system:serviceaccount:prefect:default" cannot list resource "jobs" in API group "batch" at the cluster scope', 'reason': 'Forbidden', 'details': {'group': 'batch', 'kind': 'jobs'}, 'code': 403})
m
thought for 864.4 seconds
Short answer: The log is coming from the Kubernetes observer that the Prefect Kubernetes worker uses (via Kopf). It tries a cluster-scoped list on Jobs at startup; if your ServiceAccount is namespace-scoped, the cluster-wide GET returns 403 and Kopf falls back to a namespaced watch. It’s noisy but harmless.

Can we make it namespaced-only to avoid the error? Today, I don’t see a documented Prefect setting that forces the observer to start in namespaced mode without attempting the cluster-wide list first. I looked for explicit settings/env vars in Prefect 3.x and the prefect-kubernetes package but didn’t find a public knob for this yet.

Your options right now:
- Keep namespace-scoped RBAC and ignore the one-time startup error. The worker will still function and watch Jobs in its namespace.
- Grant the worker’s ServiceAccount a ClusterRole with list/watch on batch/jobs to silence the error (but this widens permissions).
- If you’re using the Helm chart, ensure the worker runs with a namespace-scoped Role/RoleBinding; you’ll still see the initial 403 but the worker will operate correctly afterward.

Links:
- Kubernetes worker guide (Prefect 3.x)
- prefect-kubernetes integration overview

If you want me to dig deeper or file an enhancement request, can you share:
- Your Prefect version and prefect-kubernetes version
- How you’re running the worker (Helm vs. custom manifest)
- The namespace and RBAC shape you’re targeting (Role vs. ClusterRole)

With that, I can confirm whether a version-specific setting exists (or propose a concrete RBAC/Helm config) to avoid the startup error entirely.