Serhiy
10/13/2025, 5:22 PM
Marvin
10/13/2025, 5:22 PM
Marvin
10/13/2025, 5:27 PM
`prefect-worker.yaml` for both.
First, make sure AKS can pull from your ACR:
- Recommended: attach ACR to AKS so no secrets are needed (grants AcrPull to the kubelet identity)
- Or create a Kubernetes docker-registry secret in the `prefect` namespace and reference it
Example to create a pull secret (if you’re not using AKS-ACR integration):
```bash
kubectl create secret docker-registry acr-cred \
  --namespace prefect \
  --docker-server=<your-registry-name>.azurecr.io \
  --docker-username=<acr-username> \
  --docker-password=<acr-password> \
  --docker-email=<email>
```
1) Pull the worker image from ACR
Update the image fields and reference the pull secret (if you created one):
```yaml
image:
  # Your ACR image for the worker container
  repository: <your-registry-name>.azurecr.io/prefect/prefect
  tag: 3-python3.11
  pullPolicy: IfNotPresent

# Only needed if you’re NOT using AKS-ACR integration
imagePullSecrets:
  - name: acr-cred
```
2) Ensure flow-run jobs also pull from ACR
Kubernetes work pools use a “base job template” to define the pod spec for flow runs. You can set defaults for the job image and imagePullSecrets so all flow-run pods pull from ACR.
Option A: Set via Helm values (if you want the worker to create/update your work pool)
- Get the default template to start from:
```bash
prefect work-pool get-default-base-job-template --type kubernetes
```
- Paste it into your values and customize `image` and `pod.spec.imagePullSecrets`:
```yaml
workPool:
  create: true
  name: my-k8s-pool
  type: kubernetes
  # Base job template used for flow-run pods
  baseJobTemplate:
    image: <your-registry-name>.azurecr.io/your-team/flow-image:latest
    imagePullPolicy: IfNotPresent
    pod:
      spec:
        # Only needed if you’re NOT using AKS-ACR integration
        imagePullSecrets:
          - name: acr-cred
        # Optionally set a service account if you need specific RBAC
        # serviceAccountName: your-sa
```
Option B: Set per deployment (overrides the pool default)
When deploying your flows in Prefect 3.x, pass `job_variables` that set the image and pull secrets for the Kubernetes job:
```python
job_variables = {
    "image": "<your-registry-name>.azurecr.io/your-team/flow-image:2025.10.12",
    "imagePullPolicy": "IfNotPresent",
    "pod": {
        "spec": {
            "imagePullSecrets": [{"name": "acr-cred"}]
        }
    }
}
```
Notes
- If you use AKS “attach ACR” or otherwise grant AcrPull to your nodes/MI, you do not need to configure `imagePullSecrets` at all—just point to your ACR images.
- If you’re pushing a custom worker image (for plugins/extras), publish that to ACR and set it under `image.repository` and `image.tag` in your values.
Relevant docs
- Deploy a worker on Kubernetes with Helm (Prefect 3.x): Prefect docs: Kubernetes worker via Helm
- Get default Kubernetes work pool base job template: run `prefect work-pool get-default-base-job-template --type kubernetes`
If you can share whether you want just the worker image pulled from ACR or also all flow-run job images, I can tailor the exact `prefect-worker.yaml` for your setup.
Serhiy
10/14/2025, 1:51 PM