# ask-the-community

Lukas Bommes

03/13/2023, 9:58 AM
Hi, 🙂 I am trying to configure a private container registry. What worked for me was to add the imagePullSecret to the service account as described here: It works when I add the imagePullSecret to the project-specific service account. However, I want to use a global (flyte-wide) service account instead so that I do not have to patch the service account on the cluster for every new Flyte project. I tried using the --k8sServiceAccount parameter with flytectl register. However, it always preprends the project-specific service account. E.g. if I set '--k8sServiceAccount flyte-backend-flyte-binary', then Flyte reports ''[1/1] currentAttempt done. Last Error: USER::pods "apqwf5zfxrj8sbpnlhtv-n0-0" is forbidden: error looking up service account flyte-poc-development/flyte-backend-flyte-binary: serviceaccount "flyte-backend-flyte-binary" not found" i.e., Flyte preprends the project-specific service account to my custom servicer account and, consequently, cannot find it. Is there a way to get this done with --k8sServiceAccount? Or will I have to use custom pod templates?

Samhita Alla

03/14/2023, 4:52 AM
Hi @Lukas Bommes! As per my understanding, service account is namespaced. So a project-domain namespace has to have a service account. For that reason, when you send a service account to
flytectl register
, it checks if the service account exists in the given project-domain.