diff --git a/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml b/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml
index fd9fa73b..199021ef 100644
--- a/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml
+++ b/operator/e2e/testdata/random-yaml-nonroot/manifests.yaml
@@ -1,3 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-pulumi-operator-workspace-fetch
+ namespace: flux-system
+spec:
+ podSelector:
+ matchLabels:
+ app: source-controller
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: http
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: random-yaml-nonroot
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: workspace
+ policyTypes:
+ - Ingress
 ---
 apiVersion: v1
 kind: Namespace
@@ -28,6 +50,26 @@ spec:
 timeout: 60s
 url: https://github.com/pulumi/examples
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: random-yaml-nonroot
+ namespace: random-yaml-nonroot
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: random-yaml-nonroot:system:auth-delegator
+ namespace: random-yaml-nonroot
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: random-yaml-nonroot
+ namespace: random-yaml-nonroot
+---
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:
@@ -59,6 +101,7 @@ spec:
 value: "test"
 workspaceTemplate:
 spec:
+ serviceAccountName: random-yaml-nonroot
 image: pulumi/pulumi:3.134.1-nonroot
 podTemplate:
 spec:
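Review bot: The two `from` entries in the new NetworkPolicy are separate list items (`- namespaceSelector:` and `- podSelector:`), which Kubernetes evaluates as OR rather than AND. As written, the rule admits every pod in the `random-yaml-nonroot` namespace and, separately, any pod in `flux-system` (the policy's own namespace) labelled `app.kubernetes.io/component: workspace`. If the intent is only workspace pods in that namespace, drop the second dash so `podSelector:` becomes a sibling key of `namespaceSelector:` within the same peer. Indentation is collapsed in this view, so this reading rests on the second dash alone.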
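Review bot: The `ClusterRoleBinding` in the second hunk grants `system:auth-delegator` cluster-wide to the same service account that the third hunk assigns to the workspace pod via `serviceAccountName: random-yaml-nonroot`, and nothing in the manifest says why. A comment above the binding such as `# workspace agent needs TokenReview/SubjectAccessReview to authenticate callers` would record the reason; that rationale is presumed here and should be confirmed. `metadata.namespace` has no meaning on a cluster-scoped kind and can be dropped. Keeping it suggests the binding is removed together with the namespace, which it is not, so test teardown has to delete it explicitly.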