Out of curiosity. Does the Pulumi k8s.v1.Service ...
# kubernetes
b
Out of curiosity. Does the Pulumi k8s.v1.Service query the endpoints from the Kubernetes API? I have a CI deployment user which does not have rights for endpoints (so no get or create endpoints) and pulumi up fails saying "could not create watcher for endpoint". Using kubectl it works fine, although Endpoints are printed as <none>, but at least no error.... Could it be that pulumi receives a 401 Unauthorized from the k8s api and then interprets it as an error? Although in this case it is not really an error, as the service does get created properly, but pulumi does not have it in its stack and tries to create it every time because it got interrupted by the error. Can I disable the querying of endpoints in this case somehow?
The recreation of the Service leads to a "resource already exists" error
Or am I completely off with my assumptions?
it fails at service.go:
```go
// Create endpoint watcher.
endpointWatcher, err := endpointsClient.Watch(context.TODO(), metav1.ListOptions{})
if err != nil {
	return errors.Wrapf(err,
		"Could not create watcher for Endpoint objects associated with Service %q",
		sia.config.currentInputs.GetName())
}
defer endpointWatcher.Stop()
```
line 136
w
See https://www.pulumi.com/blog/improving-kubernetes-management-with-pulumis-await-logic/ for some details on the logic Pulumi uses to wait for resources to become ready after creation/update in Kubernetes. That post also describes a feature that can be used to disable the wait logic on an individual resource, which might be what you need here.
b
@white-balloon-205 Thanks. It gave me a lot of insight on the logic. I found the Watch implementation in the Go code but I am fairly new to Go and struggling to actually find where the error is coming from. I will try increasing the timeout and disabling it. I wonder though how to distinguish why exactly it failed... Is it a permissions issue, which it seems to be? I got get and list ep permissions for the k8s cluster in question but still the watcher fails immediately. The only thing which works is disabling the watcher altogether.
Creating a ticket on GitHub as well
THX 👍