diff --git a/operator/cmd/main.go b/operator/cmd/main.go
index baa03ec0..cc101093 100644
--- a/operator/cmd/main.go
+++ b/operator/cmd/main.go
@@ -207,7 +207,7 @@ func main() {
 // startProgramFileServer starts a simple file server to serve Program objects as compressed tarballs. This allows
 // children pods with restricted permissions to access the Program objects, without needing read permissions granted.
 func startProgramFileServer(programHandler *pulumi.ProgramHandler, address string) {
-	setupLog.Info("starting file server to serve Program objects", "address", programHandler.Address())
+	setupLog.Info("starting file server to serve Program objects", "address", address, "advertisedAddress", programHandler.Address())
 	mux := http.NewServeMux()
 	mux.Handle("/programs/", programHandler.HandleProgramServing())
 	err := http.ListenAndServe(address, mux)
diff --git a/operator/config/manager/kustomization.yaml b/operator/config/manager/kustomization.yaml
index c0602569..c8e26c83 100644
--- a/operator/config/manager/kustomization.yaml
+++ b/operator/config/manager/kustomization.yaml
@@ -3,6 +3,5 @@ kind: Kustomization
 images:
 - name: controller
   newName: pulumi/pulumi-kubernetes-operator-v2
-  newTag: latest
 resources:
 - manager.yaml
diff --git a/operator/config/manager/manager.yaml b/operator/config/manager/manager.yaml
index 1ed63d04..37560edd 100644
--- a/operator/config/manager/manager.yaml
+++ b/operator/config/manager/manager.yaml
@@ -31,9 +31,19 @@ spec:
       containers:
         - command:
             - /manager
+          env:
+            - name: RUNTIME_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
           args:
             - --leader-elect
             - --health-probe-bind-address=:8081
+            - --program-fs-adv-addr=pulumi-kubernetes-operator.$(RUNTIME_NAMESPACE).svc.cluster.local
+          ports:
+            - containerPort: 9090
+              name: http-fileserver
+              protocol: TCP
           image: controller:latest
           imagePullPolicy: IfNotPresent
           name: manager
@@ -63,3 +73,20 @@ spec:
               memory: 64Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 60
+---
+# Service is required to expose the file server for workspace pods to fetch Program objects.
+apiVersion: v1
+kind: Service
+metadata:
+  name: pulumi-kubernetes-operator
+  labels:
+    control-plane: controller-manager
+spec:
+  type: ClusterIP
+  selector:
+    control-plane: controller-manager
+  ports:
+    - name: http-fileserver
+      port: 80
+      protocol: TCP
+      targetPort: http-fileserver
diff --git a/operator/internal/controller/pulumi/program_controller.go b/operator/internal/controller/pulumi/program_controller.go
index 2a25bfa1..6eeb556f 100644
--- a/operator/internal/controller/pulumi/program_controller.go
+++ b/operator/internal/controller/pulumi/program_controller.go
@@ -172,8 +172,6 @@ func (p *ProgramHandler) HandleProgramServing() http.HandlerFunc {
 		w.Header().Set("Content-Type", "application/x-tar")
 		w.Header().Set("Content-Disposition", "attachment; filename=project.tar")
 		w.Write([]byte(out))
-		w.WriteHeader(http.StatusOK)
-
 	}
 }