diff --git a/CHANGELOG.md b/CHANGELOG.md
index 514addd4..6a9f38c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,9 @@ Notable changes between versions.
 ## 1.3.7
 - [Authenticator: 1.3.3 to 1.3.4 (authenticator & authenticator-migrations)](https://github.com/tapis-project/authenticator/blob/prod/CHANGELOG.md)
-- [Globus Proxy: 1.3.0 to 1.3.1](https://github.com/tapis-project/globus-proxy/blob/dev/CHANGELOG.md)
+- [Notifications: 1.3.3 to 1.3.4 (notifications, notifications-dispatcher)](https://github.com/tapis-project/tapis-notifications/blob/1.3.4/CHANGELOG.md)
+- [Globus Proxy: 1.3.0 to 1.3.1 (globus-proxy)](https://github.com/tapis-project/globus-proxy/blob/dev/CHANGELOG.md)
+- Added optional `skadmin_sk_privileged_sa` var to skadmin component to enable Kubernetes privilege separation.
 ## 1.3.6
diff --git a/playbooks/roles/monitoring/templates/kube/burndown b/playbooks/roles/monitoring/templates/kube/burndown
index b7925374..2dceabd7 100755
--- a/playbooks/roles/monitoring/templates/kube/burndown
+++ b/playbooks/roles/monitoring/templates/kube/burndown
@@ -13,4 +13,5 @@
 kubectl delete -f monitoring-config.yml
 kubectl delete -f apps
 kubectl delete -f stern-fluentd
-
+#Jobs
+ kubectl delete -f monitor-init-user.yml
diff --git a/playbooks/roles/notifications/defaults/main/images.yml b/playbooks/roles/notifications/defaults/main/images.yml
index 3ce9c3aa..62372af0 100644
--- a/playbooks/roles/notifications/defaults/main/images.yml
+++ b/playbooks/roles/notifications/defaults/main/images.yml
@@ -1,5 +1,5 @@
 notifications_postgres_image: postgres:12.4
 notifications_pgadmin_image: dpage/pgadmin4:6.20
 notifications_rabbitmq_image: rabbitmq:3.8.11-management
-notifications_api_image: tapis/notifications:1.3.3
-notifications_dispatcher_image: tapis/notifications-dispatcher:1.3.3
+notifications_api_image: tapis/notifications:1.3.4
+notifications_dispatcher_image: tapis/notifications-dispatcher:1.3.4
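Review bot: The added `kubectl delete -f monitor-init-user.yml` appears to be indented by one space and `#Jobs` has no space after `#`, unlike the sibling `kubectl delete` lines, which sit at column 0; align them as `# Jobs` and `kubectl delete -f monitor-init-user.yml`. This line removes a one-shot Job that may already be gone by the time burndown runs; if the head of the script (outside this hunk) enables `set -e`, a not-found error would abort the remaining deletes, so `kubectl delete --ignore-not-found -f monitor-init-user.yml` is the safer form. The sibling lines do not use the flag either, so apply it consistently if adopted.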
diff --git a/playbooks/roles/skadmin/defaults/main/vars.yml b/playbooks/roles/skadmin/defaults/main/vars.yml
index 25f1d3ef..bbbb59fd 100644
--- a/playbooks/roles/skadmin/defaults/main/vars.yml
+++ b/playbooks/roles/skadmin/defaults/main/vars.yml
@@ -11,4 +11,9 @@ skadmin_initLoad_jwtsigning_tenants:
 - admin
 - dev
+# Set this to a different service account name (other than your default) to be used for for certain sk processes.
+# This service account should be created in Kubernetes outside of Tapis Deployer.
+skadmin_sk_privileged_sa: null
+
+
diff --git a/playbooks/roles/skadmin/templates/kube/renew-sk-secret/renew-sk-secret.yml b/playbooks/roles/skadmin/templates/kube/renew-sk-secret/renew-sk-secret.yml
index c5e1364f..1a8bcea7 100644
--- a/playbooks/roles/skadmin/templates/kube/renew-sk-secret/renew-sk-secret.yml
+++ b/playbooks/roles/skadmin/templates/kube/renew-sk-secret/renew-sk-secret.yml
@@ -7,6 +7,9 @@ metadata:
 spec:
 template:
 spec:
+{% if skadmin_sk_privileged_sa is not none %}
+ serviceAccountName: {{ skadmin_sk_privileged_sa }}
+{% endif %}
 restartPolicy: Never
 containers:
 - name: renew-sk-secret
diff --git a/playbooks/roles/skadmin/templates/kube/sk-admin-init.yml b/playbooks/roles/skadmin/templates/kube/sk-admin-init.yml
index 56d6ac54..cee2982f 100644
--- a/playbooks/roles/skadmin/templates/kube/sk-admin-init.yml
+++ b/playbooks/roles/skadmin/templates/kube/sk-admin-init.yml
@@ -7,6 +7,9 @@ metadata:
 spec:
 template:
 spec:
+{% if skadmin_sk_privileged_sa is not none %}
+ serviceAccountName: {{ skadmin_sk_privileged_sa }}
+{% endif %}
 restartPolicy: Never
 containers:
 - name: sk-admin-init
diff --git a/playbooks/roles/skadmin/templates/kube/sk-presetup-test.yml b/playbooks/roles/skadmin/templates/kube/sk-presetup-test.yml
index 5ee9bc3f..00c60d24 100644
--- a/playbooks/roles/skadmin/templates/kube/sk-presetup-test.yml
+++ b/playbooks/roles/skadmin/templates/kube/sk-presetup-test.yml
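Review bot: The comment introducing `skadmin_sk_privileged_sa` has a doubled word (`for for`) and omits the two facts an operator creating the account needs: which workloads run under it and what happens when it is left `null`. From this commit the account is applied only to the four SK Job templates touched here (sk-presetup, sk-presetup-test, sk-admin-init, renew-sk-secret), and when the var stays `null` those Jobs keep using the namespace default service account, so no separation takes place. I would rewrite it as `# Optional: name of a pre-existing ServiceAccount in the Tapis namespace for the SK admin Jobs (sk-presetup, sk-presetup-test, sk-admin-init, renew-sk-secret).` followed by `# Create it and its RBAC bindings outside Tapis Deployer before running this role; null = use the namespace default service account.`, and add one sentence naming the minimum RBAC those Jobs need, which is not visible in this diff.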
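Review bot: The guard `{% if skadmin_sk_privileged_sa is not none %}` lets an empty string through, so a value of `""` renders `serviceAccountName: ` with no name; Kubernetes treats that as unset and the renew-sk-secret Job quietly runs under the namespace default account, which is the exact case the privileged account is meant to avoid. Use the truthiness test `{% if skadmin_sk_privileged_sa %}` so both `null` and `""` fall back explicitly, and quote the interpolation as `serviceAccountName: "{{ skadmin_sk_privileged_sa }}"` so an unexpected value produces a manifest error rather than a misparse. The rendered indentation of the inserted line cannot be checked from this collapsed hunk; it must sit at the same level as `restartPolicy`.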
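Review bot: This is the second of four templates in the commit carrying the identical three-line `{% if %}` / `serviceAccountName` / `{% endif %}` snippet, so any later correction to the null test or to quoting has to be repeated in four places and will drift. A small shared Jinja partial (e.g. `{% include 'sk-service-account.yml.j2' %}` at the pod-spec level) or a single Ansible-side variable holding the rendered line would keep the four Jobs in step. Whether the role's template search path permits such an include cannot be confirmed from the hunk.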
@@ -7,6 +7,9 @@ metadata:
 spec:
 template:
 spec:
+{% if skadmin_sk_privileged_sa is not none %}
+ serviceAccountName: {{ skadmin_sk_privileged_sa }}
+{% endif %}
 restartPolicy: Never
 containers:
 - name: sk-presetup-test
diff --git a/playbooks/roles/skadmin/templates/kube/sk-presetup.yml b/playbooks/roles/skadmin/templates/kube/sk-presetup.yml
index 0103e0a1..6a87aee9 100644
--- a/playbooks/roles/skadmin/templates/kube/sk-presetup.yml
+++ b/playbooks/roles/skadmin/templates/kube/sk-presetup.yml
@@ -7,6 +7,9 @@ metadata:
 spec:
 template:
 spec:
+{% if skadmin_sk_privileged_sa is not none %}
+ serviceAccountName: {{ skadmin_sk_privileged_sa }}
+{% endif %}
 restartPolicy: Never
 containers:
 - name: sk-presetup
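Review bot: Running a test Job under the privileged service account widens exposure beyond what a pre-setup check presumably needs; if sk-presetup-test does not create or modify Kubernetes objects (its container spec is outside the hunk, so this cannot be confirmed), leave it on the default account and drop the new block from this template. If the test is meant to prove that the privileged account itself works, say so in a comment above the `{% if %}`, e.g. `# Runs under the privileged SA on purpose: verifies its RBAC before sk-presetup relies on it.`, otherwise a later reviewer is likely to remove it as over-privileged.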
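Review bot: Nothing verifies that the account named in `serviceAccountName: {{ skadmin_sk_privileged_sa }}` exists before the sk-presetup Job is applied; when it does not, the ServiceAccount admission controller rejects pod creation and the Job sits with no pods, surfacing only as an Events entry (`serviceaccount not found`) rather than a deployment failure. Since the var comment states the account is created outside Tapis Deployer, add a pre-flight in the skadmin tasks (outside this hunk), such as a `kubectl get sa {{ skadmin_sk_privileged_sa }} -n <namespace>` command task with `failed_when` on a non-zero rc, so a typo in the inventory fails fast with a clear message. One check covers all four SK Jobs that take this account.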