diff --git a/pkg/controller/core/installplan_controller.go b/pkg/controller/core/installplan_controller.go
index ad860ddf4..b846cf8bd 100644
--- a/pkg/controller/core/installplan_controller.go
+++ b/pkg/controller/core/installplan_controller.go
@@ -711,12 +711,15 @@ func initTargetNamespace(ctx context.Context, client client.Client, namespace, e
 	if err := createNamespaceIfNotExists(ctx, client, namespace, extensionName); err != nil {
 		return fmt.Errorf("failed to create namespace: %v", err)
 	}
-	sa := rbacv1.Subject{
-		Kind:      rbacv1.ServiceAccountKind,
-		Name:      fmt.Sprintf("helm-executor.%s", extensionName),
-		Namespace: namespace,
-	}
 	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		sa := rbacv1.Subject{
+			Kind:      rbacv1.ServiceAccountKind,
+			Name:      fmt.Sprintf("helm-executor.%s", extensionName),
+			Namespace: namespace,
+		}
+		if err := createOrUpdateServiceAccount(ctx, client, extensionName, sa); err != nil {
+			return err
+		}
 		if err := createOrUpdateRole(ctx, client, namespace, extensionName, role.Rules); err != nil {
 			return err
 		}
@@ -733,6 +736,21 @@ func initTargetNamespace(ctx context.Context, client client.Client, namespace, e
 	})
 }
 
+func createOrUpdateServiceAccount(ctx context.Context, client client.Client, extensionName string, sa rbacv1.Subject) error {
+	serviceAccount := &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: sa.Name, Namespace: sa.Namespace}}
+	op, err := controllerutil.CreateOrUpdate(ctx, client, serviceAccount, func() error {
+		serviceAccount.Labels = map[string]string{corev1alpha1.ExtensionReferenceLabel: extensionName}
+		return nil
+	})
+
+	if err != nil {
+		return err
+	}
+
+	klog.V(4).Infof("service account %s in namespace %s %s", serviceAccount.Name, serviceAccount.Namespace, op)
+	return nil
+}
+
 func createOrUpdateClusterRole(ctx context.Context, client client.Client, extensionName string, rules []rbacv1.PolicyRule) error {
 	clusterRoleName := fmt.Sprintf(defaultClusterRoleFormat, extensionName)
 	clusterRole := &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: clusterRoleName}}