diff --git a/pkg/models/iam/am.go b/pkg/models/iam/am.go
index c4da73533..a2dc51bcd 100644
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -642,11 +642,6 @@ func CreateClusterRoleBinding(username string, clusterRoleName string) error {
 			glog.Errorln("create cluster role binding", err)
 			return err
 		}
-		if clusterRoleName == constants.ClusterAdmin {
-			if err := kubectl.CreateKubectlDeploy(username); err != nil {
-				glog.Errorln("create user terminal pod failed", username, err)
-			}
-		}
 		return nil
 	} else if err != nil {
 		return err
@@ -679,6 +674,12 @@ func CreateClusterRoleBinding(username string, clusterRoleName string) error {
 		return err
 	}
 
+	if clusterRoleName == constants.ClusterAdmin {
+		if err := kubectl.CreateKubectlDeploy(username); err != nil {
+			glog.Errorln("create user terminal pod failed", username, err)
+		}
+	}
+
 	if !k8sutil.ContainsUser(found.Subjects, username) {
 		found.Subjects = clusterRoleBinding.Subjects
 		_, err = k8s.Client().RbacV1().ClusterRoleBindings().Update(found)