diff --git a/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go b/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
index f0d8da258..3ec5a702f 100644
--- a/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
+++ b/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
@@ -213,11 +213,10 @@ func (c *Controller) reconcile(key string) error {
 return err
 }
- isClusterAdmin := clusterRoleBinding.RoleRef.Name == iamv1alpha2.ClusterAdmin
- if isClusterAdmin {
+ if clusterRoleBinding.RoleRef.Name == iamv1alpha2.ClusterAdmin {
 for _, subject := range clusterRoleBinding.Subjects {
 if subject.Kind == iamv1alpha2.ResourceKindUser {
- err = c.kubectlOperator.CreateKubectlDeploy(subject.Name)
+ err = c.kubectlOperator.CreateKubectlDeploy(subject.Name, clusterRoleBinding)
 if err != nil {
 klog.Error(err)
 return err
diff --git a/pkg/models/kubectl/kubectl.go b/pkg/models/kubectl/kubectl.go
index 85b29b0ed..e460ccbf6 100644
--- a/pkg/models/kubectl/kubectl.go
+++ b/pkg/models/kubectl/kubectl.go
@@ -43,7 +43,7 @@ const (
 type Interface interface {
 GetKubectlPod(username string) (models.PodInfo, error)
- CreateKubectlDeploy(username string) error
+ CreateKubectlDeploy(username string, owner metav1.Object) error
 }
 type operator struct {
@@ -108,10 +108,10 @@ func selectCorrectPod(namespace string, pods []*v1.Pod) (kubectlPod *v1.Pod, err
 return kubectlPodList[random], nil
 }
-func (o *operator) CreateKubectlDeploy(username string) error {
+func (o *operator) CreateKubectlDeploy(username string, owner metav1.Object) error {
 deployName := fmt.Sprintf(deployNameFormat, username)
- user, err := o.userInformer.Lister().Get(username)
+ _, err := o.userInformer.Lister().Get(username)
 if err != nil {
 klog.Error(err)
 // ignore if user not exist
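Review bot: In `reconcile`, the loop over `clusterRoleBinding.Subjects` only ever creates deployments, and with the binding now passed as owner, cleanup depends solely on the binding being deleted. If a user is later removed from `Subjects` while the binding itself stays, nothing visible here removes that user's kubectl deployment, so a terminal workload provisioned for a cluster-admin may outlive the grant; whether another code path prunes it cannot be seen from this hunk. Consider pruning deployments for subjects that are no longer listed, or at least record the limitation next to the call, e.g. `// NOTE: the deployment is garbage-collected only when the binding is deleted, not when a subject is removed from it`. The body of `reconcile` starts and ends outside the hunk.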
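Review bot: The new `owner metav1.Object` parameter on `Interface.CreateKubectlDeploy`, and on the `operator` implementation in the hunk that follows, is undocumented even though it now decides when a user's kubectl deployment is deleted. A doc comment on the interface method should state the contract, e.g. `// CreateKubectlDeploy creates the kubectl deployment for username and sets owner as its controller reference; owner must be a non-nil API object.` In the implementation, `_, err := o.userInformer.Lister().Get(username)` has become a pure existence check, which deserves a short why-comment such as `// existence check only; the user object is no longer the owner`.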
@@ -165,7 +165,8 @@ func (o *operator) CreateKubectlDeploy(username string) error {
 },
 }
- err = controllerutil.SetControllerReference(user, deployment, scheme.Scheme)
+ // bind the lifecycle of role binding
+ err = controllerutil.SetControllerReference(owner, deployment, scheme.Scheme)
 if err != nil {
 klog.Errorln(err)
 return err
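Review bot: The controller reference set here is per ClusterRoleBinding, but the deployment name is derived from the username alone (`fmt.Sprintf(deployNameFormat, username)` earlier in this function), so the two lifecycles can disagree. If one user is a subject of several cluster-admin bindings, presumably only the binding that reconciles first becomes the owner, and deleting that binding would garbage-collect the deployment while the user still holds the role through another. Conversely, deleting the user no longer removes the deployment, since the `user` object is not an owner any more. If the vendored controller-runtime provides `controllerutil.SetOwnerReference`, non-controller owner references for every granting binding may fit better. At minimum the comment should spell out the consequence, e.g. `// Owned by the ClusterRoleBinding: garbage-collected when the binding is deleted, not when the user is.` The create path and the rest of `CreateKubectlDeploy` lie outside the hunk, so the existing-deployment behaviour is inferred.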