diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go
index 5b98d61c79a..12e0fe130b3 100644
--- a/pkg/auth/serviceaccount.go
+++ b/pkg/auth/serviceaccount.go
@@ -109,6 +109,9 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 		return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 	}
 
+	// DeepDerivative does not understand default metav1.Time{} as an empty value
+	expected.CreationTimestamp = sa.CreationTimestamp
+
 	if !equality.Semantic.DeepDerivative(expected, sa) {
 		expected.ResourceVersion = sa.ResourceVersion