diff --git a/pkg/controller/serviceaccount/tokens_controller.go b/pkg/controller/serviceaccount/tokens_controller.go
index 2b418d61ac7..8087aeaa423 100644
--- a/pkg/controller/serviceaccount/tokens_controller.go
+++ b/pkg/controller/serviceaccount/tokens_controller.go
@@ -415,11 +415,6 @@ func (e *TokensController) deleteSecret(secret *api.Secret) error {
 // removeSecretReferenceIfNeeded updates the given ServiceAccount to remove a reference to the given secretName if needed.
 // Returns whether an update was performed, and any error that occurred
 func (e *TokensController) removeSecretReferenceIfNeeded(serviceAccount *api.ServiceAccount, secretName string) error {
-	// See if the account even referenced the secret
-	if !getSecretReferences(serviceAccount).Has(secretName) {
-		return nil
-	}
-
 	// We don't want to update the cache's copy of the service account
 	// so remove the secret from a freshly retrieved copy of the service account
 	serviceAccounts := e.client.Core().ServiceAccounts(serviceAccount.Namespace)
diff --git a/pkg/controller/serviceaccount/tokens_controller_test.go b/pkg/controller/serviceaccount/tokens_controller_test.go
index a5defad84ec..fb67dac210f 100644
--- a/pkg/controller/serviceaccount/tokens_controller_test.go
+++ b/pkg/controller/serviceaccount/tokens_controller_test.go
@@ -492,8 +492,10 @@ func TestTokenCreation(t *testing.T) {
 		"deleted secret with serviceaccount without reference": {
 			ExistingServiceAccount: serviceAccount(emptySecretReferences()),
 
-			DeletedSecret:   serviceAccountTokenSecret(),
-			ExpectedActions: []core.Action{},
+			DeletedSecret: serviceAccountTokenSecret(),
+			ExpectedActions: []core.Action{
+				core.NewGetAction("serviceaccounts", api.NamespaceDefault, "default"),
+			},
 		},
 	}