diff --git a/sonobuoy/templates/serviceaccount-readonly.yaml b/sonobuoy/templates/serviceaccount-readonly.yaml
index 913db39e..e0b1b566 100644
--- a/sonobuoy/templates/serviceaccount-readonly.yaml
+++ b/sonobuoy/templates/serviceaccount-readonly.yaml
@@ -102,7 +102,17 @@ metadata:
     before creating a secret token for it. By default helm deploys secrets
     before ServiceAccounts which causes this secret to not exist since the
     ServiceAccount is missing.
+    post-upgrade hook is required when upgrading from a previous version of
+    this chart that did not have this secret.
     */}}
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
+    {{/*
+    before--hook-creation hook is required for sequential upgrades. Tiller
+    does not keep track of resources installed via post-{install,upgrade} hooks,
+    this causes an "Already exists" error when upgrading without this hook. With
+    this hook, this secret will be deleted before upgrading, which will then install
+    this resource.
+    */}}
+    "helm.sh/hook-delete-policy": "before-hook-creation"
 ---
 {{- end }}