diff --git a/helm-charts/basehub/templates/serviceaccount-admin.yaml b/helm-charts/basehub/templates/serviceaccount-admin.yaml
new file mode 100644
index 0000000000..c189b57e61
--- /dev/null
+++ b/helm-charts/basehub/templates/serviceaccount-admin.yaml
@@ -0,0 +1,7 @@
+{{ if .Values.adminServiceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-sa
+ annotations: {{ .Values.adminServiceAccount.annotations | toJson }}
+{{- end }}
diff --git a/helm-charts/basehub/templates/user-sa.yaml b/helm-charts/basehub/templates/serviceaccount-user.yaml
similarity index 97%
rename from helm-charts/basehub/templates/user-sa.yaml
rename to helm-charts/basehub/templates/serviceaccount-user.yaml
index e70dc17b39..3173ec52f0 100644
--- a/helm-charts/basehub/templates/user-sa.yaml
+++ b/helm-charts/basehub/templates/serviceaccount-user.yaml
@@ -2,6 +2,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- annotations: {{ .Values.userServiceAccount.annotations | toJson}}
 name: user-sa
+ annotations: {{ .Values.userServiceAccount.annotations | toJson }}
 {{- end }}
diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml
index 466a2a9936..607f994b32 100644
--- a/helm-charts/basehub/values.schema.yaml
+++ b/helm-charts/basehub/values.schema.yaml
@@ -16,6 +16,7 @@ required:
 - global
 - jupyterhub
 - userServiceAccount
+ - adminServiceAccount
 - dex
 - staticWebsite
 - ingressBasicAuth
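Review bot: The new `admin-sa` template in serviceaccount-admin.yaml carries no comment saying which pods are meant to run as this account or where its privileges come from. Whatever cloud identity `.Values.adminServiceAccount.annotations` binds becomes available to every pod that runs as `admin-sa`, and Kubernetes lets anything able to create pods in the namespace name any ServiceAccount there. The separation from `user-sa` therefore rests on the spawner configuration, which is outside this diff. I would add a comment above `kind: ServiceAccount`, for example `# Opt-in account for admin users' servers only; its cloud permissions come solely from the annotations, so keep the bound identity narrowly scoped.`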
@@ -149,6 +150,27 @@ properties:
 description: |
 Dictionary of annotations that can be applied to the service account.
 
+ When used with GKE and Workload Identity, you need to set
+ the annotation with key "iam.gke.io/gcp-service-account" to the
+ email address of the Google Service Account whose credentials it
+ should have.
+ adminServiceAccount:
+ type: object
+ additionalProperties: false
+ required:
+ - enabled
+ properties:
+ enabled:
+ type: boolean
+ description: |
+ Enables creation of a Service Account named admin-sa for opt-in use
+ via jupyterhub.custom.singleuserAdmin.serviceAccountName.
+ annotations:
+ type: object
+ additionalProperties: true
+ description: |
+ Dictionary of annotations that can be applied to the service account.
+
 When used with GKE and Workload Identity, you need to set
 the annotation with key "iam.gke.io/gcp-service-account" to the
 email address of the Google Service Account whose credentials it
@@ -450,6 +472,8 @@ properties:
 additionalProperties: true
 extraEnv:
 type: object
+ serviceAccountName:
+ type: string
 2i2c:
 type: object
 additionalProperties: false
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index 40bb0958c0..6e8716c5b5 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -5,6 +5,10 @@ userServiceAccount:
 enabled: true
 annotations: {}
 
+adminServiceAccount:
+ enabled: false
+ annotations: {}
+
 binderhub-service:
 enabled: false
 nodeSelector:
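Review bot: In the `adminServiceAccount.annotations` schema added by the `@@ -149,6 +150,27 @@` hunk, `additionalProperties: true` accepts values of any type, whereas Kubernetes annotation values must be strings. A boolean or number would pass chart validation and only be rejected when the rendered ServiceAccount is applied. I would tighten it to `additionalProperties: {type: string}`. The `enabled` description could also say that the credentials of the annotated Google Service Account are reachable from every server that runs as `admin-sa`, so that operators scope that identity deliberately.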
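Review bot: The `serviceAccountName` property added by the `@@ -450,6 +472,8 @@` hunk is an unconstrained string with no `description`, and nothing visible ties it to `adminServiceAccount.enabled`. Going by the description added in the earlier hunk, this is presumably `jupyterhub.custom.singleuserAdmin.serviceAccountName`; the enclosing object starts outside the hunk, so the parent key is inferred. As written it can name any ServiceAccount in the namespace, including one with broader permissions than intended, or one that does not exist while `adminServiceAccount.enabled` is false. I would add a `description:` stating that the intended value is `admin-sa` together with `adminServiceAccount.enabled: true`, and, if no other value is expected, restrict it with `enum: [admin-sa]`.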