diff --git a/pkg/controller/certificatesigningrequest/approving_controller.go b/pkg/controller/certificatesigningrequest/approving_controller.go
index 1f26a26a371..4a328df29a9 100644
--- a/pkg/controller/certificatesigningrequest/approving_controller.go
+++ b/pkg/controller/certificatesigningrequest/approving_controller.go
@@ -60,9 +60,7 @@ func NewCSRApprovingController(client clientset.Interface, csrInformer cache.Sha
 csrListerSynced: csrInformer.HasSynced,
 queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "certificateSigningRequest"),
 approvers: []approver{
- &ipsecCSRApprover{
- client: client,
- },
+ newIPsecCSRApprover(client),
 },
 }
 csrInformer.AddEventHandlerWithResyncPeriod(
diff --git a/pkg/controller/certificatesigningrequest/ipsec_csr_approver.go b/pkg/controller/certificatesigningrequest/ipsec_csr_approver.go
index 1088f38942f..efd6804e6bc 100644
--- a/pkg/controller/certificatesigningrequest/ipsec_csr_approver.go
+++ b/pkg/controller/certificatesigningrequest/ipsec_csr_approver.go
@@ -38,14 +38,9 @@ const (
 ipsecCSRApproverName = "AntreaIPsecCSRApprover"
 )
 
-var (
- antreaAgentServiceAccountName = strings.Join([]string{
- "system", "serviceaccount", env.GetAntreaNamespace(), "antrea-agent",
- }, ":")
-)
-
 type ipsecCSRApprover struct {
- client clientset.Interface
+ client clientset.Interface
+ antreaAgentServiceAccountName string
 }
 
 var ipsecTunnelUsages = sets.New[string](
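Review bot: The new `antreaAgentServiceAccountName` field on `ipsecCSRApprover` is the value every incoming CSR's `Spec.Username` is compared against, yet it carries no comment, and a zero-value `ipsecCSRApprover{}` still compiles and would then treat an empty `Spec.Username` as the expected identity in verifyIdentity. I'd document the field so the construction requirement is explicit: `// antreaAgentServiceAccountName is the csr.Spec.Username expected on agent-issued CSRs ("system:serviceaccount:<ns>:antrea-agent"); it is set by newIPsecCSRApprover, so always build the approver through that function.` The `const (` block preceding the struct is only partly visible in this hunk.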
@@ -54,6 +49,19 @@ var ipsecTunnelUsages = sets.New[string](
 
 var _ approver = (*ipsecCSRApprover)(nil)
 
+func getAntreaAgentServiceAccount() string {
+ return strings.Join([]string{
+ "system", "serviceaccount", env.GetAntreaNamespace(), "antrea-agent",
+ }, ":")
+}
+
+func newIPsecCSRApprover(client clientset.Interface) *ipsecCSRApprover {
+ return &ipsecCSRApprover{
+ client: client,
+ antreaAgentServiceAccountName: getAntreaAgentServiceAccount(),
+ }
+}
+
 func (ic *ipsecCSRApprover) recognize(csr *certificatesv1.CertificateSigningRequest) bool {
 return csr.Spec.SignerName == antreaapis.AntreaIPsecCSRSignerName
 }
@@ -123,7 +131,7 @@ func (ic *ipsecCSRApprover) verifyCertificateRequest(req *x509.CertificateReques
 }
 
 func (ic *ipsecCSRApprover) verifyIdentity(nodeName string, csr *certificatesv1.CertificateSigningRequest) error {
- if csr.Spec.Username != antreaAgentServiceAccountName {
+ if csr.Spec.Username != ic.antreaAgentServiceAccountName {
 return errUserUnauthorized
 }
 podNameValues, podUIDValues := csr.Spec.Extra[sautil.PodNameKey], csr.Spec.Extra[sautil.PodUIDKey]
diff --git a/pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go b/pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go
index f4aaec4c854..138bbebc7fa 100644
--- a/pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go
+++ b/pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go
@@ -201,9 +201,7 @@ func Test_validIPSecCSR(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 client := fake.NewSimpleClientset(tt.objects...)
- ic := &ipsecCSRApprover{
- client: client,
- }
+ ic := newIPsecCSRApprover(client)
 err := ic.verifyCertificateRequest(tt.cr, tt.keyUsages)
 if tt.expectedErr == nil {
 assert.NoError(t, err, "validIPSecCSR should not return an error")
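Review bot: `getAntreaAgentServiceAccount` hand-assembles the service-account username with `strings.Join` (and uses a `Get` prefix Go style discourages) even though the file already imports `sautil` for `PodNameKey`/`PodUIDKey`; if that is `k8s.io/apiserver/pkg/authentication/serviceaccount`, its `MakeUsername(namespace, name)` yields exactly this `system:serviceaccount:<ns>:<name>` form and keeps the format in one place, e.g. `return sautil.MakeUsername(env.GetAntreaNamespace(), "antrea-agent")`. Both new functions are also undocumented; I'd add `// newIPsecCSRApprover builds the approver for Antrea IPsec CSRs; the expected agent username is resolved here, from env.GetAntreaNamespace(), instead of at package init.` and a one-liner on the helper saying it returns the username form of the antrea-agent service account rather than the account object. What env.GetAntreaNamespace returns, and therefore whether the two spellings agree, is outside this hunk.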
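Review bot: With `ic := newIPsecCSRApprover(client)` the expected agent username is fixed from `env.GetAntreaNamespace()` at that line, so any test case that depends on a particular namespace has to set it before the constructor runs rather than after; whether a case in `tests` does so is not visible in the hunk. The same ordering applies to the three other fixtures changed in this file (Test_verifyIdentity, Test_ipsecCertificateApprover_recognize, Test_ipsecCertificateApprover_verify). Test_validIPSecCSR's body continues outside the hunk.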
@@ -373,9 +371,7 @@ func Test_verifyIdentity(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 client := fake.NewSimpleClientset(tt.objects...)
- ic := &ipsecCSRApprover{
- client: client,
- }
+ ic := newIPsecCSRApprover(client)
 err := ic.verifyIdentity(tt.nodeName, tt.csr)
 if tt.expectedErr == nil {
 assert.NoError(t, err, "verifyPodOnNode should not return an error")
@@ -435,9 +431,7 @@ func Test_ipsecCertificateApprover_recognize(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 client := fake.NewSimpleClientset(tt.objects...)
- ic := &ipsecCSRApprover{
- client: client,
- }
+ ic := newIPsecCSRApprover(client)
 recognized := ic.recognize(tt.csr)
 assert.Equal(t, tt.expectedResult, recognized)
 })
@@ -590,9 +584,7 @@ func Test_ipsecCertificateApprover_verify(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 objs := append(tt.objects, tt.csr)
 client := fake.NewSimpleClientset(objs...)
- ic := &ipsecCSRApprover{
- client: client,
- }
+ ic := newIPsecCSRApprover(client)
 approved, err := ic.verify(tt.csr)
 if tt.expectedError != nil {
 assert.EqualError(t, err, tt.expectedError.Error())