diff --git a/pkg/libs/endpointaccessible/endpoint_accessible_controller.go b/pkg/libs/endpointaccessible/endpoint_accessible_controller.go
index 24bfee6ef..0ac34e1fe 100644
--- a/pkg/libs/endpointaccessible/endpoint_accessible_controller.go
+++ b/pkg/libs/endpointaccessible/endpoint_accessible_controller.go
@@ -94,12 +94,18 @@ func (c *endpointAccessibleController) sync(ctx context.Context, syncCtx factory
 		return err
 	}
 
-	newEndpoints := sets.New[string](endpoints...)
+	newEndpoints := sets.New(endpoints...)
 	endpointsChanged := !c.lastEndpoints.Equal(newEndpoints)
 
-	client, tlsChanged, err := c.buildTLSClient()
-	if err != nil {
-		return err
+	tlsChanged := false
+	var tlsConfig *tls.Config
+	if c.getTLSConfigFn != nil {
+		tlsConfig, err = c.getTLSConfigFn()
+		if err != nil {
+			return err
+		}
+
+		tlsChanged = c.lastServerName != tlsConfig.ServerName || !tlsConfig.RootCAs.Equal(c.lastCA)
 	}
 
 	isPastTimeForCheck := time.Since(c.lastCheckTime) > c.maxCheckLatency
@@ -109,6 +115,11 @@ func (c *endpointAccessibleController) sync(ctx context.Context, syncCtx factory
 	c.lastCheckTime = time.Now()
 	c.lastEndpoints = newEndpoints
 
+	client, err := c.buildTLSClient(tlsConfig)
+	if err != nil {
+		return err
+	}
+
 	// check all the endpoints in parallel. This matters for pods.
 	errCh := make(chan error, len(endpoints))
 	wg := sync.WaitGroup{}
@@ -174,7 +185,7 @@ func (c *endpointAccessibleController) sync(ctx context.Context, syncCtx factory
 	return utilerrors.NewAggregate(errors)
 }
 
-func (c *endpointAccessibleController) buildTLSClient() (*http.Client, bool, error) {
+func (c *endpointAccessibleController) buildTLSClient(tlsConfig *tls.Config) (*http.Client, error) {
 	transport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		TLSClientConfig: &tls.Config{
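Review bot: In the first hunk of sync, `tlsConfig, err = c.getTLSConfigFn()` is followed by an unconditional dereference in `tlsChanged = c.lastServerName != tlsConfig.ServerName || ...`, while the new buildTLSClient guards the same value with `if tlsConfig != nil` and otherwise silently falls back to its default tls.Config. A provider that returns (nil, nil) therefore panics here, and if the dereference were merely skipped the check would run with the default trust settings instead of the configured RootCAs, which is the wrong fallback for a CA-pinned probe. I would fail the sync explicitly before the comparison: `if tlsConfig == nil { return fmt.Errorf("getTLSConfigFn returned a nil *tls.Config") }` — note that `errors` is shadowed by the local slice passed to utilerrors.NewAggregate in this function, so errors.New is not usable here, and the fmt import must be confirmed against the file's import block, which is outside the hunk. sync starts and ends outside the hunks shown.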
@@ -182,16 +193,10 @@ func (c *endpointAccessibleController) buildTLSClient() (*http.Client, bool, err
 		},
 	}
 
-	tlsChanged := false
-	if c.getTLSConfigFn != nil {
-		tlsConfig, err := c.getTLSConfigFn()
-		if err != nil {
-			return nil, false, err
-		}
+	if tlsConfig != nil {
 		transport.TLSClientConfig = tlsConfig
 		// these are the fields that are set by our getTLSConfigFn funcs
-		tlsChanged = c.lastServerName != tlsConfig.ServerName || !tlsConfig.RootCAs.Equal(c.lastCA)
 		c.lastServerName = tlsConfig.ServerName
 		c.lastCA = tlsConfig.RootCAs
 	}
 
@@ -199,5 +204,5 @@ func (c *endpointAccessibleController) buildTLSClient() (*http.Client, bool, err
 	return &http.Client{
 		Timeout: 5 * time.Second,
 		Transport: transport,
-	}, tlsChanged, nil
+	}, nil
 }
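Review bot: The comment `// these are the fields that are set by our getTLSConfigFn funcs` is now stale: buildTLSClient no longer calls getTLSConfigFn, and the change-detection comparison on ServerName and RootCAs has moved into sync, so this function only records the values that sync compares against on the next run. The two sites are now coupled across functions without anything saying so; I would replace the comment with `// Record the fields sync() compares on the next run to detect a TLS change; keep this list in step with the tlsChanged comparison there.`. It is also worth a doc comment on buildTLSClient stating that a nil tlsConfig selects the inline default tls.Config (built above this hunk, outside the shown lines) and that a non-nil one is installed on the transport as-is, so callers know the pointer is retained rather than cloned.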