diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 8bdc85fc084..f08b2494cc8 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
index ebec4bd6e2b..d38d722abc1 100644
--- a/build/yamls/antrea-eks.yml
+++ b/build/yamls/antrea-eks.yml
@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
index f6c3e274516..0420a4fd1f9 100644
--- a/build/yamls/antrea-gke.yml
+++ b/build/yamls/antrea-gke.yml
@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
index 1e3f7e9103c..bcb3702f993 100644
--- a/build/yamls/antrea-ipsec.yml
+++ b/build/yamls/antrea-ipsec.yml
@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
index 0a9723918ba..a52c5623e9e 100644
--- a/build/yamls/antrea.yml
+++ b/build/yamls/antrea.yml
@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.
diff --git a/build/yamls/base/controller-rbac.yml b/build/yamls/base/controller-rbac.yml
index 778edb522b5..7ed421b98cd 100644
--- a/build/yamls/base/controller-rbac.yml
+++ b/build/yamls/base/controller-rbac.yml
@@ -83,6 +83,12 @@ rules:
     verbs:
       - get
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
   - apiGroups:
       - apiregistration.k8s.io
     resources:
diff --git a/build/yamls/base/controller.yml b/build/yamls/base/controller.yml
index ae988e41a76..c22290b840c 100644
--- a/build/yamls/base/controller.yml
+++ b/build/yamls/base/controller.yml
@@ -11,16 +11,6 @@ spec:
   selector:
     component: antrea-controller
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: antrea-ca
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: antrea-cluster-identity
----
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
diff --git a/build/yamls/flow-aggregator.yml b/build/yamls/flow-aggregator.yml
index 840264d20c8..9e3c4038442 100644
--- a/build/yamls/flow-aggregator.yml
+++ b/build/yamls/flow-aggregator.yml
@@ -30,6 +30,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - ""
   resourceNames:
@@ -119,14 +125,6 @@ subjects:
   namespace: flow-aggregator
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: flow-aggregator
-  name: flow-aggregator-ca
-  namespace: flow-aggregator
----
-apiVersion: v1
 data:
   flow-aggregator.conf: |
     # Provide the flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp.
diff --git a/build/yamls/flow-aggregator/base/flow-aggregator.yml b/build/yamls/flow-aggregator/base/flow-aggregator.yml
index 4f349168ea7..ebeffc9955b 100644
--- a/build/yamls/flow-aggregator/base/flow-aggregator.yml
+++ b/build/yamls/flow-aggregator/base/flow-aggregator.yml
@@ -5,12 +5,6 @@ metadata:
   name: flow-aggregator
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: flow-aggregator-ca
-  namespace: flow-aggregator
----
-apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: flow-aggregator
@@ -26,6 +20,9 @@ rules:
     resources: ["configmaps"]
     resourceNames: ["flow-aggregator-ca"]
     verbs: ["get", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
   - apiGroups: [""]
     resources: ["secrets"]
     resourceNames: ["flow-aggregator-client-tls"]
diff --git a/pkg/apiserver/certificate/cacert_controller.go b/pkg/apiserver/certificate/cacert_controller.go
index c5559090e31..70012f9ee05 100644
--- a/pkg/apiserver/certificate/cacert_controller.go
+++ b/pkg/apiserver/certificate/cacert_controller.go
@@ -22,6 +22,7 @@ import (
 	"time"
 
 	v1 "k8s.io/api/admissionregistration/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -245,8 +246,20 @@ func (c *CACertController) syncConfigMap(caCert []byte) error {
 	// Use the Antrea Pod Namespace for the CA cert ConfigMap.
 	caConfigMapNamespace := GetCAConfigMapNamespace()
 	caConfigMap, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Get(context.TODO(), CAConfigMapName, metav1.GetOptions{})
+	exists := true
 	if err != nil {
-		return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		}
+		exists = false
+		caConfigMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      CAConfigMapName,
+				Namespace: caConfigMapNamespace,
+			},
+			Data:       map[string]string{},
+			BinaryData: map[string][]byte{},
+		}
 	}
 	if caConfigMap.Data != nil && caConfigMap.Data[CAConfigMapKey] == string(caCert) {
 		return nil
@@ -254,8 +267,14 @@ func (c *CACertController) syncConfigMap(caCert []byte) error {
 	caConfigMap.Data = map[string]string{
 		CAConfigMapKey: string(caCert),
 	}
-	if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Update(context.TODO(), caConfigMap, metav1.UpdateOptions{}); err != nil {
-		return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
+	if exists {
+		if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Update(context.TODO(), caConfigMap, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
+		}
+	} else {
+		if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Create(context.TODO(), caConfigMap, metav1.CreateOptions{}); err != nil {
+			return fmt.Errorf("error creating ConfigMap %s: %v", CAConfigMapName, err)
+		}
 	}
 	return nil
 }
diff --git a/pkg/clusteridentity/clusteridentity.go b/pkg/clusteridentity/clusteridentity.go
index ffb1455cac5..ac0cbe6c3b1 100644
--- a/pkg/clusteridentity/clusteridentity.go
+++ b/pkg/clusteridentity/clusteridentity.go
@@ -20,6 +20,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
@@ -54,8 +56,20 @@ func NewClusterIdentityAllocator(
 
 func (a *ClusterIdentityAllocator) updateConfigMapIfNeeded() error {
 	configMap, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Get(context.TODO(), a.clusterIdentityConfigMapName, metav1.GetOptions{})
+	exists := true
 	if err != nil {
-		return fmt.Errorf("error when getting '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error when getting '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
+		exists = false
+		configMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      a.clusterIdentityConfigMapName,
+				Namespace: a.clusterIdentityConfigMapNamespace,
+			},
+			Data:       map[string]string{},
+			BinaryData: map[string][]byte{},
+		}
 	}
 
 	// returns a triplet consisting of the cluster UUID, a boolean indicating if the UUID needs
@@ -88,8 +102,14 @@ func (a *ClusterIdentityAllocator) updateConfigMapIfNeeded() error {
 	configMap.Data = map[string]string{
 		uuidConfigMapKey: clusterUUID.String(),
 	}
-	if _, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil {
-		return fmt.Errorf("error when updating '%s/%s' ConfigMap with new cluster identity: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+	if exists {
+		if _, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error when updating '%s/%s' ConfigMap with new cluster identity: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
+	} else {
+		if _, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Create(context.TODO(), configMap, metav1.CreateOptions{}); err != nil {
+			return fmt.Errorf("error when creating '%s/%s' ConfigMap with new cluster identity: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
 	}
 	klog.Infof("New cluster UUID: %v", clusterUUID)
 	return nil
diff --git a/pkg/flowaggregator/certificate.go b/pkg/flowaggregator/certificate.go
index 853bcf2df4e..0d888231c13 100644
--- a/pkg/flowaggregator/certificate.go
+++ b/pkg/flowaggregator/certificate.go
@@ -28,6 +28,7 @@ import (
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/klog"
@@ -138,18 +139,36 @@ func generateCertKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, isServer b
 func syncCAAndClientCert(caCert, clientCert, clientKey []byte, k8sClient kubernetes.Interface) error {
 	klog.Info("Syncing CA certificate, client certificate and client key with ConfigMap")
 	caConfigMap, err := k8sClient.CoreV1().ConfigMaps(CAConfigMapNamespace).Get(context.TODO(), CAConfigMapName, metav1.GetOptions{})
+	exists := true
 	if err != nil {
-		return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		}
+		exists = false
+		caConfigMap = &v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      CAConfigMapName,
+				Namespace: CAConfigMapNamespace,
+			},
+			Data:       map[string]string{},
+			BinaryData: map[string][]byte{},
+		}
 	}
 	caConfigMap.Data = map[string]string{
 		CAConfigMapKey: string(caCert),
 	}
-	if _, err := k8sClient.CoreV1().ConfigMaps(CAConfigMapNamespace).Update(context.TODO(), caConfigMap, metav1.UpdateOptions{}); err != nil {
-		return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
+	if exists {
+		if _, err := k8sClient.CoreV1().ConfigMaps(CAConfigMapNamespace).Update(context.TODO(), caConfigMap, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
+		}
+	} else {
+		if _, err := k8sClient.CoreV1().ConfigMaps(CAConfigMapNamespace).Create(context.TODO(), caConfigMap, metav1.CreateOptions{}); err != nil {
+			return fmt.Errorf("error creating ConfigMap %s: %v", CAConfigMapName, err)
+		}
 	}
 
 	secret, err := k8sClient.CoreV1().Secrets(ClientSecretNamespace).Get(context.TODO(), ClientSecretName, metav1.GetOptions{})
-	exists := true
+	exists = true
 	if err != nil {
 		exists = false
 		secret = &v1.Secret{