diff --git a/pkg/spoke/hubclientcert/controller.go b/pkg/spoke/hubclientcert/controller.go
index 5e43ecd46..e75ee5b7a 100644
--- a/pkg/spoke/hubclientcert/controller.go
+++ b/pkg/spoke/hubclientcert/controller.go
@@ -103,17 +103,23 @@ func NewClientCertForHubController(
 	}
 
 	return factory.New().
-		WithInformersQueueKeyFunc(func(obj runtime.Object) string {
-			accessor, err := meta.Accessor(obj)
-			if err != nil {
-				return irrelevantSecretKey
-			}
-			// we want to only care about the hub kubeconfig secret, others are irrelevant
-			if accessor.GetNamespace() == hubKubeconfigSecretNamespace && accessor.GetName() == kubeconfigSecretName {
+		WithFilteredEventsInformersQueueKeyFunc(
+			func(obj runtime.Object) string {
+				accessor, _ := meta.Accessor(obj)
 				return accessor.GetName()
-			}
-			return irrelevantSecretKey
-		}, spokeSecretInformer.Informer()).
+			},
+			func(obj interface{}) bool {
+				accessor, err := meta.Accessor(obj)
+				if err != nil {
+					return false
+				}
+				// only enqueue when hub kubeconfig secret is changed
+				if accessor.GetNamespace() == hubKubeconfigSecretNamespace && accessor.GetName() == kubeconfigSecretName {
+					return true
+				}
+				return false
+			},
+			spokeSecretInformer.Informer()).
 		WithInformers(hubCSRInformer.Informer()).
 		WithSync(c.sync).
 		ResyncEvery(ControllerSyncInterval).
@@ -121,16 +127,6 @@ func NewClientCertForHubController(
 }
 
 func (c *ClientCertForHubController) sync(ctx context.Context, syncCtx factory.SyncContext) error {
-	// there are three cases for the quequeKey
-	// 1. queueKey equals irrelevantSecretKey, this key is the result of other secret changes on managed cluster, ignore it
-	// 2. queueKey equals hub kubeconfig secret name, this key is the result of the hub kubeconfig secret changes on managed
-	//    cluster, reconcile the secret
-	// 3. queueKey equals defautl queue key value ("key"), this key is the result of the csr changes on hub, we need
-	//    reconcile the hub kubeconfig secret
-	queueKey := syncCtx.QueueKey()
-	if queueKey == irrelevantSecretKey {
-		return nil
-	}
 	// get hubKubeconfigSecret
 	secret, err := c.spokeCoreClient.Secrets(c.hubKubeconfigSecretNamespace).Get(ctx, c.hubKubeconfigSecretName, metav1.GetOptions{})
 	switch {
diff --git a/pkg/spoke/hubclientcert/secret_controller.go b/pkg/spoke/hubclientcert/secret_controller.go
index f5673dd8a..0e9bb2c7d 100644
--- a/pkg/spoke/hubclientcert/secret_controller.go
+++ b/pkg/spoke/hubclientcert/secret_controller.go
@@ -47,16 +47,21 @@ func NewHubKubeconfigSecretController(
 	}
 
 	return factory.New().
-		WithInformersQueueKeyFunc(
+		WithFilteredEventsInformersQueueKeyFunc(
 			func(obj runtime.Object) string {
+				accessor, _ := meta.Accessor(obj)
+				return accessor.GetName()
+			},
+			func(obj interface{}) bool {
 				accessor, err := meta.Accessor(obj)
 				if err != nil {
-					return ""
+					return false
 				}
+				// only enqueue when hub kubeconfig secret is changed
 				if accessor.GetNamespace() == hubKubeconfigSecretNamespace && accessor.GetName() == hubKubeconfigSecretName {
-					return accessor.GetName()
+					return true
 				}
-				return ""
+				return false
 			}, spokeSecretInformer.Informer()).
 		WithSync(s.sync).
 		ResyncEvery(5*time.Minute).
@@ -64,10 +69,6 @@ func NewHubKubeconfigSecretController(
 }
 
 func (s *hubKubeconfigSecretController) sync(ctx context.Context, syncCtx factory.SyncContext) error {
-	queueKey := syncCtx.QueueKey()
-	if queueKey == "" {
-		return nil
-	}
 	klog.V(4).Infof("Reconciling Hub KubeConfig secret %q", s.hubKubeconfigSecretName)
 	secret, err := s.spokeCoreClient.Secrets(s.hubKubeconfigSecretNamespace).Get(ctx, s.hubKubeconfigSecretName, metav1.GetOptions{})
 	if errors.IsNotFound(err) {