diff --git a/services/vault/k8s-auth-config-cronjob.yaml b/services/vault/k8s-auth-config-cronjob.yaml
index be7f97a..f0b623d 100644
--- a/services/vault/k8s-auth-config-cronjob.yaml
+++ b/services/vault/k8s-auth-config-cronjob.yaml
@@ -41,10 +41,14 @@ spec:
 key: root_token
 - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
 value: /var/run/secrets/vault-token-reviewer/token
- - name: VAULT_K8S_ROLE_TTL
- value: 1h
- - name: VAULT_K8S_BOUND_AUDIENCES
- value: https://kubernetes.default.svc.cluster.local,k3s
+ - name: VAULT_K8S_ROLE_TTL
+ value: 1h
+ - name: VAULT_K8S_BOUND_AUDIENCES
+ value: https://kubernetes.default.svc.cluster.local,k3s
+ - name: VAULT_K8S_ISSUER
+ value: https://kubernetes.default.svc.cluster.local
+ - name: VAULT_K8S_DISABLE_ISS_VALIDATION
+ value: "false"
 volumeMounts:
 - name: k8s-auth-config-script
 mountPath: /scripts
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index ae573f2..acd98e8 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -53,6 +53,8 @@ ensure_token
 k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
 k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
 k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+k8s_issuer="${VAULT_K8S_ISSUER:-}"
+disable_iss_validation="${VAULT_K8S_DISABLE_ISS_VALIDATION:-true}"
 role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"
 token_reviewer_jwt="${VAULT_K8S_TOKEN_REVIEWER_JWT:-}"
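Review bot: `VAULT_K8S_ISSUER` is hard-coded to `https://kubernetes.default.svc.cluster.local` while `VAULT_K8S_DISABLE_ISS_VALIDATION` is `"false"`, so if this cluster's service-account token issuer differs (the `k3s` entry in `VAULT_K8S_BOUND_AUDIENCES` suggests a non-vanilla distribution) every Kubernetes-auth login will be rejected with no hint in this manifest why. Cross-check the value against the issuer the API server reports at `/.well-known/openid-configuration` and record that in a comment above the entry, e.g. `# must match the cluster's service-account issuer; Vault rejects logins on mismatch while validation is on`. Keeping `"false"` quoted is right, since env values must be strings. The `VAULT_K8S_ROLE_TTL` and `VAULT_K8S_BOUND_AUDIENCES` lines are removed and re-added with identical text, which looks like an indentation-only change that the collapsed rendering hides; if so it is worth separating from the functional change for reviewability.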
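Review bot: `disable_iss_validation="${VAULT_K8S_DISABLE_ISS_VALIDATION:-true}"` defaults to the permissive setting, so a deployment that sets `VAULT_K8S_ISSUER` but forgets the companion variable writes an issuer into Vault that is never enforced, which is easy to misread as "validation is on". Since the issuer is only sent when explicitly supplied, the safer coupling is to enforce it in that case by default: `disable_iss_validation="${VAULT_K8S_DISABLE_ISS_VALIDATION:-false}"`. If the intent is to match Vault's own default for this field (which I believe is `true` in current releases, where `issuer` is deprecated in favour of the TokenReview path), say so in a comment on this line so the next reader does not flip it. The assignment run continues outside the hunk.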
@@ -83,10 +85,19 @@ path \"auth/kubernetes/login\" {
 }
 log "configuring kubernetes auth"
-vault_cmd write auth/kubernetes/config \
- token_reviewer_jwt="${token_reviewer_jwt}" \
- kubernetes_host="${k8s_host}" \
- kubernetes_ca_cert="${k8s_ca}"
+if [ -n "${k8s_issuer}" ]; then
+ vault_cmd write auth/kubernetes/config \
+ token_reviewer_jwt="${token_reviewer_jwt}" \
+ kubernetes_host="${k8s_host}" \
+ kubernetes_ca_cert="${k8s_ca}" \
+ issuer="${k8s_issuer}" \
+ disable_iss_validation="${disable_iss_validation}"
+else
+ vault_cmd write auth/kubernetes/config \
+ token_reviewer_jwt="${token_reviewer_jwt}" \
+ kubernetes_host="${k8s_host}" \
+ kubernetes_ca_cert="${k8s_ca}"
+fi
 ensure_default_policy_login
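Review bot: The two branches of the new `if [ -n "${k8s_issuer}" ]` repeat the whole `vault_cmd write auth/kubernetes/config` invocation and differ only in the two trailing arguments, so any future change to the shared arguments (for example the token reviewer JWT or CA handling) has to be made twice and can silently diverge. Building the argument list once and appending the issuer pair conditionally keeps a single write call; the version below uses a bash array, and if the script runs under plain `sh` the same shape works with `set --` and `"$@"`. `vault_cmd`, `log` and `ensure_default_policy_login` are defined outside the hunk.

```shell
log "configuring kubernetes auth"
config_args=(
  token_reviewer_jwt="${token_reviewer_jwt}"
  kubernetes_host="${k8s_host}"
  kubernetes_ca_cert="${k8s_ca}"
)
# issuer checking is only configured when an issuer was explicitly supplied
if [ -n "${k8s_issuer}" ]; then
  config_args+=(issuer="${k8s_issuer}" disable_iss_validation="${disable_iss_validation}")
fi
vault_cmd write auth/kubernetes/config "${config_args[@]}"
# … unchanged: ensure_default_policy_login …
```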