diff --git a/go.mod b/go.mod
index eb6c811c..3198912d 100644
--- a/go.mod
+++ b/go.mod
@@ -36,7 +36,7 @@ require (
 	k8s.io/client-go v0.20.4
 	k8s.io/component-base v0.20.4
 	k8s.io/gengo v0.0.0-20201113003025-83324d819ded
-	k8s.io/klog/v2 v2.5.0
+	k8s.io/klog/v2 v2.6.0
 	k8s.io/kube-aggregator v0.20.4
 	k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
diff --git a/go.sum b/go.sum
index 1d0de09f..8abae75f 100644
--- a/go.sum
+++ b/go.sum
@@ -1528,8 +1528,8 @@ k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.5.0 h1:8mOnjf1RmUPW6KRqQCfYSZq/K20Unmp3IhuZUhxl8KI=
-k8s.io/klog/v2 v2.5.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
+k8s.io/klog/v2 v2.6.0 h1:c1wFxejFMBkp/VxCdc6kYdgrBkC2gzmcl6afuJAkJyU=
+k8s.io/klog/v2 v2.6.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/kube-aggregator v0.20.4 h1:j/SUwPy1eO+ud3XOUGmH18gISPyerqhXOoNRZDbv3fs=
 k8s.io/kube-aggregator v0.20.4/go.mod h1:0ixQ9De7KXyHteXizS6nVtrnKqGa4kiuxl9rEBsNccw=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c=
diff --git a/internal/oidc/discovery/discovery_handler.go b/internal/oidc/discovery/discovery_handler.go
index 5eb6c481..b45c1042 100644
--- a/internal/oidc/discovery/discovery_handler.go
+++ b/internal/oidc/discovery/discovery_handler.go
@@ -5,6 +5,7 @@
 package discovery
 
 import (
+	"bytes"
 	"encoding/json"
 	"net/http"
 
@@ -40,28 +41,38 @@ type Metadata struct {
 
 // NewHandler returns an http.Handler that serves an OIDC discovery endpoint.
 func NewHandler(issuerURL string) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
+	oidcConfig := Metadata{
+		Issuer:                            issuerURL,
+		AuthorizationEndpoint:             issuerURL + oidc.AuthorizationEndpointPath,
+		TokenEndpoint:                     issuerURL + oidc.TokenEndpointPath,
+		JWKSURI:                           issuerURL + oidc.JWKSEndpointPath,
+		ResponseTypesSupported:            []string{"code"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"ES256"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
+		ScopesSupported:                   []string{"openid", "offline"},
+		ClaimsSupported:                   []string{"groups"},
+	}
 
+	var b bytes.Buffer
+	encodeErr := json.NewEncoder(&b).Encode(&oidcConfig)
+	encodedMetadata := b.Bytes()
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet {
 			http.Error(w, `Method not allowed (try GET)`, http.StatusMethodNotAllowed)
 			return
 		}
 
-		oidcConfig := Metadata{
-			Issuer:                            issuerURL,
-			AuthorizationEndpoint:             issuerURL + oidc.AuthorizationEndpointPath,
-			TokenEndpoint:                     issuerURL + oidc.TokenEndpointPath,
-			JWKSURI:                           issuerURL + oidc.JWKSEndpointPath,
-			ResponseTypesSupported:            []string{"code"},
-			SubjectTypesSupported:             []string{"public"},
-			IDTokenSigningAlgValuesSupported:  []string{"ES256"},
-			TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
-			ScopesSupported:                   []string{"openid", "offline"},
-			ClaimsSupported:                   []string{"groups"},
+		if encodeErr != nil {
+			http.Error(w, encodeErr.Error(), http.StatusInternalServerError)
+			return
 		}
-		if err := json.NewEncoder(w).Encode(&oidcConfig); err != nil {
+
+		w.Header().Set("Content-Type", "application/json")
+		if _, err := w.Write(encodedMetadata); err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
 		}
 	})
 }
diff --git a/test/integration/category_test.go b/test/integration/category_test.go
index e8edc7bd..42d44582 100644
--- a/test/integration/category_test.go
+++ b/test/integration/category_test.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"os/exec"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 
@@ -20,13 +21,21 @@ func TestGetPinnipedCategory(t *testing.T) {
 	t.Run("category, no special params", func(t *testing.T) {
 		var stdOut, stdErr bytes.Buffer
 
-		cmd := exec.Command("kubectl", "get", "pinniped", "-A")
-		cmd.Stdout = &stdOut
-		cmd.Stderr = &stdErr
-		err := cmd.Run()
-		require.NoError(t, err, stdErr.String(), stdOut.String())
+		var err error
+		require.Eventuallyf(t, func() bool {
+			cmd := exec.Command("kubectl", "get", "pinniped", "-A")
+			cmd.Stdout = &stdOut
+			cmd.Stderr = &stdErr
+			err = cmd.Run()
+			return err == nil
+		},
+			60*time.Second,
+			1*time.Second,
+			"never ran 'kubectl get pinniped -A' successfully:\n%s\n\n%s",
+			stdErr.String(),
+			stdOut.String(),
+		)
 		require.Empty(t, stdErr.String())
-
 		require.NotContains(t, stdOut.String(), "MethodNotAllowed")
 		require.Contains(t, stdOut.String(), dotSuffix)
 	})
diff --git a/test/integration/kubeclient_test.go b/test/integration/kubeclient_test.go
index 53826d6e..88edc854 100644
--- a/test/integration/kubeclient_test.go
+++ b/test/integration/kubeclient_test.go
@@ -5,6 +5,7 @@ package integration
 
 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"
 
@@ -74,15 +75,18 @@ func TestKubeClientOwnerRef(t *testing.T) {
 		UID:        parentSecret.UID,
 	}
 
+	snorlaxAPIGroup := fmt.Sprintf("%s.snorlax.dev", library.RandHex(t, 8))
 	parentAPIService, err := regularAggregationClient.ApiregistrationV1().APIServices().Create(
 		ctx,
 		&apiregistrationv1.APIService{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: "v1.snorlax.dev",
+				Name:        "v1." + snorlaxAPIGroup,
+				Labels:      map[string]string{"pinniped.dev/test": ""},
+				Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
 			},
 			Spec: apiregistrationv1.APIServiceSpec{
 				Version:              "v1",
-				Group:                "snorlax.dev",
+				Group:                snorlaxAPIGroup,
 				GroupPriorityMinimum: 10_000,
 				VersionPriority:      500,
 			},
@@ -184,16 +188,19 @@ func TestKubeClientOwnerRef(t *testing.T) {
 	})
 
 	// cluster scoped API service should be owned by the other one we created above
+	pandasAPIGroup := fmt.Sprintf("%s.pandas.dev", library.RandHex(t, 8))
 	apiService, err := ownerRefClient.Aggregation.ApiregistrationV1().APIServices().Create(
 		ctx,
 		&apiregistrationv1.APIService{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:            "v1.pandas.dev",
+				Name:            "v1." + pandasAPIGroup,
 				OwnerReferences: nil, // no owner refs set
+				Labels:          map[string]string{"pinniped.dev/test": ""},
+				Annotations:     map[string]string{"pinniped.dev/testName": t.Name()},
 			},
 			Spec: apiregistrationv1.APIServiceSpec{
 				Version:              "v1",
-				Group:                "pandas.dev",
+				Group:                pandasAPIGroup,
 				GroupPriorityMinimum: 10_000,
 				VersionPriority:      500,
 			},