diff --git a/test/cluster_capabilities/aks.yaml b/test/cluster_capabilities/aks.yaml
index 2a944bda..8bdfa98e 100644
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@@ -1,6 +1,9 @@
 # Copyright 2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+# The name of the cluster type.
+kubernetesDistribution: AKS
+
 # Describe the capabilities of the cluster against which the integration tests will run.
 capabilities:
 
diff --git a/test/cluster_capabilities/eks.yaml b/test/cluster_capabilities/eks.yaml
index 9bce553d..304922f8 100644
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@@ -1,6 +1,9 @@
 # Copyright 2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+# The name of the cluster type.
+kubernetesDistribution: EKS
+
 # Describe the capabilities of the cluster against which the integration tests will run.
 capabilities:
 
diff --git a/test/cluster_capabilities/gke.yaml b/test/cluster_capabilities/gke.yaml
index 080cec4a..a1247788 100644
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@@ -1,6 +1,9 @@
 # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+# The name of the cluster type.
+kubernetesDistribution: GKE
+
 # Describe the capabilities of the cluster against which the integration tests will run.
 capabilities:
 
diff --git a/test/cluster_capabilities/kind.yaml b/test/cluster_capabilities/kind.yaml
index 92759ed9..485ba506 100644
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@@ -1,6 +1,9 @@
 # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+# The name of the cluster type.
+kubernetesDistribution: Kind
+
 # Describe the capabilities of the cluster against which the integration tests will run.
 capabilities:
 
diff --git a/test/cluster_capabilities/tkgs.yaml b/test/cluster_capabilities/tkgs.yaml
index 4c7d05ba..86220291 100644
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@@ -1,6 +1,9 @@
 # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+# The name of the cluster type.
+kubernetesDistribution: TKGS
+
 # Describe the capabilities of the cluster against which the integration tests will run.
 capabilities:
 
@@ -15,4 +18,4 @@ capabilities:
   anonymousAuthenticationSupported: true
 
   # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
-  canReachInternetLDAPPorts: false
+  canReachInternetLDAPPorts: true
diff --git a/test/integration/ldap_client_test.go b/test/integration/ldap_client_test.go
index 0b41d00d..99a6b7fb 100644
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@@ -25,7 +25,11 @@ import (
 )
 
 func TestLDAPSearch(t *testing.T) {
-	env := testlib.IntegrationEnv(t)
+	// This test does not interact with Kubernetes itself. It is a test of our LDAP client code, and only interacts
+	// with our test OpenLDAP server, which is exposed directly to this test via kubectl port-forward.
+	// Theoretically we should always be able to run this test, but something about the kubectl port forwarding
+	// was very flaky on AKS, so we'll get the coverage by only running it on kind.
+	env := testlib.IntegrationEnv(t).WithKubeDistribution(testlib.KindDistro)
 
 	// Note that these tests depend on the values hard-coded in the LDIF file in test/deploy/tools/ldap.yaml.
 	// It requires the test LDAP server from the tools deployment.
@@ -613,7 +617,11 @@ func TestLDAPSearch(t *testing.T) {
 }
 
 func TestSimultaneousLDAPRequestsOnSingleProvider(t *testing.T) {
-	env := testlib.IntegrationEnv(t)
+	// This test does not interact with Kubernetes itself. It is a test of our LDAP client code, and only interacts
+	// with our test OpenLDAP server, which is exposed directly to this test via kubectl port-forward.
+	// Theoretically we should always be able to run this test, but something about the kubectl port forwarding
+	// was very flaky on AKS, so we'll get the coverage by only running it on kind.
+	env := testlib.IntegrationEnv(t).WithKubeDistribution(testlib.KindDistro)
 
 	// Note that these tests depend on the values hard-coded in the LDIF file in test/deploy/tools/ldap.yaml.
 	// It requires the test LDAP server from the tools deployment.
diff --git a/test/testlib/env.go b/test/testlib/env.go
index 3ff75f03..ea6834b6 100644
--- a/test/testlib/env.go
+++ b/test/testlib/env.go
@@ -19,12 +19,19 @@ import (
 )
 
 type Capability string
+type KubeDistro string
 
 const (
 	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
 	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
 	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"
+
+	KindDistro KubeDistro = "Kind"
+	GKEDistro  KubeDistro = "GKE"
+	AKSDistro  KubeDistro = "AKS"
+	EKSDistro  KubeDistro = "EKS"
+	TKGSDistro KubeDistro = "TKGS"
 )
 
 // TestEnv captures all the external parameters consumed by our integration tests.
@@ -38,6 +45,7 @@ type TestEnv struct {
 	SupervisorAppName              string                               `json:"supervisorAppName"`
 	SupervisorCustomLabels         map[string]string                    `json:"supervisorCustomLabels"`
 	ConciergeCustomLabels          map[string]string                    `json:"conciergeCustomLabels"`
+	KubernetesDistribution         KubeDistro                           `json:"kubernetesDistribution"`
 	Capabilities                   map[Capability]bool                  `json:"capabilities"`
 	TestWebhook                    auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
 	SupervisorHTTPAddress          string                               `json:"supervisorHttpAddress"`
@@ -285,3 +293,16 @@ func (e *TestEnv) WithoutCapability(cap Capability) *TestEnv {
 	}
 	return e
 }
+
+// WithKubeDistribution skips the test unless it will run on the expected cluster type.
+// Please use this sparingly. We would prefer that a test run on every cluster type where it can possibly run, so
+// prefer to run everywhere when possible or use cluster capabilities when needed, rather than looking at the
+// type of cluster to decide to skip a test. However, there are some tests that do not depend on or interact with
+// Kubernetes itself which really only need to run on on a single platform to give us the coverage that we desire.
+func (e *TestEnv) WithKubeDistribution(distro KubeDistro) *TestEnv {
+	e.t.Helper()
+	if e.KubernetesDistribution != distro {
+		e.t.Skipf("skipping integration test because test environment is running %q but this test wants %q", e.KubernetesDistribution, distro)
+	}
+	return e
+}