diff --git a/internal/dynamiccert/provider.go b/internal/dynamiccert/provider.go
index 4e74d118..d5c76847 100644
--- a/internal/dynamiccert/provider.go
+++ b/internal/dynamiccert/provider.go
@@ -55,7 +55,11 @@ type provider struct {
 // NewServingCert returns a Private that is go routine safe.
 // It can only hold key pairs that have IsCA=false.
 func NewServingCert(name string) Private {
-	return &provider{name: name}
+	return struct {
+		Private
+	}{
+		Private: &provider{name: name},
+	}
 }
 
 // NewCA returns a Provider that is go routine safe.
diff --git a/internal/dynamiccert/provider_test.go b/internal/dynamiccert/provider_test.go
index b2d1d168..fce2cd39 100644
--- a/internal/dynamiccert/provider_test.go
+++ b/internal/dynamiccert/provider_test.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
@@ -224,3 +225,19 @@ func poolSubjects(pool *x509.CertPool) [][]byte {
 	}
 	return pool.Subjects()
 }
+
+func TestNewServingCert(t *testing.T) {
+	got := NewServingCert("")
+
+	ok1 := assert.Implements(fakeT{}, (*Private)(nil), got)
+	ok2 := assert.Implements(fakeT{}, (*Public)(nil), got)
+	ok3 := assert.Implements(fakeT{}, (*Provider)(nil), got)
+
+	require.True(t, ok1, "NewServingCert must implement Private")
+	require.False(t, ok2, "NewServingCert must not implement Public")
+	require.False(t, ok3, "NewServingCert must not implement Provider")
+}
+
+type fakeT struct{}
+
+func (fakeT) Errorf(string, ...interface{}) {}
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index a4a514c6..7397f4d0 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
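Review bot: The anonymous-struct wrapper added to NewServingCert is undocumented, and its purpose — returning a value that satisfies Private but cannot be type-asserted to Public or Provider, so a holder of a serving-cert handle cannot reach the CA-side methods — is not obvious from `return struct { Private }{...}`; the existing doc comment only says the result is goroutine safe. I would add, above the return, `// Wrap in an anonymous struct that embeds only Private so the result cannot be type-asserted to Public or Provider (see TestNewServingCert); this is a type-level guard, not a hard boundary.` Because the embedded field is exported (`Private`), the underlying *provider remains reachable via reflection, so this narrows the API surface rather than enforcing isolation, and the comment should say so before someone relies on it for more. NewServingCert is shown whole, but the provider type and its methods lie outside the hunk.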
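Review bot: TestNewServingCert pins the interface shape but not the leak the wrapper most directly prevents — that the concrete type does not escape; if this file is in package dynamiccert (the unqualified `Private`/`Public`/`Provider` suggest it), two lines cover it: `_, isConcrete := got.(*provider)` followed by `require.False(t, isConcrete, "NewServingCert must not expose *provider")`. Passing `fakeT{}` so that only the bool from assert.Implements is used is a sound way to express a negative check, but `fakeT` deserves a comment so nobody "fixes" it into a real *testing.T and turns the expected failures into test failures, e.g. `// fakeT discards assertion failures; TestNewServingCert only consumes the returned bool.` A one-line remark that reflection can still reach the embedded field would keep the test from reading as if the guard were absolute.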
@@ -944,21 +944,17 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
 		}
 
-		pod, err := kubeClient.Pods(namespaceName).Create(ctx, &corev1.Pod{
-			ObjectMeta: metav1.ObjectMeta{
-				GenerateName: "test-impersonation-proxy-",
-			},
-			Spec: corev1.PodSpec{
+		pod := testlib.CreatePod(ctx, t, "impersonation-proxy", namespaceName,
+			corev1.PodSpec{
 				Containers: []corev1.Container{
 					{
-						Name:  "ignored-but-required",
-						Image: "does-not-matter",
+						Name:    "ignored-but-required",
+						Image:   "busybox",
+						Command: []string{"sh", "-c", "sleep 3600"},
 					},
 				},
 				ServiceAccountName: saName,
-			},
-		}, metav1.CreateOptions{})
-		require.NoError(t, err)
+			})
 
 		tokenRequestBadAudience, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
 			Spec: authenticationv1.TokenRequestSpec{
diff --git a/test/integration/whoami_test.go b/test/integration/whoami_test.go
index ffb17db6..fe708613 100644
--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
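Review bot: `Image: "busybox"` is an unpinned, mutable tag (implicitly `busybox:latest`) pulled from a public registry, so the test pod now depends on whatever that tag resolves to on the day the suite runs, where the old `does-not-matter` image was never pulled at all. Pin it to a specific tag or, better, an `@sha256:` digest, and consider sourcing the image from the test environment so mirrored or air-gapped clusters can override it. The container name `ignored-but-required` is now stale, since the container genuinely runs `sleep 3600`; renaming it or commenting why it must run would help the next reader. Whether testlib.CreatePod waits for the pod to be Running and registers cleanup is not visible here, and TestImpersonationProxy starts and ends outside the hunk.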
@@ -164,21 +164,17 @@ func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
 		return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
 	}
 
-	pod, err := kubeClient.Pods(ns.Name).Create(ctx, &corev1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "test-whoami-",
-		},
-		Spec: corev1.PodSpec{
+	pod := testlib.CreatePod(ctx, t, "whoami", ns.Name,
+		corev1.PodSpec{
 			Containers: []corev1.Container{
 				{
-					Name:  "ignored-but-required",
-					Image: "does-not-matter",
+					Name:    "ignored-but-required",
+					Image:   "busybox",
+					Command: []string{"sh", "-c", "sleep 3600"},
 				},
 			},
 			ServiceAccountName: sa.Name,
-		},
-	}, metav1.CreateOptions{})
-	require.NoError(t, err)
+		})
 
 	tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
 		Spec: authenticationv1.TokenRequestSpec{
diff --git a/test/testlib/env.go b/test/testlib/env.go
index ea6834b6..523e2b69 100644
--- a/test/testlib/env.go
+++ b/test/testlib/env.go
@@ -142,8 +142,8 @@ func IntegrationEnv(t *testing.T) *TestEnv {
 	memoizedTestEnvsByTest.Store(t, &result)
 
 	// In every integration test, assert that no pods in our namespaces restart during the test.
-	assertNoRestartsDuringTest(t, result.ConciergeNamespace, "")
-	assertNoRestartsDuringTest(t, result.SupervisorNamespace, "")
+	assertNoRestartsDuringTest(t, result.ConciergeNamespace, "!pinniped.dev/test")
+	assertNoRestartsDuringTest(t, result.SupervisorNamespace, "!pinniped.dev/test")
 
 	return &result
 }
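Review bot: The container name `ignored-but-required` no longer describes the new lines — the pod now actually runs `busybox` with `sleep 3600`, presumably so the TokenRequest below can be bound to a live pod — so I would either rename it or add `// the pod must really run so a TokenRequest can be bound to it — TODO confirm` above the spec. As in the impersonation-proxy hunk, `busybox` is an unpinned tag and should be pinned to a tag or digest. `sleep 3600` hard-codes an hour of pod lifetime; that is fine if testlib.CreatePod registers a t.Cleanup (not shown), otherwise the pod outlives the test. TestWhoAmI_ServiceAccount_TokenRequest starts and ends outside the hunk.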
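Review bot: The new selector `"!pinniped.dev/test"` silently exempts every pod carrying that label in the Concierge and Supervisor namespaces from the no-restart assertion, and nothing in the hunk says who applies the label (presumably testlib.CreatePod, which is not shown). Extend the existing comment so the exemption is explicit: `// Pods the tests create themselves carry the pinniped.dev/test label and are excluded, since they are expected to come and go.` It is worth noting alongside it that anything else labelled this way in those namespaces would also escape restart detection, so the label must stay reserved for test-created pods. IntegrationEnv starts outside the hunk.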