diff --git a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh index 8211bcce83..926d1698b5 100755 --- a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh +++ b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh @@ -77,7 +77,7 @@ function featureFlag() { } set +x -SCC_CHECK=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get pod ${LAGOON_BUILD_NAME} -o json | jq -r '.metadata.annotations."openshift.io/scc" // false') +SCC_CHECK=$(kubectl -n ${NAMESPACE} get pod ${LAGOON_BUILD_NAME} -o json | jq -r '.metadata.annotations."openshift.io/scc" // false') set -x function patchBuildStep() { @@ -104,7 +104,7 @@ function patchBuildStep() { # patch the buildpod with the buildstep if [ "${SCC_CHECK}" == false ]; then - kubectl patch --insecure-skip-tls-verify -n ${4} pod ${LAGOON_BUILD_NAME} \ + kubectl patch -n ${4} pod ${LAGOON_BUILD_NAME} \ -p "{\"metadata\":{\"labels\":{\"lagoon.sh/buildStep\":\"${5}\"}}}" # tiny sleep to allow patch to complete before logs roll again 
@@ -127,21 +127,21 @@ set -x set +x echo "Updating lagoon-yaml configmap with a pre-deploy version of the .lagoon.yml file" -if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then +if kubectl -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then # replace it # if the environment has already been deployed with an existing configmap that had the file in the key `.lagoon.yml` # just nuke the entire configmap and replace it with our new key and file - LAGOON_YML_CM=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml -o json) + LAGOON_YML_CM=$(kubectl -n ${NAMESPACE} get configmap lagoon-yaml -o json) if [ "$(echo ${LAGOON_YML_CM} | jq -r '.data.".lagoon.yml" // false')" == "false" ]; then # if the key doesn't exist, then just update the pre-deploy yaml only - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."pre-deploy" = $add' | kubectl apply -f - + kubectl -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."pre-deploy" = $add' | kubectl apply -f - else # if the key does exist, then nuke it and put the new key - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml -o yaml --dry-run=client | kubectl replace -f - + kubectl -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml -o yaml --dry-run=client | kubectl replace -f - fi else # create it - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml + kubectl -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml fi set -x 
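Review bot: The existence check `if kubectl -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null` still discards stderr, so with certificate verification now enforced a TLS or authentication failure looks the same as "configmap not found" and the script takes the create branch. Separating the two cases would make a real error fatal: `LAGOON_YAML_CM=$(kubectl -n "${NAMESPACE}" get configmap lagoon-yaml --ignore-not-found -o name) || exit 1` followed by `if [ -n "${LAGOON_YAML_CM}" ]; then`. The same `&> /dev/null` pattern is in the service lookups of the -334/-372/-410 hunks, the `baas-repo-pw` check, the post-deploy `lagoon-yaml` check, and the checks in build-deploy.sh, exec-generate-insights-configmap.sh and exec-routes-generation.sh.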
@@ -334,7 +334,7 @@ do if [ "$SERVICE_TYPE" == "mariadb" ]; then # if there is already a service existing with the service_name we assume that for this project there has been a # mariadb-single deployed (probably from the past where there was no mariadb-shared yet, or mariadb-dbaas) and use that one - if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then + if kubectl -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then SERVICE_TYPE="mariadb-single" elif checkDBaaSHealth; then # check if the dbaas operator responds to a health check @@ -372,7 +372,7 @@ do if [ "$SERVICE_TYPE" == "postgres" ]; then # if there is already a service existing with the service_name we assume that for this project there has been a # postgres-single deployed (probably from the past where there was no postgres-shared yet, or postgres-dbaas) and use that one - if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then + if kubectl -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then SERVICE_TYPE="postgres-single" elif checkDBaaSHealth; then # check if the dbaas operator responds to a health check @@ -410,7 +410,7 @@ do if [ "$SERVICE_TYPE" == "mongo" ]; then # if there is already a service existing with the service_name we assume that for this project there has been a # mongodb-single deployed (probably from the past where there was no mongodb-shared yet, or mongodb-dbaas) and use that one - if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then + if kubectl -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then SERVICE_TYPE="mongodb-single" elif checkDBaaSHealth; then # check if the dbaas operator responds to a health check 
@@ -499,7 +499,7 @@ set -x ############################################## LAGOON_CACHE_BUILD_ARGS=() -readarray LAGOON_CACHE_BUILD_ARGS < <(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get deployments -o yaml -l 'lagoon.sh/service' | yq e '.items[].spec.template.spec.containers[].image | capture("^(?P.+\/.+\/.+\/(?P.+)\@.*)$") | "LAGOON_CACHE_" + .name + "=" + .image' -) +readarray LAGOON_CACHE_BUILD_ARGS < <(kubectl -n ${NAMESPACE} get deployments -o yaml -l 'lagoon.sh/service' | yq e '.items[].spec.template.spec.containers[].image | capture("^(?P.+\/.+\/.+\/(?P.+)\@.*)$") | "LAGOON_CACHE_" + .name + "=" + .image' -) @@ -1099,7 +1099,7 @@ if [[ "${CAPABILITIES[@]}" =~ "backup.appuio.ch/v1alpha1/Schedule" ]]; then HELM_CUSTOM_BAAS_BACKUP_SECRET_KEY=${BAAS_CUSTOM_BACKUP_SECRET_KEY} else set +x - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} delete secret baas-custom-backup-credentials --ignore-not-found + kubectl -n ${NAMESPACE} delete secret baas-custom-backup-credentials --ignore-not-found set -x fi fi 
@@ -1116,15 +1116,15 @@ if [[ "${CAPABILITIES[@]}" =~ "backup.appuio.ch/v1alpha1/Schedule" ]]; then HELM_CUSTOM_BAAS_RESTORE_SECRET_KEY=${BAAS_CUSTOM_RESTORE_SECRET_KEY} else set +x - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} delete secret baas-custom-restore-credentials --ignore-not-found + kubectl -n ${NAMESPACE} delete secret baas-custom-restore-credentials --ignore-not-found set -x fi fi - if ! kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get secret baas-repo-pw &> /dev/null; then + if ! kubectl -n ${NAMESPACE} get secret baas-repo-pw &> /dev/null; then # Create baas-repo-pw secret based on the project secret set +x - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create secret generic baas-repo-pw --from-literal=repo-pw=$(echo -n "$PROJECT_SECRET-BAAS-REPO-PW" | sha256sum | cut -d " " -f 1) + kubectl -n ${NAMESPACE} create secret generic baas-repo-pw --from-literal=repo-pw=$(echo -n "$PROJECT_SECRET-BAAS-REPO-PW" | sha256sum | cut -d " " -f 1) set -x fi @@ -1239,7 +1239,7 @@ set -x if [ "$(ls -A $YAML_FOLDER/)" ]; then find $YAML_FOLDER -type f -exec cat {} \; - kubectl apply --insecure-skip-tls-verify -n ${NAMESPACE} -f $YAML_FOLDER/ + kubectl apply -n ${NAMESPACE} -f $YAML_FOLDER/ fi set +x @@ -1298,7 +1298,7 @@ if [ ! -z "$LAGOON_PROJECT_VARIABLES" ]; then HAS_PROJECT_RUNTIME_VARS=$(echo $LAGOON_PROJECT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") )') if [ ! "$HAS_PROJECT_RUNTIME_VARS" = "[]" ]; then - kubectl patch --insecure-skip-tls-verify \ + kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":$(echo $LAGOON_PROJECT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") ) | map( { (.name) : .value } ) | add | tostring')}" 
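Review bot: In the `baas-repo-pw` branch of the -1116 hunk the derived password is still passed as `--from-literal=repo-pw=$(...)`, which puts the secret value on kubectl's command line where other processes in the build pod can read it from the process list; the surrounding `set +x` only keeps it out of the trace. Reading the value from stdin should avoid that: `echo -n "$PROJECT_SECRET-BAAS-REPO-PW" | sha256sum | cut -d " " -f 1 | tr -d '\n' | kubectl -n "${NAMESPACE}" create secret generic baas-repo-pw --from-file=repo-pw=/dev/stdin`. The `tr -d '\n'` keeps the stored value identical to what the command substitution produced.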
@@ -1308,7 +1308,7 @@ if [ ! -z "$LAGOON_ENVIRONMENT_VARIABLES" ]; then HAS_ENVIRONMENT_RUNTIME_VARS=$(echo $LAGOON_ENVIRONMENT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") )') if [ ! "$HAS_ENVIRONMENT_RUNTIME_VARS" = "[]" ]; then - kubectl patch --insecure-skip-tls-verify \ + kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":$(echo $LAGOON_ENVIRONMENT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") ) | map( { (.name) : .value } ) | add | tostring')}" @@ -1317,7 +1317,7 @@ fi set -x if [ "$BUILD_TYPE" == "pullrequest" ]; then - kubectl patch --insecure-skip-tls-verify \ + kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":{\"LAGOON_PR_HEAD_BRANCH\":\"${PR_HEAD_BRANCH}\", \"LAGOON_PR_BASE_BRANCH\":\"${PR_BASE_BRANCH}\", \"LAGOON_PR_TITLE\":$(echo $PR_TITLE | jq -R)}}" @@ -1357,7 +1357,7 @@ done ### REDEPLOY DEPLOYMENTS IF CONFIG MAP CHANGES ############################################## -CONFIG_MAP_SHA=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-env -o yaml | shyaml get-value data | sha256sum | awk '{print $1}') +CONFIG_MAP_SHA=$(kubectl -n ${NAMESPACE} get configmap lagoon-env -o yaml | shyaml get-value data | sha256sum | awk '{print $1}') # write the configmap to the values file so when we `exec-kubectl-resources-with-images.sh` the deployments will get the value of the config map # which will cause a change in the deployment and trigger a rollout if only the configmap has changed yq3 write -i -- /kubectl-build-deploy/values.yaml 'configMapSha' $CONFIG_MAP_SHA @@ -1580,7 +1580,7 @@ if [ "$(ls -A $YAML_FOLDER/)" ]; then fi find $YAML_FOLDER -type f -exec cat {} \; - kubectl apply --insecure-skip-tls-verify -n ${NAMESPACE} -f $YAML_FOLDER/ + kubectl apply -n ${NAMESPACE} -f $YAML_FOLDER/ fi set -x 
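Review bot: The pull-request patch in the -1317 hunk interpolates `${PR_HEAD_BRANCH}` and `${PR_BASE_BRANCH}` directly into the JSON string, while only `PR_TITLE` goes through `jq -R`; a branch name containing `"` or `\` would produce invalid JSON or add extra keys to `lagoon-env`. Building the whole document in jq escapes all three values: `-p "$(jq -cn --arg h "$PR_HEAD_BRANCH" --arg b "$PR_BASE_BRANCH" --arg t "$PR_TITLE" '{data:{LAGOON_PR_HEAD_BRANCH:$h,LAGOON_PR_BASE_BRANCH:$b,LAGOON_PR_TITLE:$t}}')"`. The dbaas scripts later in this diff build their `lagoon-env` patch from `${DB_PASSWORD}` and the other consumer fields by the same string interpolation.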
@@ -1644,7 +1644,7 @@ do continue else #echo "Single cron missing: ${SINGLE_NATIVE_CRONJOB}" - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} delete cronjob ${SINGLE_NATIVE_CRONJOB} + kubectl -n ${NAMESPACE} delete cronjob ${SINGLE_NATIVE_CRONJOB} fi done @@ -1696,12 +1696,12 @@ set -x set +x echo "Updating lagoon-yaml configmap with a post-deploy version of the .lagoon.yml file" -if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then +if kubectl -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then # replace it, no need to check if the key is different, as that will happen in the pre-deploy phase - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."post-deploy" = $add' | kubectl apply -f - + kubectl -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."post-deploy" = $add' | kubectl apply -f - else # create it - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-yaml --from-file=post-deploy=.lagoon.yml + kubectl -n ${NAMESPACE} create configmap lagoon-yaml --from-file=post-deploy=.lagoon.yml fi set -x diff --git a/images/kubectl-build-deploy-dind/build-deploy.sh b/images/kubectl-build-deploy-dind/build-deploy.sh index 05d1b4169c..292924c705 100755 --- a/images/kubectl-build-deploy-dind/build-deploy.sh +++ b/images/kubectl-build-deploy-dind/build-deploy.sh 
@@ -54,14 +54,14 @@ set +x # reduce noise in build logs DEPLOYER_TOKEN=$(cat /var/run/secrets/lagoon/deployer/token) kubectl config set-credentials lagoon/kubernetes.default.svc --token="${DEPLOYER_TOKEN}" -kubectl config set-cluster kubernetes.default.svc --insecure-skip-tls-verify=true --server=https://kubernetes.default.svc +kubectl config set-cluster kubernetes.default.svc --server=https://kubernetes.default.svc --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt kubectl config set-context default/lagoon/kubernetes.default.svc --user=lagoon/kubernetes.default.svc --namespace="${NAMESPACE}" --cluster=kubernetes.default.svc kubectl config use-context default/lagoon/kubernetes.default.svc if [ ! -z ${INTERNAL_REGISTRY_URL} ] && [ ! -z ${INTERNAL_REGISTRY_USERNAME} ] && [ ! -z ${INTERNAL_REGISTRY_PASSWORD} ] ; then echo "docker login -u '${INTERNAL_REGISTRY_USERNAME}' -p '${INTERNAL_REGISTRY_PASSWORD}' ${INTERNAL_REGISTRY_URL}" | /bin/bash # create lagoon-internal-registry-secret if it does not exist yet - if ! kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get secret lagoon-internal-registry-secret &> /dev/null; then + if ! kubectl -n ${NAMESPACE} get secret lagoon-internal-registry-secret &> /dev/null; then kubectl create secret docker-registry lagoon-internal-registry-secret --docker-server=${INTERNAL_REGISTRY_URL} --docker-username=${INTERNAL_REGISTRY_USERNAME} --docker-password=${INTERNAL_REGISTRY_PASSWORD} --dry-run -o yaml | kubectl apply -f - fi REGISTRY_SECRETS+=("lagoon-internal-registry-secret") diff --git a/images/kubectl-build-deploy-dind/scripts/exec-generate-insights-configmap.sh b/images/kubectl-build-deploy-dind/scripts/exec-generate-insights-configmap.sh index 369a9932eb..b4f9ca0e4a 100755 --- a/images/kubectl-build-deploy-dind/scripts/exec-generate-insights-configmap.sh +++ b/images/kubectl-build-deploy-dind/scripts/exec-generate-insights-configmap.sh 
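Review bot: Nothing checks that the file named in `--certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt` exists; the token above comes from a different mount, `/var/run/secrets/lagoon/deployer/token`, so the default service-account mount is presumably assumed to be present in the build pod. If it is not, every later kubectl call fails verification, and many of them discard stderr. A guard before `set-cluster` would fail early with a clear message: `[ -r /run/secrets/kubernetes.io/serviceaccount/ca.crt ] || { echo "cluster CA bundle not mounted" >&2; exit 1; }`.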
@@ -18,20 +18,20 @@ processImageInspect() { set -x # If lagoon-insights-image-inpsect-[IMAGE] configmap already exists then we need to update, else create new - if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap $IMAGE_INSPECT_CONFIGMAP &> /dev/null; then - kubectl --insecure-skip-tls-verify \ + if kubectl -n ${NAMESPACE} get configmap $IMAGE_INSPECT_CONFIGMAP &> /dev/null; then + kubectl \ -n ${NAMESPACE} \ create configmap $IMAGE_INSPECT_CONFIGMAP \ --from-file=${IMAGE_INSPECT_OUTPUT_FILE} \ -o json \ --dry-run=client | kubectl replace -f - else - kubectl --insecure-skip-tls-verify \ + kubectl \ -n ${NAMESPACE} \ create configmap ${IMAGE_INSPECT_CONFIGMAP} \ --from-file=${IMAGE_INSPECT_OUTPUT_FILE} fi - kubectl --insecure-skip-tls-verify \ + kubectl \ -n ${NAMESPACE} \ label configmap ${IMAGE_INSPECT_CONFIGMAP} \ lagoon.sh/insightsProcessed- \ @@ -64,8 +64,8 @@ processSbom() { set -x # If lagoon-insights-sbom-[IMAGE] configmap already exists then we need to update, else create new - if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap $SBOM_CONFIGMAP &> /dev/null; then - kubectl --insecure-skip-tls-verify \ + if kubectl -n ${NAMESPACE} get configmap $SBOM_CONFIGMAP &> /dev/null; then + kubectl \ -n ${NAMESPACE} \ create configmap $SBOM_CONFIGMAP \ --from-file=${SBOM_OUTPUT_FILE} \ @@ -73,12 +73,12 @@ processSbom() { --dry-run=client | kubectl replace -f - else # Create configmap and add label (#have to add label separately: https://github.com/kubernetes/kubernetes/issues/60295) - kubectl --insecure-skip-tls-verify \ + kubectl \ -n ${NAMESPACE} \ create configmap ${SBOM_CONFIGMAP} \ --from-file=${SBOM_OUTPUT_FILE} fi - kubectl --insecure-skip-tls-verify \ + kubectl \ -n ${NAMESPACE} \ label configmap ${SBOM_CONFIGMAP} \ lagoon.sh/insightsProcessed- \ 
diff --git a/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mariadb-dbaas.sh b/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mariadb-dbaas.sh index 114d2d4051..30dae3d91d 100644 --- a/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mariadb-dbaas.sh +++ b/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mariadb-dbaas.sh @@ -5,7 +5,7 @@ OPERATOR_COUNTER=1 OPERATOR_TIMEOUT=180 # use the secret name from the consumer to prevent credential clash -until kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database +until kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database do if [ $OPERATOR_COUNTER -lt $OPERATOR_TIMEOUT ]; then let SERVICE_BROKER_COUNTER=SERVICE_BROKER_COUNTER+1 
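Review bot: The `until` loop's timeout never advances in the visible lines: the guard tests `$OPERATOR_COUNTER -lt $OPERATOR_TIMEOUT` but the body increments `SERVICE_BROKER_COUNTER`. A kubectl call that keeps failing, for example on the certificate verification this change turns on, would therefore appear to loop forever. The mongodb script increments the right variable; here the line should be `let OPERATOR_COUNTER=OPERATOR_COUNTER+1`. exec-kubectl-postgres-dbaas.sh carries the same line in its -5,7 hunk, and the rest of the loop body is outside the hunk.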
@@ -18,26 +18,26 @@ fi done set +x # Grab the details from the consumer spec -DB_HOST=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary) -DB_USER=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username) -DB_PASSWORD=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password) -DB_NAME=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database) -DB_PORT=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port) +DB_HOST=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary) +DB_USER=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username) +DB_PASSWORD=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password) +DB_NAME=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database) +DB_PORT=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port) # Add credentials to our configmap, prefixed with the name of the servicename of this servicebroker -kubectl patch --insecure-skip-tls-verify \ +kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_HOST\":\"${DB_HOST}\", \"${SERVICE_NAME_UPPERCASE}_USERNAME\":\"${DB_USER}\", \"${SERVICE_NAME_UPPERCASE}_PASSWORD\":\"${DB_PASSWORD}\", \"${SERVICE_NAME_UPPERCASE}_DATABASE\":\"${DB_NAME}\", \"${SERVICE_NAME_UPPERCASE}_PORT\":\"${DB_PORT}\"}}" # only add the DB_READREPLICA_HOSTS variable if it exists in 
the consumer spec # since the operator can support multiple replica hosts being defined, we should comma seperate them here -if DB_READREPLICA_HOSTS=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.replicas); then +if DB_READREPLICA_HOSTS=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.replicas); then DB_READREPLICA_HOSTS=$(echo $DB_READREPLICA_HOSTS | cut -c 3- | rev | cut -c 1- | rev | sed 's/^\|$//g' | paste -sd, -) - kubectl patch --insecure-skip-tls-verify \ + kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_READREPLICA_HOSTS\":\"${DB_READREPLICA_HOSTS}\"}}" fi -set -x \ No newline at end of file +set -x diff --git a/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mongodb-dbaas.sh b/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mongodb-dbaas.sh index 85b7a21335..1c5a44d747 100644 --- a/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mongodb-dbaas.sh +++ b/images/kubectl-build-deploy-dind/scripts/exec-kubectl-mongodb-dbaas.sh @@ -5,7 +5,7 @@ OPERATOR_COUNTER=1 OPERATOR_TIMEOUT=180 # use the secret name from the consumer to prevent credential clash -until kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database +until kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database do if [ $OPERATOR_COUNTER -lt $OPERATOR_TIMEOUT ]; then let OPERATOR_COUNTER=OPERATOR_COUNTER+1 
@@ -18,17 +18,17 @@ fi done set +x # Grab the details from the consumer spec -DB_HOST=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary) -DB_USER=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username) -DB_PASSWORD=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password) -DB_NAME=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database) -DB_PORT=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port) -DB_AUTHSOURCE=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.auth.source) -DB_AUTHMECHANISM=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.auth.mechanism) -DB_AUTHTLS=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.auth.tls) +DB_HOST=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary) +DB_USER=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username) +DB_PASSWORD=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password) +DB_NAME=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database) +DB_PORT=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port) +DB_AUTHSOURCE=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} 
-o yaml | shyaml get-value spec.provider.auth.source) +DB_AUTHMECHANISM=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.auth.mechanism) +DB_AUTHTLS=$(kubectl -n ${NAMESPACE} get mongodbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.auth.tls) # Add credentials to our configmap, prefixed with the name of the servicename of this servicebroker -kubectl patch --insecure-skip-tls-verify \ +kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_HOST\":\"${DB_HOST}\", \"${SERVICE_NAME_UPPERCASE}_USERNAME\":\"${DB_USER}\", \"${SERVICE_NAME_UPPERCASE}_PASSWORD\":\"${DB_PASSWORD}\", \"${SERVICE_NAME_UPPERCASE}_DATABASE\":\"${DB_NAME}\", \"${SERVICE_NAME_UPPERCASE}_PORT\":\"${DB_PORT}\", \"${SERVICE_NAME_UPPERCASE}_AUTHSOURCE\":\"${DB_AUTHSOURCE}\", \"${SERVICE_NAME_UPPERCASE}_AUTHMECHANISM\":\"${DB_AUTHMECHANISM}\", \"${SERVICE_NAME_UPPERCASE}_AUTHTLS\":\"${DB_AUTHTLS}\" }}" diff --git a/images/kubectl-build-deploy-dind/scripts/exec-kubectl-postgres-dbaas.sh b/images/kubectl-build-deploy-dind/scripts/exec-kubectl-postgres-dbaas.sh index 319f6f30e1..ea49292be0 100644 --- a/images/kubectl-build-deploy-dind/scripts/exec-kubectl-postgres-dbaas.sh +++ b/images/kubectl-build-deploy-dind/scripts/exec-kubectl-postgres-dbaas.sh @@ -5,7 +5,7 @@ OPERATOR_COUNTER=1 OPERATOR_TIMEOUT=180 # use the secret name from the consumer to prevent credential clash -until kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database +until kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database do if [ $OPERATOR_COUNTER -lt $OPERATOR_TIMEOUT ]; then let SERVICE_BROKER_COUNTER=SERVICE_BROKER_COUNTER+1 
@@ -18,26 +18,26 @@ fi done set +x # Grab the details from the consumer spec -DB_HOST=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary) -DB_USER=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username) -DB_PASSWORD=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password) -DB_NAME=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database) -DB_PORT=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port) +DB_HOST=$(kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary) +DB_USER=$(kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username) +DB_PASSWORD=$(kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password) +DB_NAME=$(kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database) +DB_PORT=$(kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port) # Add credentials to our configmap, prefixed with the name of the servicename of this servicebroker -kubectl patch --insecure-skip-tls-verify \ +kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_HOST\":\"${DB_HOST}\", \"${SERVICE_NAME_UPPERCASE}_USERNAME\":\"${DB_USER}\", \"${SERVICE_NAME_UPPERCASE}_PASSWORD\":\"${DB_PASSWORD}\", \"${SERVICE_NAME_UPPERCASE}_DATABASE\":\"${DB_NAME}\", \"${SERVICE_NAME_UPPERCASE}_PORT\":\"${DB_PORT}\"}}" # only add the 
DB_READREPLICA_HOSTS variable if it exists in the consumer spec # since the operator can support multiple replica hosts being defined, we should comma seperate them here -if DB_READREPLICA_HOSTS=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.replicas); then +if DB_READREPLICA_HOSTS=$(kubectl -n ${NAMESPACE} get postgresqlconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.replicas); then DB_READREPLICA_HOSTS=$(echo $DB_READREPLICA_HOSTS | cut -c 3- | rev | cut -c 1- | rev | sed 's/^\|$//g' | paste -sd, -) - kubectl patch --insecure-skip-tls-verify \ + kubectl patch \ -n ${NAMESPACE} \ configmap lagoon-env \ -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_READREPLICA_HOSTS\":\"${DB_READREPLICA_HOSTS}\"}}" fi -set -x \ No newline at end of file +set -x diff --git a/images/kubectl-build-deploy-dind/scripts/exec-monitor-deploy.sh b/images/kubectl-build-deploy-dind/scripts/exec-monitor-deploy.sh index bfbd1d366b..4938b34ccb 100755 --- a/images/kubectl-build-deploy-dind/scripts/exec-monitor-deploy.sh +++ b/images/kubectl-build-deploy-dind/scripts/exec-monitor-deploy.sh 
@@ -13,10 +13,10 @@ stream_logs_deployment() { while [ 1 ] do # Gather all pods and their containers for the current rollout and stream their logs into files - kubectl -n ${NAMESPACE} get --insecure-skip-tls-verify pods -l pod-template-hash=${LATEST_POD_TEMPLATE_HASH} -o json | jq -r '.items[] | .metadata.name + " " + .spec.containers[].name' | + kubectl -n ${NAMESPACE} get pods -l pod-template-hash=${LATEST_POD_TEMPLATE_HASH} -o json | jq -r '.items[] | .metadata.name + " " + .spec.containers[].name' | { while read -r POD CONTAINER ; do - kubectl -n ${NAMESPACE} logs --insecure-skip-tls-verify --timestamps -f $POD -c $CONTAINER $SINCE_TIME 2> /dev/null > /tmp/kubectl-build-deploy/logs/container/${SERVICE_NAME}/$POD-$CONTAINER.log & + kubectl -n ${NAMESPACE} logs --timestamps -f $POD -c $CONTAINER $SINCE_TIME 2> /dev/null > /tmp/kubectl-build-deploy/logs/container/${SERVICE_NAME}/$POD-$CONTAINER.log & done # this will wait for all log streaming we started to finish @@ -36,7 +36,7 @@ ret=0 # default progressDeadlineSeconds is 600, doubling that here for a timeout on the status check for 1200s (20m) as a fallback for exceeding the progressdeadline # when there may be another issue with the rollout failing, the progresdeadline doesn't always work # (eg, existing pod in previous replicaset fails to terminate properly) -kubectl rollout --insecure-skip-tls-verify -n ${NAMESPACE} status deployment ${SERVICE_NAME} --watch --timeout=1200s || ret=$? +kubectl rollout -n ${NAMESPACE} status deployment ${SERVICE_NAME} --watch --timeout=1200s || ret=$? if [[ $ret -ne 0 ]]; then # stop all running stream logs 
@@ -61,7 +61,7 @@ if [[ $ret -ne 0 ]]; then # solr-abcd12345-abcde Pending PodScheduled 0/3 nodes are available: 3 Too many pods. # echo "If there is any additional information about the status of pods, it will be available here" - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get pods -l lagoon.sh/service=${SERVICE_NAME} -o json | \ + kubectl -n ${NAMESPACE} get pods -l lagoon.sh/service=${SERVICE_NAME} -o json | \ jq -r '["POD/SERVICE NAME","STATUS","CONDITION","MESSAGE"], (.items[] | . as $pod | .status.conditions[] | [ $pod.metadata.name, $pod.status.phase, .type, .message]) | @tsv' exit 1 diff --git a/images/kubectl-build-deploy-dind/scripts/exec-routes-generation.sh b/images/kubectl-build-deploy-dind/scripts/exec-routes-generation.sh index 4cd9cea730..8103897827 100644 --- a/images/kubectl-build-deploy-dind/scripts/exec-routes-generation.sh +++ b/images/kubectl-build-deploy-dind/scripts/exec-routes-generation.sh 
@@ -353,15 +353,15 @@ done ### Add the merged or to be created routes into a configmap echo "${FINAL_ROUTES_JSON}" | jq -r > /kubectl-build-deploy/routes.json echo "Updating lagoon-routes configmap with the newly generated routes JSON" -if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-routes &> /dev/null; then +if kubectl -n ${NAMESPACE} get configmap lagoon-routes &> /dev/null; then # if the key does exist, then nuke it and put the new key - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-routes --from-file=lagoon-routes=/kubectl-build-deploy/routes.json -o yaml --dry-run=client | kubectl replace -f - + kubectl -n ${NAMESPACE} create configmap lagoon-routes --from-file=lagoon-routes=/kubectl-build-deploy/routes.json -o yaml --dry-run=client | kubectl replace -f - else # create it - kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-routes --from-file=lagoon-routes=/kubectl-build-deploy/routes.json + kubectl -n ${NAMESPACE} create configmap lagoon-routes --from-file=lagoon-routes=/kubectl-build-deploy/routes.json fi ### Run the generation function to create all the kubernetes resources etc echo "Generating the routes templates" generateRoutes "$(cat /kubectl-build-deploy/routes.json | jq -r)" false -set -x \ No newline at end of file +set -x diff --git a/images/kubectl-build-deploy-dind/scripts/kubectl-get-cluster-capabilities.sh b/images/kubectl-build-deploy-dind/scripts/kubectl-get-cluster-capabilities.sh index 860d4ece71..1dc24ae718 100755 --- a/images/kubectl-build-deploy-dind/scripts/kubectl-get-cluster-capabilities.sh +++ b/images/kubectl-build-deploy-dind/scripts/kubectl-get-cluster-capabilities.sh 
@@ -22,6 +22,6 @@ while IFS='/' read -ra VERSION; do # api groups and versions are separated by `/ else CAPABILITIES+=("${API_GROUP}/${API_VERSION}/${RESOURCE}") fi - done < <(kubectl --insecure-skip-tls-verify api-resources --no-headers --cached --namespaced=true --api-group="${API_GROUP}" | awk '{print $NF}' ) + done < <(kubectl api-resources --no-headers --cached --namespaced=true --api-group="${API_GROUP}" | awk '{print $NF}' ) -done < <(kubectl --insecure-skip-tls-verify api-versions) +done < <(kubectl api-versions)
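Review bot: Both loops read kubectl through `< <(...)`, and the exit status of a process substitution is not checked, so if `kubectl api-versions` fails now that certificate verification is enforced, `CAPABILITIES` ends up empty and the script carries on. Callers such as the `backup.appuio.ch/v1alpha1/Schedule` test in build-deploy-docker-compose.sh would then skip their branch without any error. Capturing the output first makes the failure fatal: `API_VERSIONS=$(kubectl api-versions) || exit 1`, with the outer loop ending in `done <<< "${API_VERSIONS}"`. The start of both loops is outside the hunk.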