diff --git a/lib/promscrape/discovery/kubernetes/api.go b/lib/promscrape/discovery/kubernetes/api.go
index 79615b320..a01feaad1 100644
--- a/lib/promscrape/discovery/kubernetes/api.go
+++ b/lib/promscrape/discovery/kubernetes/api.go
@@ -90,6 +90,10 @@ func newAPIConfig(sdc *SDConfig, baseDir string, swcFunc ScrapeWorkConstructorFu
 	for strings.HasSuffix(apiServer, "/") {
 		apiServer = apiServer[:len(apiServer)-1]
 	}
+	// pre-check tls config
+	if _, err := ac.NewTLSConfig(); err != nil {
+		return nil, fmt.Errorf("cannot initialize tls config: %w", err)
+	}
 	aw := newAPIWatcher(apiServer, ac, sdc, swcFunc)
 	cfg := &apiConfig{
 		aw: aw,
diff --git a/lib/promscrape/discovery/kubernetes/api_watcher.go b/lib/promscrape/discovery/kubernetes/api_watcher.go
index 5894f6107..d44b60cd6 100644
--- a/lib/promscrape/discovery/kubernetes/api_watcher.go
+++ b/lib/promscrape/discovery/kubernetes/api_watcher.go
@@ -234,6 +234,7 @@ func newGroupWatcher(apiServer string, ac *promauth.Config, namespaces []string,
 		proxy = http.ProxyURL(proxyURL)
 	}
 	tlsConfig, err := ac.NewTLSConfig()
+	// we should always check tlsconfig in advance to avoid panic here
 	if err != nil {
 		logger.Panicf("FATAL: cannot initialize tls config: %s", err)
 	}