diff --git a/athenz-sia.env b/athenz-sia.env
index 261586f5..7cfa75c3 100644
--- a/athenz-sia.env
+++ b/athenz-sia.env
@@ -116,7 +116,7 @@ SA_TOKEN_FILE=
 # POD_IP may be extracted from status.podIP in Kubernetes manifests
 # Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/c8478297a9d228ffc0a6a1ea469ad0ef8a682dc8/pkg/config/default.go#L85
 #
-POD_IP=127.0.0.1
+POD_IP=
 #
 # Kubernetes Pod UID
 #
diff --git a/pkg/certificate/identity.go b/pkg/certificate/identity.go
index 58734316..3d8d0632 100644
--- a/pkg/certificate/identity.go
+++ b/pkg/certificate/identity.go
@@ -381,14 +381,19 @@ func PrepareIdentityCsrOptions(idCfg *config.IdentityConfig, domain, service str
 CommonName: fmt.Sprintf("%s.%s", domain, service),
 }
- return &util.CSROptions{
+ csrOptions := &util.CSROptions{
 Subject: subject,
 SANs: util.SubjectAlternateNames{
- DNSNames: sans,
- IPAddresses: []net.IP{idCfg.PodIP},
- URIs: []url.URL{*spiffeURI},
+ DNSNames: sans,
+ URIs: []url.URL{*spiffeURI},
 },
- }, nil
+ }
+
+ if idCfg.PodIP != nil {
+ csrOptions.SANs.IPAddresses = []net.IP{idCfg.PodIP}
+ }
+
+ return csrOptions, nil
 }
 // PrepareRoleCsrOptions prepares csrOptions for an X.509 certificate
@@ -426,8 +431,7 @@ func PrepareRoleCsrOptions(idCfg *config.IdentityConfig, domain, service string)
 roleCsrOption := util.CSROptions{
 Subject: subject,
 SANs: util.SubjectAlternateNames{
- DNSNames: sans,
- IPAddresses: []net.IP{idCfg.PodIP},
+ DNSNames: sans,
 URIs: []url.URL{
 *spiffeURI,
 },
@@ -437,6 +441,10 @@ func PrepareRoleCsrOptions(idCfg *config.IdentityConfig, domain, service string)
 },
 }
+ if idCfg.PodIP != nil {
+ roleCsrOption.SANs.IPAddresses = []net.IP{idCfg.PodIP}
+ }
+
 roleCsrOptions = append(roleCsrOptions, roleCsrOption)
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 71e74e57..253e9aa9 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
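Review bot: The new `if idCfg.PodIP != nil` guard in PrepareIdentityCsrOptions changes what ends up in the issued certificate — the CSR carries no IP SAN at all when POD_IP is unset — but nothing in the function says so, and the same applies to the identical guard added in the third hunk for PrepareRoleCsrOptions. A one-line comment above each guard, `// POD_IP is optional; omit the IP SAN entirely rather than emitting a nil entry when it is unset`, would make the intent explicit and tell operators what differs from the previous default of 127.0.0.1. Whether the issuing side treats a certificate without an IP SAN differently cannot be judged from this hunk and is worth confirming before relying on the new default. Both PrepareIdentityCsrOptions and PrepareRoleCsrOptions begin outside the hunk.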
@@ -118,10 +118,11 @@ func (idCfg *IdentityConfig) loadFromENV() error {
 // parse values
 var err error
- idCfg.PodIP = net.ParseIP(idCfg.rawPodIP)
- if idCfg.PodIP == nil {
- // PodIP should always be non-nil to issue role certificate
- return fmt.Errorf("Invalid POD_IP [%q]", idCfg.rawPodIP)
+ if idCfg.rawPodIP != "" {
+ idCfg.PodIP = net.ParseIP(idCfg.rawPodIP)
+ if idCfg.PodIP == nil {
+ return fmt.Errorf("Invalid POD_IP [%q], %w", idCfg.rawPodIP, err)
+ }
 }
 idCfg.Refresh, err = time.ParseDuration(idCfg.rawRefresh)
 if err != nil {
diff --git a/pkg/config/default.go b/pkg/config/default.go
index 8f5cb105..93ed389a 100644
--- a/pkg/config/default.go
+++ b/pkg/config/default.go
@@ -16,7 +16,6 @@ package config
 import (
 "fmt"
- "net"
 "strconv"
 "time"
 )
@@ -86,7 +85,7 @@ func DefaultIdentityConfig() *IdentityConfig {
 AthenzSuffix: "",
 ServiceAccount: "",
 SaTokenFile: "",
- PodIP: net.ParseIP("127.0.0.1"),
+ PodIP: nil,
 PodUID: "",
 PodName: "",
 Reloader: nil,
@@ -118,7 +117,7 @@ func DefaultIdentityConfig() *IdentityConfig {
 LogLevel: "INFO",
 rawMode: "init",
- rawPodIP: "127.0.0.1",
+ rawPodIP: "",
 rawTargetDomainRoles: "",
 rawRefresh: "24h",
 rawDelayJitterSeconds: "0",
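Review bot: The new error return in loadFromENV wraps `err` with `%w` while `err` is still the nil value declared two lines above it (net.ParseIP returns no error), so the message will render with `%!w(<nil>)` and carry nothing useful; drop the wrap: `return fmt.Errorf("Invalid POD_IP [%q]", idCfg.rawPodIP)`. The deleted comment recorded that PodIP had to be non-nil to issue role certificates, and with an empty POD_IP now accepted silently that context is lost; a comment on the new branch such as `// POD_IP is optional; when unset, the CSRs are built without an IP SAN` would preserve it for the next reader. loadFromENV continues outside the hunk.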