diff --git a/config/config_source.go b/config/config_source.go
index ef81d449a..80e5d3757 100644
--- a/config/config_source.go
+++ b/config/config_source.go
@@ -238,6 +238,16 @@ func (src *FileWatcherSource) check(ctx context.Context, cfg *Config) {
 fs = append(fs, pair.CertFile, pair.KeyFile)
 }
 
+ for _, policy := range cfg.Options.Policies {
+ fs = append(fs,
+ policy.KubernetesServiceAccountTokenFile,
+ policy.TLSClientCertFile,
+ policy.TLSClientKeyFile,
+ policy.TLSCustomCAFile,
+ policy.TLSDownstreamClientCAFile,
+ )
+ }
+
 for _, f := range fs {
 _, _ = h.Write([]byte{0})
 bs, err := ioutil.ReadFile(f)
diff --git a/config/config_source_test.go b/config/config_source_test.go
index 3d6c5bf79..224bcdec4 100644
--- a/config/config_source_test.go
+++ b/config/config_source_test.go
@@ -27,9 +27,17 @@ func TestFileWatcherSource(t *testing.T) {
 return
 }
 
+ err = ioutil.WriteFile(filepath.Join(tmpdir, "kubernetes-example.txt"), []byte{1, 2, 3, 4}, 0o600)
+ if !assert.NoError(t, err) {
+ return
+ }
+
 ssrc := NewStaticSource(&Config{
 Options: &Options{
 CAFile: filepath.Join(tmpdir, "example.txt"),
+ Policies: []Policy{{
+ KubernetesServiceAccountTokenFile: filepath.Join(tmpdir, "kubernetes-example.txt"),
+ }},
 },
 })
 
@@ -53,6 +61,17 @@ func TestFileWatcherSource(t *testing.T) {
 t.Error("expected OnConfigChange to be fired after modifying a file")
 }
 
+ err = ioutil.WriteFile(filepath.Join(tmpdir, "kubernetes-example.txt"), []byte{5, 6, 7, 8}, 0o600)
+ if !assert.NoError(t, err) {
+ return
+ }
+
+ select {
+ case <-ch:
+ case <-time.After(time.Second):
+ t.Error("expected OnConfigChange to be fired after modifying a policy file")
+ }
+
 ssrc.SetConfig(ctx, &Config{
 Options: &Options{
 CAFile: filepath.Join(tmpdir, "example.txt"),
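Review bot: In the `@@ -238` hunk of config/config_source.go, all five path fields of every policy are appended to `fs` unconditionally, so a policy that sets none of them still contributes five empty strings, and a file shared by many policies is listed once per policy. Each entry then reaches `ioutil.ReadFile(f)` in the loop that follows, so client-key and service-account-token files are read in full on every check, possibly several times over. Consider skipping unset paths before the read, e.g. `if f == "" { continue }` at the top of `for _, f := range fs`, and de-duplicating with a small seen-set. How a read error is handled is not visible here; `check` starts and ends outside the hunk.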
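Review bot: The fixture in the `@@ -27` hunk of config/config_source_test.go sets only `KubernetesServiceAccountTokenFile`, so the four TLS fields added to the watch list (`TLSClientCertFile`, `TLSClientKeyFile`, `TLSCustomCAFile`, `TLSDownstreamClientCAFile`) have no coverage. A later typo or removal of one of them in `check` would pass this test, and these are the files whose rotation matters for upstream and downstream authentication. A table-driven variant that points each field at its own temp file and modifies them in turn would pin the behaviour.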
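Review bot: The new `select` in the `@@ -53` hunk of config/config_source_test.go can pass on a stale notification: if the earlier write to `example.txt` left a second event queued on `ch`, `case <-ch:` is satisfied even when the policy file is not being watched. Whether `ch` is buffered is not visible in the hunk, so this is a possibility rather than a confirmed false pass. Draining the channel before the `ioutil.WriteFile` call, e.g. `select { case <-ch: default: }`, would tie the assertion to the policy file. The one-second `time.After` is also tight for a slow CI runner.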