diff --git a/tetrate/TIS0303/check-duplicate-certificate-gateway.yaml b/tetrate/TIS0303/check-duplicate-certificate-gateway.yaml
new file mode 100644
index 00000000..8a57afb7
--- /dev/null
+++ b/tetrate/TIS0303/check-duplicate-certificate-gateway.yaml
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-unique-gateway-tls
+ annotations:
+ policies.kyverno.io/title: Enforce Unique Gateway TLS Credentials
+ policies.kyverno.io/category: Istio Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Gateway
+ policies.kyverno.io/description: >-
+ Ensures that the same TLS credentialName is not reused across multiple Gateways
+ in the same namespace to prevent 404 errors when clients reuse HTTP2 connections.
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: enforce-unique-gateway-tls
+ match:
+ any:
+ - resources:
+ kinds:
+ - Gateway
+ operations:
+ - CREATE
+ - UPDATE
+ context:
+ - name: manifestNamespace
+ variable:
+ value: "{{ request.object.metadata.namespace }}"
+ - name: manifestTLS
+ variable:
+ jmesPath: "request.object.spec.servers[].tls.credentialName | [?@ != null] | [*]"
+ - name: existingTLS
+ apiCall:
+ urlPath: "/apis/networking.istio.io/v1/namespaces/{{ manifestNamespace }}/gateways"
+ jmesPath: "items[].spec.servers[].tls.credentialName | [?@ != null] | [*]"
+ validate:
+ message: "TLS credentials are being reused across Gateways in namespace '{{ manifestNamespace }}'. This may cause 404 errors when clients reuse HTTP2 connections. TLS used in manifest: {{ manifestTLS }}, existingTLS: {{ existingTLS }}"
+ deny:
+ conditions:
+ all:
+ - key: "{{ manifestTLS }}"
+ operator: AnyIn
+ value: "{{ existingTLS }}"
+ - key: "{{ existingTLS }}"
+ operator: AnyIn
+ value: "{{ manifestTLS }}"
diff --git a/tetrate/TIS0303/resource.yaml b/tetrate/TIS0303/resource.yaml
new file mode 100644
index 00000000..a82b533b
--- /dev/null
+++ b/tetrate/TIS0303/resource.yaml
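Review bot: The existingTLS apiCall lists every Gateway in the namespace including the object being admitted, so on an UPDATE the Gateway's own credentialName is already present in existingTLS and the deny fires even when no other Gateway shares the secret; exclude the object itself in the lookup, e.g. `jmesPath: "items[?metadata.name != '{{ request.object.metadata.name }}'].spec.servers[].tls.credentialName | [?@ != null] | [*]"`. The match entry `kinds: - Gateway` is not group-qualified, so the rule also selects gateway.networking.k8s.io Gateway objects, whose spec has no servers field; Kyverno accepts `- networking.istio.io/v1/Gateway` to pin it to Istio. The two AnyIn conditions under `all` are symmetric (a non-empty intersection is the same test in either direction), so the second one adds nothing and can be dropped. Neither condition catches the same credentialName repeated across servers of a single manifest; if that is intentional it is worth stating in the description, otherwise a third check on manifestTLS against itself is needed.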
@@ -0,0 +1,46 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: good-resource-1
+ namespace: test
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "example.com"
+ tls:
+ mode: SIMPLE
+ credentialName: example-cert-2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: bad-resource-1
+ namespace: test
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "example.com"
+ tls:
+ mode: SIMPLE
+ credentialName: example-cert-1
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "example.com"
+ tls:
+ mode: SIMPLE
+ credentialName: example-cert-3
\ No newline at end of file
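Review bot: Nothing in this fixture reuses a credentialName between the two Gateways (good-resource-1 uses example-cert-2, bad-resource-1 uses example-cert-1 and example-cert-3), so as written bad-resource-1 does not exercise the cross-Gateway duplicate the policy denies unless a separate values file seeds the existingTLS apiCall with one of those names. A one-line change such as `credentialName: example-cert-2` on bad-resource-1's first server would make the "bad" case self-contained. Both servers of bad-resource-1 also share port number 443, port name https and the same host, which presumably makes the Gateway itself invalid or ambiguous to Istio independent of the policy; confirm that the fixture is meant to be a policy-only negative case. The file also lacks a trailing newline.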