When using K8S official SDK to connect to the cluster API Server, the error "certificate verify failed: self signed certificate" is reported. How to deal with it?

The error "certificate verify failed: self signed certificate" from the Kubernetes (K8S) official SDK means the TLS handshake with the API Server succeeded up to certificate validation and then failed there: the certificate the API Server presented (or the cluster CA that issued it) is self-signed, so the client cannot chain it to any certificate authority (CA) in the bundle it verifies against. Nothing is necessarily wrong with the certificate; the client simply has no reason to trust its issuer. The fix is to give the client the cluster CA, not to stop checking.

To resolve this issue, you can take the following steps:

  1. Obtain the Cluster CA Certificate: First, get the CA certificate that the API Server's certificate chains to. It is usually already at hand: a kubeconfig carries it base64-encoded in the certificate-authority-data field of the cluster entry (kubectl config view --raw shows it), every namespace has a kube-root-ca.crt ConfigMap holding the same PEM, and on a kubeadm control plane it is /etc/kubernetes/pki/ca.crt. Take it from one of these trusted channels. Pulling the certificate out of the untrusted connection itself, for example by accepting a browser or curl prompt, only proves you are talking to whoever answered on that address, which may be exactly the impostor verification is meant to rule out.

  2. Add the Certificate to the Trusted Store: Once you have the CA certificate, you can add it to the trusted CA store of the client machine. The commands depend on the operating system:

    • For Linux: On Debian/Ubuntu, copy the PEM file to /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates; on RHEL/Fedora, copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.
    • For Windows: Import the certificate into the Trusted Root Certification Authorities store with the Certificate Manager (certlm.msc), or run certutil -addstore Root ca.crt from an elevated prompt.
    • For macOS: Import it into the System keychain with Keychain Access, or run sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt.

    Two caveats. A system-wide trust entry makes that CA trusted for every TLS connection on the host, so whoever holds the cluster CA's private key could then impersonate any site to that machine; the per-client setting in step 3 is the narrower fix. And the Python Kubernetes client does not consult the system store at all: it verifies against the bundle named in its configuration or, failing that, the certifi bundle shipped with the package, so for Python this step alone will not clear the error.
  3. Configure the SDK to Use the Certificate: Most SDKs let you point TLS verification at a specific CA file or bundle. This scopes trust in the cluster CA to the one client that needs it and is the preferred fix.

    For example, the Python Kubernetes client (which talks to the API Server through urllib3, not requests, and ignores the system trust store) takes the path of the CA file in the ssl_ca_cert field of its Configuration object. Loading the kubeconfig into an explicit Configuration keeps the override local to this client:

    from kubernetes import client, config

    # Load the kubeconfig into an explicit Configuration object (not the global default)
    configuration = client.Configuration()
    config.load_kube_config(client_configuration=configuration)

    # Point TLS verification at the PEM file holding the cluster CA
    configuration.ssl_ca_cert = '/path/to/your/certificate.crt'
    configuration.verify_ssl = True

    # Now you can create an instance of the API class bound to that configuration
    v1 = client.CoreV1Api(client.ApiClient(configuration))
    
  4. Disable Certificate Verification (Not Recommended): As a last resort, you can disable certificate verification in your SDK configuration. This is not recommended: without verification any host that answers on the API Server's address can impersonate it, and the client will send its bearer token to that host with every request, so a man-in-the-middle gets the credentials as well as the traffic. The kubeconfig setting insecure-skip-tls-verify: true has the same effect and the same risk.

    For example, in the Python Kubernetes client, you would set verify_ssl to False on the Configuration object:

    configuration.verify_ssl = False
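
The whole procedure in one piece, as an added example that is not code from the original page or from the Kubernetes project: it takes the cluster CA out of a kubeconfig, refuses configs that have verification switched off, sanity-checks the PEM before trusting it, writes it to a private file, and binds that file to the Python client as ssl_ca_cert. The kubeconfig is assumed to be already parsed into a dict (yaml.safe_load in practice); the sample kubeconfig and its certificate body are constructed placeholders, not a real certificate, and the function and variable names are this example's own. Only build_api needs the kubernetes package; everything else is standard library.

```python
import base64
import binascii
import os
import re
import tempfile

# One PEM CERTIFICATE block; a bundle may hold several (e.g. during CA rotation).
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def _entry(entries, name, key):
    """Look up a named kubeconfig list entry (contexts/clusters/users)."""
    for e in entries:
        if e["name"] == name:
            return e[key]
    raise KeyError(f"kubeconfig has no {key} named {name!r}")


def current_cluster_and_user(kubeconfig):
    """Resolve current-context to its cluster and user entries (parsed YAML dict)."""
    ctx = _entry(kubeconfig["contexts"], kubeconfig["current-context"], "context")
    return (_entry(kubeconfig["clusters"], ctx["cluster"], "cluster"),
            _entry(kubeconfig["users"], ctx["user"], "user"))


def cluster_ca_pem(cluster):
    """Return the cluster CA bundle as PEM bytes. Refuses an entry that turns
    verification off, and refuses to guess when no CA is configured at all."""
    if cluster.get("insecure-skip-tls-verify"):
        raise ValueError("insecure-skip-tls-verify is set; fix the kubeconfig instead")
    if "certificate-authority-data" in cluster:
        return base64.b64decode(cluster["certificate-authority-data"])
    if "certificate-authority" in cluster:
        with open(cluster["certificate-authority"], "rb") as f:
            return f.read()
    raise ValueError("no CA in kubeconfig; obtain the cluster CA over a trusted channel")


def count_pem_certificates(pem):
    """Sanity-check a bundle before trusting it: every block must be valid base64
    that decodes to a DER SEQUENCE (0x30), the first byte of any X.509 certificate.
    Returns the block count; raises so a garbled file fails before first use."""
    blocks = PEM_CERT.findall(pem)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in certificate block: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate block does not decode to a DER SEQUENCE")
    return len(blocks)


def write_ca_file(pem):
    """Write the bundle to a private file; ssl_ca_cert wants a path, not bytes."""
    fd, path = tempfile.mkstemp(prefix="k8s-ca-", suffix=".crt")
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    os.chmod(path, 0o600)
    return path


def client_settings(kubeconfig):
    """The three values the client needs: API server URL, CA file path, bearer token."""
    cluster, user = current_cluster_and_user(kubeconfig)
    pem = cluster_ca_pem(cluster)
    count_pem_certificates(pem)
    return {"host": cluster["server"], "ssl_ca_cert": write_ca_file(pem),
            "token": user.get("token")}


def build_api(settings):
    """Bind the settings to the kubernetes client (needs the kubernetes package).
    The CA goes into ssl_ca_cert and verify_ssl stays True: with it off, the bearer
    token would be sent to whatever host answers on the server address."""
    from kubernetes import client
    conf = client.Configuration()
    conf.host = settings["host"]
    conf.ssl_ca_cert = settings["ssl_ca_cert"]
    conf.verify_ssl = True
    if settings["token"]:
        conf.api_key = {"authorization": "Bearer " + settings["token"]}
    return client.CoreV1Api(client.ApiClient(conf))


# Constructed sample kubeconfig. The certificate body is a placeholder (DER SEQUENCE
# tag plus filler), not a real certificate; a real file carries the actual CA here.
_FAKE_DER = b"\x30\x82\x00\x10" + b"not-a-real-certificate"
_FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_FAKE_DER)
             + b"-----END CERTIFICATE-----\n")
SAMPLE_KUBECONFIG = {
    "current-context": "dev",
    "contexts": [{"name": "dev", "context": {"cluster": "dev-cluster", "user": "dev-user"}}],
    "clusters": [{"name": "dev-cluster", "cluster": {
        "server": "https://10.0.0.1:6443",
        "certificate-authority-data": base64.b64encode(_FAKE_PEM).decode()}}],
    "users": [{"name": "dev-user", "user": {"token": "constructed-sample-token"}}],
}

if __name__ == "__main__":
    settings = client_settings(SAMPLE_KUBECONFIG)
    print(settings)  # host, path of the written CA file, token
    # v1 = build_api(settings); v1.list_namespace()   # against a real cluster
```

Against a real cluster, replace SAMPLE_KUBECONFIG with yaml.safe_load of the kubeconfig file. The refusal paths are the point: a config with insecure-skip-tls-verify or with no CA at all raises instead of quietly falling back to an unverified connection, which is the failure mode step 4 warns about.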
    

If you are working within a cloud environment, such as Tencent Cloud, a managed service like Tencent Kubernetes Engine (TKE) runs the control plane and its certificates for you: the kubeconfig it issues already carries the cluster CA in certificate-authority-data, so an SDK that loads that kubeconfig verifies the API Server without the manual steps above.

Remember, trusting a self-signed or private CA is a trust decision: confirm where the certificate came from before installing it, scope the trust as narrowly as the client allows, and keep any certificate handling within your organization's security policies.