Pods fails to connect to kube-apiserver as CA cert does not include key usage extension

Article ID: 413788


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

A Pod that runs on Python 3.13 fails to connect to kube-apiserver with the following error:

connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1032)'))': /api/v1/configmaps?labelSelector=grafana_dashboard%3D1&timeoutSeconds=60&watch=True

Environment

TKGi v1.22

Cause

Python 3.13 adds VERIFY_X509_STRICT to the default verify flags of ssl.create_default_context(), so OpenSSL's strict RFC 5280 checks now apply to every TLS connection a default context makes. One of those checks requires a CA certificate in the chain to carry the Key Usage extension (with keyCertSign asserted); a CA certificate without it is rejected with "CA cert does not include key usage extension". See https://github.com/python/cpython/issues/107361. Older Python releases accept the same CA because the flag was not set by default.

The TKGi kube-apiserver CA certificate does not include the Key Usage extension by default, so any Python 3.13 client that trusts it with a default SSL context fails verification.

Resolution

Update the cluster to use a custom CA, and include the Key Usage extension (keyCertSign and cRLSign, marked critical) together with basicConstraints CA:TRUE when generating that CA certificate. After the cluster has been updated, confirm that the CA the Pods trust actually carries the extension before redeploying the Python 3.13 workload.
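The following check is added here for illustration and is not part of the original article or of TKGi. It walks the DER structure of a CA certificate with the Python standard library only and reports whether the Key Usage extension (OID 2.5.29.15) is present and asserts keyCertSign, which is the condition OpenSSL's strict mode (and therefore Python 3.13 by default) imposes on a CA and the condition a CA regenerated per the resolution above must satisfy. Point key_usage() or ca_passes_strict() at the PEM of the cluster CA to verify the fix. The two sample certificates in the block are constructed unsigned skeletons (hypothetical subject "demo-ca", placeholder public key and signature) built with the small DER encoder in the same block, so the script runs offline.

```python
"""Check a CA certificate for the Key Usage extension that OpenSSL's X509_STRICT mode
(enabled by default in Python 3.13's ssl.create_default_context()) requires of a CA.
Standard library only; the sample certificates below are constructed skeletons."""
import base64
import re

KEY_USAGE_OID = bytes.fromhex("551d0f")          # DER body of OID 2.5.29.15 (id-ce-keyUsage)
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly")


def der_read(buf, pos=0):
    """Decode one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed element (SEQUENCE, SET, explicit tag) into TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def to_der(cert):
    """Accept a PEM string/bytes or raw DER and return the DER of the first certificate."""
    data = cert.encode() if isinstance(cert, str) else cert
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def key_usage(cert):
    """Return the set of Key Usage bits the certificate asserts, or None if the extension is absent."""
    _, body, _ = der_read(to_der(cert))
    tbs = der_children(body)[0][1]                 # tbsCertificate is the first child SEQUENCE
    for tag, val in der_children(tbs):
        if tag != 0xA3:                            # extensions live under EXPLICIT [3]
            continue
        _, ext_list, _ = der_read(val)             # unwrap the Extensions SEQUENCE
        for _, ext in der_children(ext_list):
            fields = der_children(ext)             # extnID, optional critical BOOLEAN, extnValue
            if fields[0][1] != KEY_USAGE_OID:
                continue
            _, bits, _ = der_read(fields[-1][1])   # the OCTET STRING wraps a BIT STRING
            data = bits[1:]                        # first byte is the unused-bits count
            return {name for i, name in enumerate(KEY_USAGE_BITS)
                    if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))}
    return None


def ca_passes_strict(cert):
    """Mirror OpenSSL's strict-mode CA requirement: Key Usage present and keyCertSign set."""
    usage = key_usage(cert)
    if usage is None:
        return False, "CA cert does not include key usage extension"
    if "keyCertSign" not in usage:
        return False, "key usage present but keyCertSign not asserted"
    return True, "ok: " + ", ".join(sorted(usage))


def der(tag, payload):
    """Encode one DER TLV; used only to build the constructed sample certificates."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_ca(with_key_usage):
    """Constructed v3 CA skeleton (hypothetical subject 'demo-ca'): real field layout,
    but a placeholder public key and signature, so it is not a usable CA."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"demo-ca"))))
    exts = der(0x30, der(0x06, BASIC_CONSTRAINTS_OID) + der(0x01, b"\xff")
               + der(0x04, der(0x30, der(0x01, b"\xff"))))     # basicConstraints critical, CA:TRUE
    if with_key_usage:                                            # keyCertSign | cRLSign, 1 unused bit
        exts += der(0x30, der(0x06, KEY_USAGE_OID) + der(0x01, b"\xff")
                    + der(0x04, der(0x03, bytes([0x01, 0x06]))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                # version v3
              + der(0x02, b"\x01")                               # serialNumber
              + sha256_rsa + name                                # signature algorithm, issuer
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))   # validity
              + name                                             # subject
              + der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                    + der(0x03, bytes(9)))                       # placeholder rsaEncryption key
              + der(0xA3, der(0x30, exts)))
    return der(0x30, tbs + sha256_rsa + der(0x03, bytes(9)))     # placeholder signature


def to_pem(der_bytes):
    """Wrap DER as PEM, the form in which a cluster CA is usually handed around."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, flag in (("CA without Key Usage", False), ("CA regenerated with Key Usage", True)):
        print(f"{label}: {ca_passes_strict(to_pem(sample_ca(flag)))[1]}")
```

When the replacement CA is generated with openssl, the extension comes from the x509v3 section used for the self-signed CA certificate: keyUsage = critical, keyCertSign, cRLSign next to basicConstraints = critical, CA:TRUE; openssl x509 -in ca.pem -noout -text then lists "X509v3 Key Usage: critical" with "Certificate Sign, CRL Sign". The missing extension is surfaced only by clients that enable VERIFY_X509_STRICT, which Python 3.13 does by default while older Python releases and kube-apiserver itself accept the same CA, so verify with the Python version the Pod actually runs.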