Unable to Log In to Workload cluster using custom Public Key Algorithm: ED25519 client certificate after upgrading to VKr 1.33

Article ID: 421037

Products

VMware vSphere Kubernetes Service

Issue/Introduction

After upgrading VKS guest clusters from VKr 1.32 to VKr 1.33, attempts to authenticate to the guest cluster using a kubeconfig that carries a custom client certificate whose public key algorithm is ED25519 fail with the following error:

kubectl get nodes --kubeconfig ed25519_kubeconfig
Unable to connect to the server: tls: peer doesn't support any of the certificate's signature algorithms

Before the upgrade, the same ED25519-based kubeconfig worked. After the upgrade, the default kubeconfig obtained from the Supervisor/vCenter continues to work, and custom RSA-based client certificates also authenticate successfully.

Cause

Beginning with VKr 1.33.x, the platform enforces FIPS 140-3 compliance across all included binaries. As a result, only FIPS-approved cryptographic algorithms are supported. ED25519 is not a FIPS-approved algorithm, so the upgraded API server no longer lists it among the signature algorithms it accepts for client certificates during the TLS handshake. kubectl therefore cannot present the ED25519 certificate at all, which is why the error reports that the peer does not support any of the certificate's signature algorithms.
This restriction applies regardless of whether FIPS mode is enabled on the cluster, because the VKr 1.33+ binaries themselves are built to be FIPS-compliant.

Resolution

Custom kubeconfigs relying on Public Key Algorithm: ED25519 keys are not supported on VKr 1.33+. To restore access, regenerate the client certificate and key using a FIPS-approved algorithm, such as RSA.
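Before upgrading, it is worth auditing existing kubeconfigs for client certificates that will be rejected. The following is an added example, not Broadcom/VMware code: it reads each client-certificate-data field, walks the certificate's DER structure with the standard library only, and reports the public key algorithm. It runs against a constructed sample kubeconfig holding one ED25519 and one RSA certificate (the sample certificates are unsigned skeletons built in the script, not real certificates).

```python
import base64
import re
# SubjectPublicKeyInfo algorithm OIDs in DER form (dotted form in comments).
KEY_ALGORITHMS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",   # 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce3d0201"): "EC",        # 1.2.840.10045.2.1
    bytes.fromhex("2b6570"): "ED25519",           # 1.3.101.112
}
FIPS_APPROVED = {"RSA", "EC"}   # key types a VKr 1.33+ API server still negotiates
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def key_algorithm(cert_der):
    """Name the public key algorithm of a DER-encoded X.509 certificate."""
    tbs = _read_tlv(_read_tlv(cert_der)[1])[1]    # Certificate -> tbsCertificate
    pos = _read_tlv(tbs)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] version
    for _ in range(5):                  # serial, signature, issuer, validity, subject
        pos = _read_tlv(tbs, pos)[2]
    spki = _read_tlv(tbs, pos)[1]                 # subjectPublicKeyInfo
    oid = _read_tlv(_read_tlv(spki)[1])[1]        # AlgorithmIdentifier.algorithm
    return KEY_ALGORITHMS.get(oid, "UNKNOWN")

def audit_kubeconfig(text):
    """Return (algorithm, fips_approved) per embedded client certificate."""
    algs = []
    for b64 in re.findall(r"client-certificate-data:\s*(\S+)", text):
        pem = base64.b64decode(b64).decode()      # the field holds base64 of a PEM file
        leaf = PEM_RE.search(pem).group(1)        # first block is the client (leaf) cert
        algs.append(key_algorithm(base64.b64decode("".join(leaf.split()))))
    return [(alg, alg in FIPS_APPROVED) for alg in algs]

# --- constructed sample data (short-form DER only; not a valid certificate) ---
_tlv = lambda tag, body: bytes([tag, len(body)]) + body
_seq = lambda *items: _tlv(0x30, b"".join(items))
def fake_cert_pem(key_oid_der):
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), _seq(), _seq(),
               _seq(), _seq(), _seq(_seq(_tlv(0x06, key_oid_der)), _tlv(0x03, b"\x00")))
    der = _seq(tbs, _seq(), _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_KUBECONFIG = "\n".join(                    # one ED25519 and one RSA user entry
    "    client-certificate-data: " + base64.b64encode(fake_cert_pem(oid).encode()).decode()
    for oid in (bytes.fromhex("2b6570"), bytes.fromhex("2a864886f70d010101")))
```

The value reported here is the same field that `openssl x509 -noout -text` prints as `Public Key Algorithm`, which is where the wording in this article's title comes from.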