SSLError Certificate verify failed (not the one about hostnames)

[seralogar]

Once I setup the kubernetes cluster with kubeadm init, I can access the API using the CA cert generated by kubeadm with no problem at all:

curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --cacert /etc/kubernetes/pki/apiserver.crt
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "$MYIP:6443"
    }
  ]
}

However, when doing so with the python client I get an SSL error

[...]
api_instance = kubernetes.client.AppsV1beta1Api()
dep = yaml.load(yamldocument % (name, replicas, label, container_name, image))
try:
    api_response = api_instance.create_namespaced_deployment('default', dep, pretty='true')
    pprint(api_response)
except ApiException as e:
    print("Exception: %s\n" % e)\
[...]

Exception: (0)
Reason: SSLError
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

The above won't work with python nor python3, and I've already run requirements.txt and setup.py with no luck.

The same script does work if I setup the API without TLS, by setting up kubectl proxy --port=8080.

I've tried adding the certificate to the ubuntu ca-certificate path but it didn't work.

Thanks in advance.

[mbohlool]

Where did you load config (or set configs) in your python client? You did not share that part of the code. Best practice is to add the config to ~/.kube/config file (test it with kubectl and make sure it works) and then use config.load_kube_config() method to load it from there.

[seralogar]

You're right. I found this line of code somewhere kubernetes.client.Configuration().host="https://$MYIP:6443" and I thought that would do.

Using your method with config.load_kube_config() works perfectly.
Thank you very much.