fix: add disable_strict_ssl_verification to sync client (Python 3.13 RFC 5280 compat)

sajjadghf · sajjadghf · commit f3b6a1f3ae2e · 2026-06-06T15:17:06.000+03:30
diff --git a/kubernetes/aio/client/rest.py b/kubernetes/aio/client/rest.py
@@ -62,7 +62,8 @@ def __init__(self, configuration, pools_size=4, maxsize=None):
             ssl_context.check_hostname = False
             ssl_context.verify_mode = ssl.CERT_NONE
         if configuration.disable_strict_ssl_verification:
-            ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT
+            if hasattr(ssl, 'VERIFY_X509_STRICT') and hasattr(ssl_context, 'verify_flags'):
+                ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT
 
         connector = aiohttp.TCPConnector(
             limit=maxsize,
diff --git a/kubernetes/client/configuration.py b/kubernetes/client/configuration.py
@@ -179,6 +179,14 @@ def __init__(self, host=None,
            Set this to false to skip verifying SSL certificate when calling API
            from https server.
         """
+        self.disable_strict_ssl_verification = False
+        """Set to true, to accept certificates violate X509 strict certificate
+           verification requirements, like missing the following extensions:
+           - X509v3 Subject Key Identifier
+           - X509v3 Authority Key Identifier
+           - X509v3 Subject Alternative Name
+           (It is implemented by removing ssl.VERIFY_X509_STRICT from SSLContext.verify_flags)
+        """
         self.ssl_ca_cert = ssl_ca_cert
         """Set this to customize the certificate file to verify the peer.
         """
diff --git a/kubernetes/client/rest.py b/kubernetes/client/rest.py
@@ -81,27 +81,41 @@ def __init__(self, configuration, pools_size=4, maxsize=None):
             else:
                 maxsize = 4
 
+        if configuration.disable_strict_ssl_verification:
+            ssl_context = ssl.create_default_context(cafile=configuration.ssl_ca_cert)
+            if configuration.cert_file:
+                ssl_context.load_cert_chain(
+                    configuration.cert_file, keyfile=configuration.key_file
+                )
+            if not configuration.verify_ssl:
+                ssl_context.check_hostname = False
+                ssl_context.verify_mode = ssl.CERT_NONE
+            if hasattr(ssl, 'VERIFY_X509_STRICT') and hasattr(ssl_context, 'verify_flags'):
+                ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT
+            ssl_pool_kwargs = {'ssl_context': ssl_context}
+        else:
+            ssl_pool_kwargs = {
+                'cert_reqs': cert_reqs,
+                'ca_certs': configuration.ssl_ca_cert,
+                'cert_file': configuration.cert_file,
+                'key_file': configuration.key_file,
+            }
+
         # https pool manager
         if configuration.proxy and not should_bypass_proxies(configuration.host, no_proxy=configuration.no_proxy or ''):
             self.pool_manager = urllib3.ProxyManager(
                 num_pools=pools_size,
                 maxsize=maxsize,
-                cert_reqs=cert_reqs,
-                ca_certs=configuration.ssl_ca_cert,
-                cert_file=configuration.cert_file,
-                key_file=configuration.key_file,
                 proxy_url=configuration.proxy,
                 proxy_headers=configuration.proxy_headers,
+                **ssl_pool_kwargs,
                 **addition_pool_args
             )
         else:
             self.pool_manager = urllib3.PoolManager(
                 num_pools=pools_size,
                 maxsize=maxsize,
-                cert_reqs=cert_reqs,
-                ca_certs=configuration.ssl_ca_cert,
-                cert_file=configuration.cert_file,
-                key_file=configuration.key_file,
+                **ssl_pool_kwargs,
                 **addition_pool_args
             )
 
diff --git a/scripts/client_configuration_disable_ssl_strict_verification_patch.diff b/scripts/client_configuration_disable_ssl_strict_verification_patch.diff
@@ -0,0 +1,19 @@
+diff --git a/kubernetes/client/configuration.py b/kubernetes/client/configuration.py
+index d113df1e6..92ef01ec2 100644
+--- a/kubernetes/client/configuration.py
++++ b/kubernetes/client/configuration.py
+@@ -179,6 +179,14 @@ conf = client.Configuration(
+            Set this to false to skip verifying SSL certificate when calling API
+            from https server.
+         """
++        self.disable_strict_ssl_verification = False
++        """Set to true, to accept certificates violate X509 strict certificate
++           verification requirements, like missing the following extensions:
++           - X509v3 Subject Key Identifier
++           - X509v3 Authority Key Identifier
++           - X509v3 Subject Alternative Name
++           (It is implemented by removing ssl.VERIFY_X509_STRICT from SSLContext.verify_flags)
++        """
+         self.ssl_ca_cert = ssl_ca_cert
+         """Set this to customize the certificate file to verify the peer.
+         """
diff --git a/scripts/rest_client_disable_ssl_strict_verification_patch.diff b/scripts/rest_client_disable_ssl_strict_verification_patch.diff
@@ -0,0 +1,53 @@
+diff --git a/kubernetes/client/rest.py b/kubernetes/client/rest.py
+index 7c461b32e..e88290ef7 100644
+--- a/kubernetes/client/rest.py
++++ b/kubernetes/client/rest.py
+@@ -81,27 +81,40 @@ class RESTClientObject(object):
+             else:
+                 maxsize = 4
+ 
++        if configuration.disable_strict_ssl_verification:
++            ssl_context = ssl.create_default_context(cafile=configuration.ssl_ca_cert)
++            if configuration.cert_file:
++                ssl_context.load_cert_chain(
++                    configuration.cert_file, keyfile=configuration.key_file
++                )
++            if not configuration.verify_ssl:
++                ssl_context.check_hostname = False
++                ssl_context.verify_mode = ssl.CERT_NONE
++            if hasattr(ssl, 'VERIFY_X509_STRICT') and hasattr(ssl_context, 'verify_flags'):
++                ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT
++            ssl_pool_kwargs = {'ssl_context': ssl_context}
++        else:
++            ssl_pool_kwargs = {
++                'cert_reqs': cert_reqs,
++                'ca_certs': configuration.ssl_ca_cert,
++                'cert_file': configuration.cert_file,
++                'key_file': configuration.key_file,
++            }
++
+         # https pool manager
+         if configuration.proxy and not should_bypass_proxies(configuration.host, no_proxy=configuration.no_proxy or ''):
+             self.pool_manager = urllib3.ProxyManager(
+                 num_pools=pools_size,
+                 maxsize=maxsize,
+-                cert_reqs=cert_reqs,
+-                ca_certs=configuration.ssl_ca_cert,
+-                cert_file=configuration.cert_file,
+-                key_file=configuration.key_file,
+                 proxy_url=configuration.proxy,
+                 proxy_headers=configuration.proxy_headers,
++                **ssl_pool_kwargs,
+                 **addition_pool_args
+             )
+         else:
+             self.pool_manager = urllib3.PoolManager(
+                 num_pools=pools_size,
+                 maxsize=maxsize,
+-                cert_reqs=cert_reqs,
+-                ca_certs=configuration.ssl_ca_cert,
+-                cert_file=configuration.cert_file,
+-                key_file=configuration.key_file,
++                **ssl_pool_kwargs,
+                 **addition_pool_args
+             )
