kubectl "x509: certificate signed by unknown authority" in CI - Fix it
kubectl opened a TLS connection to the API server but could not verify its certificate chain. The cluster CA is not in the kubeconfig (certificate-authority-data) or the runner trust store, so the handshake is rejected.
What this error means
A kubectl call fails with Unable to connect to the server: x509: certificate signed by unknown authority. The endpoint is reachable; only certificate validation fails.
Unable to connect to the server: x509: certificate signed by unknown authorityCommon causes
The kubeconfig lacks the cluster CA
A hand-built kubeconfig omits certificate-authority-data, so kubectl has nothing to validate the server certificate against.
A self-signed or private CA not trusted by the runner
The cluster uses an internal CA the runner image does not trust, and verification is not skipped or pointed at the right bundle.
How to fix it
Regenerate the kubeconfig with the CA embedded
Provider credential commands embed certificate-authority-data automatically. Fetch the kubeconfig from the provider instead of assembling it by hand.
aws eks update-kubeconfig --name prod --region us-east-1
kubectl get nodesPoint kubectl at the correct CA file
If you must supply the CA out of band, set it in the cluster entry rather than disabling verification.
kubectl config set-cluster prod \
--certificate-authority=/etc/ci/cluster-ca.pem \
--embed-certs=trueHow to prevent it
- Fetch kubeconfigs from the provider so the CA is always embedded.
- Avoid
--insecure-skip-tls-verifyas a permanent workaround. - Keep the cluster CA bundle current in custom runner images.