fix: add disable_strict_ssl_verification to sync client#2611

Open
sajjadghf wants to merge 1 commit into
kubernetes-client:masterfrom
sajjadghf:fix/sync-client-disable-strict-ssl-verification

Conversation

@sajjadghf

What type of PR is this?

/kind bug
/kind feature

What this PR does / why we need it:

Since Python 3.13, ssl.VERIFY_X509_STRICT is enforced by default via
SSLContext.verify_flags. This causes TLS handshakes to fail when the
server's certificate is missing extensions that RFC 5280 mandates in
strict mode (e.g. X509v3 Subject Key Identifier,
X509v3 Authority Key Identifier, X509v3 Subject Alternative Name).
Many real-world Kubernetes clusters (especially self-signed or
internally issued PKI) issue certificates without these extensions.

The async client (kubernetes.aio.client) already exposes a
disable_strict_ssl_verification flag on its Configuration class,
and the matching RESTClientObject strips ssl.VERIFY_X509_STRICT
from the SSLContext.verify_flags when the flag is set. The sync
client (kubernetes.client) was missing this support entirely.

This PR:

  1. Adds disable_strict_ssl_verification = False to
    kubernetes.client.configuration.Configuration with the same
    docstring as the async counterpart.
  2. Refactors kubernetes.client.rest.RESTClientObject.__init__ to
    build the SSL keyword arguments into a single ssl_pool_kwargs dict.
    When disable_strict_ssl_verification is True, a fully-configured
    ssl.SSLContext (with VERIFY_X509_STRICT removed) is created and
    passed directly to urllib3.PoolManager / urllib3.ProxyManager,
    avoiding the deprecation of mixing ssl_context with individual SSL
    parameters in urllib3 ≥ 2.x.
  3. Adds patch diff files under scripts/ to document the changes for
    future client regeneration cycles.

Which issue(s) this PR fixes:

Fixes #2602

Special notes for your reviewer:

  • The sync RESTClientObject uses urllib3 (not aiohttp), so the
    SSL context is built with ssl.create_default_context() and passed
    via the ssl_context kwarg to urllib3's pool managers, rather than
    via aiohttp.TCPConnector as in the async client.
  • Passing ssl_context and the individual cert parameters
    (cert_reqs, ca_certs, cert_file, key_file) simultaneously to
    urllib3 ≥ 2.x triggers a DeprecationWarning. The refactored code
    uses mutually exclusive dict unpacking (ssl_pool_kwargs) to avoid
    this.
  • When disable_strict_ssl_verification=True and verify_ssl=False
    the code mirrors the async client: check_hostname is disabled and
    verify_mode is set to ssl.CERT_NONE.

Does this PR introduce a user-facing change?

Add `disable_strict_ssl_verification` option to
`kubernetes.client.configuration.Configuration` and update
`kubernetes.client.rest.RESTClientObject` to respect it by stripping
`ssl.VERIFY_X509_STRICT` from the SSLContext verify flags. This
restores connectivity with Python 3.13 to Kubernetes clusters whose
TLS certificates do not include all RFC 5280 extensions required by
strict X.509 verification.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [async client configuration reference (existing)]: kubernetes/aio/client/configuration.py
- [async REST client reference (existing)]: kubernetes/aio/client/rest.py
- [Python 3.13 ssl changes]: https://docs.python.org/3.13/library/ssl.html#ssl.VERIFY_X509_STRICT
- [RFC 5280]: https://datatracker.ietf.org/doc/html/rfc5280
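The mutually exclusive keyword-argument construction described in the "Special notes" above, as an added stand-alone example (not the PR's own code): the strict-disabled path builds one `ssl.SSLContext` with only the `VERIFY_X509_STRICT` bit cleared, while the default path hands urllib3 the individual cert parameters, so the two are never mixed. The function name `build_ssl_pool_kwargs` and the helper `strict_verification_enabled` are assumptions chosen for this example.

```python
import ssl


def build_ssl_pool_kwargs(verify_ssl=True, ssl_ca_cert=None, cert_file=None,
                          key_file=None, disable_strict_ssl_verification=False):
    """Return the SSL kwargs for urllib3.PoolManager / urllib3.ProxyManager.

    Exactly one of two shapes is returned: the individual cert parameters
    (cert_reqs, ca_certs, cert_file, key_file) or a single ssl_context.
    Never both, which avoids the urllib3 >= 2.x DeprecationWarning.
    (Hypothetical helper written for this example.)
    """
    if not disable_strict_ssl_verification:
        # Default path: urllib3 builds its own context from these parameters,
        # so Python 3.13's strict X.509 checks stay in force.
        kwargs = {"cert_reqs": ssl.CERT_REQUIRED if verify_ssl else ssl.CERT_NONE}
        if ssl_ca_cert:
            kwargs["ca_certs"] = ssl_ca_cert
        if cert_file:
            kwargs["cert_file"] = cert_file
        if key_file:
            kwargs["key_file"] = key_file
        return kwargs

    # Opt-in path: build the context ourselves and clear ONLY the strict bit.
    # Chain validation and hostname checking remain enabled unless verify_ssl
    # is False, mirroring what the description says the async client does.
    ctx = ssl.create_default_context()
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    if verify_ssl:
        if ssl_ca_cert:
            ctx.load_verify_locations(cafile=ssl_ca_cert)
    else:
        # check_hostname must be turned off before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return {"ssl_context": ctx}


def strict_verification_enabled(ctx):
    """True if VERIFY_X509_STRICT is still set on the given SSLContext."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


if __name__ == "__main__":
    import urllib3  # only needed to actually construct the pool manager
    kwargs = build_ssl_pool_kwargs(disable_strict_ssl_verification=True)
    pool = urllib3.PoolManager(num_pools=4, maxsize=4, **kwargs)
    print(sorted(kwargs), strict_verification_enabled(kwargs["ssl_context"]))
```

The CA and client-certificate paths in the default path are passed through untouched, so no files are read until urllib3 opens a connection.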

Copilot AI review requested due to automatic review settings June 6, 2026 11:21
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. kind/feature Categorizes issue or PR as related to a new feature. labels Jun 6, 2026
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 6, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: sajjadghf / name: Sajjad Ghafarian (35d66e5)

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sajjadghf
Once this PR has been reviewed and has the lgtm label, please assign roycaihw for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from roycaihw and yliaog June 6, 2026 11:21
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 6, 2026

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds an opt-in configuration flag to relax strict X.509 verification in the Kubernetes Python client by supplying a custom ssl.SSLContext to urllib3, and includes patch files intended to capture/apply these changes.

Changes:

  • Introduces disable_strict_ssl_verification to Configuration.
  • Builds an SSLContext and clears VERIFY_X509_STRICT when the flag is enabled, passing it via ssl_context to urllib3 managers.
  • Adds two .diff files under scripts/ representing the patch.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
scripts/rest_client_disable_ssl_strict_verification_patch.diff Adds a patch file intended to modify REST client SSL handling.
scripts/client_configuration_disable_ssl_strict_verification_patch.diff Adds a patch file intended to add the new configuration flag.
kubernetes/client/rest.py Switches urllib3 SSL configuration to use either explicit cert params or a custom SSLContext with relaxed X509 strict checks.
kubernetes/client/configuration.py Adds disable_strict_ssl_verification configuration attribute and its inline documentation.

@sajjadghf sajjadghf force-pushed the fix/sync-client-disable-strict-ssl-verification branch from c0c7ac6 to 35d66e5 Compare June 6, 2026 11:24
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 6, 2026
@sajjadghf sajjadghf force-pushed the fix/sync-client-disable-strict-ssl-verification branch from 35d66e5 to f3b6a1f Compare June 6, 2026 11:47

Development

Successfully merging this pull request may close these issues.

Add option to disable strict x509 verification in sync client