Skip to content

feat: Remove the urllib3 pinning #2461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 28, 2025
Merged

feat: Remove the urllib3 pinning #2461

merged 1 commit into from
Oct 28, 2025

Conversation

@ZPascal
Copy link
Contributor

@ZPascal ZPascal commented Oct 14, 2025
edited
Loading

What type of PR is this?

/kind feature
/kind regression

What this PR does / why we need it:

Pull Request Description

The PR removes the version pinning for the urllib3 library.

Background

Starting with urllib3 version 2.4.0, stricter certificate validity checks were introduced when running on Python 3.13+ (urllib3#3571).
This change can trigger errors such as:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier

These errors occur only in environments where Kubernetes clusters are configured with invalid or incomplete certificates, most notably on AWS EKS clusters created with Kubernetes v1.16 and earlier.

Change

We are not pinning the urllib3 version. Instead, we keep the dependency flexible (optionally with a temporary upper bound if strictly necessary), ensuring compatibility with future versions of urllib3.

Rationale / Why not pin the version

  • 📦 Avoid unnecessary technical debt
    Pinning a widely used core dependency like urllib3 can quickly lead to upgrade blockers and complicate maintenance down the line.

  • 🔐 Don’t block important security updates
    urllib3 is a critical dependency for HTTPS communication. Pinning could delay or prevent applying security patches or other improvements.

  • 🧹 The issue only affects outdated infrastructure
    The certificate verification error occurs exclusively on clusters with invalid or outdated certificates. These environments should be updated rather than forcing the dependency to remain outdated.

  • 🧭 Fixing the root cause is better than downstream workarounds
    It’s more sustainable to address the infrastructure issue (fixing or rotating cluster certificates) than holding back modern library versions.

  • Keeps upgrade paths open
    By not pinning the version, we can easily adopt future urllib3 releases without major dependency refactors.

Recommendation for affected users

If this error occurs, the correct fix is to update or properly configure the Kubernetes cluster certificates. A temporary upper bound may be set in local deployments if an immediate infrastructure fix is not feasible.

Summary:
Instead of pinning urllib3 to a specific version, we keep the dependency flexible and address the underlying infrastructure issue.
This approach is more secure, easier to maintain, and aligned with dependency management best practices.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

We no longer pin the `urllib3` version.  
`urllib3` 2.4.0 introduced stricter certificate checks on Python 3.13+, which may trigger: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier

This only affects clusters (version <=1.16) with outdated or misconfigured certificates (e.g. old AWS EKS versions). Please update the Kubernetes cluster certificates.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. kind/regression Categorizes issue or PR as related to a regression from a prior release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 14, 2025
@k8s-ci-robot k8s-ci-robot requested a review from roycaihw October 14, 2025 12:04
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 14, 2025

Welcome @ZPascal!

It looks like this is your first PR to kubernetes-client/python 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-client/python has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot requested a review from yliaog October 14, 2025 12:04
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Oct 14, 2025
@arielvb
Copy link

arielvb commented Oct 15, 2025

Hi,

Would it be possible to cut a new release after merging either this pull request or PR #2439? This would help users stay up-to-date with security patches and compatibility improvements in urllib3.

Other packages are starting to require urllib3 >= 2.5 and this is bringing some incompatibilities.

Thanks!

@glennmatthews glennmatthews mentioned this pull request Oct 24, 2025
Merged
@ZPascal
Copy link
Contributor Author

ZPascal commented Oct 27, 2025

Hi @roycaihw & @yliaog, can you please check the PR?

@yliaog
Copy link
Contributor

yliaog commented Oct 28, 2025

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 28, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 28, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yliaog, ZPascal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 28, 2025
@k8s-ci-robot k8s-ci-robot merged commit fe1a331 into kubernetes-client:master Oct 28, 2025
10 checks passed
@ZPascal ZPascal deleted the patch-1 branch October 28, 2025 02:28
This was referenced Oct 30, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roycaihw roycaihw Awaiting requested review from roycaihw

@yliaog yliaog Awaiting requested review from yliaog

Assignees

@yliaog yliaog

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. kind/regression Categorizes issue or PR as related to a regression from a prior release. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ZPascal @k8s-ci-robot @arielvb @yliaog