From 4b992c6f3e33a50438dbdafbf04a07ce3b376d1a Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Thu, 20 Mar 2025 08:49:27 +1300
Subject: [PATCH] fix(k8s/config): force insecure-skip-tls-verify option for internal use [BE-11706] (#537)
---
 api/http/handler/kubernetes/config.go | 10 ++++++++++
 api/kubernetes/kubeclusteraccess_service.go | 1 +
 2 files changed, 11 insertions(+)
diff --git a/api/http/handler/kubernetes/config.go b/api/http/handler/kubernetes/config.go
index a42f98ee3..b9de1824b 100644
--- a/api/http/handler/kubernetes/config.go
+++ b/api/http/handler/kubernetes/config.go
@@ -167,6 +167,16 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 func (handler *Handler) buildCluster(r *http.Request, endpoint portainer.Endpoint, isInternal bool) clientV1.NamedCluster {
 kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(r.Host, endpoint.ID, isInternal)

+ if isInternal {
+ return clientV1.NamedCluster{
+ Name: buildClusterName(endpoint.Name),
+ Cluster: clientV1.Cluster{
+ Server: kubeConfigInternal.ClusterServerURL,
+ InsecureSkipTLSVerify: true,
+ },
+ }
+ }
+
 selfSignedCert := false
 serverUrl, err := url.Parse(kubeConfigInternal.ClusterServerURL)
 if err != nil {
diff --git a/api/kubernetes/kubeclusteraccess_service.go b/api/kubernetes/kubeclusteraccess_service.go
index 60f0cc503..fce7f55ea 100644
--- a/api/kubernetes/kubeclusteraccess_service.go
+++ b/api/kubernetes/kubeclusteraccess_service.go
@@ -109,6 +109,7 @@ func (service *kubeClusterAccessService) GetClusterDetails(hostURL string, endpo
 Str("host_URL", hostURL).
 Str("HTTPS_bind_address", service.httpsBindAddr).
 Str("base_URL", baseURL).
+ Bool("is_internal", isInternal).
 Msg("kubeconfig")

 clusterServerURL, err := url.JoinPath("https://", hostURL, baseURL, "/api/endpoints/", strconv.Itoa(int(endpointID)), "/kubernetes")
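Review bot: The new `if isInternal` branch in buildCluster returns a cluster entry with `InsecureSkipTLSVerify: true` unconditionally, so any client loading this kubeconfig accepts whatever certificate is presented at `kubeConfigInternal.ClusterServerURL` and will send its credentials to that peer. The hunk does not show where `isInternal` is decided or what address the internal URL resolves to; if the flag can be influenced by the request, or the URL can point anywhere other than Portainer's own local listener, verification should stay on by pinning the server certificate through the `CertificateAuthorityData` field of `clientV1.Cluster` instead. At minimum the branch needs a comment recording the assumption that makes this safe, for example `// internal kubeconfig is used only against Portainer's own listener (cert may be self-signed); must never be returned to external callers`. buildCluster's body continues outside the hunk, so the existing self-signed handling below could not be checked for reuse.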