Making kubectl Work Seamlessly with Zscaler in Corporate Networks
The culprit was Zscaler.
Many teams hit this wall when running kubectl in corporate networks protected by Zscaler. The problem stems from Zscaler’s SSL inspection and proxy routing. By default, Zscaler intercepts outbound requests and wraps them in its certificate chain. Kubernetes API calls from kubectl fail when the client cannot validate these certificates or route traffic as expected.
The fix starts with understanding how kubectl handles network traffic. It talks to the Kubernetes API server over HTTPS. With Zscaler in the middle, every request passes through its proxy. This means system-wide trust stores, environment variables, and potential custom proxy settings all matter.
Key steps to make kubectl work with Zscaler:
- Import Zscaler’s root CA into your system trust store so `kubectl` trusts the intercepted connection.
- Use `kubectl --insecure-skip-tls-verify` only for testing, never for production. This bypasses validation but weakens security.
- If your network uses PAC files, configure `kubectl` via the proxy settings your OS reads, or use a tool to export the resolved proxy target from the PAC script.
- On locked-down endpoints, work with your IT team to whitelist Kubernetes API domains in Zscaler policies.
Set proxy environment variables before using kubectl:
```sh
export HTTPS_PROXY=http://<zscaler-proxy-host>:<port>
export NO_PROXY=localhost,127.0.0.1,<cluster-api-domain>
```
For containerized workflows, this configuration must exist inside the container environment as well, since Zscaler still intercepts outbound calls from pods or local containers running kubectl. Capturing these proxy details in code or CI pipelines prevents sudden failures during automation.
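A preflight check a CI step or container entrypoint can run before calling kubectl, reporting whether traffic to the API host will go through the proxy or bypass it under the current HTTPS_PROXY and NO_PROXY values. This is an added example, not code from the original article; the matching is a simplified model of the NO_PROXY rules Go programs such as kubectl apply, and the script name and host names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Host names are constructed.

# no_proxy_match HOST LIST: succeeds if HOST is covered by a comma-separated
# NO_PROXY list. Simplified model of the rules Go programs such as kubectl use:
# "*" covers everything, "example.com" covers the name and its subdomains,
# ".example.com" covers subdomains only. IPs, CIDR ranges and ports are ignored.
no_proxy_match() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    hit=1
    old_ifs=$IFS
    IFS=,
    set -f    # keep a literal "*" entry from being glob-expanded
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
        case $entry in
            '')  ;;
            '*') hit=0 ;;
            .*)  case $host in *"$entry") hit=0 ;; esac ;;
            *)   case $host in "$entry"|*".$entry") hit=0 ;; esac ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $hit
}

# kubectl_route API_HOST: prints "unset" (no proxy configured), "direct"
# (NO_PROXY bypasses the proxy) or "proxy <url>" (sent via HTTPS_PROXY).
kubectl_route() {
    proxy=${HTTPS_PROXY:-${https_proxy:-}}
    bypass=${NO_PROXY:-${no_proxy:-}}
    if [ -z "$proxy" ]; then
        echo "unset"
    elif no_proxy_match "$1" "$bypass"; then
        echo "direct"
    else
        echo "proxy $proxy"
    fi
}

# Usage in a CI step (script name is hypothetical): sh preflight.sh <cluster-api-domain>
if [ $# -gt 0 ]; then
    kubectl_route "$1"
fi
```

A result of "direct" means the API host matched NO_PROXY and the request will not be sent to the configured proxy, which is worth confirming against what the network actually permits.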
Zscaler’s inspection layer isn’t an enemy; it’s a constraint. Handle certificates, route traffic correctly, and kubectl regains full functionality.
Want to skip the manual setup and see a cluster with kubectl working through Zscaler in minutes? Try it live at hoop.dev and connect without friction.