diff --git a/nodepool/driver/openshiftpods/handler.py b/nodepool/driver/openshiftpods/handler.py
index 07354dbd8..c39cfacec 100644
--- a/nodepool/driver/openshiftpods/handler.py
+++ b/nodepool/driver/openshiftpods/handler.py
@@ -40,6 +40,7 @@ class OpenshiftPodLauncher(OpenshiftLauncher):
 'pod': pod_name,
 'namespace': project,
 'host': k8s.api_client.configuration.host,
+ 'ca_crt': self.handler.manager.ca_crt,
 'skiptls': not k8s.api_client.configuration.verify_ssl,
 'token': self.handler.manager.token,
 'user': 'zuul-worker',
diff --git a/nodepool/driver/openshiftpods/provider.py b/nodepool/driver/openshiftpods/provider.py
index 7865b006c..0945f4a3e 100644
--- a/nodepool/driver/openshiftpods/provider.py
+++ b/nodepool/driver/openshiftpods/provider.py
@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import base64
 import logging
 import urllib3
 import time
@@ -34,7 +35,7 @@ class OpenshiftPodsProvider(OpenshiftProvider):
 self.provider = provider
 self.ready = False
 try:
- self.token, self.k8s_client = self._get_client(
+ self.token, self.ca_crt, self.k8s_client = self._get_client(
 provider.context)
 except kce.ConfigException:
 self.log.exception("Couldn't load client from config")
@@ -44,6 +45,7 @@ class OpenshiftPodsProvider(OpenshiftProvider):
 "config.list_kube_config_contexts()[0]]))\"")
 self.token = None
 self.k8s_client = None
+ self.ca_crt = None
 self.pod_names = set()
 for pool in provider.pools.values():
 self.pod_names.update(pool.labels.keys())
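Review bot: The new `'ca_crt'` entry in the connection_port dict (handler.py, hunk @@ -40,6 +40,7 @@) carries no comment on what form the value takes, and it can be `None`: `_get_client` leaves it unset when the kubeconfig has no `ssl_ca_cert`, and `__init__` sets `self.ca_crt = None` on the config-error path. A consumer that base64-decodes the field unconditionally would fail on that, and a reader cannot tell from the dict how `ca_crt` relates to `skiptls`. I would add `# base64-encoded CA bundle from the kubeconfig, or None when none is configured` above the entry. The dict literal starts and ends outside the hunk.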
@@ -51,7 +53,12 @@ class OpenshiftPodsProvider(OpenshiftProvider):
 def _get_client(self, context):
 conf = config.new_client_from_config(context=context)
 token = conf.configuration.api_key.get('authorization', '').split()[-1]
- return (token, k8s_client.CoreV1Api(conf))
+ ca = None
+ if conf.configuration.ssl_ca_cert:
+ with open(conf.configuration.ssl_ca_cert) as ca_file:
+ ca = ca_file.read()
+ ca = base64.b64encode(ca.encode('utf-8')).decode('utf-8')
+ return (token, ca, k8s_client.CoreV1Api(conf))
 def start(self, zk_conn):
 self.log.debug("Starting")
diff --git a/nodepool/tests/unit/test_driver_openshiftpods.py b/nodepool/tests/unit/test_driver_openshiftpods.py
index e52da94a5..b4c92002c 100644
--- a/nodepool/tests/unit/test_driver_openshiftpods.py
+++ b/nodepool/tests/unit/test_driver_openshiftpods.py
@@ -76,7 +76,7 @@ class TestDriverOpenshiftPods(tests.DBTestCase):
 self.fake_k8s_client = FakeCoreClient()
 def fake_get_client(*args):
- return "fake-token", self.fake_k8s_client
+ return "fake-token", None, self.fake_k8s_client
 self.useFixture(fixtures.MockPatchObject(
 provider.OpenshiftPodsProvider, '_get_client',
@@ -103,6 +103,7 @@ class TestDriverOpenshiftPods(tests.DBTestCase):
 self.assertIsNotNone(node.launcher)
 self.assertEqual(node.connection_type, 'kubectl')
 self.assertEqual(node.connection_port.get('token'), 'fake-token')
+ self.assertIn('ca_crt', node.connection_port)
 self.assertEqual(node.attributes,
 {'key1': 'value1', 'key2': 'value2'})
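Review bot: In `_get_client` (provider.py, hunk @@ -51,7 +53,12 @@) the CA file is opened in text mode with the platform's default encoding and then re-encoded as UTF-8 before base64, so a bundle with non-ASCII bytes can raise a decode error or come out altered on a non-UTF-8 locale. Reading bytes avoids the round trip: `with open(conf.configuration.ssl_ca_cert, 'rb') as ca_file:` followed by `ca = base64.b64encode(ca_file.read()).decode('utf-8')`. Separately, an `OSError` from this `open()` is not covered by the `except kce.ConfigException` visible in the `__init__` hunk, so an unreadable CA path would presumably abort provider construction instead of taking the logged fallback. A one-line docstring stating that the second tuple element is the base64-encoded CA bundle or `None` would also help callers.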
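Review bot: `self.assertIn('ca_crt', node.connection_port)` in the @@ -103,6 +103,7 @@ hunk of test_driver_openshiftpods.py only checks that the key exists, and because `fake_get_client` in the @@ -76,7 +76,7 @@ hunk returns `None` for the CA, the test would still pass if the real value were never propagated to the node. Returning a constructed sample, `return "fake-token", "fake-ca", self.fake_k8s_client`, and asserting `self.assertEqual(node.connection_port.get('ca_crt'), 'fake-ca')` would pin the propagation. The file-reading and base64 branch of `_get_client` is not exercised by any test visible in this diff. Both test methods continue outside their hunks.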