kubernetes
network_error
ai_generated
true
服务器错误(内部错误):创建 "pod.yaml" 时出错:调用 Webhook "pod-identity-webhook.m8r.io" 失败:Post "https://pod-identity-webhook.m8r.io/mutate?timeout=10s":上下文截止时间已过
Error from server (InternalError): error when creating "pod.yaml": Internal error occurred: failed calling webhook "pod-identity-webhook.m8r.io": Post "https://pod-identity-webhook.m8r.io/mutate?timeout=10s": context deadline exceeded
ID: kubernetes/mutating-webhook-timeout
85%修复率
87%置信度
1证据数
2023-11-05首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Kubernetes 1.26 | active | — | — | — |
| Kubernetes 1.27 | active | — | — | — |
| Kubernetes 1.28 | active | — | — | — |
| istio 1.18 | active | — | — | — |
| cert-manager 1.12 | active | — | — | — |
根因分析
可变准入 Webhook 不可达或超时,通常是由于网络问题、服务缺失或 Webhook Pod 宕机。
English
A mutating admission webhook is unreachable or timing out, often due to network issues, missing service, or the webhook pod being down.
官方文档
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/解决方案
-
Check webhook pod status: kubectl get pods -n <namespace> -l app=<webhook-name>, then restart if not running: kubectl rollout restart deployment/<webhook-deployment> -n <namespace>
-
Verify network connectivity by exec into a temporary pod: kubectl run test --image=busybox --rm -it -- wget -O- https://pod-identity-webhook.m8r.io/mutate --timeout=5
无效尝试
常见但无效的做法:
-
Increasing webhook timeout in the ValidatingWebhookConfiguration
75% 失败
超时通常是网络不通或服务宕机,增加超时不会解决根本问题
-
Restarting the API server
90% 失败
问题出在 Webhook 服务端,不是 API 服务器
-
Disabling the webhook temporarily by deleting the MutatingWebhookConfiguration
50% 失败
虽然可以绕过错误,但会禁用安全功能,且需要重新创建配置