Tags: kubernetes, auth_error
ai_generated: true
Error from server (InternalError): error when creating "pod.yaml": Internal error occurred: failed calling webhook "pod-validator.example.com": failed to call webhook: Post "https://webhook-service.namespace.svc:443/validate": x509: certificate is valid for *.example.com, not webhook-service.namespace.svc
ID: kubernetes/webhook-invalid-certificate
Fix Rate: 90%
Confidence: 87%
Evidence: 1
First Seen: 2024-04-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kubernetes 1.25 | active | — | — | — |
| Kubernetes 1.28 | active | — | — | — |
| cert-manager 1.12 | active | — | — | — |
Root Cause
The TLS serving certificate presented by the admission webhook does not list the Kubernetes service DNS name that the API server dials (e.g., webhook-service.namespace.svc) in its Subject Alternative Name (SAN) extension, so the API server's hostname verification fails and it rejects the connection.
Official Documentation
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhook-tls
Workarounds
- 90% success: Regenerate the TLS certificate with the correct SANs, including the Kubernetes service DNS name. Using cert-manager, create a Certificate resource with `dnsNames: ["webhook-service.namespace.svc", "webhook-service.namespace.svc.cluster.local"]`.
- 70% success: Alternatively, update the webhook configuration to use a different service name that matches the certificate's SAN, but this is less common.
Dead Ends
Common approaches that don't work:
- 30% fail: Disabling TLS verification in the webhook configuration (`insecureSkipTLSVerify: true`) only hides the name mismatch; it removes the API server's check that it is talking to the genuine webhook, so it is not recommended for production.
- 90% fail: Recreating the webhook deployment without regenerating the certificate will produce the same error, because the restarted Pod serves the same certificate.