kubernetes auth_error ai_generated true

Error from server (InternalError): error when creating "pod.yaml": Internal error occurred: failed calling webhook "pod-validator.example.com": failed to call webhook: Post "https://webhook-service.namespace.svc:443/validate": x509: certificate is valid for *.example.com, not webhook-service.namespace.svc

ID: kubernetes/webhook-invalid-certificate

Fix rate: 90%
Confidence: 87%
Evidence count: 1
First seen: 2024-04-12

Version compatibility

Version             Status   Introduced   Deprecated   Notes
Kubernetes 1.25     active   -            -            -
Kubernetes 1.28     active   -            -            -
cert-manager 1.12   active   -            -            -

Root cause analysis

For a service-backed webhook the API server dials `https://<service>.<namespace>.svc:<port><path>` (here `webhook-service.namespace.svc`) and verifies the serving certificate against the `caBundle` in the webhook configuration, including a hostname check against that DNS name. The certificate's subjectAltName lists only `*.example.com`. A wildcard covers exactly one label directly under its parent domain, and `webhook-service.namespace.svc` is not under `example.com` at all, so the name check fails and the API server aborts the TLS handshake. The admission call therefore returns InternalError and the create is refused. This is a name mismatch, distinct from the "certificate signed by unknown authority" error produced by a wrong or missing `caBundle`; fixing one does not fix the other.


Official documentation

https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhook-tls

Solution

  1. Reissue the serving certificate with the Kubernetes service DNS names in its SANs. With cert-manager, create a Certificate resource whose `dnsNames` are `webhook-service.namespace.svc` (the name the API server dials) and `webhook-service.namespace.svc.cluster.local` (the name in-cluster clients use). Before retrying, confirm that the subjectAltName extension of `tls.crt` in the issued Secret lists both names (`openssl x509 -noout -ext subjectAltName` prints it), that the webhook Pods actually serve the new certificate (restart them if the server does not reload the Secret), and that `caBundle` in the webhook configuration holds the CA that issued it; with cert-manager, the `cert-manager.io/inject-ca-from` annotation on the webhook configuration keeps `caBundle` current.
  2. Alternatively, keep the certificate and register the webhook with `clientConfig.url` pointing at a hostname the certificate already covers (a name under `example.com` that resolves to the webhook from the API server's network) instead of `clientConfig.service`. Renaming the Service does not help: a service-backed webhook is always dialed as `<service>.<namespace>.svc`, which `*.example.com` can never match. This is less common and takes the webhook off the in-cluster service path.
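The name check behind this error and the fix in step 1, as an added example that is not code from the original page or from any project: a POSIX shell script that applies the hostname-matching rule a TLS client uses (exact match, or a wildcard covering one leftmost label) to a SAN list, then renders the cert-manager Certificate and the ValidatingWebhookConfiguration (with the `cert-manager.io/inject-ca-from` annotation that populates `caBundle`) for the names in this error. The service `webhook-service`, namespace `namespace` and webhook name `pod-validator.example.com` come from the error above; the Issuer name `webhook-issuer`, the Certificate name `webhook-service-cert`, the Secret name `webhook-service-tls`, the configuration name `pod-validator` and the sample SAN list are assumptions made for this example. The matcher is written from the wildcard rule, not copied from any library.

```bash
#!/bin/sh
# Added example, not code from the original page or any project: apply the
# hostname rule a TLS client uses to a SAN list, then render the cert-manager
# Certificate and webhook registration whose names will pass it.
# Service "webhook-service", namespace "namespace" and the webhook name come
# from the error; the Issuer, Certificate/Secret names and SAN list are assumed.
set -eu

# Exact match, or a wildcard covering exactly one leftmost label:
# "*.example.com" matches "api.example.com" but neither "a.b.example.com"
# nor "webhook-service.namespace.svc". Comparison is case-insensitive.
san_matches_host() {
  local san host suffix first rest
  san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$san" in
    \*.*)
      suffix=${san#\*.}
      first=${host%%.*}
      rest=${host#*.}
      if [ "$first" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      [ "$san" = "$host" ] && return 0
      return 1
      ;;
  esac
}

# $1: SAN text as "openssl x509 -noout -ext subjectAltName" prints it, e.g.
#     "DNS:*.example.com, DNS:api.example.com, IP Address:10.0.0.5"
# $2: the host the API server dials. IP SANs never satisfy a DNS name.
sans_cover_host() {
  printf '%s\n' "$1" | tr ',' '\n' | (
    while read -r entry; do
      case "$entry" in
        DNS:*) if san_matches_host "${entry#DNS:}" "$2"; then exit 0; fi ;;
      esac
    done
    exit 1
  )
}

# Certificate whose dnsNames cover both spellings of the service name.
render_certificate() {
  local svc="$1" ns="$2" issuer="$3"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${svc}-cert
  namespace: ${ns}
spec:
  secretName: ${svc}-tls
  issuerRef:
    name: ${issuer}
    kind: Issuer
  dnsNames:
  - ${svc}.${ns}.svc
  - ${svc}.${ns}.svc.cluster.local
EOF
}

# Webhook registration. caBundle must hold the CA that signed the serving
# certificate; the inject-ca-from annotation has cert-manager keep it current.
render_webhook_config() {
  local svc="$1" ns="$2"
  cat <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-validator
  annotations:
    cert-manager.io/inject-ca-from: ${ns}/${svc}-cert
webhooks:
- name: pod-validator.example.com
  admissionReviewVersions: ["v1"]
  sideEffects: None
  clientConfig:
    service:
      name: ${svc}
      namespace: ${ns}
      path: /validate
      port: 443
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
EOF
}

# Constructed input: the SAN list of the certificate behind the error above.
if sans_cover_host 'DNS:*.example.com' 'webhook-service.namespace.svc'; then
  echo 'serving certificate covers webhook-service.namespace.svc'
else
  echo 'serving certificate does not cover webhook-service.namespace.svc; reissue with:'
  render_certificate webhook-service namespace webhook-issuer
  echo '---'
  render_webhook_config webhook-service namespace
fi
```

Running the script prints the diagnosis for the constructed SAN list followed by the two manifests. To test a live certificate, pass `sans_cover_host` the full output of `openssl x509 -noout -ext subjectAltName` run on the decoded `tls.crt` from the Secret; the header line it prints is ignored. Once the Issuer exists, the rendered manifests can be piped to `kubectl apply -f -`.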

Invalid attempts

Common but ineffective approaches:

  1. 30% fail

    Setting `insecureSkipTLSVerify: true` in the webhook configuration. `WebhookClientConfig` in admissionregistration.k8s.io/v1 has no such field (its only TLS setting is `caBundle`), so the field is rejected by strict field validation or dropped, and the API server verifies the webhook certificate regardless. Even where a client does offer such a switch, skipping verification lets anything that can answer on the service path impersonate the admission webhook, so it is not an acceptable production fix.

  2. 90% fail

    Recreating the webhook Deployment or Pods without reissuing the certificate. The Pods come back serving the same Secret with the same SANs, so the API server sees the same name mismatch and reports the same error.