# Error from server (InternalError): error when creating "pod.yaml": Internal error occurred: failed calling webhook "pod-validator.example.com": failed to call webhook: Post "https://webhook-service.namespace.svc:443/validate": x509: certificate is valid for *.example.com, not webhook-service.namespace.svc

- **ID:** `kubernetes/webhook-invalid-certificate`
- **Domain:** kubernetes
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The API server dials the admission webhook at the in-cluster name derived from the configuration's `clientConfig.service`, here `webhook-service.namespace.svc`, and verifies the served TLS certificate against that exact host, so the certificate must list it as a DNS subject alternative name (SAN). The certificate presented here covers only `*.example.com`; a wildcard matches a single label directly under `example.com` and can never match a `.svc` name, so the handshake fails, the API server cannot call the webhook, and the admission request is reported as an internal error.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Kubernetes 1.25 | active | — | — |
| Kubernetes 1.28 | active | — | — |
| cert-manager 1.12 | active | — | — |

## Solutions

1. Regenerate the TLS certificate with the correct SANs, including the Kubernetes service DNS name. Using cert-manager, create a Certificate resource with `dnsNames: ["webhook-service.namespace.svc", "webhook-service.namespace.svc.cluster.local"]`; the `.svc` entry is the name the API server dials, the `.svc.cluster.local` entry covers in-cluster clients that use the fully qualified name. Then make sure the `caBundle` in the webhook configuration contains the CA that signed the new certificate (cert-manager's cainjector keeps it in sync via the `cert-manager.io/inject-ca-from` annotation), and restart the webhook pod unless its server reloads the mounted secret on its own.
2. Alternatively, point the webhook configuration at a host the existing certificate already covers. `clientConfig` dials either `service` (always a `.svc` name) or an explicit `url`, so a certificate for `*.example.com` could only be used with a `url` whose hostname sits under `example.com`. This is uncommon for in-cluster webhooks and rarely worth the trouble.

## Failed attempts

- Setting `insecureSkipTLSVerify: true` in the webhook configuration. Admission webhook `clientConfig` has no such field (it only takes `url`, `service` and `caBundle`), so the API server always verifies the webhook certificate; the field is rejected as unknown and the error is unchanged. Even where such a switch exists, disabling verification is not acceptable in production. (30% failure rate)
- Recreating the webhook deployment without regenerating the certificate. The new pod serves the same certificate from the same secret, so the same error is produced. (90% failure rate)
