Admission webhooks time out when the webhook handler is slow or unavailable, or when the cluster cannot reach it. Because webhooks block pod creation and updates, a timeout causes deployments to fail. Fix it by optimizing webhook performance, adding replicas behind a service, or adjusting timeout values.
Admission webhooks intercept API server requests (pod creation, updates, deletions) and must respond within timeoutSeconds (default 10s). If the webhook times out, the API server applies failurePolicy to the request (Fail=reject, Ignore=allow). Timeouts indicate a slow handler, network issues, or webhook unavailability.
Verify webhook is running:
kubectl get pods -n <webhook-namespace> -o wide
kubectl describe pod <webhook-pod> -n <webhook-namespace>
kubectl logs <webhook-pod> -n <webhook-namespace>
Pod should be Running and Ready. Check logs for errors.
Check service configuration:
kubectl get svc -n <webhook-namespace>
kubectl get endpoints <webhook-service> -n <webhook-namespace>
kubectl describe svc <webhook-service> -n <webhook-namespace>
Service should have endpoints pointing to ready pods.
Test TLS connection to webhook:
kubectl port-forward -n <namespace> svc/<webhook-service> 8443:8443
# In another terminal
curl -k https://localhost:8443/validate
If the connection fails or times out, the webhook is unreachable.
Check timeout and failure policy:
kubectl get validatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations
# -o yaml keeps the API field names, so the grep matches them
kubectl get validatingwebhookconfiguration <name> -o yaml | grep -E 'failurePolicy|timeoutSeconds'
Default timeout is 10s (1-30s range). Failure policy: Fail=reject, Ignore=allow on timeout.
Add load balancing:
kubectl scale deployment -n <namespace> <webhook> --replicas=3
Ensure multiple replicas are running and ready. The webhook service will load-balance across them.
Reduce latency in webhook code:
- Remove external API calls or cache responses
- Optimize policy evaluation logic
- Profile webhook for bottlenecks
- Add connection pooling
- Reduce webhook scope via objectSelector/namespaceSelector
Example: validate only specific namespaces or resource types.
Increase timeoutSeconds (use cautiously):
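# Strategic merge matches the entry by name; a JSON merge patch would replace the whole webhooks list
kubectl patch validatingwebhookconfiguration <name> --type strategic \
-p '{"webhooks":[{"name":"<webhook>","timeoutSeconds":15}]}'
Max 30s. Higher timeouts may mask performance issues.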
Webhook timeouts block critical cluster operations, and the failures cascade. Use failurePolicy: Ignore only for non-critical webhooks: on timeout it admits requests the webhook never evaluated, which masks issues. Monitor webhook latency and set alerts if the timeout rate exceeds 1%. Exclude the webhook's own system namespaces from webhook rules to prevent recursion. Use sideEffects: None to ensure dry-run safety.
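A manifest that applies the scope reduction and the namespace exclusion described above, as an added example that is not taken from any particular project. The configuration name, webhook name, service, namespace `webhook-system`, path and port are placeholders, and excluding `kube-system` alongside the webhook's own namespace is a choice made for this example.

```yaml
# Added example: constructed manifest, every name below is a placeholder.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-pod-policy
webhooks:
  - name: pods.policy.example.com
    admissionReviewVersions: ["v1"]
    # Required for the webhook to be called on dry-run requests.
    sideEffects: None
    # Stay at the default; raise only after the handler has been profiled.
    timeoutSeconds: 10
    # Fail closed: a timeout rejects the request instead of admitting it unchecked.
    failurePolicy: Fail
    clientConfig:
      service:
        namespace: webhook-system
        name: example-webhook
        path: /validate
        port: 8443
      caBundle: <base64-encoded-CA-certificate>
    # Narrow the rules to the resource types and operations the policy covers,
    # so unrelated API requests never wait on the webhook.
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
        scope: Namespaced
    # kubernetes.io/metadata.name is set by the API server on every namespace.
    # Excluding the webhook's own namespace lets its pods restart while the
    # webhook is down; otherwise failurePolicy: Fail would block its recovery.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "webhook-system"]
    # objectSelector filters on the object's own labels in the same way, but
    # those labels are chosen by whoever submits the object, so it is better
    # suited to performance scoping than to exempting workloads from policy.
```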