Kubernetes Admission Webhook Error Fix (2026)
Getting 'admission webhook denied the request' or webhook timeout errors in Kubernetes? Here's how to debug and fix admission webhook issues step by step.
'admission webhook denied the request' or 'failed calling webhook' errors block your deployments. Here's the systematic fix.
Common Error Messages
# Deployment blocked by webhook
Error from server: error when creating "deployment.yaml":
admission webhook "validate.nginx.ingress.kubernetes.io" denied the request:
spec.rules[0].host: Invalid value: "": must be a non-empty string
# Webhook timeout
Error from server (InternalError): error when creating "pod.yaml":
Internal error occurred: failed calling webhook "mutate.example.com":
failed to call webhook: Post "https://webhook-svc.default.svc:443/mutate":
context deadline exceeded
# Webhook not found
error when creating: admission webhook "my-webhook.io" references service
that does not exist
Step 1: Find Which Webhooks Are Active
# List all validating webhooks
kubectl get validatingwebhookconfigurations
# List all mutating webhooks
kubectl get mutatingwebhookconfigurations
# Describe a specific one
kubectl describe validatingwebhookconfiguration ingress-nginx-admission
# Check what resources and operations each webhook intercepts
kubectl get validatingwebhookconfigurations -o yaml | grep -A5 "rules:"
Fix 1: Webhook Service or Pod Is Down
The most common cause — the webhook's backing service isn't running.
# Find the webhook service
kubectl get validatingwebhookconfigurations my-webhook -o jsonpath='{.webhooks[*].clientConfig.service}'
# Check if the service exists
kubectl get svc -n <webhook-namespace>
# Check if pods are running
kubectl get pods -n <webhook-namespace>
# Check pod logs
kubectl logs -n <webhook-namespace> -l app=my-webhook --tail=50
If the pod is crashing, fix it first. Then retry your original deployment.
Fix 2: Timeout — Raise timeoutSeconds or Change failurePolicy
If the webhook pod is slow or under load:
# Check current timeout setting
kubectl get validatingwebhookconfiguration my-webhook -o yaml | grep timeout
Edit the webhook configuration:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: my-webhook
webhooks:
  - name: validate.example.com
    timeoutSeconds: 30 # increase from default 10s (30 is the maximum allowed)
    failurePolicy: Ignore # Change from Fail to Ignore if non-critical
    # ...
kubectl edit validatingwebhookconfiguration my-webhook
Warning: failurePolicy: Ignore means if the webhook fails, the request goes through anyway. Only use this for non-security-critical webhooks.
Fix 3: Certificate Issues
Webhook TLS certificates can expire or mismatch:
# Check if cert-manager is managing webhook certs
kubectl get certificate -A | grep webhook
# Check cert expiry
kubectl get secret -n <webhook-namespace> <webhook-tls-secret> -o jsonpath='{.data.tls\.crt}' | \
base64 -d | openssl x509 -noout -dates
# If cert is expired, delete and let cert-manager recreate
kubectl delete certificate -n <webhook-namespace> <cert-name>
For webhooks not using cert-manager, update the caBundle in the webhook config:
# Get current CA bundle from the secret
CA_BUNDLE=$(kubectl get secret -n <ns> <tls-secret> -o jsonpath='{.data.ca\.crt}')
# Patch the webhook
kubectl patch validatingwebhookconfiguration my-webhook \
--type='json' \
  -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value': '${CA_BUNDLE}'}]"
Fix 4: Namespace Selector Blocking Resources
Webhooks can be scoped to specific namespaces. If yours is too broad, it blocks everything:
webhooks:
  - name: validate.example.com
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system # exclude system namespaces
            - kube-public
            - cert-manager # prevent circular dependency
If a webhook applies to kube-system, it can block system components and cause cluster-level failures.
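Added example (not from the original article): a Python check over the JSON form of the Step 1 listing that flags webhooks left fail-open (the Ignore setting from Fix 2 and Fix 5) and fail-closed webhooks that still cover kube-system (Fix 4). The sample input and the names `policy-webhook` and `enforce.example.com` are constructed placeholders.

```python
import json

# Constructed sample shaped like `kubectl get validatingwebhookconfigurations -o json`;
# the names are placeholders, not output from a real cluster.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "my-webhook"},
   "webhooks": [{"name": "validate.example.com", "failurePolicy": "Ignore",
     "timeoutSeconds": 30,
     "namespaceSelector": {"matchExpressions": [
       {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
        "values": ["kube-system", "kube-public", "cert-manager"]}]}}]},
  {"metadata": {"name": "policy-webhook"},
   "webhooks": [{"name": "enforce.example.com", "failurePolicy": "Fail"}]}
]}
""")

NAME_LABEL = "kubernetes.io/metadata.name"

def excludes_namespace(selector, namespace):
    """True if the selector keeps the webhook out of `namespace` by name.
    Only expressions on the namespace-name label are evaluated; other
    label selectors are treated as not excluding it."""
    for expr in (selector or {}).get("matchExpressions", []):
        if expr.get("key") != NAME_LABEL:
            continue
        values = expr.get("values", [])
        if expr.get("operator") == "NotIn" and namespace in values:
            return True
        if expr.get("operator") == "In" and namespace not in values:
            return True
    return False

def audit(config_list):
    """Return (config/webhook, finding) pairs for fail-open and unscoped webhooks."""
    findings = []
    for cfg in config_list.get("items", []):
        for wh in cfg.get("webhooks", []):
            ident = f'{cfg["metadata"]["name"]}/{wh["name"]}'
            policy = wh.get("failurePolicy", "Fail")  # admissionregistration v1 default
            if policy == "Ignore":
                findings.append((ident, "fail-open: requests are admitted when the webhook is unreachable"))
            elif not excludes_namespace(wh.get("namespaceSelector"), "kube-system"):
                findings.append((ident, "fail-closed and not excluded from kube-system"))
    return findings

if __name__ == "__main__":
    for ident, finding in audit(SAMPLE):
        print(f"{ident}: {finding}")
```

Against a live cluster, pass `audit()` the parsed output of `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json` instead of `SAMPLE`.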
Fix 5: Temporarily Disable a Webhook for Debugging
If a broken webhook is blocking critical work:
# Delete the webhook configuration temporarily
kubectl delete validatingwebhookconfiguration my-webhook
# Do your work
kubectl apply -f deployment.yaml
# Re-install the webhook after fixing
helm upgrade my-webhook-chart ...
Or patch it to Ignore mode:
kubectl patch validatingwebhookconfiguration my-webhook \
--type='json' \
  -p='[{"op":"replace","path":"/webhooks/0/failurePolicy","value":"Ignore"}]'
Fix 6: Kyverno / OPA Gatekeeper Policy Violations
If you're running Kyverno or OPA Gatekeeper, policy violations look like webhook errors:
# Check Kyverno policy reports
kubectl get policyreport -A
kubectl describe policyreport -n my-namespace
# Check which Kyverno policies apply
kubectl get clusterpolicy
kubectl get policy -A
# Check OPA constraint violations
kubectl get constraints -A
kubectl describe k8srequiredlabels <name>
Fix: either update your resource to comply with the policy, or update the policy to allow your use case.
Debugging Checklist
# 1. Identify which webhook blocked the request (from error message)
# 2. Check webhook pod health
kubectl get pods -n <webhook-ns>
# 3. Check webhook logs for the specific denial reason
kubectl logs -n <webhook-ns> -l app=<webhook> --tail=100 | grep -i "deny\|error\|invalid"
# 4. Check webhook config
kubectl describe validatingwebhookconfiguration <name>
kubectl describe mutatingwebhookconfiguration <name>
# 5. Check events
kubectl get events -n <your-namespace> --sort-by=.lastTimestamp | tail -20
Quick summary:
- Webhook pod down → fix the pod first
- Timeout → increase timeoutSeconds, check pod resources
- Cert expired → rotate cert-manager certificate or update caBundle
- Policy violation (Kyverno/OPA) → fix resource to match policy
- Blocking critical work → temporarily set failurePolicy: Ignore