cert-manager: i/o timeout from apiserver when connecting to webhook on k3s

Bugs should be filed for issues encountered whilst operating cert-manager. You should first attempt to resolve your issues through the community support channels, e.g. Slack, in order to rule out individual configuration errors. Please provide as much detail as possible.

Describe the bug: I was following along with the steps here: https://cert-manager.io/docs/installation/kubernetes/

Expected behaviour: I got an issue when trying to test the installation

Error from server (InternalError): error when creating "test-resources.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: dial tcp 10.43.18.211:443: i/o timeout

Steps to reproduce the bug: Steps to reproduce the bug should be clear and easily reproducible to help people gain an understanding of the problem.

I followed the steps in the link above and got the issue when testing the installation.

Anything else we need to know?: The installation step was successful, as I verified as follows:

kubectl get pods --namespace cert-manager                                                                                                                                                                         Thu Apr 16 18:33:31 2020

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-cainjector-79f4496665-7gptd   1/1     Running   0          11m
cert-manager-57cdd66b-7xvj2                1/1     Running   0          11m
cert-manager-webhook-6d57dbf4f-28zjc       1/1     Running   0          11m

I’m using VMs from Google. Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.17.4
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): k3s
  • cert-manager version (e.g. v0.4.0): v0.14.0
  • Install method (e.g. helm or static manifests): Helm

/kind bug

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 20 (2 by maintainers)

Most upvoted comments

Same issue here using k3s. Resolved it using the flag --flannel-backend host-gw during the k3s setup. So it looks like something is wrong in the default flannel setup, but I didn’t investigate further.

Hey @sangnguyen7

How have you deployed k3s/what environment is it deployed into? This error indicates that your apiserver is unable to route traffic to the cert-manager webhook pod, which is a required component.

This is something that is required to be working in order for Kubernetes conformance tests to pass as far as I’m aware, so this indicates that somewhere along the line your cluster is not configured correctly.

Are you able to run Sonobuoy to check and ensure your cluster is set up properly? This will hopefully help you to pinpoint what’s going on 😄

/triage support /area deploy /remove-kind bug
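
The reading of the error given in the comment above, as an added example (not code from the issue or from cert-manager): it parses the apiserver's webhook failure message and reports which layer failed. The k3s default service CIDR, the `classify` helper and the causes other than "i/o timeout" are assumptions that go beyond what this page shows.

```python
import ipaddress
import re

# Constructed input: the error text from this issue, joined onto one line.
SAMPLE = ('Internal error occurred: failed calling webhook "webhook.cert-manager.io": '
          'Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: '
          'dial tcp 10.43.18.211:443: i/o timeout')

# Assumption: k3s default service CIDR; adjust if k3s was started with --service-cidr.
SERVICE_CIDR = ipaddress.ip_network("10.43.0.0/16")

# Later Kubernetes releases print the URL in quotes, so the quotes are optional here.
PATTERN = re.compile(
    r'failed calling webhook "(?P<webhook>[^"]+)": Post "?https://'
    r'(?P<svc>[^.]+)\.(?P<ns>[^.]+)\.svc:(?P<port>\d+)(?P<path>/[^?\s"]*)'
    r'[^\s"]*"?: (?P<cause>.+)$')

# Added generalization: only "i/o timeout" appears on this page.
LAYERS = [
    ("i/o timeout", "network", "packets from the apiserver node to the webhook pod are dropped"),
    ("context deadline exceeded", "network", "no answer within the webhook timeout"),
    ("connection refused", "endpoint", "nothing is listening behind the Service"),
    ("x509:", "tls", "apiserver does not trust the webhook serving certificate"),
]

def classify(message):
    """Return the parsed fields of a webhook call failure, or None if it is another error."""
    m = PATTERN.search(message)
    if m is None:
        return None
    info = m.groupdict()
    dial = re.search(r"dial tcp (\d+\.\d+\.\d+\.\d+):\d+", info["cause"])
    info["dial_ip"] = dial.group(1) if dial else None
    # True means the apiserver resolved the Service to a ClusterIP and failed past that point.
    info["via_cluster_ip"] = bool(dial) and ipaddress.ip_address(dial.group(1)) in SERVICE_CIDR
    info["layer"], info["meaning"] = next(
        ((layer, text) for needle, layer, text in LAYERS if needle in info["cause"]),
        ("unknown", "cause not recognised"))
    return info

if __name__ == "__main__":
    for key, value in classify(SAMPLE).items():
        print(f"{key:15} {value}")
```

For the message in this issue the result is layer `network` with the dial target inside the service CIDR, which matches the maintainer's diagnosis that the apiserver cannot route traffic to the webhook pod.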