Getting error when using cert-manager on GKE

1/25/2019

I get the following error:

Error from server (InternalError): error when creating "/root/patched_issuer.yml": Internal error occurred: failed calling admission webhook "issuers.admission.certmanager.k8s.io": the server is currently unable to handle the request
Exited with code 1

Here is how my workloads look.

Name                  Status                              Type        Pods  Namespace  Cluster
staging-cert-manager  OK                                  Deployment  1/1   default    staging
staging-webhook       Does not have minimum availability  Deployment  0/1   default    staging

Any idea what might cause this?

-- Peter R
cert-manager
kubernetes

1 Answer

9/17/2019

First make sure you went through the cert-manager troubleshooting page:

https://docs.cert-manager.io/en/latest/getting-started/troubleshooting.html

Since you mention you're using GKE (so there is a chance that you're using a GKE private cluster), I would suggest that you also take a look at this:

http://docs.cert-manager.io/en/latest/getting-started/webhook.html#running-on-private-gke-clusters

In my case I had to create a firewall rule to allow traffic from master nodes to the private instances. This is the command I had to run:

gcloud compute firewall-rules create allow-connect-cert-manager-webhook \
    --action ALLOW \
    --direction INGRESS \
    --source-ranges 172.16.0.0/28 \
    --rules tcp:6443 \
    --target-tags gke-platform-staging-5d5216f8-node \
    --network platform-staging-vpc-network

The --network parameter is crucial and it must target the network that's being used by your cluster.

-- Yoanis Gil
Source: StackOverflow
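
Added example (not part of the original question or answer): a small offline check of whether an existing ingress rule already lets the master range reach the nodes on the webhook port, on the cluster's own network. It assumes JSON shaped like the output of `gcloud container clusters describe` and `gcloud compute firewall-rules list` with `--format=json`; the sample data is constructed from the values in the answer, the project name "example" is made up, and deny rules, priorities and service-account targets are not evaluated.

```python
import ipaddress
# Constructed sample shaped like `gcloud ... --format=json` output; names and
# ranges reuse the answer's command, the project "example" is made up.
NET = "https://www.googleapis.com/compute/v1/projects/example/global/networks/"
CLUSTER = {"network": "platform-staging-vpc-network",
           "privateClusterConfig": {"masterIpv4CidrBlock": "172.16.0.0/28"}}
NODE_TAGS = ["gke-platform-staging-5d5216f8-node"]

def rule(name, network, ports):  # hypothetical helper that builds one sample rule
    return {"name": name, "network": NET + network, "direction": "INGRESS",
            "sourceRanges": ["172.16.0.0/28"], "targetTags": NODE_TAGS,
            "allowed": [{"IPProtocol": "tcp", "ports": ports}]}

RULES = [
    rule("webhook-wrong-network", "default", ["6443"]),
    rule("master-default-ports", "platform-staging-vpc-network", ["443", "10250"]),
    rule("allow-connect-cert-manager-webhook", "platform-staging-vpc-network", ["6443"]),
]

def port_allowed(allowed, proto, port):
    for entry in allowed:
        if entry.get("IPProtocol") not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:  # entries are single ports or "low-high" ranges
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def covering_rules(cluster, node_tags, rules, port=6443):
    """Names of enabled ingress allow rules that let the master reach the nodes on port."""
    master = ipaddress.ip_network(cluster["privateClusterConfig"]["masterIpv4CidrBlock"])
    hits = []
    for r in rules:
        if r.get("disabled") or r.get("direction") != "INGRESS":
            continue
        if r["network"].rsplit("/", 1)[-1] != cluster["network"]:
            continue  # rule is attached to a different VPC than the cluster
        if r.get("targetTags") and not set(r["targetTags"]) & set(node_tags):
            continue  # rule targets other instances
        sources = [ipaddress.ip_network(s) for s in r.get("sourceRanges", [])]
        if not any(s.version == master.version and master.subnet_of(s) for s in sources):
            continue  # master range is not inside any source range
        if port_allowed(r.get("allowed", []), "tcp", port):
            hits.append(r["name"])
    return hits
```

An empty result for port 6443 means no rule covers the path the answer opens; a rule with the right port and tag but a different network is skipped, which is the --network mistake the answer points out.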