We all know and love the common ingress-nginx ValidatingWebhook errors:

Google Kubernetes Engine:

Error from server (InternalError): error when creating "ingress.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": context deadline exceeded

AWS Elastic Kubernetes Service:

Error from server (InternalError): error when creating "ingress.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate signed by unknown authority

Below I’ve listed the fixes that I’ve encountered so far.

Google Kubernetes Engine

The common issue I’ve seen for Google Kubernetes Engine (GKE) is that port 8443 has not been opened on the firewall for the GKE control plane. To open it, use the snippet below:

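cluster_name=my-cluster
# Look up the control-plane ("master") firewall rule that GKE created for this cluster.
fw_rule=$(gcloud compute firewall-rules list --format=json --filter="name~'${cluster_name}-[a-z0-9]+-master'" | jq -r '.[0].name')
# --allow replaces the rule's whole allow list, so 10250 and 443 are restated next to 8443.
gcloud compute firewall-rules update "${fw_rule}" --allow=tcp:8443,tcp:10250,tcp:443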

AWS Elastic Kubernetes Service

The common issue I’ve seen for AWS Elastic Kubernetes Service (EKS) is that the CA on the ValidatingWebhook does not match. To correct this, use the patch below:

# Read the base64-encoded CA from the admission secret and write it into the webhook's caBundle.
CA=$(kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}')
kubectl patch validatingwebhookconfigurations ingress-nginx-admission --type='json' -p='[{"op": "add", "path": "/webhooks/0/clientConfig/caBundle", "value":"'"$CA"'"}]'
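
A pre-flight check for the EKS patch above, as an added example that is not part of the original post: it compares the webhook's caBundle with the CA in the admission secret and flags the case where the secret's CA is empty, in which the patch would write an empty caBundle. The status strings and the function names ca_bundle_status, make_sample_ca and check_live are assumptions made for this example, and the sample certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): classify the webhook caBundle
# against the CA in the admission secret before applying the patch.
# Both arguments are base64 strings as returned by kubectl's jsonpath.

ca_bundle_status() {
    # $1 = webhook clientConfig.caBundle, $2 = secret .data.ca
    if [ -z "$2" ]; then
        echo "secret-ca-missing"      # patching now would write an empty caBundle
    elif ! printf '%s' "$2" | base64 -d 2>/dev/null |
            grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo "secret-ca-not-pem"      # value does not decode to a PEM certificate
    elif [ -z "$1" ]; then
        echo "webhook-ca-empty"       # caBundle was never injected
    elif [ "$1" = "$2" ]; then
        echo "match"                  # caBundle already equals the secret's CA
    else
        echo "mismatch"               # stale caBundle: the patch above applies
    fi
}

# Constructed sample input: a PEM-shaped placeholder, base64-encoded on one line.
make_sample_ca() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "CONSTRUCTED-$1" \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n'
}

# Live check against a cluster; resource names are the ones used in the post.
check_live() {
    secret_ca=$(kubectl -n ingress-nginx get secret ingress-nginx-admission \
        -ojsonpath='{.data.ca}')
    webhook_ca=$(kubectl get validatingwebhookconfigurations ingress-nginx-admission \
        -ojsonpath='{.webhooks[0].clientConfig.caBundle}')
    ca_bundle_status "$webhook_ca" "$secret_ca"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Offline demonstration on constructed values.
    old=$(make_sample_ca old); new=$(make_sample_ca new)
    echo "stale webhook:   $(ca_bundle_status "$old" "$new")"
    echo "after patching:  $(ca_bundle_status "$new" "$new")"
    echo "never injected:  $(ca_bundle_status "" "$new")"
fi
```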