Introduction
Kubernetes admission webhooks intercept API requests to validate or mutate resources. When a webhook times out, the API server can't complete the request, and operations like deployments, pod creation, or updates fail. The default timeout is 10 seconds.
Symptoms
In kubectl:
```
Error from server (InternalError): Internal error occurred: failed calling webhook "webhook-service.default.svc": Post https://webhook-service.default.svc:443/mutate?timeout=10s: context deadline exceeded
```
In API server logs:
```
E0115 10:30:00.123456 1 dispatcher.go:170] Failed calling webhook, failing open: webhook.default.svc: context deadline exceeded
```
Common Causes
1. Webhook service unavailable - Deployment, pods, or service not running
2. Network policy blocking - EKS webhook networking restrictions
3. Timeout too short - Webhook processing takes longer than configured
4. DNS resolution failure - Webhook service DNS not resolving
5. TLS certificate issues - Certificate expired or not trusted
6. Resource limits - Webhook pod OOMKilled or CPU throttled
7. AWS VPC CNI issues - Pod networking problems in EKS
8. Service mesh interference - Istio or other mesh breaking webhook traffic
Step-by-Step Fix
1. Check logs for specific error messages
2. Verify configuration settings
3. Test network connectivity
4. Review recent changes
5. Apply corrective action
6. Verify the fix
Step 1: Identify Affected Webhooks
```bash
# List all validating webhooks
kubectl get validatingwebhookconfigurations

# List all mutating webhooks
kubectl get mutatingwebhookconfigurations

# Check specific webhook configuration
kubectl get validatingwebhookconfiguration my-webhook -o yaml
```
Step 2: Check Webhook Service and Pods
```bash
# Check if webhook service exists
kubectl get svc -n my-namespace webhook-service

# Check service endpoints
kubectl get endpoints -n my-namespace webhook-service

# Check webhook pods
kubectl get pods -n my-namespace -l app=webhook

# Check pod logs
kubectl logs -n my-namespace -l app=webhook --tail=100
```
If pods are not running:
```bash
kubectl describe pods -n my-namespace -l app=webhook
```
Step 3: Test Webhook Connectivity
From a test pod in the cluster:
```bash
# Create test pod
kubectl run test-pod --image=busybox --rm -it --restart=Never -- sh

# Inside test pod, test connectivity
wget -O- --no-check-certificate https://webhook-service.my-namespace.svc:443/mutate
nc -zv webhook-service.my-namespace 443
```
From EKS node:
```bash
# SSH to node
# Test service DNS
nslookup webhook-service.my-namespace.svc.cluster.local

# Test endpoint
curl -k https://webhook-service.my-namespace.svc:443/healthz
```
Step 4: Check Network Policies
```bash
# List network policies
kubectl get networkpolicies -n my-namespace

# Check if policy blocks API server traffic
kubectl get networkpolicy -n my-namespace -o yaml
```
The API server runs in kube-system or uses specific IP ranges. Add a policy that allows its traffic to reach the webhook pods:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apiserver
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: webhook
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0  # Permits any source; restrict to the API server IP range where possible
      ports:
        - port: 443
          protocol: TCP
```
Step 5: Increase Webhook Timeout
```bash
# Edit webhook configuration
kubectl edit validatingwebhookconfiguration my-webhook

# Add or increase timeout
```
```yaml
webhooks:
  - name: my-webhook.example.com
    timeoutSeconds: 30  # Increase from default 10 (30 is the maximum the API accepts)
    sideEffects: None
    admissionReviewVersions: ["v1"]
    ...
```
Or patch directly:
```bash
kubectl patch validatingwebhookconfiguration my-webhook --type='json' \
  -p='[{"op": "replace", "path": "/webhooks/0/timeoutSeconds", "value": 30}]'
```
Step 6: Check TLS Configuration
```bash
# Get webhook configuration
kubectl get validatingwebhookconfiguration my-webhook -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d

# Check certificate in webhook pod
kubectl exec -n my-namespace webhook-pod -- cat /etc/tls/tls.crt | openssl x509 -noout -dates
```
Regenerate certificates if expired:
```bash
# Generate new CA and cert
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=webhook-ca"
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=webhook-service.my-namespace.svc"
# The API server checks the Subject Alternative Name, not the CN, so sign with a SAN
printf 'subjectAltName=DNS:webhook-service.my-namespace.svc\n' > san.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile san.ext

# Update webhook with new CA
# (the webhook pod must also be serving the new server.crt and server.key)
CA_BUNDLE=$(cat ca.crt | base64 -w 0)
kubectl patch validatingwebhookconfiguration my-webhook --type='json' \
  -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value': '$CA_BUNDLE'}]"
```
Step 7: Check Webhook Pod Resources
```bash
# Check resource usage
kubectl top pods -n my-namespace -l app=webhook

# Check for OOMKilled
kubectl describe pod -n my-namespace -l app=webhook | grep -A5 "Last State"

# Increase resources if needed
kubectl set resources deployment/webhook -n my-namespace \
  --limits=cpu=500m,memory=256Mi \
  --requests=cpu=100m,memory=128Mi
```
Step 8: Temporarily Disable Webhook
If the webhook is blocking all operations:
```bash
# Delete webhook configuration temporarily
kubectl delete validatingwebhookconfiguration my-webhook

# Or for mutating webhooks
kubectl delete mutatingwebhookconfiguration my-webhook
```
This allows operations while you fix the underlying issue, but requests admitted in the meantime are not validated or mutated by the webhook.
Step 9: Check for Failing Open Behavior
If the webhook is configured to fail open:
```yaml
webhooks:
  - name: my-webhook.example.com
    failurePolicy: Ignore  # or Fail
```
- Ignore: Timeout allows operation through (no validation)
- Fail: Timeout blocks operation

Ensure you understand the security implications: with Ignore, every timeout lets the request through without the webhook's checks.
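As an added example (not part of the original article or of any project's code), this script reads JSON shaped like the output of `kubectl get validatingwebhookconfigurations -o json` and reports, per webhook, what a timeout does under the settings from Steps 5 and 9. The sample document and the `audit` function name are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of
# `kubectl get validatingwebhookconfigurations -o json` (names are made up).
SAMPLE = json.loads("""
{"items": [{
  "kind": "ValidatingWebhookConfiguration",
  "metadata": {"name": "my-webhook"},
  "webhooks": [
    {"name": "my-webhook.example.com", "failurePolicy": "Ignore", "timeoutSeconds": 30,
     "clientConfig": {"service": {"namespace": "my-namespace", "name": "webhook-service"}}},
    {"name": "strict.example.com",
     "clientConfig": {"service": {"namespace": "my-namespace", "name": "webhook-service"}}}
  ]}]}
""")


def audit(doc):
    """Return one finding per webhook describing what a timeout does to a request."""
    configs = doc.get("items", [doc])  # accept a List or a single configuration
    findings = []
    for cfg in configs:
        for hook in cfg.get("webhooks", []):
            policy = hook.get("failurePolicy", "Fail")  # v1 default when unset
            timeout = hook.get("timeoutSeconds", 10)    # v1 default when unset
            client = hook.get("clientConfig", {})
            svc = client.get("service")
            target = (f'{svc["name"]}.{svc["namespace"]}.svc'
                      if svc else client.get("url", "?"))
            findings.append({
                "config": cfg["metadata"]["name"],
                "webhook": hook["name"],
                "target": target,
                "timeout": timeout,
                "timeout_valid": 1 <= timeout <= 30,  # the API accepts 1..30 only
                "on_timeout": ("admitted without checks" if policy == "Ignore"
                               else "rejected"),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f'{f["config"]}/{f["webhook"]} -> {f["target"]}: '
              f'timeout {f["timeout"]}s, request {f["on_timeout"]}')
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of the `kubectl get ... -o json` command for validating or mutating configurations.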
Step 10: Review EKS-Specific Issues
For EKS, check if webhook is using AWS PrivateLink or VPC endpoints:
```bash
# Check VPC endpoints
aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=vpc-12345

# Ensure API server can reach webhook service
# EKS API server uses worker node security group
```
Verification
```bash
# Test a resource creation
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
    - name: nginx
      image: nginx
EOF

# Check webhook logs for request processing
kubectl logs -n my-namespace -l app=webhook -f

# Verify no timeout errors
kubectl logs -n kube-system -l k8s-app=kube-apiserver | grep -i webhook
```