Below you will find details on various compatibility issues and quirks that you may be effected by in your environment.


When Google configure the control plane for private clusters, they automatically configure VPC peering between your Kubernetes cluster's network and a separate Google managed project.

In order to restrict what Google are able to access within your cluster, the firewall rules configured restrict access to your Kubernetes pods. This will mean that you will experience the webhook to not work and experience errors such as Internal error occurred: failed calling admission webhook ... the server is currently unable to handle the request.

In order to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow the GKE control plane access to your webhook pod.

You can read more information on how to add firewall rules for the GKE control plane nodes in the GKE docs.

Alternatively, you can read how to disable the webhook component.

Disabling Webhook

If you are having issues with the webhook and cannot use it at this time, you can optionally disable the webhook altogether.

Doing this may expose your cluster to miss-configuration problems that in some cases could cause cert-manager to stop working altogether (i.e. if invalid types are set for fields on cert-manager resources).

How you disable the webhook depends on your deployment method.

With Helm

The Helm chart exposes an option that can be used to disable the webhook.

To do so with an existing installation, you can run:

$ helm upgrade cert-manager \
--reuse-values \
--set webhook.enabled=false

If you have not installed cert-manager yet, you can add the --set webhook.enabled=false to the helm install command used to install cert-manager.

With static manifests

Because we cannot specify options when installing the static manifests to conditionally disable different components, we also ship a copy of the deployment files that do not include the webhook.

Instead of installing with cert-manager.yaml file, you should instead use the cert-manager-no-webhook.yaml file located in the deploy directory.

This is a destructive operation, as it will remove the CustomResourceDefinition resources, causing your configured Issuers, Certificates etc to be deleted.

You should first backup your configuration before running the following commands.

To re-install cert-manager without the webhook, run:

$ kubectl delete -f
$ kubectl apply -f

Once you have re-installed cert-manager, you should then restore your configuration.