Below you will find details on various compatibility issues and quirks that you may be effected by in your environment.
When Google configure the control plane for private clusters, they automatically configure VPC peering between your Kubernetes cluster's network and a separate Google managed project.
In order to restrict what Google are able to access within your cluster, the
firewall rules configured restrict access to your Kubernetes pods. This will
mean that you will experience the webhook to not work and experience errors such
Internal error occurred: failed calling admission webhook ... the server is currently unable to handle the request.
In order to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow the GKE control plane access to your webhook pod.
You can read more information on how to add firewall rules for the GKE control plane nodes in the GKE docs.
Alternatively, you can read how to disable the webhook component.
If you are having issues with the webhook and cannot use it at this time, you can optionally disable the webhook altogether.
Doing this may expose your cluster to miss-configuration problems that in some cases could cause cert-manager to stop working altogether (i.e. if invalid types are set for fields on cert-manager resources).
How you disable the webhook depends on your deployment method.
The Helm chart exposes an option that can be used to disable the webhook.
To do so with an existing installation, you can run:
$ helm upgrade cert-manager \--reuse-values \--set webhook.enabled=false
If you have not installed cert-manager yet, you can add the
--set webhook.enabled=false to the
helm install command used to install
Because we cannot specify options when installing the static manifests to conditionally disable different components, we also ship a copy of the deployment files that do not include the webhook.
This is a destructive operation, as it will remove the
CustomResourceDefinition resources, causing your configured
Certificates etc to be deleted.
You should first backup your configuration before running the following commands.
To re-install cert-manager without the webhook, run:
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v0.12.0/cert-manager.yaml$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v0.12.0/cert-manager-no-webhook.yaml
Once you have re-installed cert-manager, you should then restore your configuration.