Compatibility with Kubernetes Platform Providers
Below you will find details on various compatibility issues and quirks that you may be affected by when deploying cert-manager. If you believe we’ve missed something please feel free to raise an issue or a pull request with the details!
If you’re using AWS Fargate or else if you’ve specifically configured
cert-manager to run the host’s network, be aware that kubelet listens on port
10250 by default which clashes with the default port for the cert-manager
As such, you’ll need to change the webhook’s port when setting up cert-manager.
For installations using Helm, you can set the
when installing cert-manager either using a command line flag or an entry in
If you have a port clash, you could see confusing error messages regarding untrusted certs. See #3237 for more details.
When Google configure the control plane for private clusters, they automatically configure VPC peering between your Kubernetes cluster’s network and a separate Google-managed project.
In order to restrict what Google are able to access within your cluster, the
firewall rules configured restrict access to your Kubernetes pods. This means
that the webhook won’t work, and you’ll see errors such as
Internal error occurred: failed calling admission webhook ... the server is currently unable to handle the request.
In order to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow the GKE control plane access to your webhook pod.
You can read more information on how to add firewall rules for the GKE control plane nodes in the GKE docs.
As of May 2021, GKE Autopilot has no support for 3rd party webhooks. Without webhooks, many Kubernetes plugins such as cert-manager cannot operate correctly.
When using a custom CNI (such as Weave or Calico) on EKS, the webhook cannot be reached by cert-manager. This happens because the control plane cannot be configured to run on a custom CNI on EKS, so the CNIs differ between control plane and worker nodes.
To address this, the webhook can be run in the host network so it can be reached
by cert-manager, by setting the
webhook.hostNetwork key to true on your
deployment, or, if using Helm, configuring it in your
Note that running on the host network will necessitate changing the webhook’s port; see the warning at the top of the page for details.
It’s worth noting that using AWS Fargate to run cert-manager will force you to run using the host’s network, and will force a port clash with the kubelet running on port 10250, as seen in #3237.
When deploying cert-manager on Fargate, you must change the port on which the webhook listens. See the warning at the top of this page for more details.