Atlas Entry

Atlas: Admission Webhook Timeouts

Symptom → evidence → resolution.

Symptom

Creates/updates fail or hang; errors mention webhook timeouts or admission failures.

Control Plane, Security, Operations, Reliability

What this usually means

A policy component on the API write path is unhealthy or slow. Until it is restored, the cluster cannot accept the changes you are trying to apply.

Likely causes

Admission is on the write path. Its failure modes are outages.

  • Webhook pods are unhealthy (CrashLoop, CPU-starved, no endpoints).
  • Network policy or DNS prevents the API server from reaching the webhook service.
  • TLS/certificate problems.
  • Latency spikes from overloaded admission logic or external dependencies.

What to inspect first

Identify which webhook is failing and why. Don’t guess.

  • Find the webhook name in the error.
  • Locate the backing service/deployment and inspect logs.

kubectl

kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations
kubectl get events -A --sort-by=.lastTimestamp | rg -n "admission|webhook" | tail -n 40 || true
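
An added example (not part of the original entry) that joins the two inspection steps: it pulls the webhook name out of the error text and looks it up in the JSON produced by the first kubectl command with -o json appended. The error string, webhook names and namespaces are constructed samples; the values applied when failurePolicy, timeoutSeconds or the service port are omitted are the admissionregistration.k8s.io/v1 defaults.

```python
import json
import re

# Constructed sample: the kind of error the API server returns for a blocked write.
SAMPLE_ERROR = (
    'Internal error occurred: failed calling webhook "validate.policy.example.com": '
    'failed to call webhook: Post "https://policy-webhook.policy-system.svc:443/'
    'validate?timeout=10s": context deadline exceeded'
)

# Constructed sample: trimmed output of
# kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json
SAMPLE_CONFIGS = json.dumps({"kind": "List", "items": [
    {"kind": "ValidatingWebhookConfiguration",
     "metadata": {"name": "policy-webhook"},
     "webhooks": [{"name": "validate.policy.example.com",
                   "clientConfig": {"service": {"namespace": "policy-system",
                                                "name": "policy-webhook"}}}]},
    {"kind": "MutatingWebhookConfiguration",
     "metadata": {"name": "sidecar-injector"},
     "webhooks": [{"name": "inject.sidecar.example.com", "failurePolicy": "Ignore",
                   "timeoutSeconds": 5,
                   "clientConfig": {"url": "https://injector.example.com/mutate"}}]},
]})

def failing_webhook(error_text):
    """Return the webhook name quoted in a 'failed calling webhook' error, or None."""
    m = re.search(r'failed calling webhook "([^"]+)"', error_text)
    return m.group(1) if m else None

def locate(error_text, configs_json):
    """Map the webhook named in the error to its backend and failure settings."""
    name = failing_webhook(error_text)
    for cfg in json.loads(configs_json).get("items", []):
        for wh in cfg.get("webhooks") or []:
            if name is None or wh.get("name") != name:
                continue
            svc = wh.get("clientConfig", {}).get("service")
            backend = (f'{svc["namespace"]}/{svc["name"]}:{svc.get("port", 443)}'
                       if svc else wh["clientConfig"].get("url"))
            return {"config": f'{cfg["kind"]}/{cfg["metadata"]["name"]}',
                    "webhook": name, "backend": backend,
                    # v1 API defaults when the fields are omitted
                    "failurePolicy": wh.get("failurePolicy", "Fail"),
                    "timeoutSeconds": wh.get("timeoutSeconds", 10)}
    return None

if __name__ == "__main__":
    print(locate(SAMPLE_ERROR, SAMPLE_CONFIGS))
```

The backend field gives the namespace and service whose endpoints and logs to inspect next; a failurePolicy of Fail means writes matching that webhook's rules stay blocked until it answers within timeoutSeconds.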

Resolution guidance

Restore write-path stability first. If you degrade policy, do it explicitly and reverse it promptly.

  • Fix health/endpoints; eliminate external dependencies from admission if they add latency.
  • Set and monitor admission latency budgets.
  • Define a break-glass posture: who can bypass, how it is audited, what compensations apply.
