workload identity webhook controller pod show `http: TLS handshake error from`

[karataliu]

Describe the bug
When there are heavy load to webhook, the webhook would report http: TLS handshake error from <>: EOF message .

Steps To Reproduce
Create a deployment with 2000 pods that enables workload identity.

...
2023/03/06 08:24:03 http: TLS handshake error from 10.224.54.106:54844: EOF
2023/03/06 08:24:03 http: TLS handshake error from 10.224.54.106:54846: EOF
2023/03/06 08:24:03 http: TLS handshake error from 10.224.54.106:54862: EOF
2023/03/06 08:24:03 http: TLS handshake error from 10.224.54.6:60372: EOF
2023/03/06 08:24:03 http: TLS handshake error from 10.224.54.6:60398: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.6:60396: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.106:54884: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.6:60446: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.106:54876: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.6:60392: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.6:60412: EOF
2023/03/06 08:24:04 http: TLS handshake error from 10.224.54.6:60388: EOF
2023/03/06 08:24:05 http: TLS handshake error from 10.224.54.106:54898: EOF
2023/03/06 08:24:05 http: TLS handshake error from 10.224.54.6:60422: EOF
...

Expected behavior
Do not show such TLS error

Logs

Environment

• Kubernetes version (use kubectl version):
• Cloud provider or hardware configuration:
• OS (e.g: cat /etc/os-release):
• Kernel (e.g. uname -a):
• Install tools:
• Network plugin and version (if this is a network-related bug):
• Others:

Additional context

[databasedav]

this prevents my deployments which include pods that use workload identity from updating with the following ReplicaFailure

Internal error occurred: failed calling webhook
"mutation.azure-workload-identity.io": failed to call webhook: Post
"https://azure-wi-webhook-webhook-service.azure-workload-identity-webhook.svc:443/mutate-v1-pod?timeout=10s":
x509: certificate signed by unknown authority (possibly because of
"crypto/rsa: verification error" while trying to verify candidate
authority certificate "azure-workload-identity-ca")

[databasedav]

restarting the workload identity webhook deployment fixes this, is there some certificate expiration thing that needs to be managed that i'm not aware of?

[lalitmsft]

Even we are seeing this on our cluster quite frequently. Is there a fix or recommendation on how to avoid this?

[chris-clarkson]

I am getting this frequently, has anybody else experienced this or have a resolution? My pods get stuck in this state and need a restart to fix which is very inconvenient

[soberich]

Same here.. @maintainers????

[splattner]

same here, any update. And I assume this is related:
Sometimes we see this error:

ERROR: Job failed (system failure): prepare environment: setting up build pod: Internal error occurred: failed calling webhook "mutation.azure-workload-identity.io": failed to call webhook: Post "[https://azure-wi-webhook-webhook-service.kube-system.svc:443/mutate-v1-pod?timeout=10s](https://azure-wi-webhook-webhook-service.kube-system.svc/mutate-v1-pod?timeout=10s)": proxy error from localhost:9443 while dialing 10.0.40.126:9443, code 503: 503 Service Unavailable.

in our gitlab job logs (we use the kubernetes executor) which results in a failed job because the pod could not be created...

[nerdychick11]

I have a similar issue. Anyone know of a fix?

Internal error occurred: failed calling webhook "mutation.azure-workload-identity.io": failed to call webhook: Post "https://azure-wi-webhook-webhook-service.kube-system.svc:443/mutate-v1-pod?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority

[karataliu]

I have a similar issue. Anyone know of a fix?

Internal error occurred: failed calling webhook "mutation.azure-workload-identity.io": failed to call webhook: Post "https://azure-wi-webhook-webhook-service.kube-system.svc:443/mutate-v1-pod?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority

This one looks like a different pattern since it reports cert error instead of EOF.

Could you please check if there is tunnel issue? That might be one possible cause.
If cannot solve suggest to create a support ticket.