Stay organized with collectionsSave and categorize content based on your preferences.
Configure webhook timeout
This page describes how to configure the webhook timeout for Config Connector.
You can configure these webhooks in Config Connector version 1.110 and later.
Configure timeout for validating webhooks
You can configure the following validating webhooks:
For example, you can configure the timeout of validating webhooksdeny-immutable-field-updates.cnrm.cloud.google.comanddeny-unknown-fields.cnrm.cloud.google.comby creating and applying the
following example YAML file. These webhooks are part of the configuration of thevalidating-webhook.cnrm.cloud.google.comvalidating webhook
configuration.
Create a file namedconfigure-validating-webhook-timeout.yamland copy the
following YAML into it:
For example, you can configure the timeout of mutating webhookcontainer-annotation-handler.cnrm.cloud.google.comby creating and applying
the following example YAML file. The webhook is part of the configuration of themutating-webhook.cnrm.cloud.google.commutating webhook
configuration.
Create a file namedconfigure-mutating-webhook-timeout.yamland copy the
following YAML into it:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eConfig Connector version 1.110 and later allows for the configuration of timeouts for both validating and mutating webhooks.\u003c/p\u003e\n"],["\u003cp\u003eValidating webhooks such as \u003ccode\u003edeny-immutable-field-updates.cnrm.cloud.google.com\u003c/code\u003e and \u003ccode\u003edeny-unknown-fields.cnrm.cloud.google.com\u003c/code\u003e can have their timeouts customized via a \u003ccode\u003eValidatingWebhookConfigurationCustomization\u003c/code\u003e YAML file.\u003c/p\u003e\n"],["\u003cp\u003eMutating webhooks like \u003ccode\u003econtainer-annotation-handler.cnrm.cloud.google.com\u003c/code\u003e can be configured using a \u003ccode\u003eMutatingWebhookConfigurationCustomization\u003c/code\u003e YAML file to adjust their timeout durations.\u003c/p\u003e\n"],["\u003cp\u003eApplying the webhook timeout customizations involves creating and applying the respective YAML files with \u003ccode\u003ekubectl apply\u003c/code\u003e, followed by verifying the successful configuration with specific \u003ccode\u003ekubectl\u003c/code\u003e commands.\u003c/p\u003e\n"],["\u003cp\u003eWhen specifying webhook names in the YAML configuration files, users should omit the \u003ccode\u003e.cnrm.cloud.google.com\u003c/code\u003e suffix from the webhook names.\u003c/p\u003e\n"]]],[],null,["# Configure webhook timeout\n=========================\n\n*** ** * ** ***\n\nThis page describes how to configure the webhook timeout for Config Connector.\nYou can configure these webhooks in Config Connector version 1.110 and later.\n\nConfigure timeout for validating webhooks\n-----------------------------------------\n\nYou can configure the following validating webhooks:\n\n- `deny-immutable-field-updates.cnrm.cloud.google.com`\n- `deny-unknown-fields.cnrm.cloud.google.com`\n- `iam-validation.cnrm.cloud.google.com`\n- `resource-validation.cnrm.cloud.google.com`\n- `abandon-on-uninstall.cnrm.cloud.google.com`\n\nFor example, you can configure the timeout of validating webhooks\n`deny-immutable-field-updates.cnrm.cloud.google.com` and\n`deny-unknown-fields.cnrm.cloud.google.com` by creating and applying the\nfollowing example YAML file. These webhooks are part of the configuration of the\n`validating-webhook.cnrm.cloud.google.com` [validating webhook\nconfiguration](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration).\n\n1. Create a file named `configure-validating-webhook-timeout.yaml` and copy the\n following YAML into it:\n\n apiVersion: customize.core.cnrm.cloud.google.com/v1beta1\n kind: ValidatingWebhookConfigurationCustomization\n metadata:\n name: validating-webhook\n spec:\n webhooks:\n - name: deny-immutable-field-updates\n timeoutSeconds: 12\n - name: deny-unknown-fields\n timeoutSeconds: 15\n\n | **Note:** when specifying the name of webhook configuration and the names of webhooks in the YAML file, don't include the `.cnrm.cloud.google.com` suffix.\n2. Use [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply)\n to apply the webhook timeout customization to your cluster:\n\n ```\n kubectl apply -f configure-validating-webhook-timeout.yaml\n ```\n3. Verify the successful configuration by running the following command:\n\n ```\n kubectl get validatingwebhookconfigurationcustomizations validating-webhook -o jsonpath='{.status.healthy}{\"\\n\"}'\n ```\n\n It should display `status.healthy` field set to `true`.\n4. Verify that the new custom timeout has been applied to the target webhooks:\n\n ```\n kubectl get validatingwebhookconfigurations validating-webhook.cnrm.cloud.google.com -o jsonpath='{.webhooks[?(@.name==\"deny-immutable-field-updates.cnrm.cloud.google.com\")].timeoutSeconds}{\"\\n\"}'\n ``` \n\n ```\n kubectl get validatingwebhookconfigurations validating-webhook.cnrm.cloud.google.com -o jsonpath='{.webhooks[?(@.name==\"deny-unknown-fields.cnrm.cloud.google.com\")].timeoutSeconds}{\"\\n\"}'\n ```\n\n Applying the customization could take a few minutes.\n\nConfigure timeout for mutating webhooks\n---------------------------------------\n\nYou can configure the following mutating webhooks:\n\n- `container-annotation-handler.cnrm.cloud.google.com`\n- `generic-defaulter.cnrm.cloud.google.com`\n- `iam-defaulter.cnrm.cloud.google.com`\n- `management-conflict-annotation-defaulter.cnrm.cloud.google.com`\n\nFor example, you can configure the timeout of mutating webhook\n`container-annotation-handler.cnrm.cloud.google.com` by creating and applying\nthe following example YAML file. The webhook is part of the configuration of the\n`mutating-webhook.cnrm.cloud.google.com` [mutating webhook\nconfiguration](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration).\n\n1. Create a file named `configure-mutating-webhook-timeout.yaml` and copy the\n following YAML into it:\n\n apiVersion: customize.core.cnrm.cloud.google.com/v1beta1\n kind: MutatingWebhookConfigurationCustomization\n metadata:\n name: mutating-webhook\n spec:\n webhooks:\n - name: container-annotation-handler\n timeoutSeconds: 20\n\n | **Note:** when specifying the name of webhook configuration and the names of webhooks in the YAML file, don't include the `.cnrm.cloud.google.com` suffix.\n2. Use [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply)\n to apply the webhook timeout customization to your cluster:\n\n ```\n kubectl apply -f configure-mutating-webhook-timeout.yaml\n ```\n3. Verify the successful configuration by running the following command:\n\n ```\n kubectl get mutatingwebhookconfigurationcustomizations mutating-webhook -o jsonpath='{.status.healthy}{\"\\n\"}'\n ```\n\n It should display `status.healthy` field set to `true`.\n4. Verify that the new custom timeout has been applied to the target webhooks:\n\n ```\n kubectl get mutatingwebhookconfigurations mutating-webhook.cnrm.cloud.google.com -o jsonpath='{.webhooks[?(@.name==\"container-annotation-handler.cnrm.cloud.google.com\")].timeoutSeconds}{\"\\n\"}'\n ```\n\n Applying the customization could take a few minutes."]]
