Configure webhook timeout
This page describes how to configure the webhook timeout for Config Connector. You can configure these webhooks in Config Connector version 1.110 and later.
Configure timeout for validating webhooks
You can configure the following validating webhooks:
deny-immutable-field-updates.cnrm.cloud.google.com
deny-unknown-fields.cnrm.cloud.google.com
iam-validation.cnrm.cloud.google.com
resource-validation.cnrm.cloud.google.com
abandon-on-uninstall.cnrm.cloud.google.com
For example, you can configure the timeout of the validating webhooks deny-immutable-field-updates.cnrm.cloud.google.com and deny-unknown-fields.cnrm.cloud.google.com by creating and applying the following example YAML file. These webhooks are part of the validating-webhook.cnrm.cloud.google.com validating webhook configuration.
Create a file named configure-validating-webhook-timeout.yaml and copy the following YAML into it:
apiVersion: customize.core.cnrm.cloud.google.com/v1beta1
kind: ValidatingWebhookConfigurationCustomization
metadata:
  name: validating-webhook
spec:
  webhooks:
  - name: deny-immutable-field-updates
    timeoutSeconds: 12
  - name: deny-unknown-fields
    timeoutSeconds: 15
Use kubectl apply to apply the webhook timeout customization to your cluster:
kubectl apply -f configure-validating-webhook-timeout.yaml
Verify the successful configuration by running the following command:
kubectl get validatingwebhookconfigurationcustomizations validating-webhook -o jsonpath='{.status.healthy}{"\n"}'
It should display the status.healthy field set to true.
Verify that the new custom timeout has been applied to the target webhooks:
kubectl get validatingwebhookconfigurations validating-webhook.cnrm.cloud.google.com -o jsonpath='{.webhooks[?(@.name=="deny-immutable-field-updates.cnrm.cloud.google.com")].timeoutSeconds}{"\n"}'
kubectl get validatingwebhookconfigurations validating-webhook.cnrm.cloud.google.com -o jsonpath='{.webhooks[?(@.name=="deny-unknown-fields.cnrm.cloud.google.com")].timeoutSeconds}{"\n"}'
Applying the customization could take a few minutes.
Configure timeout for mutating webhooks
You can configure the following mutating webhooks:
container-annotation-handler.cnrm.cloud.google.com
generic-defaulter.cnrm.cloud.google.com
iam-defaulter.cnrm.cloud.google.com
management-conflict-annotation-defaulter.cnrm.cloud.google.com
For example, you can configure the timeout of the mutating webhook container-annotation-handler.cnrm.cloud.google.com by creating and applying the following example YAML file. The webhook is part of the mutating-webhook.cnrm.cloud.google.com mutating webhook configuration.
Create a file named configure-mutating-webhook-timeout.yaml and copy the following YAML into it:
apiVersion: customize.core.cnrm.cloud.google.com/v1beta1
kind: MutatingWebhookConfigurationCustomization
metadata:
  name: mutating-webhook
spec:
  webhooks:
  - name: container-annotation-handler
    timeoutSeconds: 20
Use kubectl apply to apply the webhook timeout customization to your cluster:
kubectl apply -f configure-mutating-webhook-timeout.yaml
Verify the successful configuration by running the following command:
kubectl get mutatingwebhookconfigurationcustomizations mutating-webhook -o jsonpath='{.status.healthy}{"\n"}'
It should display the status.healthy field set to true.
Verify that the new custom timeout has been applied to the target webhooks:
kubectl get mutatingwebhookconfigurations mutating-webhook.cnrm.cloud.google.com -o jsonpath='{.webhooks[?(@.name=="container-annotation-handler.cnrm.cloud.google.com")].timeoutSeconds}{"\n"}'
Applying the customization could take a few minutes.
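The per-webhook verification steps above, for both the validating and the mutating configuration, can be combined into one drift check. The following is an added example, not part of the Config Connector documentation: it compares the timeouts requested in a customization with the timeoutSeconds values in the live webhook configuration, and flags requests outside the 1 to 30 second range that the Kubernetes API accepts. The names check_timeouts, CUSTOMIZATION and LIVE_CONFIG are hypothetical, and the live data is a constructed sample.

```python
import json
import sys

SUFFIX = ".cnrm.cloud.google.com"  # customization short name -> full webhook name

def check_timeouts(customization, live_config):
    """Return (webhook, problem) tuples; an empty list means the live
    webhook configuration matches the requested timeouts."""
    live = {w["name"]: w.get("timeoutSeconds")
            for w in live_config.get("webhooks", [])}
    problems = []
    for entry in customization["spec"]["webhooks"]:
        name, want = entry["name"] + SUFFIX, entry["timeoutSeconds"]
        # The Kubernetes API only accepts webhook timeouts of 1 to 30 seconds.
        if not 1 <= want <= 30:
            problems.append((name, f"requested {want}s is outside 1-30s"))
        elif name not in live:
            problems.append((name, "not found in live configuration"))
        elif live[name] != want:
            problems.append((name, f"live {live[name]}s, requested {want}s"))
    return problems

# The validating webhook customization from this page, as a dict.
CUSTOMIZATION = {"spec": {"webhooks": [
    {"name": "deny-immutable-field-updates", "timeoutSeconds": 12},
    {"name": "deny-unknown-fields", "timeoutSeconds": 15},
]}}

# Constructed sample in the shape of
# `kubectl get validatingwebhookconfigurations <name> -o json`,
# captured before the second timeout has been reconciled.
LIVE_CONFIG = {"webhooks": [
    {"name": "deny-immutable-field-updates" + SUFFIX, "timeoutSeconds": 12},
    {"name": "deny-unknown-fields" + SUFFIX, "timeoutSeconds": 10},
]}

if __name__ == "__main__":
    # Optional argument: a file holding the real `-o json` output.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            live = json.load(fh)
    else:
        live = LIVE_CONFIG
    for name, problem in check_timeouts(CUSTOMIZATION, live):
        print(f"{name}: {problem}")
```

A mismatch reported shortly after kubectl apply can simply mean the customization has not been reconciled yet, so rerun the check after a few minutes before treating it as drift.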