
Istiod and Pepr Startup Failures Due to Webhook Dependencies

During cluster restarts or after upgrades, Istiod and Pepr pods may fail to start properly due to a circular dependency between their admission webhooks.

Istiod and Pepr each depend on the other’s webhook being available, which can cause a deadlock if one cannot admit the other’s workloads.

This document explains how to manually resolve the deadlock.

  • Pepr pods are stuck in CrashLoopBackOff or Pending state.
  • Istiod pods are stuck in CrashLoopBackOff or Pending state.
  • Cluster replicaset events show webhook admission errors like:
      Failed to call webhook: error calling webhook "pepr-uds-core"
      Failed to call webhook: error calling webhook "istiod-istio-system"

Both Pepr and Istiod register Kubernetes admission webhooks. When a cluster restarts, if the webhook targets (pods) aren’t available yet, admission fails, blocking the pods from being recreated — a chicken-and-egg problem.

Temporarily modify the Pepr mutating and validating webhook configurations so that they exclude the istio-system namespace:

1. Patch the Pepr Webhooks to Exclude Itself and Istio

kubectl patch mutatingwebhookconfiguration pepr-uds-core --type='json' \
-p='[{
"op": "add",
"path": "/webhooks/0/namespaceSelector/matchExpressions/0/values/-",
"value": "istio-system"
}]'
kubectl patch validatingwebhookconfiguration pepr-uds-core --type='json' \
-p='[{
"op": "add",
"path": "/webhooks/0/namespaceSelector/matchExpressions/0/values/-",
"value": "istio-system"
}]'

This isn’t always required — typically the pods will retry and succeed once Istiod is healthy.

kubectl rollout restart deployment pepr-uds-core -n pepr-system
kubectl rollout restart deployment istiod -n istio-system

This forces Kubernetes to recreate the pods.

kubectl get mutatingwebhookconfiguration pepr-uds-core -o json | \
uds zarf tools yq -p json -o json '.webhooks[0].namespaceSelector.matchExpressions[0].values |= map(select(. != "istio-system"))' | \
kubectl apply -f -
kubectl get validatingwebhookconfiguration pepr-uds-core -o json | \
uds zarf tools yq -p json -o json '.webhooks[0].namespaceSelector.matchExpressions[0].values |= map(select(. != "istio-system"))' | \
kubectl apply -f -

This restores strict security enforcement in admission control.
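
The patch and the restore above both address one fixed path, /webhooks/0/namespaceSelector/matchExpressions/0, so it is worth confirming what sits at that path before patching and confirming afterwards that no webhook still exempts istio-system. The following check is an added example, not part of UDS Core or Pepr; the sample configuration is constructed, and the selector key, the NotIn operator and the other namespace values in it are assumptions about how the exclusion list is expressed.

```python
import json
import sys

NAMESPACE = "istio-system"  # namespace the page's patch temporarily excludes

# Constructed sample: a webhook configuration as it looks after the temporary
# patch. The selector key and the other namespace values are assumptions.
SAMPLE_PATCHED = {
    "metadata": {"name": "pepr-uds-core"},
    "webhooks": [{"name": "pepr-uds-core", "namespaceSelector": {"matchExpressions": [
        {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
         "values": ["kube-system", "pepr-system", "istio-system"]}]}}],
}


def exclusions(config, namespace=NAMESPACE):
    """Return (webhook index, expression index) pairs that exempt `namespace`."""
    hits = []
    for w_idx, webhook in enumerate(config.get("webhooks") or []):
        selector = webhook.get("namespaceSelector") or {}
        for e_idx, expr in enumerate(selector.get("matchExpressions") or []):
            if expr.get("operator") == "NotIn" and namespace in (expr.get("values") or []):
                hits.append((w_idx, e_idx))
    return hits


def patch_target_ok(config):
    """True if /webhooks/0/namespaceSelector/matchExpressions/0 is a NotIn list.

    The JSON patch appends to exactly that path. If the path is missing the
    patch fails; if the expression were `In`, appending would bring the
    namespace into the webhook's scope instead of excluding it.
    """
    try:
        expr = config["webhooks"][0]["namespaceSelector"]["matchExpressions"][0]
        return expr.get("operator") == "NotIn" and isinstance(expr.get("values"), list)
    except (KeyError, IndexError, TypeError, AttributeError):
        return False


def main(argv):
    # With a file argument, check saved `kubectl get ... -o json` output;
    # without one, run against the constructed sample above.
    config = SAMPLE_PATCHED
    if len(argv) > 1:
        with open(argv[1]) as handle:
            config = json.load(handle)
    hits = exclusions(config)
    print("patch target valid:", patch_target_ok(config))
    print("webhooks still excluding", NAMESPACE + ":", hits or "none")
    # Non-zero only when a real config still carries the temporary exclusion.
    return 1 if hits and len(argv) > 1 else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the output of kubectl get mutatingwebhookconfiguration pepr-uds-core -o json (and the validating one) to a file and pass the file name as the argument; a non-zero exit after the restore step means the exclusion is still in place.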