Custom Resource
Definitions
(CRDs) are powerful tools for extending Kubernetes
capabilities.
However, if a CRD contains an invalid or malformed Certificate Authority (CA)
bundle within its conversion webhook configuration
spec.conversion.webhook.clientConfig.caBundle, it can disrupt cluster
operations. This can manifest as errors during resource creation, updates, or
deletions. Google Kubernetes Engine (GKE) monitors your clusters and uses the
Recommender service to deliver guidance for how you can optimize your usage of
the platform.
To help you ensure that your cluster remains stable and
performant, see recommendations from GKE for CRDs that operate but
have an invalid CA bundle. Use this guidance to check your potentially misconfigured CRDs and update them, if necessary. To learn more about how to manage insights and recommendations from
Recommenders, see Optimize your usage of GKE with insights and
recommendations.
Identify impacted clusters
To get insights identifying clusters that are affected by CRDs with invalid CA bundles, follow
the instructions to view insights and recommendations for subtype K8S_CRD_WITH_INVALID_CA_BUNDLE. You can get insights in
the following ways:
Use the Google Cloud console.
Use the Google Cloud CLI, or the Recommender API, filtering with the subtype
K8S_CRD_WITH_INVALID_CA_BUNDLE.
GKE generates an insight and recommendation with the
K8S_CRD_WITH_INVALID_CA_BUNDLE subtype if the GKE cluster has
one or more CRDs reporting a misconfigured caBundle for the webhook client
configuration in spec.conversion.webhook.clientConfig.
The following sections have instructions for you to troubleshoot the CRDs that
GKE detected as potentially misconfigured.
After you implement the instructions and the CRDs are correctly configured, the
recommendation is resolved within 24 hours and no longer appears in the console.
If it has been less than 24 hours since you've implemented the guidance of the
recommendation, you can mark the recommendation as
resolved.
If you don't want to implement the recommendation, you can dismiss
it.
Identify affected CRDs in a cluster
View insights and
recommendations for subtype K8S_CRD_WITH_INVALID_CA_BUNDLE,
choosing one insight at a time to troubleshoot. GKE generates
one insight per cluster which has a broken CRD.
Run the following command to describe the Service to find CRDs with
potentially problematic CA bundles:
CaBundle: The CA bundle associated with the CRD's conversion
webhook, if present. Examine the output. If the caBundle column is empty
for a CRD that you know utilizes a conversion webhook, this signals a
potential issue with the caBundle.
Recreate the CRD
To resolve this error, recreate the affected CRD with a valid CA bundle:
Back up existing custom resources associated with this problematic
CRD, if you have any. Run the following command to export the existing
resources:
kubectlget<crd-name>-oyaml > backup.yaml
Delete the existing CRD:
kubectldeletecrd<crd-name>
Ensure that the caBundle field of the CRD contains a well-formed,
base-64-encoded PEM certificate. You can do this either by editing the
CRD directly or by reaching out to its authors.
Modify the CRD YAML definition, updating the
spec.conversion.webhook.clientConfig.caBundle field with the valid
CA bundle data. The result should look something like the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Troubleshoot CRDs with an invalid CA bundle\n\n[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\n[Custom Resource\nDefinitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)\n(CRDs) are powerful tools for [extending Kubernetes\ncapabilities](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/).\nHowever, if a CRD contains an invalid or malformed Certificate Authority (CA)\nbundle within its conversion webhook configuration\n`spec.conversion.webhook.clientConfig.caBundle`, it can disrupt cluster\noperations. This can manifest as errors during resource creation, updates, or\ndeletions. Google Kubernetes Engine (GKE) monitors your clusters and uses the\nRecommender service to deliver guidance for how you can optimize your usage of\nthe platform.\n\nTo help you ensure that your cluster remains stable and\nperformant, see recommendations from GKE for CRDs that operate but\nhave an invalid CA bundle. Use this guidance to check your potentially misconfigured CRDs and update them, if necessary. To learn more about how to manage insights and recommendations from\nRecommenders, see [Optimize your usage of GKE with insights and\nrecommendations](/kubernetes-engine/docs/how-to/optimize-with-recommenders).\n\nIdentify impacted clusters\n--------------------------\n\nTo get insights identifying clusters that are affected by CRDs with invalid CA bundles, follow\nthe instructions to [view insights and recommendations](/kubernetes-engine/docs/how-to/optimize-with-recommenders#view-insights-recs) for subtype `K8S_CRD_WITH_INVALID_CA_BUNDLE`. You can get insights in\nthe following ways:\n\n- Use the Google Cloud console.\n- Use the Google Cloud CLI, or the Recommender API, filtering with the subtype `K8S_CRD_WITH_INVALID_CA_BUNDLE`.\n\nAfter you identify the CRDs using the insights, follow the instructions to\n[troubleshoot the misconfigured CA bundle](#troubleshoot-crds).\n\nWhen GKE detects misconfigured CRDs\n-----------------------------------\n\nGKE generates an insight and recommendation with the\n`K8S_CRD_WITH_INVALID_CA_BUNDLE` subtype if the GKE cluster has\none or more CRDs reporting a misconfigured `caBundle` for the webhook client\nconfiguration in `spec.conversion.webhook.clientConfig`.\n\nFollow the instructions to [check CRDs with misconfigured CA bundle](#check-invalid-caBundle).\n\nTroubleshoot the detected CRDs\n------------------------------\n\nThe following sections have instructions for you to troubleshoot the CRDs that\nGKE detected as potentially misconfigured.\n\nAfter you implement the instructions and the CRDs are correctly configured, the\nrecommendation is resolved within 24 hours and no longer appears in the console.\nIf it has been less than 24 hours since you've implemented the guidance of the\nrecommendation, you can [mark the recommendation as\nresolved](/kubernetes-engine/docs/how-to/optimize-with-recommenders#resolve-recommendation).\nIf you don't want to implement the recommendation, you can [dismiss\nit](/kubernetes-engine/docs/how-to/optimize-with-recommenders#dismiss-recommendation).\n\n### Identify affected CRDs in a cluster\n\n1. [View insights and\n recommendations](/kubernetes-engine/docs/how-to/optimize-with-recommenders#view-insights-recs) for subtype `K8S_CRD_WITH_INVALID_CA_BUNDLE`,\n choosing one insight at a time to troubleshoot. GKE generates\n one insight per cluster which has a broken CRD.\n\n2. Run the following command to describe the Service to find CRDs with\n potentially problematic CA bundles:\n\n kubectl get crd -o custom-columns=NAME:.metadata.name,CABUNDLE:.spec.conversion.webhook.clientConfig.caBundle\n\n The output includes the following:\n - **Name**: The name of the CRD.\n - **CaBundle**: The CA bundle associated with the CRD's conversion webhook, if present. Examine the output. If the caBundle column is empty for a CRD that you know utilizes a conversion webhook, this signals a potential issue with the caBundle.\n\n### Recreate the CRD\n\nTo resolve this error, recreate the affected CRD with a valid CA bundle:\n\n1. Back up existing custom resources associated with this problematic\n CRD, if you have any. Run the following command to export the existing\n resources:\n\n kubectl get \u003ccrd-name\u003e -o yaml \u003e backup.yaml\n\n2. Delete the existing CRD:\n\n kubectl delete crd \u003ccrd-name\u003e\n\n3. Ensure that the `caBundle` field of the CRD contains a well-formed,\n base-64-encoded PEM certificate. You can do this either by editing the\n CRD directly or by reaching out to its authors.\n\n4. Modify the CRD YAML definition, updating the\n `spec.conversion.webhook.clientConfig.caBundle` field with the valid\n CA bundle data. The result should look something like the following:\n\n spec:\n conversion:\n webhook:\n clientConfig:\n caBundle: \u003cbase64-encoded-ca-bundle\u003e\n\n5. Apply the corrected CRD:\n\n kubectl apply -f \u003ccorrected-crd-file.yaml\u003e\n\n6. Restore your custom resources:\n\n kubectl apply -f backup.yaml\n\nWhat's next\n-----------\n\n- [Optimize your usage of GKE with insights and\n recommendations](/kubernetes-engine/docs/how-to/optimize-with-recommenders)\n- [Troubleshooting common issues](/kubernetes-engine/docs/troubleshooting)"]]
