Kubernetes

Kubernetes Admission Controller Timeout

critical
latency

Updated Nov 2, 2025

OPA Gatekeeper admission controller evaluation exceeds Kubernetes API server timeout thresholds, causing pod admission failures and deployment blockages. This typically occurs when policy evaluation takes longer than the webhook timeout (default 10-30s).

How to detect:

Monitor Kubernetes admission webhook latency metrics and OPA evaluation duration. Alert when admission requests time out or when OPA evaluation time approaches the webhook timeout threshold. Track admission failure rates and pod creation errors related to admission webhooks.
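One way to implement the "approaching the timeout" check, as an added example that is not part of the original entry: it estimates p99 webhook latency from the API server histogram `apiserver_admission_webhook_admission_duration_seconds` and flags webhooks at or above 80% of the timeout. The 10 s timeout, the 0.8 ratio, the bucket bounds, the sample counts and the second webhook name are constructed assumptions.

```python
import re
from collections import defaultdict

METRIC = "apiserver_admission_webhook_admission_duration_seconds_bucket"
# Constructed scrape of the API server /metrics endpoint (cumulative buckets);
# bucket bounds, counts and the second webhook name are illustrative only.
SAMPLE = """\
M{name="validation.gatekeeper.sh",operation="CREATE",le="1"} 500
M{name="validation.gatekeeper.sh",operation="CREATE",le="5"} 580
M{name="validation.gatekeeper.sh",operation="CREATE",le="10"} 597
M{name="validation.gatekeeper.sh",operation="CREATE",le="+Inf"} 600
M{name="validation.gatekeeper.sh",operation="UPDATE",le="1"} 350
M{name="validation.gatekeeper.sh",operation="UPDATE",le="5"} 390
M{name="validation.gatekeeper.sh",operation="UPDATE",le="10"} 398
M{name="validation.gatekeeper.sh",operation="UPDATE",le="+Inf"} 400
M{name="fast.webhook.example",operation="CREATE",le="1"} 999
M{name="fast.webhook.example",operation="CREATE",le="5"} 1000
M{name="fast.webhook.example",operation="CREATE",le="10"} 1000
M{name="fast.webhook.example",operation="CREATE",le="+Inf"} 1000
""".replace("M{", METRIC + "{")

def parse_buckets(text):
    """Return {webhook: sorted [(le, cumulative count)]}, summed over other labels."""
    sums = defaultdict(lambda: defaultdict(float))
    for line in text.splitlines():
        m = re.match(r'^(\w+)\{(.*)\}\s+(\S+)$', line.strip())
        if not m or m.group(1) != METRIC:
            continue
        labels = dict(re.findall(r'(\w+)="([^"]*)"', m.group(2)))
        sums[labels["name"]][float(labels["le"])] += float(m.group(3))
    return {name: sorted(b.items()) for name, b in sums.items()}

def quantile(buckets, q):
    """Estimate quantile q by linear interpolation within the matching bucket."""
    rank = q * buckets[-1][1]
    prev_le, prev_count = 0.0, 0.0
    for le, count in buckets:
        if count >= rank and count > prev_count:
            if le == float("inf"):
                return prev_le  # beyond the last finite bound: report that bound
            return prev_le + (le - prev_le) * (rank - prev_count) / (count - prev_count)
        prev_le, prev_count = le, count
    return 0.0  # no observations recorded

def at_risk(text, timeout_s=10.0, ratio=0.8, q=0.99):
    """Webhooks whose estimated q-quantile latency is >= ratio * timeout_s."""
    p = {n: quantile(b, q) for n, b in parse_buckets(text).items()}
    return {n: round(v, 2) for n, v in p.items() if v >= ratio * timeout_s}
```

Set `timeout_s` to the `timeoutSeconds` value actually configured on the webhook being checked, since the alert is only meaningful relative to that value.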

Recommended action:

Optimize policy evaluation using linear-time Rego fragments and indexed statements. Pre-filter input data before evaluation. Implement policy caching for deterministic decisions. Verify webhook timeout configuration is appropriate. Use Gatekeeper constraint templates with optimized Rego. Consider increasing webhook timeout if policies are necessarily complex. Enable early-exit semantics for complete document rules.