Skip to content
Latchkey

Kubernetes "admission webhook denied the request" in CI - Fix it

A validating admission webhook intercepted your create/update and refused it. The object reached the API server fine; a policy controller judged it non-compliant and returned the denial. The message after "denied the request:" is the actual rule.

What this error means

kubectl apply fails with Error from server: admission webhook "<name>" denied the request: <reason>. It is deterministic for the same object and policy.

kubectl
Error from server: error when creating "deploy.yaml": admission webhook
"validate.kyverno.svc" denied the request: require-requests-limits: CPU and
memory resource requests are required

Common causes

Object violates a cluster policy

A Kyverno/Gatekeeper/built-in policy requires or forbids something (a label, resource limits, a registry) that your manifest does not satisfy.

Policy tightened under you

A manifest that applied before now fails because a new or stricter policy was rolled out.

How to fix it

Read the denial and the policy

The text after the colon is the rule; find the webhook/policy behind it.

Terminal
kubectl get validatingwebhookconfigurations
kubectl get cpol,pol -A     # Kyverno
kubectl get constraints     # Gatekeeper

Make the manifest compliant

  1. Add the required field/label or remove the forbidden setting named in the message.
  2. Re-apply and confirm admission succeeds.
  3. If the policy itself is wrong, fix it with the policy owner - do not bypass the webhook.

How to prevent it

  • Run cluster policies in CI dry-run (conftest/kyverno cli) before apply.
  • Keep manifests aligned with the org policy set.
  • Coordinate policy rollouts so teams update manifests before enforcement.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →