Specifically, the kube-apiserver expects the certificate of an admission control webhook to have a SAN entry for <service-name>.kube-system.svc
# kubectl -n kube-system logs deployment/<name>-webhook -c certificate-init-container
# openssl x509 -in certificate.crt -text -noout
Certificate Information:
Common Name: 100-96-2-2.kube-system.pod.cluster.local
Subject Alternative Names:
100-96-2-2.kube-system.pod.cluster.local
<service-name>.kube-system.svc.cluster.local
<service-name>.kube-system.svc
IP Address:100.96.2.2
IP Address:100.69.175.40
Valid From: August 14, 2020
Valid To: August 14, 2021
Serial Number: 8f618d0c4564d8233bc158d097534b03
Failed calling webhook,
failing open <name>:
failed calling webhook "<name>":
Post https://<service-name>.kube-system.svc:443/mutate?timeout=10s: x509: certificate is valid for
<service-name>.kube-system.svc.cluster.local, (fully qualified service name)
not <service-name>.kube-system.svc