Kube-apiserver fails to call cert-manager webhook


I’ve been trying to get to the bottom of a problem setting up cert-manager on a fresh cluster that was provisioned with

Kube: v1.17.17
Rancher: v2.3.8

I’m installing cert-manager on my own, not relying on any built-in Rancher functionality, and when I go to register my Certificate Issuer I get an error because the kube-apiserver is unable to resolve the service DNS name to talk to the cert-manager webhook service.

What I’ve been able to deduce is that this problem is simply because the kube-apiserver container doesn’t resolve cluster DNS names. I’m trying to figure out if this is a known bug with my combination of versions, or if there is something else going on here that requires a configuration change.

From what I’ve read, it seems like it’s by design that the kube-apiserver container doesn’t use the CoreDNS service to resolve cluster DNS names (pods, services, etc.), and that the “admissionregistration” API is what cert-manager’s manifest (Helm chart) uses to inform the apiserver of how to connect to the webhook service.

Maybe this is a bug in 1.17 and I just need to update, or maybe this is a bug with how Rancher provisions the API server? Before I go upgrading my Rancher installation, I was hoping someone might already be familiar with this issue so I can avoid something hacky like editing the host’s /etc/resolv.conf file to circumvent it.

Thanks in advance for any help you might be able to provide!
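Added example, not part of the original post: the admissionregistration object the post refers to is a ValidatingWebhookConfiguration, and its `clientConfig` tells the apiserver how to reach the webhook in one of two forms, a `service` reference (namespace, name, path, port) or an explicit `url`. For a `service` reference the apiserver does not look the `<name>.<namespace>.svc` name up in DNS; it maps the reference to the Service's ClusterIP from its own cache and dials that, so the host the apiserver runs on must be able to route to ClusterIPs. The script below parses a constructed dump in the shape `kubectl get validatingwebhookconfigurations -o json` prints and reports, per webhook, which form is in use, the endpoint the configuration describes, whether a `caBundle` is set, and whether `failurePolicy: Fail` will turn a dial failure into the kind of rejection seen when creating an Issuer. The object and service names follow cert-manager's Helm chart defaults; the second configuration, the IP, port and every other value are assumptions made up for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape that
#   kubectl get validatingwebhookconfigurations -o json
# prints. Names follow cert-manager's Helm chart defaults, but the whole
# document is made up for this example; the caBundle is a placeholder,
# the second configuration and its IP/port are assumptions.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {"name": "cert-manager-webhook"},
            "webhooks": [{
                "name": "webhook.cert-manager.io",
                "clientConfig": {
                    "caBundle": "UExBQ0VIT0xERVI=",
                    "service": {
                        "namespace": "cert-manager",
                        "name": "cert-manager-webhook",
                        "path": "/validate",
                        "port": 443,
                    },
                },
                "failurePolicy": "Fail",
                "timeoutSeconds": 30,
            }],
        },
        {
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {"name": "example-host-webhook"},
            "webhooks": [{
                "name": "validate.example.invalid",
                "clientConfig": {"url": "https://10.0.0.5:10260/validate"},
                "failurePolicy": "Ignore",
            }],
        },
    ],
})


def describe_webhooks(raw: str) -> List[Dict[str, Any]]:
    """Return one summary row per webhook entry in a kubectl JSON dump.

    target is "service" when the apiserver is given a Service reference and
    "url" when it is given an explicit URL. dial spells out the endpoint the
    configuration describes; for a Service reference it is written in the
    conventional <name>.<namespace>.svc form so it is recognisable, even
    though the apiserver resolves the reference to the Service's ClusterIP
    rather than through DNS. Defaults follow the admissionregistration v1
    API: port 443, failurePolicy Fail, timeoutSeconds 10.
    """
    rows: List[Dict[str, Any]] = []
    for item in json.loads(raw).get("items", []):
        config_name = item["metadata"]["name"]
        for hook in item.get("webhooks", []):
            cc = hook.get("clientConfig", {})
            if "service" in cc:
                svc = cc["service"]
                port = svc.get("port", 443)
                path = svc.get("path") or "/"
                target = "service"
                dial = f"https://{svc['name']}.{svc['namespace']}.svc:{port}{path}"
            else:
                target = "url"
                dial = cc.get("url", "")
            rows.append({
                "configuration": config_name,
                "webhook": hook["name"],
                "target": target,
                "dial": dial,
                "failurePolicy": hook.get("failurePolicy", "Fail"),
                "timeoutSeconds": hook.get("timeoutSeconds", 10),
                "hasCaBundle": bool(cc.get("caBundle")),
            })
    return rows


def blocking_webhooks(rows: List[Dict[str, Any]]) -> List[str]:
    """Webhooks that reject requests when unreachable: with failurePolicy
    Fail, a connection or resolution error becomes an admission error."""
    return [r["webhook"] for r in rows if r["failurePolicy"] == "Fail"]


if __name__ == "__main__":
    summary = describe_webhooks(SAMPLE_JSON)
    for r in summary:
        print(f"{r['configuration']}/{r['webhook']}: {r['target']} -> {r['dial']} "
              f"(failurePolicy={r['failurePolicy']}, "
              f"caBundle={'yes' if r['hasCaBundle'] else 'no'})")
    print("blocking when unreachable:", blocking_webhooks(summary))
```

To run this against a real cluster, replace `SAMPLE_JSON` with the output of `kubectl get validatingwebhookconfigurations -o json` (the same structure applies to `mutatingwebhookconfigurations`). A `service` target whose dial fails points at host-to-ClusterIP routing from wherever the apiserver runs; a `url` target points at whatever address was written into the configuration.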