Your cluster-lint tool is good; I appreciate its insights. It flags webhooks with timeouts greater than 29 seconds as blocking upgrades. By itself, this is reasonable. Cert-manager ( https://cert-manager.io/ ) is a popular tool for automating renewal of TLS certificates. It installs two webhooks with timeouts of 30 seconds. By itself, this is reasonable. However, this means an unmodified install of cert-manager will block upgrading a DOKS cluster. As an application developer, with no real opinion on how long webhook timeouts should be, this is frustrating. (I was able to edit my cert-manager template to change the timeouts to 29 seconds, so I am able to proceed with my work.) As you and they are only one second apart, it appears that there is not an actual professional disagreement here. Please coordinate with the cert-manager project in setting standards so everyone's tools interoperate.