We are currently generating certificates for the admission webhooks in Toolforge using the v1beta1 certificates API because it allows the unknown-legacy signer. That is not valid in the certificates/v1 API, and v1beta1 gets dropped in 1.22.
We should not upgrade to this level until this is resolved. This was noticed in T289390 and confirmed as an issue in upstream GitHub issues. A new signer may be added by the upstream project for https://github.com/kubernetes/kubernetes/issues/63732, but we'd need that to be used first. We just need a trusted TLS cert (that the control plane pod trusts) to run those controllers.
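
A pre-upgrade check for the problem described above, as an added example that is not part of the original task or of Toolforge's code: it flags CertificateSigningRequest manifests that depend on v1beta1-only behaviour. The sample manifests, their names and the signer `example.org/webhook-signer` are constructed; `kubernetes.io/legacy-unknown` is the upstream name of the legacy signer.

```python
# Added example: audit CertificateSigningRequest manifests before moving to 1.22.
V1 = "certificates.k8s.io/v1"
V1BETA1 = "certificates.k8s.io/v1beta1"
LEGACY_SIGNER = "kubernetes.io/legacy-unknown"  # accepted by v1beta1 only


def v1_blockers(manifest):
    """Return the reasons a CSR manifest will stop working once v1beta1 is gone."""
    if manifest.get("kind") != "CertificateSigningRequest":
        return []
    problems = []
    api = manifest.get("apiVersion")
    if api == V1BETA1:
        problems.append("apiVersion certificates.k8s.io/v1beta1 is dropped in 1.22")
    elif api != V1:
        problems.append(f"unexpected apiVersion {api!r}")
    spec = manifest.get("spec") or {}
    signer = spec.get("signerName")
    if not signer:
        # v1beta1 fills in a default signer server-side; v1 rejects the object.
        problems.append("spec.signerName is unset, v1 requires it")
    elif signer == LEGACY_SIGNER:
        problems.append(f"signer {LEGACY_SIGNER} is not permitted in v1")
    if not spec.get("usages"):
        # v1beta1 also defaults usages; v1 requires them to be listed.
        problems.append("spec.usages is unset, v1 requires it")
    return problems


def audit(manifests):
    """Map manifest name -> blockers, listing only manifests that have any."""
    report = {}
    for m in manifests:
        found = v1_blockers(m)
        if found:
            report[m.get("metadata", {}).get("name", "<unnamed>")] = found
    return report


# Constructed sample input (placeholder CSR bodies, hypothetical names).
KIND = "CertificateSigningRequest"
SAMPLE_MANIFESTS = [
    {"apiVersion": V1BETA1, "kind": KIND, "metadata": {"name": "webhook-old"},
     "spec": {"request": "<base64 CSR>"}},
    {"apiVersion": V1, "kind": KIND, "metadata": {"name": "webhook-legacy"},
     "spec": {"request": "<base64 CSR>", "signerName": LEGACY_SIGNER,
              "usages": ["server auth"]}},
    {"apiVersion": V1, "kind": KIND, "metadata": {"name": "webhook-custom"},
     "spec": {"request": "<base64 CSR>", "signerName": "example.org/webhook-signer",
              "usages": ["digital signature", "key encipherment", "server auth"]}},
]
```
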