Enable the Gatekeeper mutation feature by setting --enable-mutation in the Gatekeeper controller manager arguments or via the Helm chart value; restart the controller after enabling.
Write an AssignMetadata manifest to inject a specific label into every pod's metadata.labels using spec.match to scope it by namespace or resource kind.
Write an Assign manifest to inject a value into a non-metadata field (e.g., spec.containers[name:*].securityContext.readOnlyRootFilesystem, using Gatekeeper's list-selector syntax for the containers array) by specifying spec.applyTo, a location path, and spec.parameters.
Apply both mutation CRDs and create a test pod to verify the label and field are injected; describe the pod and inspect its metadata.
Check for mutation conflicts: when several mutators match one resource, Gatekeeper applies all of them, but if two Assign objects target the same path with different values the pair is treated as a conflict and neither is applied; audit the mutation status reported on each mutator object to catch this.
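The two manifests described in the steps above, as an added example rather than code from the original page: an AssignMetadata that labels every pod in a namespace and an Assign that defaults readOnlyRootFilesystem on every container. The namespace name team-a, the label key owner, and the exclusion of kube-system are assumptions chosen for illustration; the pathTests block limits the Assign to containers that have not set the field themselves, so an explicit false in a manifest is not silently flipped.

```yaml
# Example 1: inject a label into every pod in namespace team-a (assumed namespace).
apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: add-owner-label
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["team-a"]          # assumed; scope the mutation by namespace
  location: "metadata.labels.owner" # AssignMetadata may only target labels/annotations
  parameters:
    assign:
      value: "team-a"               # assumed label value
---
# Example 2: default readOnlyRootFilesystem to true on every container of every pod,
# except in kube-system (assumed exclusion), and only where the field is unset.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: default-readonly-rootfs
spec:
  applyTo:                          # which resource types the mutation is written for
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  # [name:*] selects every entry of the containers list; a bare [] is not valid here.
  location: "spec.containers[name:*].securityContext.readOnlyRootFilesystem"
  parameters:
    pathTests:
      # Only mutate when the field is absent, so an explicit value set by the
      # author of the pod spec is left as-is and surfaces in validation instead.
      - subPath: "spec.containers[name:*].securityContext.readOnlyRootFilesystem"
        condition: MustNotExist
    assign:
      value: true
```

After applying both, create a pod in team-a and `kubectl get pod <name> -o yaml`: the owner label and the readOnlyRootFilesystem field should both be present on the admitted object.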
Known gotchas
Mutation is applied before validation; a mutation that injects a value which then fails a validation constraint surfaces as an ordinary validation denial, which can be confusing to debug because the rejected value never appeared in the submitted manifest.
AssignMetadata only targets metadata.labels and metadata.annotations; use Assign for any other field location.
Mutations are not retroactively applied to existing resources; they only affect new admissions or resources that are updated.