{"id":"42ba3bc4-7a3f-45d3-90b7-3bc217bdfab7","task":"Configure OPA Gatekeeper mutation with Assign and AssignMetadata to automatically add default labels to pods","domain":"security/compliance","steps":["Enable the Gatekeeper mutation feature by setting --enable-mutation in the Gatekeeper controller manager arguments or via the Helm chart value; restart the controller after enabling.","Write an AssignMetadata manifest to inject a specific label into every pod's metadata.labels using spec.match to scope it by namespace or resource kind.","Write an Assign manifest to inject a value into a non-metadata field (e.g., spec.containers[].securityContext.readOnlyRootFilesystem) using a location path and spec.parameters.","Apply both mutation CRDs and create a test pod to verify the label and field are injected; describe the pod and inspect its metadata.","Check for mutation conflicts: if two Assign objects target the same path, Gatekeeper resolves them by applying all matching mutations and a conflict will cause neither to apply; audit the MutationStatus."],"gotchas":["Mutation is applied before validation; a mutation that injects a value that then fails a validate policy will surface as a validation denial, which can be confusing to debug.","AssignMetadata only targets metadata.labels and metadata.annotations; use Assign for any other field location.","Mutations are not retroactively applied to existing resources; they only affect new admissions or resources that are updated."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/42ba3bc4-7a3f-45d3-90b7-3bc217bdfab7"}