1. Scaffold a mutating webhook with `kubebuilder create webhook` and pass `--defaulting` to generate the `Default()` method
2. In `Default()`, deserialize the pod from the admission request, append the sidecar container to `spec.containers`, and return a JSON patch describing that change
3. Use `admission.PatchResponseFromRaw` or build `jsonpatch.JsonPatchOperation` entries for the mutation response
4. Register the webhook in a `MutatingWebhookConfiguration` with `reinvocationPolicy: IfNeeded` if the sidecar depends on other mutating webhooks running first
5. Set `namespaceSelector` to target only labeled namespaces so that system namespaces (such as `kube-system`) are never mutated
6. Verify injection by creating a pod in a labeled namespace and inspecting `kubectl get pod -o yaml` for the injected container
Known gotchas
- Mutating webhooks fire before validating webhooks; if your mutating webhook adds required fields, validating webhooks see the mutated object, so order matters
- The patch must be valid RFC 6902 JSON Patch; an invalid patch makes the API server reject the admission request with a generic error rather than a descriptive message, so malformed patches are hard to diagnose from the client side
- `reinvocationPolicy: Never` (the default) means your webhook does not see changes made by other mutating webhooks; use `IfNeeded` when injection depends on labels set by other webhooks, and make the injection idempotent because the webhook may then run more than once for the same pod
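The decode-append-patch flow from the steps above, together with the gotchas just listed, as an added example that is not code from the original page nor from kubebuilder or controller-runtime. It uses only the Go standard library: the trimmed `Pod` and `AdmissionReview` structs, the `Mutate` and `SidecarPatch` function names, the sidecar name and the sample review JSON are all assumptions constructed for the example; a kubebuilder project would use the `k8s.io/api` types and controller-runtime's `admission.Handler` with `PatchResponseFromRaw` instead. The patch it emits is plain RFC 6902, it refuses to add a second copy of the sidecar (so reinvocation under `IfNeeded` is safe), and a pod it cannot decode is denied with a descriptive message rather than left to fail generically.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal slices of the Kubernetes types the patch logic needs (assumption:
// field names match the JSON the API server sends; the full types live in
// k8s.io/api and k8s.io/api/admission/v1).
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

type Pod struct {
	Spec struct {
		Containers []Container `json:"containers"`
	} `json:"spec"`
}

// PatchOp is one RFC 6902 operation; a slice of them marshals to the patch.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

type Status struct {
	Message string `json:"message"`
}

type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	PatchType string  `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json emits []byte as base64, as the API expects
	Result    *Status `json:"result,omitempty"`
}

type AdmissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}

// SidecarPatch computes the operations that add sidecar to the pod. It is
// idempotent: a pod that already has a container with the sidecar's name
// gets an empty patch, which keeps the webhook safe under
// reinvocationPolicy: IfNeeded, where it may run twice for one pod.
func SidecarPatch(podJSON []byte, sidecar Container) ([]PatchOp, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	for _, c := range pod.Spec.Containers {
		if c.Name == sidecar.Name {
			return nil, nil
		}
	}
	// "add" to ".../-" appends to an existing array and is invalid RFC 6902 if
	// the array is absent, so create the array in that case instead.
	if len(pod.Spec.Containers) == 0 {
		return []PatchOp{{Op: "add", Path: "/spec/containers", Value: []Container{sidecar}}}, nil
	}
	return []PatchOp{{Op: "add", Path: "/spec/containers/-", Value: sidecar}}, nil
}

// Mutate handles one AdmissionReview: decode the pod from request.object,
// compute the patch, and return a review carrying the response. A pod that
// cannot be decoded is denied with a message instead of a generic failure.
func Mutate(reviewJSON []byte, sidecar Container) (*AdmissionReview, error) {
	var review AdmissionReview
	if err := json.Unmarshal(reviewJSON, &review); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	out := &AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true}
	out.Response = resp
	ops, err := SidecarPatch(review.Request.Object, sidecar)
	if err != nil {
		resp.Allowed = false
		resp.Result = &Status{Message: err.Error()}
		return out, nil
	}
	if len(ops) > 0 {
		patch, err := json.Marshal(ops)
		if err != nil {
			return nil, err
		}
		resp.PatchType = "JSONPatch"
		resp.Patch = patch
	}
	return out, nil
}

// sampleReview is a constructed AdmissionReview for a one-container pod.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"00000000-0000-0000-0000-000000000001",
  "object":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"web","namespace":"team-a"},
   "spec":{"containers":[{"name":"app","image":"nginx:1.27"}]}}}}`

func main() {
	out, err := Mutate([]byte(sampleReview), Container{Name: "log-shipper", Image: "example/log-shipper:1.0"})
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b))
}
```

The `namespaceSelector` and `reinvocationPolicy` settings from steps 4 and 5 live in the `MutatingWebhookConfiguration`, not in this handler; what the handler contributes to safe reinvocation is the name check in `SidecarPatch`, which is the part that is easy to forget when the webhook is first written against a single pass.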