{"id":"5676ee95-49d2-4807-9a4c-ec1d57d6118c","task":"Implement a mutating admission webhook to inject a sidecar container into pods","domain":"kubernetes.io","steps":["Scaffold a mutating webhook with `kubebuilder create webhook` and select `--defaulting` to generate the `Default()` method","In `Default()`, deserialize the pod spec from the admission request, append the sidecar container to `spec.containers`, and return a JSON patch","Use `admission.PatchResponseFromRaw` or build `jsonpatch.JsonPatchOperation` entries for the mutation response","Register the webhook in a `MutatingWebhookConfiguration` with `reinvocationPolicy: IfNeeded` if the sidecar depends on other mutating webhooks running first","Set `namespaceSelector` to target only labeled namespaces to avoid mutating system namespaces","Verify injection by creating a pod in a labeled namespace and inspecting `kubectl get pod -o yaml` for the injected container"],"gotchas":["Mutating webhooks fire before validating webhooks; if your mutating webhook adds required fields, validating webhooks will see the mutated object — order matters","The patch must be valid RFC 6902 JSON Patch; an invalid patch silently causes the admission request to fail with a generic error rather than a descriptive message","Setting `reinvocationPolicy: Never` (the default) means your webhook does not see changes made by other mutating webhooks; use `IfNeeded` when injection depends on labels set by other webhooks"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/5676ee95-49d2-4807-9a4c-ec1d57d6118c"}