Define a ClusterPolicy with a mutate rule whose match block targets Deployment resources.
Use the patchStrategicMerge patch type under mutate; inside the patch, specify spec.template.spec.containers as a list with the sidecar container definition you want to inject.
Add preconditions if the injection should be conditional, for example only when a specific annotation is present on the Deployment (e.g., sidecar-inject: "true"). Note that a precondition referencing request.object (or any other request.* variable) is only available at admission time, so the policy must set spec.background: false or Kyverno will reject it.
Similarly inject initContainers and volumes, either in the same patchStrategicMerge alongside containers or in separate rules; a rule carries exactly one mutate block, so separate patches mean separate rules.
Apply the policy and create or update a Deployment that matches; verify the sidecar appears in the Deployment's pod template (kubectl get deployment <name> -o yaml) and in the Pods it rolls out (kubectl get pod -o yaml) under the containers list.
Use kyverno apply <policy.yaml> --resource <deployment.yaml> locally to test the mutation before cluster deployment.
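The steps above assembled into one policy, as an added example rather than the page's own code: an opt-in annotation gate, an idempotency guard on the container name, and the sidecar, init container and shared volume injected in a single patchStrategicMerge. The policy name, the log-shipper container and its image, and the /var/log/app volume layout are assumptions chosen for illustration.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-log-shipper-sidecar   # hypothetical policy name
spec:
  # The preconditions below read request.object, which only exists during
  # admission; Kyverno refuses to load the policy unless background is off.
  background: false
  rules:
  - name: add-sidecar-init-and-volume
    match:
      any:
      - resources:
          kinds:
          - Deployment
    preconditions:
      all:
      # Opt-in only: the Deployment must carry sidecar-inject: "true".
      # The "|| ''" fallback keeps the comparison defined when the
      # annotation (or the whole annotations map) is absent.
      - key: "{{ request.object.metadata.annotations.\"sidecar-inject\" || '' }}"
        operator: Equals
        value: "true"
      # Idempotency guard: strategic merge matches list items by name, so a
      # pre-existing container called log-shipper would be merged into and
      # silently rewritten. Skip the rule instead of overwriting it.
      - key: log-shipper
        operator: NotIn
        value: "{{ request.object.spec.template.spec.containers[].name }}"
    mutate:
      patchStrategicMerge:
        spec:
          template:
            spec:
              # Init container prepares the shared log directory before
              # either the application or the sidecar starts.
              initContainers:
              - name: log-shipper-init
                image: busybox:1.36
                command: ["sh", "-c", "mkdir -p /var/log/app && chmod 0775 /var/log/app"]
                volumeMounts:
                - name: app-logs
                  mountPath: /var/log/app
              # New list item with a name not present in the Deployment, so
              # the merge appends it and leaves existing containers untouched.
              containers:
              - name: log-shipper
                image: example.com/log-shipper:1.0   # hypothetical image
                securityContext:
                  allowPrivilegeEscalation: false
                  readOnlyRootFilesystem: true
                  runAsNonRoot: true
                  capabilities:
                    drop: ["ALL"]
                volumeMounts:
                - name: app-logs
                  mountPath: /var/log/app
                  readOnly: true
              # Shared emptyDir the application writes to and the sidecar reads.
              volumes:
              - name: app-logs
                emptyDir: {}
```

Test it offline with kyverno apply inject-log-shipper-sidecar.yaml --resource deployment.yaml, once against a Deployment carrying the annotation and once without; only the first should show the mutated pod template. Running it a second time against the already-mutated output exercises the NotIn guard and should produce no further change. Because the sidecar's securityContext is restrictive, a Deployment that carries a Pod Security Admission or Kyverno validate policy will still admit the injected container.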
Known gotchas
patchStrategicMerge merges the containers list by the name merge key; if the Deployment already has a container with the sidecar's name, the patch merges into that container rather than appending a duplicate, which can silently overwrite user-defined settings. Guard against this with a precondition that skips the rule when the name is already present (for example NotIn against request.object.spec.template.spec.containers[].name), or choose a name unlikely to collide.
Mutating admission runs before validating admission, and within Kyverno mutate rules run before validate rules, so the injected sidecar is what downstream validation sees. The injected container must itself satisfy any validate policies or other admission controllers (image registry allowlists, required securityContext fields, Pod Security Admission levels), not just avoid a name that a deny rule matches.
Admission-time mutations apply to the object as it passes through the API server. With no operations listed in the match block a mutate rule fires on both CREATE and UPDATE, so edits to a matching Deployment are re-mutated (the idempotency guard above matters here); restricting operations to CREATE changes that. What admission never does is touch Deployments that already existed when the policy was created: for those, use a mutate-existing rule (targets) or set spec.mutateExistingOnPolicyUpdate, or trigger an update on each Deployment.