
Kubernetes Mutating Admission Webhook for Pods. Applies arbitrary changes to Pod manifests.




This is a Kubernetes Mutating Admission Webhook (see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It applies arbitrary changes (a "patch") to a Pod's manifest before the Pod is persisted. A patch can do anything from adding or changing metadata to injecting containers and init-containers together with the volumes they need.

The Kubernetes API server only talks to admission webhooks over HTTPS. An init-container is included that automates certificate generation and the configuration that depends on it (e.g. writing the CA certificate into the caBundle of the MutatingWebhookConfiguration).
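Two details of that HTTPS setup are easy to get wrong and silently break mutation: the server certificate must carry the Service's DNS names as SANs, and caBundle must be the base64 of the CA that signed it. The following added example (not this project's init-container, which is its own implementation) generates such material with Go's standard library and then runs the same verification the API server performs before it will talk to the webhook. The function names generateWebhookCerts and verifyAgainstBundle, and the Service name k8s-pod-mutator in namespace default, are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WebhookCerts is what a cert-bootstrapping init-container has to produce: a
// server cert/key for the webhook Pod plus the caBundle for the
// MutatingWebhookConfiguration (base64 of the CA certificate PEM).
type WebhookCerts struct {
	CACertPEM, ServerCertPEM, ServerKeyPEM []byte
	CABundle                               string
}

// generateWebhookCerts mints a private CA and a server certificate signed by it
// (example code, not the project's). The SANs cover every name the API server
// might dial for the Service; without them the TLS handshake fails.
func generateWebhookCerts(service, namespace string, validFor time.Duration) (*WebhookCerts, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: service + "-ca"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(validFor),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	base := service + "." + namespace
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: base + ".svc"},
		DNSNames:    []string{service, base, base + ".svc", base + ".svc.cluster.local"},
		NotBefore:   now.Add(-time.Minute), NotAfter: now.Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(srvKey)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return &WebhookCerts{
		CACertPEM:     caPEM,
		ServerCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		ServerKeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		CABundle:      base64.StdEncoding.EncodeToString(caPEM),
	}, nil
}

// verifyAgainstBundle repeats the check the API server makes when it calls the
// webhook: the server certificate must chain to caBundle and match the DNS name dialled.
func verifyAgainstBundle(caBundle string, serverCertPEM []byte, dnsName string) error {
	caPEM, err := base64.StdEncoding.DecodeString(caBundle)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("caBundle holds no certificate")
	}
	block, _ := pem.Decode(serverCertPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	certs, err := generateWebhookCerts("k8s-pod-mutator", "default", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyAgainstBundle(certs.CABundle, certs.ServerCertPEM, "k8s-pod-mutator.default.svc"))
}
```

The verification step is the one worth keeping around as a diagnostic: a caBundle left over from an earlier install (a CA with the same name but a different key) or a certificate issued for the wrong Service name both fail it, which is exactly what a 'webhook unreachable' error from the API server usually means.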

Problem Statement

It is a recurring requirement in Kubernetes deployments to transparently mutate Pod manifests, either to add functionality to existing deployments and applications without touching them, or to enforce compliance and other policies and requirements.

This webhook provides a flexible and scalable solution to those problems.

Notable Options


Patch file: the path to the YAML file containing the patch to be applied to eligible Pods (see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#pod-v1-core for the Pod schema).

Patches support wildcards ("*") instead of specific names for containers, init-containers and volumes. If a wildcard is specified, the operation is applied to all existing containers/init-containers/volumes (see examples).

A patch can contain wildcard and regular (named) operations simultaneously.

Currently a patch can contain only one wildcard per type (container/init-container/volume).

Log level: one of panic | fatal | error | warn | info | debug | trace.



  1. adjust the values.yaml in deploy/helm to your requirements
  2. install the chart via helm install k8s-pod-mutator deploy/helm -f deploy/helm/values.yaml

By default, the webhook is reachable under "https://<service_name>:8443/mutate"


Issue: Azure/azure-sdk-for-net#18312

To apply the workaround proposed there, install the Helm chart with the provided example values:

helm upgrade --install k8s-pod-mutator deploy/helm -f values.yaml -f examples/values.example.yaml

This example adds an init-container

    - name: wait-for-imds
      image: busybox:1.33
      command: ['sh', '-c', 'wget "" --header "Metadata: true" -S --spider -T 6']

to all Pods that carry the label aadpodidbinding, so the application containers do not start before the identity endpoint answers.

Feature Request: #3

Consider the following patch (the list entries are grouped under the Pod spec keys they belong to):

    initContainers:
      - name: ca
        image: alpine
        command: ["sh", "-c", "cp -r /etc/ssl/certs /volume"]
        volumeMounts:
          - mountPath: /volume
            name: cacerts
    containers:
      - name: "*"            # wildcard: every container already present in the Pod
        volumeMounts:
          - mountPath: /etc/ssl
            name: cacerts
    volumes:
      - name: cacerts
        emptyDir: {}

When this patch is applied, the init-container ca copies the CA certificates shipped in its image into the shared emptyDir volume, and the volumeMount "cacerts" is added to all containers currently present in the Pod, so each of them sees those certificates under /etc/ssl/certs. Note that mounting the volume at /etc/ssl shadows whatever else the container image had in that directory.
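To make the wildcard semantics from Notable Options and this CA example concrete, here is an added example (not the project's code) that turns such a patch into the RFC 6902 JSON Patch a mutating webhook returns, base64-encoded with patchType JSONPatch, in its AdmissionReview response. It assumes the patch file is a PodSpec-shaped document, applies eligibility by label (as in the aadpodidbinding example above), and handles the wildcard only for volumeMounts on containers; the type and function names (Pod, PatchOp, addToList, buildPatch, caPatch, samplePod) and the sample Pod object are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Pod schema used here (assumed shapes, not the project's types).
type VolumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
}
type Container struct {
	Name         string        `json:"name"`
	Image        string        `json:"image,omitempty"`
	Command      []string      `json:"command,omitempty"`
	VolumeMounts []VolumeMount `json:"volumeMounts,omitempty"`
}
type Volume struct {
	Name     string    `json:"name"`
	EmptyDir *struct{} `json:"emptyDir,omitempty"`
}
type PodSpec struct {
	InitContainers []Container `json:"initContainers,omitempty"`
	Containers     []Container `json:"containers"`
	Volumes        []Volume    `json:"volumes,omitempty"`
}
type Pod struct {
	Metadata struct {
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
	Spec PodSpec `json:"spec"`
}

// PatchOp is one RFC 6902 operation; a list of them, base64-encoded, is the
// "patch" field of the AdmissionReview response (patchType "JSONPatch").
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// addToList emits the op appending item to the list at path. "add" to "path/-"
// is rejected when the list is absent, so the first item of a missing list
// creates it; callers then count that item as existing.
func addToList(path string, existing int, item interface{}) PatchOp {
	if existing == 0 {
		return PatchOp{Op: "add", Path: path, Value: []interface{}{item}}
	}
	return PatchOp{Op: "add", Path: path + "/-", Value: item}
}

// buildPatch turns a PodSpec-shaped patch file into operations against pod (nil
// when pod lacks requiredLabel, i.e. admit unchanged). Volumes and init-containers
// are appended; the container named "*" is the wildcard and adds its volumeMounts
// to every container already in the Pod; other container entries are appended.
func buildPatch(pod Pod, patch PodSpec, requiredLabel string) []PatchOp {
	if _, ok := pod.Metadata.Labels[requiredLabel]; !ok {
		return nil
	}
	var ops []PatchOp
	n := len(pod.Spec.Volumes)
	for _, v := range patch.Volumes {
		ops = append(ops, addToList("/spec/volumes", n, v))
		n++
	}
	n = len(pod.Spec.InitContainers)
	for _, c := range patch.InitContainers {
		ops = append(ops, addToList("/spec/initContainers", n, c))
		n++
	}
	n = len(pod.Spec.Containers)
	for _, c := range patch.Containers {
		if c.Name != "*" {
			ops = append(ops, addToList("/spec/containers", n, c))
			n++
			continue
		}
		for i, existing := range pod.Spec.Containers { // only containers present now
			m := len(existing.VolumeMounts)
			for _, vm := range c.VolumeMounts {
				ops = append(ops, addToList(fmt.Sprintf("/spec/containers/%d/volumeMounts", i), m, vm))
				m++
			}
		}
	}
	return ops
}

// caPatch is this README's CA-certificate patch as Go values.
var caPatch = PodSpec{
	InitContainers: []Container{{Name: "ca", Image: "alpine", Command: []string{"sh", "-c", "cp -r /etc/ssl/certs /volume"}, VolumeMounts: []VolumeMount{{Name: "cacerts", MountPath: "/volume"}}}},
	Containers:     []Container{{Name: "*", VolumeMounts: []VolumeMount{{Name: "cacerts", MountPath: "/etc/ssl"}}}},
	Volumes:        []Volume{{Name: "cacerts", EmptyDir: &struct{}{}}},
}

// samplePod is a constructed Pod object: "app" has no volumeMounts yet, "sidecar" has one.
const samplePod = `{"metadata":{"labels":{"aadpodidbinding":"demo"}},"spec":{"containers":[{"name":"app","image":"nginx"},
{"name":"sidecar","image":"busybox","volumeMounts":[{"name":"tmp","mountPath":"/tmp"}]}],"volumes":[{"name":"tmp","emptyDir":{}}]}}`

func main() {
	var pod Pod
	if err := json.Unmarshal([]byte(samplePod), &pod); err != nil {
		panic(err)
	}
	b, _ := json.Marshal(buildPatch(pod, caPatch, "aadpodidbinding"))
	fmt.Println(string(b)) // the JSON Patch that goes, base64-encoded, into the AdmissionReview response
}
```

The detail worth noticing is in addToList: the sample Pod's "app" container has no volumeMounts list at all, so a naive `add /spec/containers/0/volumeMounts/-` would be rejected by the API server and the Pod would fail admission, while "sidecar" already has one and needs the append form. A real implementation also has to cover the init-container and volume wildcards that the README allows, which this example leaves out.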


If you feel like anything is missing, should be fixed or could be improved, issues and pull requests are more than welcome.
