diff --git a/go.mod b/go.mod
index ae222981..92a511e1 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	go.uber.org/multierr v1.11.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de
-	google.golang.org/grpc v1.63.0
+	google.golang.org/grpc v1.63.2
 	k8s.io/apimachinery v0.29.3
 )
 
diff --git a/go.sum b/go.sum
index 1a393723..3089ac0b 100644
--- a/go.sum
+++ b/go.sum
@@ -324,10 +324,10 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY=
 google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
-google.golang.org/grpc v1.63.0 h1:WjKe+dnvABXyPJMD7KDNLxtoGk5tgk+YFWN6cBWjZE8=
-google.golang.org/grpc v1.63.0/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/sidecar-injector/Dockerfile b/sidecar-injector/Dockerfile
new file mode 100644
index 00000000..0518a556
--- /dev/null
+++ b/sidecar-injector/Dockerfile
@@ -0,0 +1,11 @@
+FROM golang:1.22 as build
+RUN go install golang.org/x/lint/golint@latest
+WORKDIR /build
+COPY . ./
+RUN CGO_ENABLED=0 GOOS=linux go build -o sidecar-injector
+
+FROM scratch
+WORKDIR /
+COPY --from=build /build/sidecar-injector /
+
+ENTRYPOINT ["/sidecar-injector"]
diff --git a/sidecar-injector/README.md b/sidecar-injector/README.md
new file mode 100644
index 00000000..a73a3ad2
--- /dev/null
+++ b/sidecar-injector/README.md
@@ -0,0 +1,202 @@
+# Kyverno Envoy Sidecar Injector 
+
+Uses [MutatingAdmissionWebhook Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) in Kubernetes to inject kyverno-envoy-plugin sidecar into newly created pods. This injection occurs at pod creation time, targeting pods that have the label `kyverno-envoy-sidecar/injection=enabled`. By introducing this sidecar, we can enforce policies on all incoming HTTP requests and make external authorization decisions to the targeted pod without modifying the primary application code/containers.
+
+
+## Prerequisites
+
+Kubernetes 1.16.0 or above with the `admissionregistration.k8s.io/v1` API enabled.
+Verify that by the following command:
+```bash
+ ~$ kubectl api-versions | grep admissionregistration.k8s.io/v1
+```
+The result should be:
+```bash
+admissionregistration.k8s.io/v1
+```
+## Installation  
+
+#### Dedicated Namespace
+
+Create a namespace `kyverno-envoy-sidecar-injector`, where you will deploy the Kyverno Envoy Sidecar Injector Webhook components.
+
+```bash
+ ~$ kubectl create namespace kyverno-envoy-sidecar-injector
+```
+
+#### Deploy Sidecar Injector
+
+1. Create a signed cert/key pair and store it in a Kubernetes `secret` that will be consumed by sidecar injector deployment 
+ 
+    Generate cert/key pair with openssl 
+    ```bash
+     ~$ openssl req -new -x509  \
+        -subj "/CN=kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc" \
+        -addext "subjectAltName = DNS:kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc" \
+        -nodes -newkey rsa:4096 -keyout tls.key -out tls.crt 
+    ```
+    Now apply below command to create `secret`  
+    ```bash
+     ~$ kubectl create secret generic kyverno-envoy-sidecar-certs \
+        --from-file tls.crt=tls.crt \
+        --from-file tls.key=tls.key \
+        --dry-run=client -n kyverno-envoy-sidecar-injector -oyaml > secret.yaml 
+    ```  
+    Apply the secret
+    ```bash
+    ~$ kubectl apply -f secret.yaml
+    ```
+
+2. Run the script to Patch the `Mutating Webhook Configuration` with the CA bundle extracted from the `secret` created in the previous step and apply the MutatingWebhookConfiguration changes: 
+ 
+```bash
+ ~$ ./manifests/create-mutating-webhook.sh
+```
+3. To Inject the Kyverno Envoy Sidecar, Create this configmap of name `kyverno-envoy-sidecar` in `kyverno-envoy--sidecar-injector` namespace. If their is requirement of multiple policy files, you can add more `--policy` flags and then add them in the `policy-files` configmap.
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
+data:
+  sidecars.yaml: |
+    - name: kyverno-envoy-sidecar
+      containers:
+      - image: sanskardevops/plugin:0.0.25
+        imagePullPolicy: IfNotPresent
+        name: ext-authz
+        ports:
+        - containerPort: 8000
+        - containerPort: 9000
+        args:
+        - "serve"
+        - "--policy=/policies/policy.yaml"
+        volumeMounts:
+        - name: policy-files
+          mountPath: /policies
+      volumes:
+      - name: policy-files
+        configMap:
+          name: policy-files      
+EOF          
+```
+
+4. Deploy resources
+```bash
+ ~$ kubectl apply -f ./manifests/rbac.yaml
+ ~$ kubectl apply -f ./manifests/deployment.yaml
+ ~$ kubectl apply -f ./manifests/service.yaml
+```
+
+#### Verify Sidecar Injector Installation
+
+1. The sidecar injector should be deployed in the `kyverno-envoy-sidecar-injector` namespace:
+
+```bash
+ ~$ kubectl -n kyverno-envoy-sidecar-injector get all
+```
+```bash
+~$ kubectl -n  kyverno-envoy-sidecar-injector get all 
+NAME                                        READY   STATUS    RESTARTS   AGE
+pod/kyverno-envoy-sidecar-976c94445-2l66q   1/1     Running   0          46s
+
+NAME                            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+service/kyverno-envoy-sidecar   ClusterIP   10.96.137.93   <none>        443/TCP   3m11s
+
+NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/kyverno-envoy-sidecar   1/1     1            1           46s
+
+NAME                                              DESIRED   CURRENT   READY   AGE
+replicaset.apps/kyverno-envoy-sidecar-976c94445   1         1         1       46s
+
+```
+2. Now create a pod with the label `kyverno-envoy-sidecar/injection=enabled` in any namespace other than `kyverno-envoy-sidecar-injector`. But before we have to apply configmap `policy-files` in the same namespace where we will create the pod.
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-files
+  namespace: default
+data:
+  policy.yaml: |
+    apiVersion: json.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    metadata:
+      name: check-dockerfile
+    spec:
+      rules:
+        - name: deny-external-calls
+          assert:
+            all:
+            - message: "HTTP calls are not allowed"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (base64_decode(split(@, ' ')[1])): 
+                                    (split(@, ':')[0]): alice
+                        path: /foo    
+EOF          
+```
+
+Now create a pod with the label `kyverno-envoy-sidecar/injection=enabled` in the default namespace:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: default
+  labels:
+    app.kubernetes.io/name: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nginx
+  template:
+    metadata:
+      labels:
+        kyverno-envoy-sidecar/injection: enabled
+        app.kubernetes.io/name: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.20.2
+          ports:
+            - containerPort: 80
+```
+
+Apply the following command to creat above example deployment:
+```bash
+kubectl apply -f ./example-manifest/exampledeploy.yaml
+```
+
+Now check the pods, you should see the Kyverno Envoy Sidecar injected:
+
+```bash
+ ~$ kubectl get pods 
+```
+
+Two pods are runing
+```console 
+~$ kubectl get pods 
+NAME                     READY   STATUS    RESTARTS   AGE
+nginx-77b746455b-xntjn   2/2     Running   0          3m46s
+```
+
+3. Check the logs of the Kyverno-envoy-sidecar container to verify the sidecar is running:
+
+```bash
+sanskar@sanskar-HP-Laptop-15s-du1xxx:~$ kubectl logs -n kyverno-envoy-sidecar-injector kyverno-envoy-sidecar-976c94445-nf777 -f 
+time="2024-04-20T13:59:10Z" level=info msg="SimpleServer starting to listen in port 8443"
+time="2024-04-20T14:03:32Z" level=info msg="AdmissionReview for Kind=/v1, Kind=Pod, Namespace=default Name= UID=a57c5c0b-96c0-4c9c-b903-6aa75f635c17 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:replicaset-controller 9e6576d2-f5c3-4b44-9b9d-952a20b70da7 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}"
+time="2024-04-20T14:03:32Z" level=info msg="sideCar injection for kyverno-envoy-sidecar-injector/nginx-77b746455b-: sidecars: kyverno-envoy-sidecar"
+
+```
\ No newline at end of file
diff --git a/sidecar-injector/example-manifest/exampledeploy.yaml b/sidecar-injector/example-manifest/exampledeploy.yaml
new file mode 100644
index 00000000..d557dc29
--- /dev/null
+++ b/sidecar-injector/example-manifest/exampledeploy.yaml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: default
+  labels:
+    app.kubernetes.io/name: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nginx
+  template:
+    metadata:
+      labels:
+        kyverno-envoy-sidecar/injection: enabled
+        app.kubernetes.io/name: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.20.2
+          ports:
+            - containerPort: 80
+        
\ No newline at end of file
diff --git a/sidecar-injector/example-manifest/policyfile-configmap.yaml b/sidecar-injector/example-manifest/policyfile-configmap.yaml
new file mode 100644
index 00000000..d56557ab
--- /dev/null
+++ b/sidecar-injector/example-manifest/policyfile-configmap.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-files
+  namespace: default
+data:
+  policy.yaml: |
+    apiVersion: json.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    metadata:
+      name: check-dockerfile
+    spec:
+      rules:
+        - name: deny-external-calls
+          assert:
+            all:
+            - message: "HTTP calls are not allowed"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (base64_decode(split(@, ' ')[1])): 
+                                    (split(@, ':')[0]): alice
+                        path: /foo        
+                     
\ No newline at end of file
diff --git a/sidecar-injector/go.mod b/sidecar-injector/go.mod
new file mode 100644
index 00000000..16f45e8f
--- /dev/null
+++ b/sidecar-injector/go.mod
@@ -0,0 +1,53 @@
+module github.com/kyverno/kyverno-envoy-plugin/sidecar-injector
+
+go 1.22.1
+
+require (
+	github.com/ghodss/yaml v1.0.0
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.8.0
+	k8s.io/api v0.29.3
+	k8s.io/apimachinery v0.29.3
+	k8s.io/client-go v0.29.3
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
diff --git a/sidecar-injector/go.sum b/sidecar-injector/go.sum
new file mode 100644
index 00000000..e4752463
--- /dev/null
+++ b/sidecar-injector/go.sum
@@ -0,0 +1,166 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
+golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
+k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
+k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
+k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
+k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
+k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
+k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
+k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
+k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/sidecar-injector/main.go b/sidecar-injector/main.go
new file mode 100644
index 00000000..070bac09
--- /dev/null
+++ b/sidecar-injector/main.go
@@ -0,0 +1,47 @@
+package main
+
+import (
+	"os"
+
+	"github.com/kyverno/kyverno-envoy-plugin/sidecar-injector/pkg/httpd"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+var (
+	httpdConf httpd.SimpleServer
+	debug     bool
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "sidecar-injector",
+	Short: "Responsible for injecting sidecars into pod containers",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if debug {
+			log.SetLevel(log.DebugLevel)
+		}
+		log.Infof("SimpleServer starting to listen in port %v", httpdConf.Port)
+		return httpdConf.Start()
+	},
+}
+
+// Execute Kicks off the application
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		log.Errorf("Failed to start server: %v", err)
+		os.Exit(1)
+	}
+}
+
+func init() {
+	rootCmd.Flags().IntVar(&httpdConf.Port, "port", 443, "server port.")
+	rootCmd.Flags().StringVar(&httpdConf.CertFile, "certFile", "/etc/mutator/certs/tls.crt", "File containing tls certificate")
+	rootCmd.Flags().StringVar(&httpdConf.KeyFile, "keyFile", "/etc/mutator/certs/tls.key", "File containing tls private key")
+	rootCmd.Flags().BoolVar(&httpdConf.Local, "local", false, "Local run mode")
+	rootCmd.Flags().StringVar(&(&httpdConf.Patcher).SidecarDataKey, "sidecarDataKey", "sidecars.yaml", "ConfigMap Sidecar Data Key")
+	rootCmd.Flags().BoolVar(&debug, "debug", false, "enable debug logs")
+}
+
+func main() {
+	Execute()
+}
diff --git a/sidecar-injector/manifests/certs/tls.crt b/sidecar-injector/manifests/certs/tls.crt
new file mode 100644
index 00000000..c27d9c57
--- /dev/null
+++ b/sidecar-injector/manifests/certs/tls.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFljCCA36gAwIBAgIUTSFKi449sacfQqxQ5gXXAju9J04wDQYJKoZIhvcNAQEL
+BQAwOzE5MDcGA1UEAwwwa3ViZXJuZXRlcy1zaWRlY2FyLWluamVjdG9yLnNpZGVj
+YXItaW5qZWN0b3Iuc3ZjMB4XDTI0MDQxNjExMTYwNVoXDTI1MDQxNjExMTYwNVow
+OzE5MDcGA1UEAwwwa3ViZXJuZXRlcy1zaWRlY2FyLWluamVjdG9yLnNpZGVjYXIt
+aW5qZWN0b3Iuc3ZjMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtSRx
+W1jFmbkMmF9fs+NrDF75AAC66h87Pdg8jJh10Z4FD9UjYCUHj/TnUX8wuwqUhY5f
+52MMlWP12/EZCPsiJ/uF205idlky5Qi/70mW6TPJLNAapzqkjRd0FnIWRYJ9ruq/
+d7D8v0hrmiBYPxZGEDTHVX0F1apE0gpFmDMoSm4f4XdGSk3nsswajmI0IbMZiDiG
+JreP9qR020SEqPJMBx4eGPIQDVkb2X0juweyclXGQgnYaaDXYwG3YCjrdWYKXpAy
+Bf5JK6VZ6CUYYnZjRwU9slRKLFD8b6ZbQr3BdtRjQD0axnZgL0kLJjk/IPlBNyxL
+rVpDo7UjBcQkUX/gY7R0kxTHpoFQVs9yGcs6Z/MxN05B+HiDc5Fr0aPE4VoWGq9O
+mhARbfn44jrovoKUM8W8dx61rxTwrIKz7JUmA8gJDQH/hUN1I2Q2CFW5zGaCGuPA
+0nHrs31vCCxu0rm367pgwtHl8KXA5ioa7VbkSifFw05Bj+k8qOJCCHWxdnHUSaIJ
+SdVinKipT9/H6gMDx8uLMFxS3kqVoNkXq2US91c7pvFOPv/GC0kMcfJCwIWh+rIt
+vT8csPNiuVXgD9x6B8JIA+J/W9Eu/enYO1w8hVw9quaQWD2/LbGMwMKAirQIAJDZ
+98cZEiQTrzSLgqL8sAdvy4l4nLQGP7iDYEfdlKkCAwEAAaOBkTCBjjAdBgNVHQ4E
+FgQUCw5GP9YU0/qgzDz1fp8tjXEuxAowHwYDVR0jBBgwFoAUCw5GP9YU0/qgzDz1
+fp8tjXEuxAowDwYDVR0TAQH/BAUwAwEB/zA7BgNVHREENDAygjBrdWJlcm5ldGVz
+LXNpZGVjYXItaW5qZWN0b3Iuc2lkZWNhci1pbmplY3Rvci5zdmMwDQYJKoZIhvcN
+AQELBQADggIBAJ0L1fskFTtVzpWeiAisqYQsNlLYHds3r4edG8bKL7mfmbnifYf9
+cnZaalUidkk57TZU0V+vW93dN4fwqvwkR3/n4WgilFQGtfzB6YDhftA6TeeB7cyQ
+fgJeBjDObwH33GT9fX9UdSZI2uuRQDfyEmfXGwhuRj2iu/WCs1Og/oMVS/W3UBoa
+J+8auPYEbI4krkARBo8BvHlJxlcudgN85maL1g89e9SK5YS6bk0kyJkRudSMgfon
+hFBGr4uzbkJjVbfsULbXfD90wezHzD84nNMXVLLkIOX2oRHVZ+28WB9O5JylNQie
+94QbUY1g2JOc6huCXKHu+7jBTQO7GafSlPGq0kyIxx8zmwyOXv3s69VIBCjmW0Jt
+NVja3CW5bKQfmOt84h8RnVbmVczotYqeI8cAVRB/Eu736RFsxcR/rExGrgpHdoHx
+P5Axm0INUABukf9Im+KIqN9LJG1y3xhplV702JlJXIEp1Nxj20iVh6egql6K/LNi
+78VGqtPp3QjUKH2DbpLlFynLgh6o33SGZ4e5kWmpxv7rRw+nRadJ4zDhkHdZ6uf2
+0Z2LoYVjLtLQLIcrTqpCU84RP89Z3xpQu7yGBZmUW69DHPUfroKgnTQ6r82XcmHQ
+JNEvM/wUyiuHlcQ+ojBgfRwc3F3dnVzTvx7Wk+5Z2GEmY84JzHOSBb/t
+-----END CERTIFICATE-----
diff --git a/sidecar-injector/manifests/certs/tls.key b/sidecar-injector/manifests/certs/tls.key
new file mode 100644
index 00000000..3788b30e
--- /dev/null
+++ b/sidecar-injector/manifests/certs/tls.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC1JHFbWMWZuQyY
+X1+z42sMXvkAALrqHzs92DyMmHXRngUP1SNgJQeP9OdRfzC7CpSFjl/nYwyVY/Xb
+8RkI+yIn+4XbTmJ2WTLlCL/vSZbpM8ks0BqnOqSNF3QWchZFgn2u6r93sPy/SGua
+IFg/FkYQNMdVfQXVqkTSCkWYMyhKbh/hd0ZKTeeyzBqOYjQhsxmIOIYmt4/2pHTb
+RISo8kwHHh4Y8hANWRvZfSO7B7JyVcZCCdhpoNdjAbdgKOt1ZgpekDIF/kkrpVno
+JRhidmNHBT2yVEosUPxvpltCvcF21GNAPRrGdmAvSQsmOT8g+UE3LEutWkOjtSMF
+xCRRf+BjtHSTFMemgVBWz3IZyzpn8zE3TkH4eINzkWvRo8ThWhYar06aEBFt+fji
+Oui+gpQzxbx3HrWvFPCsgrPslSYDyAkNAf+FQ3UjZDYIVbnMZoIa48DSceuzfW8I
+LG7SubfrumDC0eXwpcDmKhrtVuRKJ8XDTkGP6Tyo4kIIdbF2cdRJoglJ1WKcqKlP
+38fqAwPHy4swXFLeSpWg2RerZRL3Vzum8U4+/8YLSQxx8kLAhaH6si29Pxyw82K5
+VeAP3HoHwkgD4n9b0S796dg7XDyFXD2q5pBYPb8tsYzAwoCKtAgAkNn3xxkSJBOv
+NIuCovywB2/LiXictAY/uINgR92UqQIDAQABAoICAAhacqilYWyKI/3o2JmeAT6v
+cajYlqF236rcg0gEPLas/+bmpxfClokwcqs+X2BrB7NYttFWnKG6tyQjUMpzcuHa
+tCXmzhzhMgQkkRTAecvkkImgbkteE0xk7vx4kWLJpDn4+X4dT/TJYaxYgxJtIb2S
+3hPNg8y5IQhVLDe2goM3CCYNGEMTXjS9O4bZPlqgWD1utCYqNiu1pMkNNnwM39I+
+xxgcHZE+3vHWIAB6oQgZLqgkiIP5VsVqIFju8QDFTl73kcON/X6KRLtXygO6GcKi
+vryv4/gMNXbKDKLnEIyGOdLpeeNnx14pJV76PGuIWehWgqqcx8oq73Yqrr+A0zeh
+3qwDPFkaJda0gk1Zitq90sUkJrap1F8UhfSMer2FyZmiazs/Yv+1D6qZ/l972etY
+KHJbaNdDoQRUKaJMI4CyveaTBeIi/StfRgePXF2qtSHn4rc/Y3vI+TPoaEXxkA3+
+KBWYL8gXsmLAv92rVOI7PkUr/ZYeVK4M9FiKYQ+vXZhxyDspzuknB5itFyBn9nxa
+3iN8GHV/w7ma0LRA/ZuPP0rTfD3HMXIHPmrHX/s0RfglzdzOqW6Fa7ZZtUKVljR5
+tq427wGM5QzCcgSrLj/+VsH0nC+I7mI88jCQIoJlRzoDkSMd3/i1WzazqoDcukbj
+2Uwf0Usy9Jqih4YuRHKDAoIBAQDA5z2kSz5O6hGGX67YlGv8H9tkP7TSEWc/4A2w
+MeTFH73ZrAgKCDDQtS2Cd1d6FGRNw2g2YqHdrEIxtN00dO7HWylOkguqZ6WEO4G0
+x86kbyEgtQt7+lhqoSobdx9gQgtBl/FG3SwXcRcB7U5h0KDujAw5Mf3hfcqBgFHl
+3ps0Yqvx+/nQBmQL7H85pjlAE55Yx85eEGz+QM/Evh0y96AjYUnw/05pe8fQZNKo
+Kv9fjP5/AyCSVWigETCQjCmT8oijaesLB10jcEEZFQHtMagIbgZBhEcigz525Xei
+6gS+imiYNeJ2QcLaT+hbR4ePkwDBNWv6utHdSnE/DODJ1A6LAoIBAQDwZGaA3she
+cIhUxE52pUIilm3liB8k7UqB/q5q3UFtbKlMXjkBb15M5m/REHn1R3hojlCuj/JX
+p9by6L5PG6HGjOZgJyxt58LGrALp990m8iLozXJINYqjuzY/hDLC5swnmvJyVbMb
+t+Sf4c9Oy1Kecvi5vnFoQtUp8tGi+IC5wzdUq2QRmZy4xbjUqgBEy7MC5bH45Dqx
+NA8CItRXD/90CVUpGD1cTUtSIuLGhCEWTMI7TznSIboico8LujAJ/FG09B1W7sdC
+US/5TRqoEAXesI+yfDxVOOtMdDN3MTGtHGk2e1SC9iEvsaglmT9GYcwKIBF5GAPZ
+XsFaE/FcbaQbAoIBAHEOlhgWaVxC3yaMKaORyYApA6JLnCSKQqMzI5Kii1vk8JYE
+t2l5x3Jq3VNbso9AKFFTN164i/mpndoYEJVP+yooCZudCO1EdcN8RNa5TCkfYKEU
+urhczzkfX9hdBqyZyJMXBDfuJItQopVkic3WQpvMxNU4sX1ZBjjEBjvdLcWUFwZq
+Ec2UEUrTvvUAsQkW9nU+FXsX0WlqftrmOaLHcrmJqZZva3tzKna+wKADI0zTC81Q
+/eQF3p4BtR7ipvOo7+AmkbUTCcldXyneIBTuR3c5VL1NU4ustA1nC6kV0tYBtK+Q
+1TtN62+b6ail0ZOaKpUSREjc+Wbi3GCBobVobWUCggEBAI4WuiO4CvUPTPXVpo8o
+dSPeiIygXdBE1cJqmAugRfj4vkTeeJFpk3Kezj7jn0KkgP5ECFp1yQeYtEuV2E8I
+BSJHzC/PV8qKr60gpQRINpa7jnjOXpth0lWe5Zy7dgmPw+IxCtcb4qcilecO4Ksx
+MN9pE60ubPf0cOy/krviaKvkQIMyXw6sHl90tyA0b746LNAslnqH5E0zeR+JGLtx
+QEwE7CpDIpm5MikVZ7dxB+GXc0L9PC8BMnUEA5sp7RUp592uYN0ue+at+E5CDdyC
+xAVxlS4pkrvIzgO9t2HfWP56iZHjafuSoeEAAGRg5W6jhagCdnF+CWBlSqIEoahB
+QjsCggEAXNk8zAUyu5Xg5QencUyBV5sx/cPDIgZtafWMgmvb5RONrfzNPF/S27UV
+NmZe5nlS1xBsDnGFEkcg9iCNugaXZtUp1w9xQaja0ZjXR2Ng0OH6Q+QqZzjvsL4u
+uTHdx0Pn92mvdeRRig85IELwD5gSDH6mK2RyQJRgILqUHspm+7rkXg6j8oba5YNA
+EGb+JVnutmPh2sW0S3XAokskpzafk8I1bUcy8sWkMbYJ1yELKQhyD23Nh0c4C/+W
+53ieYOfgcdFTBoJUDty6sspIh9oPAGuN5tNBQA+eeDqPlKTBgZ9548Jo1+yqQZ0W
+oYXxm+PBNm6q+qfW2sCerB4ZcJqZAg==
+-----END PRIVATE KEY-----
diff --git a/sidecar-injector/manifests/create-mutating-webhook.sh b/sidecar-injector/manifests/create-mutating-webhook.sh
new file mode 100755
index 00000000..e8497dda
--- /dev/null
+++ b/sidecar-injector/manifests/create-mutating-webhook.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Get the base64 encoded tls.crt data
+CA_BUNDLE=$(kubectl get secret kyverno-envoy-sidecar-certs -n kyverno-envoy-sidecar-injector -o jsonpath='{.data.tls\.crt}')
+
+# Create the mutatingwebhook.yaml file
+cat <<EOF > mutatingwebhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: kyverno-envoy-sidecar
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+webhooks:
+  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+    clientConfig:
+      service:
+        name: kyverno-envoy-sidecar
+        namespace: kyverno-envoy-sidecar-injector
+        path: "/mutate"
+      caBundle: $CA_BUNDLE
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - pods
+        apiVersions:
+          - "v1"
+        operations:
+          - CREATE
+        scope: '*'  
+    objectSelector:
+      matchExpressions:
+        - key: kyverno-envoy-sidecar/injection
+          operator: In
+          values:
+          - enabled
+EOF
+
+# Apply the mutatingwebhook.yaml file
+kubectl apply -f mutatingwebhook.yaml
\ No newline at end of file
diff --git a/sidecar-injector/manifests/deployment.yaml b/sidecar-injector/manifests/deployment.yaml
new file mode 100644
index 00000000..5536c0f4
--- /dev/null
+++ b/sidecar-injector/manifests/deployment.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: sidecar-injector
+      app.kubernetes.io/instance: sidecar-injector
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sidecar-injector
+        app.kubernetes.io/instance: sidecar-injector
+    spec:
+      serviceAccountName: kyverno-envoy-sidecar
+      containers:
+        - name: kyverno-envoy-sidecar
+          image: "sanskardevops/sidecar-injector:0.0.6"
+          imagePullPolicy: IfNotPresent
+          args:
+            - --port=8443
+            - --certFile=/opt/kubernetes-sidecar-injector/certs/tls.crt
+            - --keyFile=/opt/kubernetes-sidecar-injector/certs/tls.key
+            - --sidecarDataKey=sidecars.yaml
+          volumeMounts:
+            - name: kyverno-envoy-sidecar-certs
+              mountPath: /opt/kubernetes-sidecar-injector/certs
+              readOnly: true
+          ports:
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: https
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 5
+            timeoutSeconds: 4
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: https
+              scheme: HTTPS
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 5
+            timeoutSeconds: 4
+      volumes:
+        - name: kyverno-envoy-sidecar-certs
+          secret:
+            secretName: kyverno-envoy-sidecar-certs
+      
\ No newline at end of file
diff --git a/sidecar-injector/manifests/mutatingwebhook.yaml b/sidecar-injector/manifests/mutatingwebhook.yaml
new file mode 100644
index 00000000..13db0956
--- /dev/null
+++ b/sidecar-injector/manifests/mutatingwebhook.yaml
@@ -0,0 +1,37 @@
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: kyverno-envoy-sidecar
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+webhooks:
+  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+    clientConfig:
+      service:
+        name: kyverno-envoy-sidecar
+        namespace: kyverno-envoy-sidecar-injector
+        path: "/mutate"
+      caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZsakNDQTM2Z0F3SUJBZ0lVVFNGS2k0NDlzYWNmUXF4UTVnWFhBanU5SjA0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd096RTVNRGNHQTFVRUF3d3dhM1ZpWlhKdVpYUmxjeTF6YVdSbFkyRnlMV2x1YW1WamRHOXlMbk5wWkdWagpZWEl0YVc1cVpXTjBiM0l1YzNaak1CNFhEVEkwTURReE5qRXhNVFl3TlZvWERUSTFNRFF4TmpFeE1UWXdOVm93Ck96RTVNRGNHQTFVRUF3d3dhM1ZpWlhKdVpYUmxjeTF6YVdSbFkyRnlMV2x1YW1WamRHOXlMbk5wWkdWallYSXQKYVc1cVpXTjBiM0l1YzNaak1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBdFNSeApXMWpGbWJrTW1GOWZzK05yREY3NUFBQzY2aDg3UGRnOGpKaDEwWjRGRDlVallDVUhqL1RuVVg4d3V3cVVoWTVmCjUyTU1sV1AxMi9FWkNQc2lKL3VGMjA1aWRsa3k1UWkvNzBtVzZUUEpMTkFhcHpxa2pSZDBGbklXUllKOXJ1cS8KZDdEOHYwaHJtaUJZUHhaR0VEVEhWWDBGMWFwRTBncEZtRE1vU200ZjRYZEdTazNuc3N3YWptSTBJYk1aaURpRwpKcmVQOXFSMDIwU0VxUEpNQng0ZUdQSVFEVmtiMlgwanV3ZXljbFhHUWduWWFhRFhZd0czWUNqcmRXWUtYcEF5CkJmNUpLNlZaNkNVWVluWmpSd1U5c2xSS0xGRDhiNlpiUXIzQmR0UmpRRDBheG5aZ0wwa0xKamsvSVBsQk55eEwKclZwRG83VWpCY1FrVVgvZ1k3UjBreFRIcG9GUVZzOXlHY3M2Wi9NeE4wNUIrSGlEYzVGcjBhUEU0Vm9XR3E5TwptaEFSYmZuNDRqcm92b0tVTThXOGR4NjFyeFR3cklLejdKVW1BOGdKRFFIL2hVTjFJMlEyQ0ZXNXpHYUNHdVBBCjBuSHJzMzF2Q0N4dTBybTM2N3Bnd3RIbDhLWEE1aW9hN1Zia1NpZkZ3MDVCaitrOHFPSkNDSFd4ZG5IVVNhSUoKU2RWaW5LaXBUOS9INmdNRHg4dUxNRnhTM2txVm9Oa1hxMlVTOTFjN3B2Rk9Qdi9HQzBrTWNmSkN3SVdoK3JJdAp2VDhjc1BOaXVWWGdEOXg2QjhKSUErSi9XOUV1L2VuWU8xdzhoVnc5cXVhUVdEMi9MYkdNd01LQWlyUUlBSkRaCjk4Y1pFaVFUcnpTTGdxTDhzQWR2eTRsNG5MUUdQN2lEWUVmZGxLa0NBd0VBQWFPQmtUQ0JqakFkQmdOVkhRNEUKRmdRVUN3NUdQOVlVMC9xZ3pEejFmcDh0alhFdXhBb3dId1lEVlIwakJCZ3dGb0FVQ3c1R1A5WVUwL3FnekR6MQpmcDh0alhFdXhBb3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QTdCZ05WSFJFRU5EQXlnakJyZFdKbGNtNWxkR1Z6CkxYTnBaR1ZqWVhJdGFXNXFaV04wYjNJdWMybGtaV05oY2kxcGJtcGxZM1J2Y2k1emRtTXdEUVlKS29aSWh2Y04KQVFFTEJRQURnZ0lCQUowTDFmc2tGVHRWenBXZWlBaXNxWVFzTmxMWUhkczNyNGVkRzhiS0w3bWZtYm5pZllmOQpjblphYWxVaWRrazU3VFpVMFYrdlc5M2RONGZ3cXZ3a1IzL240V2dpbEZRR3RmekI2WURoZnRBNlRlZUI3Y3lRCmZnSmVCakRPYndIMzNHVDlmWDlVZFNaSTJ1dVJRRGZ5RW1mWEd3aHVSajJpdS9XQ3MxT2cvb01WUy9XM1VCb2EKSis4YXVQWUViSTRrcmtBUkJvOEJ2SGxKeGxjdWRnTjg1bWFMMWc4OWU5U0s1WVM2Ymswa3lKa1J1ZFNNZ2ZvbgpoRkJHcjR1emJrSmpWYmZzVUxiWGZEOTB3ZXpIekQ4NG5OTVhWTExrSU9YMm9SSFZaKzI4V0I5TzVKeWxOUWllCjk0UWJVWTFnMkpPYzZodUNYS0h1KzdqQlRRTzdHYWZTbFBHcTBreUl4eDh6bXd5T1h2M3M2OVZJQkNqbVcwSnQKTlZqYTNDVzViS1FmbU90ODRoOFJuVmJtVmN6b3RZcWVJOGNBVlJCL0V1NzM2UkZzeGNSL3JFeEdyZ3BIZG9IeApQNUF4bTBJTlVBQnVrZjlJbStLSXFOOUxKRzF5M3hocGxWNzAySmxKWElFcDFOeGoyMGlWaDZlZ3FsNksvTE5pCjc4VkdxdFBwM1FqVUtIMkRicExsRnluTGdoNm8zM1NHWjRlNWtXbXB4djdyUncrblJhZEo0ekRoa0hkWjZ1ZjIKMFoyTG9ZVmpMdExRTEljclRxcENVODRSUDg5WjN4cFF1N3lHQlptVVc2OURIUFVmcm9LZ25UUTZyODJYY21IUQpKTkV2TS93VXlpdUhsY1Erb2pCZ2ZSd2MzRjNkblZ6VHZ4N1drKzVaMkdFbVk4NEp6SE9TQmIvdAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - pods
+        apiVersions:
+          - "v1"
+        operations:
+          - CREATE
+        scope: '*'  
+    objectSelector:
+      matchExpressions:
+        - key: kyverno-envoy-sidecar/injection
+          operator: In
+          values:
+          - enabled
+                  
+---
\ No newline at end of file
diff --git a/sidecar-injector/manifests/rbac.yaml b/sidecar-injector/manifests/rbac.yaml
new file mode 100644
index 00000000..d5a3e6b5
--- /dev/null
+++ b/sidecar-injector/manifests/rbac.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-envoy-sidecar
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno-envoy-sidecar
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno-envoy-sidecar
+subjects:
+  - kind: ServiceAccount
+    name: kyverno-envoy-sidecar
+    namespace: kyverno-envoy-sidecar-injector
+---
diff --git a/sidecar-injector/manifests/secret.yaml b/sidecar-injector/manifests/secret.yaml
new file mode 100644
index 00000000..5b461234
--- /dev/null
+++ b/sidecar-injector/manifests/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZsakNDQTM2Z0F3SUJBZ0lVVFNGS2k0NDlzYWNmUXF4UTVnWFhBanU5SjA0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd096RTVNRGNHQTFVRUF3d3dhM1ZpWlhKdVpYUmxjeTF6YVdSbFkyRnlMV2x1YW1WamRHOXlMbk5wWkdWagpZWEl0YVc1cVpXTjBiM0l1YzNaak1CNFhEVEkwTURReE5qRXhNVFl3TlZvWERUSTFNRFF4TmpFeE1UWXdOVm93Ck96RTVNRGNHQTFVRUF3d3dhM1ZpWlhKdVpYUmxjeTF6YVdSbFkyRnlMV2x1YW1WamRHOXlMbk5wWkdWallYSXQKYVc1cVpXTjBiM0l1YzNaak1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBdFNSeApXMWpGbWJrTW1GOWZzK05yREY3NUFBQzY2aDg3UGRnOGpKaDEwWjRGRDlVallDVUhqL1RuVVg4d3V3cVVoWTVmCjUyTU1sV1AxMi9FWkNQc2lKL3VGMjA1aWRsa3k1UWkvNzBtVzZUUEpMTkFhcHpxa2pSZDBGbklXUllKOXJ1cS8KZDdEOHYwaHJtaUJZUHhaR0VEVEhWWDBGMWFwRTBncEZtRE1vU200ZjRYZEdTazNuc3N3YWptSTBJYk1aaURpRwpKcmVQOXFSMDIwU0VxUEpNQng0ZUdQSVFEVmtiMlgwanV3ZXljbFhHUWduWWFhRFhZd0czWUNqcmRXWUtYcEF5CkJmNUpLNlZaNkNVWVluWmpSd1U5c2xSS0xGRDhiNlpiUXIzQmR0UmpRRDBheG5aZ0wwa0xKamsvSVBsQk55eEwKclZwRG83VWpCY1FrVVgvZ1k3UjBreFRIcG9GUVZzOXlHY3M2Wi9NeE4wNUIrSGlEYzVGcjBhUEU0Vm9XR3E5TwptaEFSYmZuNDRqcm92b0tVTThXOGR4NjFyeFR3cklLejdKVW1BOGdKRFFIL2hVTjFJMlEyQ0ZXNXpHYUNHdVBBCjBuSHJzMzF2Q0N4dTBybTM2N3Bnd3RIbDhLWEE1aW9hN1Zia1NpZkZ3MDVCaitrOHFPSkNDSFd4ZG5IVVNhSUoKU2RWaW5LaXBUOS9INmdNRHg4dUxNRnhTM2txVm9Oa1hxMlVTOTFjN3B2Rk9Qdi9HQzBrTWNmSkN3SVdoK3JJdAp2VDhjc1BOaXVWWGdEOXg2QjhKSUErSi9XOUV1L2VuWU8xdzhoVnc5cXVhUVdEMi9MYkdNd01LQWlyUUlBSkRaCjk4Y1pFaVFUcnpTTGdxTDhzQWR2eTRsNG5MUUdQN2lEWUVmZGxLa0NBd0VBQWFPQmtUQ0JqakFkQmdOVkhRNEUKRmdRVUN3NUdQOVlVMC9xZ3pEejFmcDh0alhFdXhBb3dId1lEVlIwakJCZ3dGb0FVQ3c1R1A5WVUwL3FnekR6MQpmcDh0alhFdXhBb3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QTdCZ05WSFJFRU5EQXlnakJyZFdKbGNtNWxkR1Z6CkxYTnBaR1ZqWVhJdGFXNXFaV04wYjNJdWMybGtaV05oY2kxcGJtcGxZM1J2Y2k1emRtTXdEUVlKS29aSWh2Y04KQVFFTEJRQURnZ0lCQUowTDFmc2tGVHRWenBXZWlBaXNxWVFzTmxMWUhkczNyNGVkRzhiS0w3bWZtYm5pZllmOQpjblphYWxVaWRrazU3VFpVMFYrdlc5M2RONGZ3cXZ3a1IzL240V2dpbEZRR3RmekI2WURoZnRBNlRlZUI3Y3lRCmZnSmVCakRPYndIMzNHVDlmWDlVZFNaSTJ1dVJRRGZ5RW1mWEd3aHVSajJpdS9XQ3MxT2cvb01WUy9XM1VCb2EKSis4YXVQWUViSTRrcmtBUkJvOEJ2SGxKeGxjdWRnTjg1bWFMMWc4OWU5U0s1WVM2Ymswa3lKa1J1ZFNNZ2ZvbgpoRkJHcjR1emJrSmpWYmZzVUxiWGZEOTB3ZXpIekQ4NG5OTVhWTExrSU9YMm9SSFZaKzI4V0I5TzVKeWxOUWllCjk0UWJVWTFnMkpPYzZodUNYS0h1KzdqQlRRTzdHYWZTbFBHcTBreUl4eDh6bXd5T1h2M3M2OVZJQkNqbVcwSnQKTlZqYTNDVzViS1FmbU90ODRoOFJuVmJtVmN6b3RZcWVJOGNBVlJCL0V1NzM2UkZzeGNSL3JFeEdyZ3BIZG9IeApQNUF4bTBJTlVBQnVrZjlJbStLSXFOOUxKRzF5M3hocGxWNzAySmxKWElFcDFOeGoyMGlWaDZlZ3FsNksvTE5pCjc4VkdxdFBwM1FqVUtIMkRicExsRnluTGdoNm8zM1NHWjRlNWtXbXB4djdyUncrblJhZEo0ekRoa0hkWjZ1ZjIKMFoyTG9ZVmpMdExRTEljclRxcENVODRSUDg5WjN4cFF1N3lHQlptVVc2OURIUFVmcm9LZ25UUTZyODJYY21IUQpKTkV2TS93VXlpdUhsY1Erb2pCZ2ZSd2MzRjNkblZ6VHZ4N1drKzVaMkdFbVk4NEp6SE9TQmIvdAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRQzFKSEZiV01XWnVReVkKWDErejQyc01YdmtBQUxycUh6czkyRHlNbUhYUm5nVVAxU05nSlFlUDlPZFJmekM3Q3BTRmpsL25Zd3lWWS9YYgo4UmtJK3lJbis0WGJUbUoyV1RMbENML3ZTWmJwTThrczBCcW5PcVNORjNRV2NoWkZnbjJ1NnI5M3NQeS9TR3VhCklGZy9Ga1lRTk1kVmZRWFZxa1RTQ2tXWU15aEtiaC9oZDBaS1RlZXl6QnFPWWpRaHN4bUlPSVltdDQvMnBIVGIKUklTbzhrd0hIaDRZOGhBTldSdlpmU083QjdKeVZjWkNDZGhwb05kakFiZGdLT3QxWmdwZWtESUYva2tycFZubwpKUmhpZG1OSEJUMnlWRW9zVVB4dnBsdEN2Y0YyMUdOQVBSckdkbUF2U1FzbU9UOGcrVUUzTEV1dFdrT2p0U01GCnhDUlJmK0JqdEhTVEZNZW1nVkJXejNJWnl6cG44ekUzVGtINGVJTnprV3ZSbzhUaFdoWWFyMDZhRUJGdCtmamkKT3VpK2dwUXp4YngzSHJXdkZQQ3NnclBzbFNZRHlBa05BZitGUTNValpEWUlWYm5NWm9JYTQ4RFNjZXV6Zlc4SQpMRzdTdWJmcnVtREMwZVh3cGNEbUtocnRWdVJLSjhYRFRrR1A2VHlvNGtJSWRiRjJjZFJKb2dsSjFXS2NxS2xQCjM4ZnFBd1BIeTRzd1hGTGVTcFdnMlJlclpSTDNWenVtOFU0Ky84WUxTUXh4OGtMQWhhSDZzaTI5UHh5dzgySzUKVmVBUDNIb0h3a2dENG45YjBTNzk2ZGc3WER5RlhEMnE1cEJZUGI4dHNZekF3b0NLdEFnQWtObjN4eGtTSkJPdgpOSXVDb3Z5d0IyL0xpWGljdEFZL3VJTmdSOTJVcVFJREFRQUJBb0lDQUFoYWNxaWxZV3lLSS8zbzJKbWVBVDZ2CmNhallscUYyMzZyY2cwZ0VQTGFzLytibXB4ZkNsb2t3Y3FzK1gyQnJCN05ZdHRGV25LRzZ0eVFqVU1wemN1SGEKdENYbXpoemhNZ1Fra1JUQWVjdmtrSW1nYmt0ZUUweGs3dng0a1dMSnBEbjQrWDRkVC9USllheFlneEp0SWIyUwozaFBOZzh5NUlRaFZMRGUyZ29NM0NDWU5HRU1UWGpTOU80YlpQbHFnV0QxdXRDWXFOaXUxcE1rTk5ud00zOUkrCnh4Z2NIWkUrM3ZIV0lBQjZvUWdaTHFna2lJUDVWc1ZxSUZqdThRREZUbDcza2NPTi9YNktSTHRYeWdPNkdjS2kKdnJ5djQvZ01OWGJLREtMbkVJeUdPZExwZWVObngxNHBKVjc2UEd1SVdlaFdncXFjeDhvcTczWXFycitBMHplaAozcXdEUEZrYUpkYTBnazFaaXRxOTBzVWtKcmFwMUY4VWhmU01lcjJGeVptaWF6cy9ZdisxRDZxWi9sOTcyZXRZCktISmJhTmREb1FSVUthSk1JNEN5dmVhVEJlSWkvU3RmUmdlUFhGMnF0U0huNHJjL1kzdkkrVFBvYUVYeGtBMysKS0JXWUw4Z1hzbUxBdjkyclZPSTdQa1VyL1pZZVZLNE05RmlLWVErdlhaaHh5RHNwenVrbkI1aXRGeUJuOW54YQozaU44R0hWL3c3bWEwTFJBL1p1UFAwclRmRDNITVhJSFBtckhYL3MwUmZnbHpkek9xVzZGYTdaWnRVS1ZsalI1CnRxNDI3d0dNNVF6Q2NnU3JMai8rVnNIMG5DK0k3bUk4OGpDUUlvSmxSem9Ea1NNZDMvaTFXemF6cW9EY3VrYmoKMlV3ZjBVc3k5SnFpaDRZdVJIS0RBb0lCQVFEQTV6MmtTejVPNmhHR1g2N1lsR3Y4SDl0a1A3VFNFV2MvNEEydwpNZVRGSDczWnJBZ0tDRERRdFMyQ2QxZDZGR1JOdzJnMllxSGRyRUl4dE4wMGRPN0hXeWxPa2d1cVo2V0VPNEcwCng4NmtieUVndFF0NytsaHFvU29iZHg5Z1FndEJsL0ZHM1N3WGNSY0I3VTVoMEtEdWpBdzVNZjNoZmNxQmdGSGwKM3BzMFlxdngrL25RQm1RTDdIODVwamxBRTU1WXg4NWVFR3orUU0vRXZoMHk5NkFqWVVudy8wNXBlOGZRWk5LbwpLdjlmalA1L0F5Q1NWV2lnRVRDUWpDbVQ4b2lqYWVzTEIxMGpjRUVaRlFIdE1hZ0liZ1pCaEVjaWd6NTI1WGVpCjZnUytpbWlZTmVKMlFjTGFUK2hiUjRlUGt3REJOV3Y2dXRIZFNuRS9ET0RKMUE2TEFvSUJBUUR3WkdhQTNzaGUKY0loVXhFNTJwVUlpbG0zbGlCOGs3VXFCL3E1cTNVRnRiS2xNWGprQmIxNU01bS9SRUhuMVIzaG9qbEN1ai9KWApwOWJ5Nkw1UEc2SEdqT1pnSnl4dDU4TEdyQUxwOTkwbThpTG96WEpJTllxanV6WS9oRExDNXN3bm12SnlWYk1iCnQrU2Y0YzlPeTFLZWN2aTV2bkZvUXRVcDh0R2krSUM1d3pkVXEyUVJtWnk0eGJqVXFnQkV5N01DNWJINDVEcXgKTkE4Q0l0UlhELzkwQ1ZVcEdEMWNUVXRTSXVMR2hDRVdUTUk3VHpuU0lib2ljbzhMdWpBSi9GRzA5QjFXN3NkQwpVUy81VFJxb0VBWGVzSSt5ZkR4Vk9PdE1kRE4zTVRHdEhHazJlMVNDOWlFdnNhZ2xtVDlHWWN3S0lCRjVHQVBaClhzRmFFL0ZjYmFRYkFvSUJBSEVPbGhnV2FWeEMzeWFNS2FPUnlZQXBBNkpMbkNTS1FxTXpJNUtpaTF2azhKWUUKdDJsNXgzSnEzVk5ic285QUtGRlROMTY0aS9tcG5kb1lFSlZQK3lvb0NadWRDTzFFZGNOOFJOYTVUQ2tmWUtFVQp1cmhjenprZlg5aGRCcXlaeUpNWEJEZnVKSXRRb3BWa2ljM1dRcHZNeE5VNHNYMVpCampFQmp2ZExjV1VGd1pxCkVjMlVFVXJUdnZVQXNRa1c5blUrRlhzWDBXbHFmdHJtT2FMSGNybUpxWlp2YTN0ektuYSt3S0FESTB6VEM4MVEKL2VRRjNwNEJ0UjdpcHZPbzcrQW1rYlVUQ2NsZFh5bmVJQlR1UjNjNVZMMU5VNHVzdEExbkM2a1YwdFlCdEsrUQoxVHRONjIrYjZhaWwwWk9hS3BVU1JFamMrV2JpM0dDQm9iVm9iV1VDZ2dFQkFJNFd1aU80Q3ZVUFRQWFZwbzhvCmRTUGVpSXlnWGRCRTFjSnFtQXVnUmZqNHZrVGVlSkZwazNLZXpqN2puMEtrZ1A1RUNGcDF5UWVZdEV1VjJFOEkKQlNKSHpDL1BWOHFLcjYwZ3BRUklOcGE3am5qT1hwdGgwbFdlNVp5N2RnbVB3K0l4Q3RjYjRxY2lsZWNPNEtzeApNTjlwRTYwdWJQZjBjT3kva3J2aWFLdmtRSU15WHc2c0hsOTB0eUEwYjc0NkxOQXNsbnFINUUwemVSK0pHTHR4ClFFd0U3Q3BESXBtNU1pa1ZaN2R4QitHWGMwTDlQQzhCTW5VRUE1c3A3UlVwNTkydVlOMHVlK2F0K0U1Q0RkeUMKeEFWeGxTNHBrcnZJemdPOXQySGZXUDU2aVpIamFmdVNvZUVBQUdSZzVXNmpoYWdDZG5GK0NXQmxTcUlFb2FoQgpRanNDZ2dFQVhOazh6QVV5dTVYZzVRZW5jVXlCVjVzeC9jUERJZ1p0YWZXTWdtdmI1Uk9OcmZ6TlBGL1MyN1VWCk5tWmU1bmxTMXhCc0RuR0ZFa2NnOWlDTnVnYVhadFVwMXc5eFFhamEwWmpYUjJOZzBPSDZRK1FxWnpqdnNMNHUKdVRIZHgwUG45Mm12ZGVSUmlnODVJRUx3RDVnU0RINm1LMlJ5UUpSZ0lMcVVIc3BtKzdya1hnNmo4b2JhNVlOQQpFR2IrSlZudXRtUGgyc1cwUzNYQW9rc2twemFmazhJMWJVY3k4c1drTWJZSjF5RUxLUWh5RDIzTmgwYzRDLytXCjUzaWVZT2ZnY2RGVEJvSlVEdHk2c3NwSWg5b1BBR3VONXROQlFBK2VlRHFQbEtUQmdaOTU0OEpvMSt5cVFaMFcKb1lYeG0rUEJObTZxK3FmVzJzQ2VyQjRaY0pxWkFnPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: kyverno-envoy-sidecar-certs
+  namespace: kyverno-envoy-sidecar-injector
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
diff --git a/sidecar-injector/manifests/service.yaml b/sidecar-injector/manifests/service.yaml
new file mode 100644
index 00000000..d867da41
--- /dev/null
+++ b/sidecar-injector/manifests/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+spec:
+  type: ClusterIP
+  ports:
+  - name: https
+    protocol: TCP
+    port: 443
+    targetPort: 8443
+  selector:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
\ No newline at end of file
diff --git a/sidecar-injector/manifests/sidecar-configmap.yaml b/sidecar-injector/manifests/sidecar-configmap.yaml
new file mode 100644
index 00000000..4b4f767b
--- /dev/null
+++ b/sidecar-injector/manifests/sidecar-configmap.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
+data:
+  sidecars.yaml: |
+    - name: kyverno-envoy-sidecar
+      containers:
+      - image: sanskardevops/plugin:0.0.25
+        imagePullPolicy: IfNotPresent
+        name: ext-authz
+        ports:
+        - containerPort: 8000
+        - containerPort: 9000
+        args:
+        - "serve"
+        - "--policy=/policies/policy.yaml"
+        volumeMounts:
+        - name: policy-files
+          mountPath: /policies
+      volumes:
+      - name: policy-files
+        configMap:
+          name: policy-files
+      
\ No newline at end of file
diff --git a/sidecar-injector/pkg/admission/admission.go b/sidecar-injector/pkg/admission/admission.go
new file mode 100644
index 00000000..1f3daab4
--- /dev/null
+++ b/sidecar-injector/pkg/admission/admission.go
@@ -0,0 +1,167 @@
+package admission
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	log "github.com/sirupsen/logrus"
+	admissionv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// PatchOperation JsonPatch struct http://jsonpatch.com/
+type PatchOperation struct {
+	Op    string      `json:"op"`
+	Path  string      `json:"path"`
+	Value interface{} `json:"value,omitempty"`
+}
+
+// RequestHandler AdmissionRequest handler
+type RequestHandler interface {
+	handleAdmissionCreate(ctx context.Context, request *admissionv1.AdmissionRequest) ([]PatchOperation, error)
+}
+
+// Handler Generic handler for Admission
+type Handler struct {
+	Handler RequestHandler
+}
+
+// HandleAdmission HttpServer function to handle Admissions
+func (handler *Handler) HandleAdmission(writer http.ResponseWriter, request *http.Request) {
+	if err := validateRequest(request); err != nil {
+		log.Error(err.Error())
+		handler.writeErrorAdmissionReview(http.StatusBadRequest, err.Error(), writer)
+		return
+	}
+
+	body, err := readRequestBody(request)
+	if err != nil {
+		log.Error(err.Error())
+		handler.writeErrorAdmissionReview(http.StatusInternalServerError, err.Error(), writer)
+		return
+	}
+
+	admReview := admissionv1.AdmissionReview{}
+
+	err = json.Unmarshal(body, &admReview)
+	if err != nil {
+		message := fmt.Sprintf("Could not decode body: %v", err)
+		log.Error(message)
+		handler.writeErrorAdmissionReview(http.StatusInternalServerError, message, writer)
+		return
+	}
+
+	ctx := context.Background()
+
+	req := admReview.Request
+	log.Infof("AdmissionReview for Kind=%v, Namespace=%v Name=%v UID=%v patchOperation=%v UserInfo=%v", req.Kind, req.Namespace, req.Name, req.UID, req.Operation, req.UserInfo)
+	if patchOperations, err := handler.Process(ctx, req); err != nil {
+		message := fmt.Sprintf("request for object '%s' with name '%s' in namespace '%s' denied: %v", req.Kind.String(), req.Name, req.Namespace, err)
+		log.Error(message)
+		handler.writeDeniedAdmissionResponse(&admReview, message, writer)
+	} else if patchBytes, err := json.Marshal(patchOperations); err != nil {
+		message := fmt.Sprintf("request for object '%s' with name '%s' in namespace '%s' denied: %v", req.Kind.String(), req.Name, req.Namespace, err)
+		log.Error(message)
+		handler.writeDeniedAdmissionResponse(&admReview, message, writer)
+	} else {
+		handler.writeAllowedAdmissionReview(&admReview, patchBytes, writer)
+	}
+}
+
+// Process Handles the AdmissionRequest via the handler
+func (handler *Handler) Process(ctx context.Context, request *admissionv1.AdmissionRequest) ([]PatchOperation, error) {
+
+	if request.Operation == admissionv1.Create {
+		return handler.Handler.handleAdmissionCreate(ctx, request)
+	}
+	return nil, fmt.Errorf("unhandled request operation %s", request.Operation)
+}
+
+func validateRequest(req *http.Request) error {
+	if req.Method != http.MethodPost {
+		return fmt.Errorf("wrong http verb. got %s", req.Method)
+	}
+	if req.Body == nil {
+		return errors.New("empty body")
+	}
+	contentType := req.Header.Get("Content-Type")
+	if contentType != "application/json" {
+		return fmt.Errorf("wrong content type. expected 'application/json', got: '%s'", contentType)
+	}
+	return nil
+}
+
+func readRequestBody(req *http.Request) ([]byte, error) {
+	body, err := ioutil.ReadAll(req.Body)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read Request Body: %v", err)
+	}
+	return body, nil
+}
+
+func (handler *Handler) writeAllowedAdmissionReview(ar *admissionv1.AdmissionReview, patch []byte, res http.ResponseWriter) {
+	ar.Response = handler.admissionResponse(http.StatusOK, "")
+	ar.Response.Allowed = true
+	ar.Response.UID = ar.Request.UID
+	if patch != nil {
+		pt := admissionv1.PatchTypeJSONPatch
+		ar.Response.Patch = patch
+		ar.Response.PatchType = &pt
+	}
+	handler.write(ar, res)
+}
+
+func (handler *Handler) writeDeniedAdmissionResponse(ar *admissionv1.AdmissionReview, message string, res http.ResponseWriter) {
+	ar.Response = handler.admissionResponse(http.StatusForbidden, message)
+	ar.Response.UID = ar.Request.UID
+	handler.write(ar, res)
+}
+
+func (handler *Handler) writeErrorAdmissionReview(status int, message string, res http.ResponseWriter) {
+	admResp := handler.errorAdmissionReview(status, message)
+	handler.write(admResp, res)
+}
+
+func (handler *Handler) errorAdmissionReview(httpErrorCode int, message string) *admissionv1.AdmissionReview {
+	r := baseAdmissionReview()
+	r.Response = handler.admissionResponse(httpErrorCode, message)
+	return r
+}
+
+func (handler *Handler) admissionResponse(httpErrorCode int, message string) *admissionv1.AdmissionResponse {
+	return &admissionv1.AdmissionResponse{
+		Result: &metav1.Status{
+			Code:    int32(httpErrorCode),
+			Message: message,
+		},
+	}
+}
+
+func baseAdmissionReview() *admissionv1.AdmissionReview {
+	gvk := admissionv1.SchemeGroupVersion.WithKind("AdmissionReview")
+	return &admissionv1.AdmissionReview{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+	}
+}
+
+func (handler *Handler) write(r *admissionv1.AdmissionReview, res http.ResponseWriter) {
+	resp, err := json.Marshal(r)
+	if err != nil {
+		log.Errorf("Error marshalling decision: %v", err)
+		res.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	_, err = res.Write(resp)
+	if err != nil {
+		log.Errorf("Error writing response: %v", err)
+		res.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+}
diff --git a/sidecar-injector/pkg/admission/podpatcher.go b/sidecar-injector/pkg/admission/podpatcher.go
new file mode 100644
index 00000000..01136884
--- /dev/null
+++ b/sidecar-injector/pkg/admission/podpatcher.go
@@ -0,0 +1,11 @@
+package admission
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+type PodPatcher interface {
+	PatchPodCreate(ctx context.Context, pod corev1.Pod) ([]PatchOperation, error)
+}
diff --git a/sidecar-injector/pkg/admission/podrequesthandler.go b/sidecar-injector/pkg/admission/podrequesthandler.go
new file mode 100644
index 00000000..21144baa
--- /dev/null
+++ b/sidecar-injector/pkg/admission/podrequesthandler.go
@@ -0,0 +1,29 @@
+package admission
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/pkg/errors"
+	admissionv1 "k8s.io/api/admission/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+// PodAdmissionRequestHandler PodAdmissionRequest handler
+type PodAdmissionRequestHandler struct {
+	PodHandler PodPatcher
+}
+
+func (handler *PodAdmissionRequestHandler) handleAdmissionCreate(ctx context.Context, request *admissionv1.AdmissionRequest) ([]PatchOperation, error) {
+	pod, err := unmarshalPod(request.Object.Raw)
+	if err != nil {
+		return nil, err
+	}
+	return handler.PodHandler.PatchPodCreate(ctx, pod)
+}
+
+func unmarshalPod(rawObject []byte) (corev1.Pod, error) {
+	var pod corev1.Pod
+	err := json.Unmarshal(rawObject, &pod)
+	return pod, errors.Wrapf(err, "error unmarshalling object")
+}
diff --git a/sidecar-injector/pkg/httpd/simpleserver.go b/sidecar-injector/pkg/httpd/simpleserver.go
new file mode 100644
index 00000000..32f7952b
--- /dev/null
+++ b/sidecar-injector/pkg/httpd/simpleserver.go
@@ -0,0 +1,76 @@
+package httpd
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/kyverno/kyverno-envoy-plugin/sidecar-injector/pkg/admission"
+	"github.com/kyverno/kyverno-envoy-plugin/sidecar-injector/pkg/webhook"
+	"github.com/pkg/errors"
+	log "github.com/sirupsen/logrus"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+/*SimpleServer is the required config to create httpd server*/
+type SimpleServer struct {
+	Local    bool
+	Port     int
+	CertFile string
+	KeyFile  string
+	Patcher  webhook.SidecarInjectorPatcher
+	Debug    bool
+}
+
+/*Start the simple http server supporting TLS*/
+func (simpleServer *SimpleServer) Start() error {
+	k8sClient, err := simpleServer.CreateClient()
+	if err != nil {
+		return err
+	}
+
+	simpleServer.Patcher.K8sClient = k8sClient
+	server := &http.Server{
+		Addr: fmt.Sprintf(":%d", simpleServer.Port),
+	}
+
+	mux := http.NewServeMux()
+	server.Handler = mux
+
+	admissionHandler := &admission.Handler{
+		Handler: &admission.PodAdmissionRequestHandler{
+			PodHandler: &simpleServer.Patcher,
+		},
+	}
+	mux.HandleFunc("/healthz", webhook.HealthCheckHandler)
+	mux.HandleFunc("/mutate", admissionHandler.HandleAdmission)
+
+	if simpleServer.Local {
+		return server.ListenAndServe()
+	}
+	return server.ListenAndServeTLS(simpleServer.CertFile, simpleServer.KeyFile)
+}
+
+// CreateClient Create the server
+func (simpleServer *SimpleServer) CreateClient() (*kubernetes.Clientset, error) {
+	config, err := simpleServer.buildConfig()
+
+	if err != nil {
+		return nil, errors.Wrapf(err, "error setting up cluster config")
+	}
+
+	return kubernetes.NewForConfig(config)
+}
+
+func (simpleServer *SimpleServer) buildConfig() (*rest.Config, error) {
+	if simpleServer.Local {
+		log.Debug("Using local kubeconfig.")
+		kubeconfig := filepath.Join(os.Getenv("HOME"), ".kube", "config")
+		return clientcmd.BuildConfigFromFlags("", kubeconfig)
+	}
+	log.Debug("Using in cluster kubeconfig.")
+	return rest.InClusterConfig()
+}
diff --git a/sidecar-injector/pkg/webhook/health.go b/sidecar-injector/pkg/webhook/health.go
new file mode 100644
index 00000000..4e8243fb
--- /dev/null
+++ b/sidecar-injector/pkg/webhook/health.go
@@ -0,0 +1,8 @@
+package webhook
+
+import "net/http"
+
+// HealthCheckHandler HttpServer function to handle Health check
+func HealthCheckHandler(writer http.ResponseWriter, _ *http.Request) {
+	writer.WriteHeader(http.StatusOK)
+}
diff --git a/sidecar-injector/pkg/webhook/sidecarhandler.go b/sidecar-injector/pkg/webhook/sidecarhandler.go
new file mode 100644
index 00000000..63058558
--- /dev/null
+++ b/sidecar-injector/pkg/webhook/sidecarhandler.go
@@ -0,0 +1,124 @@
+package webhook
+
+import (
+	"context"
+	"strings"
+
+	"github.com/ghodss/yaml"
+	"github.com/kyverno/kyverno-envoy-plugin/sidecar-injector/pkg/admission"
+	log "github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+// Sidecar Kubernetes Sidecar Injector schema
+type Sidecar struct {
+	Name             string                        `yaml:"name"`
+	InitContainers   []corev1.Container            `yaml:"initContainers"`
+	Containers       []corev1.Container            `yaml:"containers"`
+	Volumes          []corev1.Volume               `yaml:"volumes"`
+	ImagePullSecrets []corev1.LocalObjectReference `yaml:"imagePullSecrets"`
+	Annotations      map[string]string             `yaml:"annotations"`
+	Labels           map[string]string             `yaml:"labels"`
+}
+
+// SidecarInjectorPatcher Sidecar Injector patcher
+type SidecarInjectorPatcher struct {
+	K8sClient                kubernetes.Interface
+	SidecarDataKey           string
+	AllowAnnotationOverrides bool
+	AllowLabelOverrides      bool
+}
+
+func createArrayPatches[T any](newCollection []T, existingCollection []T, path string) []admission.PatchOperation {
+	var patches []admission.PatchOperation
+	for index, item := range newCollection {
+		indexPath := path
+		var value interface{}
+		first := index == 0 && len(existingCollection) == 0
+		if !first {
+			indexPath = indexPath + "/-"
+			value = item
+		} else {
+			value = []T{item}
+		}
+		patches = append(patches, admission.PatchOperation{
+			Op:    "add",
+			Path:  indexPath,
+			Value: value,
+		})
+	}
+	return patches
+}
+
+func createObjectPatches(newMap map[string]string, existingMap map[string]string, path string, override bool) []admission.PatchOperation {
+	var patches []admission.PatchOperation
+	if existingMap == nil {
+		patches = append(patches, admission.PatchOperation{
+			Op:    "add",
+			Path:  path,
+			Value: newMap,
+		})
+	} else {
+		for key, value := range newMap {
+			if _, ok := existingMap[key]; !ok || (ok && override) {
+				key = escapeJSONPath(key)
+				op := "add"
+				if ok {
+					op = "replace"
+				}
+				patches = append(patches, admission.PatchOperation{
+					Op:    op,
+					Path:  path + "/" + key,
+					Value: value,
+				})
+			}
+		}
+	}
+	return patches
+}
+
+// Escape keys that may contain `/`s or `~`s to have a valid patch
+// Order matters here, otherwise `/` --> ~01, instead of ~1
+func escapeJSONPath(k string) string {
+	k = strings.ReplaceAll(k, "~", "~0")
+	return strings.ReplaceAll(k, "/", "~1")
+}
+
+// PatchPodCreate Handle Pod Create Patch
+func (patcher *SidecarInjectorPatcher) PatchPodCreate(ctx context.Context, pod corev1.Pod) ([]admission.PatchOperation, error) {
+	namespace := "kyverno-envoy-sidecar-injector"
+	podName := pod.GetName()
+	if podName == "" {
+		podName = pod.GetGenerateName()
+	}
+	var patches []admission.PatchOperation
+	configmapSidecarName := "kyverno-envoy-sidecar"
+	log.Infof("sideCar injection for %v/%v: sidecars: %v", namespace, podName, configmapSidecarName)
+	configmapSidecar, err := patcher.K8sClient.CoreV1().ConfigMaps(namespace).Get(ctx, configmapSidecarName, metav1.GetOptions{})
+	if k8serrors.IsNotFound(err) {
+		log.Warnf("sidecar configmap %s/%s was not found", namespace, configmapSidecarName)
+	} else if err != nil {
+		log.Errorf("error fetching sidecar configmap %s/%s - %v", namespace, configmapSidecarName, err)
+	} else if sidecarsStr, ok := configmapSidecar.Data[patcher.SidecarDataKey]; ok {
+		var sidecars []Sidecar
+		if err := yaml.Unmarshal([]byte(sidecarsStr), &sidecars); err != nil {
+			log.Errorf("error unmarshalling %s from configmap %s/%s", patcher.SidecarDataKey, pod.GetNamespace(), configmapSidecarName)
+		}
+		if sidecars != nil {
+			for _, sidecar := range sidecars {
+				patches = append(patches, createArrayPatches(sidecar.InitContainers, pod.Spec.InitContainers, "/spec/initContainers")...)
+				patches = append(patches, createArrayPatches(sidecar.Containers, pod.Spec.Containers, "/spec/containers")...)
+				patches = append(patches, createArrayPatches(sidecar.Volumes, pod.Spec.Volumes, "/spec/volumes")...)
+				patches = append(patches, createArrayPatches(sidecar.ImagePullSecrets, pod.Spec.ImagePullSecrets, "/spec/imagePullSecrets")...)
+				patches = append(patches, createObjectPatches(sidecar.Annotations, pod.Annotations, "/metadata/annotations", patcher.AllowAnnotationOverrides)...)
+				patches = append(patches, createObjectPatches(sidecar.Labels, pod.Labels, "/metadata/labels", patcher.AllowLabelOverrides)...)
+			}
+			log.Debugf("sidecar patches being applied for %v/%v: patches: %v", namespace, podName, patches)
+		}
+	}
+
+	return patches, nil
+}