// the find
slok/kubewebhook
Go framework to create Kubernetes mutating and validating webhooks
kubewebhook is a Go framework that wraps the Kubernetes admission webhook machinery so you can focus on the mutation or validation logic instead of HTTP handling, admission review parsing, and API version negotiation. It targets platform engineers writing policy enforcement or resource injection webhooks. At 631 stars it's not widely adopted, but it's actively maintained against current Kubernetes releases.
The static/dynamic webhook split is genuinely useful — dynamic mode lets a single webhook handler act on multiple or unknown resource types without per-type boilerplate. Built-in Prometheus metrics (RED method) and OpenTelemetry tracing are first-class, not afterthoughts, and the Grafana dashboard ID is included so you don't have to build one. The compatibility matrix is clear and honest about which Kubernetes versions are actually integration-tested rather than just claimed to work. The production-ready example repo (k8s-webhook-example) is a real app with deployment manifests, not a toy.
631 stars for a project that's been around this long suggests it never broke out of a niche — controller-runtime's built-in webhook support has absorbed most of this use case for anyone already using kubebuilder or operator-sdk. Certificate management is entirely your problem; the examples use a shell script to generate self-signed certs, which is fine for getting started but the README doesn't even acknowledge cert-manager as the production path. The logger interface is a custom abstraction with only a logrus adapter provided — if you're on slog or zap you're writing your own wrapper. Documentation lives entirely in GoDoc and example code; there's no prose guide explaining the admission review lifecycle for someone new to webhooks.