diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
index 8748ba62433..2e541911564 100644
--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -172,6 +172,7 @@ var replacements = map[string]string{
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
@@ -256,6 +257,7 @@ var replacements = map[string]string{
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
index 9c89134b2d5..1c46e68553a 100644
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -25,6 +25,22 @@ webhooks:
 - UPDATE
 resources:
 - '*'
+ - pods/ephemeralcontainers
+ - pods/exec
+ - pods/log
+ - pods/eviction
+ - pods/portforward
+ - pods/proxy
+ - pods/attach
+ - pods/binding
+ - pods/resize
+ - deployments/scale
+ - replicasets/scale
+ - statefulsets/scale
+ - replicationcontrollers/scale
+ - services/proxy
+ - nodes/proxy
+ - services/status
 sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
@@ -83,6 +99,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 6b4821181f1..313e6672b75 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -72,6 +72,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index d2cdd775a18..dbd2c06257b 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -79,6 +79,7 @@ webhooks:
 - 'pods/proxy'
 - 'pods/attach'
 - 'pods/binding'
+ - 'pods/resize'
 - 'deployments/scale'
 - 'replicasets/scale'
 - 'statefulsets/scale'
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
index 0e2da7d3598..db5bca310d5 100644
--- a/manifest_staging/deploy/gatekeeper.yaml
+++ b/manifest_staging/deploy/gatekeeper.yaml
@@ -5332,6 +5332,22 @@ webhooks:
 - UPDATE
 resources:
 - '*'
+ - pods/ephemeralcontainers
+ - pods/exec
+ - pods/log
+ - pods/eviction
+ - pods/portforward
+ - pods/proxy
+ - pods/attach
+ - pods/binding
+ - pods/resize
+ - deployments/scale
+ - replicasets/scale
+ - statefulsets/scale
+ - replicationcontrollers/scale
+ - services/proxy
+ - nodes/proxy
+ - services/status
 sideEffects: None
 timeoutSeconds: 1
 ---
@@ -5379,6 +5395,7 @@ webhooks:
 - pods/proxy
 - pods/attach
 - pods/binding
+ - pods/resize
 - deployments/scale
 - replicasets/scale
 - statefulsets/scale
diff --git a/pkg/webhook/mutation.go b/pkg/webhook/mutation.go
index 91a07fb6973..4748c014098 100644
--- a/pkg/webhook/mutation.go
+++ b/pkg/webhook/mutation.go
@@ -49,7 +49,7 @@ func init() {
 }
 }
-// +kubebuilder:webhook:verbs=create;update,path=/v1/mutate,mutating=true,failurePolicy=ignore,groups=*,resources=*,versions=*,name=mutation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
+// +kubebuilder:webhook:verbs=create;update,path=/v1/mutate,mutating=true,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;pods/resize;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=mutation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
 // +kubebuilder:rbac:resourceNames=gatekeeper-mutating-webhook-configuration,groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // AddMutatingWebhook registers the mutating webhook server with the manager.
diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go
index 48af84aa08c..d245fe76926 100644
--- a/pkg/webhook/policy.go
+++ b/pkg/webhook/policy.go
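Review bot: The new marker makes the mutating webhook match the same subresource list as the validating webhook in policy.go, yet unlike policy.go it carries no comment saying why the list exists or that it must be kept in step with policy.go and cmd/build/helmify/replacements.go — the pre-change line (`resources=*` alone) shows the two had already drifted. I would add above the marker: `// Subresources are listed explicitly to mirror the validation webhook in policy.go; keep this list, policy.go and helmify/replacements.go in sync.` Also worth confirming, since the handler is outside the hunk: for several of these subresources (pods/exec and pods/eviction, for instance) the admitted object is, as far as I recall, the subresource's options type rather than a Pod, so mutators that match on Pod should be expected not to fire on those requests. The marker sits at package level; the `init()` named in the hunk header closes at the top of the hunk.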
@@ -80,7 +80,7 @@ func init() {
 // Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). But include "services/status" for constraints that mitigate CVE-2020-8554.
 // You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
-// +kubebuilder:webhook:verbs=create;update,path=/v1/admit,mutating=false,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=validation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
+// +kubebuilder:webhook:verbs=create;update,path=/v1/admit,mutating=false,failurePolicy=ignore,groups=*,resources=*;pods/ephemeralcontainers;pods/exec;pods/log;pods/eviction;pods/portforward;pods/proxy;pods/attach;pods/binding;pods/resize;deployments/scale;replicasets/scale;statefulsets/scale;replicationcontrollers/scale;services/proxy;nodes/proxy;services/status,versions=*,name=validation.gatekeeper.sh,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Exact
 // +kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch
 // AddPolicyWebhook registers the policy webhook server with the manager.
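Review bot: `pods/resize` joins the explicit subresource list, but the comment above it still explains only the general rule and the `services/status` exception, leaving the reason for this entry undocumented. A resize request changes a running pod's container resource requests and limits through its own subresource rather than a plain UPDATE on `pods`, so constraints on container resources that only saw CREATE/UPDATE could, to my understanding, be bypassed without this rule; on clusters where the subresource does not exist the rule should simply never match. I would extend the comment with: `// "pods/resize" (in-place pod vertical scaling) is listed so constraints on container resources also cover resize requests.` The hunk is package-level comment text; the `init()` in the hunk header is not part of the change.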