If I have an existing cluster with existing resources and I create a new mutating webhook that needs to patch resources (e.g., adding a label to a namespace), once I create the mutating webhook all future resources get modified, but the ones already existing in the cluster do not. What is the best way of passing off existing resources (e.g., kube-system namespace) to the mutating webhook to get patched?
As I know, you are not able to pass already deployed resources to MutatingAdmissionWebhook.
As an option that you most probably wont like, you can path existing resources.
In addition I would like to quote you Avoiding operating on the kube-system namespace doc, as you mentioned kube-system namespace:
The
kube-systemnamespace contains objects created by the Kubernetes system, e.g. service accounts for the control plane components, pods likekube-dns. Accidentally mutating or rejecting requests in thekube-systemnamespace may cause the control plane components to stop functioning or introduce unknown behavior. If your admission webhooks don't intend to modify the behavior of the Kubernetes control plane, exclude thekube-systemnamespace from being intercepted using a namespaceSelector.