diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml
new file mode 100644
index 00000000..d17f9ef2
--- /dev/null
+++ b/config/openshift/kustomization.yaml
@@ -0,0 +1,43 @@
+# Adds namespace to all resources.
+namespace: openshift-kubevirt-ipam-controller-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: kubevirt-ipam-controller-
+
+labels:
+- includeSelectors: true
+ pairs:
+ app: ipam-virt-workloads
+
+resources:
+- ../rbac
+- ../manager
+- ../webhook
+
+patches:
+- path: manager_webhook_patch.yaml
+- path: webhookcainjection_patch.yaml
+- patch: |-
+ - op: add
+ path: /webhooks/0/objectSelector
+ value:
+ matchLabels:
+ kubevirt.io: virt-launcher
+ target:
+ kind: MutatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ version: v1
+ name: mutating-webhook-configuration
+- patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ service.beta.openshift.io/serving-cert-secret-name: webhook-service
+ target:
+ kind: Service
+ version: v1
+ name: webhook-service
diff --git a/config/openshift/manager_webhook_patch.yaml b/config/openshift/manager_webhook_patch.yaml
new file mode 100644
index 00000000..8f257d22
--- /dev/null
+++ b/config/openshift/manager_webhook_patch.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ args:
+ - --leader-elect
+ - --certificates-dir=/etc/ipam-controller/certificates
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/ipam-controller/certificates
+ name: cert
+ readOnly: true
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
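Review bot: The `serving-cert-secret-name: webhook-service` annotation in the last patch of kustomization.yaml asks the OpenShift service CA to write the serving certificate into a secret named `webhook-service`, while the Deployment patch in manager_webhook_patch.yaml mounts `secretName: webhook-server-cert`. Unless a manifest outside this diff creates `webhook-server-cert`, the manager's `cert` volume would have nothing to mount, so the annotation should probably read `service.beta.openshift.io/serving-cert-secret-name: webhook-server-cert`. Separately, a JSON-patch `add` at `/metadata/annotations` replaces the whole annotations map if the base Service already carries one; a strategic-merge patch on the Service would merge the key instead.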
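Review bot: `defaultMode: 420` on the `cert` volume in manager_webhook_patch.yaml is the decimal form of octal 0644, which leaves the webhook's private key readable by every user in the pod's containers. A tighter mode with a comment naming the octal value would be `defaultMode: 288  # 0440`, assuming the manager reads the files through its fsGroup. The pod's security context is not visible in this hunk, so confirm which mode the container user can still read before tightening.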
diff --git a/config/openshift/webhookcainjection_patch.yaml b/config/openshift/webhookcainjection_patch.yaml
new file mode 100644
index 00000000..a37e6a5d
--- /dev/null
+++ b/config/openshift/webhookcainjection_patch.yaml
@@ -0,0 +1,16 @@
+# This patch add annotation to admission webhook config and
+# CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ app.kubernetes.io/name: mutatingwebhookconfiguration
+ app.kubernetes.io/instance: mutating-webhook-configuration
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/created-by: kubevirt-ipam-controller
+ app.kubernetes.io/part-of: kubevirt-ipam-controller
+ app.kubernetes.io/managed-by: kustomize
+ name: mutating-webhook-configuration
+ namespace: openshift-kubevirt-ipam-controller-system
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
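Review bot: The header comment still describes `CERTIFICATE_NAMESPACE` and `CERTIFICATE_NAME` substitution, which nothing in this file uses; the patch only sets `service.beta.openshift.io/inject-cabundle`. A comment such as `# Adds the OpenShift service-ca annotation so the CA bundle is injected into the webhook configuration.` would match what the file does and tell a reader where the webhook's trust anchor comes from. `metadata.namespace` is also set on a MutatingWebhookConfiguration, which is cluster-scoped, so the field has no meaning there and could be dropped.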