Masking PII in Kubernetes: How we solved 3 annoying sidecar edge cases (v2.0.0)

DEV Community·Ilya Ploskovitov·about 1 month ago

Building a mutating webhook for Kubernetes is easy in tutorials, but brutal in production. You immediately hit the reality of volume permissions, security contexts, and zombie sidecars.

I recently released v2.0.0 of the PII-Shield Operator. It’s a Go-based tool that injects a sidecar into your pods to mask sensitive data (PII) before the logs hit Datadog or ELK. Getting the core Shannon entropy logic to work was step one. Making it bulletproof for strict SOC2 environments was step two. Here are the three K8s edge cases we solved for this release:

Dropping the Shell (Moving to Distroless)

Security teams hate sidecars with shell access. In earlier versions, we used Alpine. Now, the agent is compiled with CGO_ENABLED=0 and deployed on gcr.io/distroless/static:nonroot. There is no /bin/sh and zero attack surface. It just tails the log files directly using native Go.

The "Immortal Sidecar" Problem

If you have ever injected sidecars into a K8s Job, you know it breaks the lifecycle.…
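To make the distroless point concrete, here is an added example (not code from the PII-Shield Operator) of what "tails the log files directly using native Go" looks like: a pure standard-library follower that needs no /bin/sh or tail binary, with a simple Shannon-entropy mask applied to each complete line before it is forwarded. The 16-byte minimum token length, the 3.5 bits-per-character threshold, the key=value handling and the [MASKED] placeholder are all my assumptions, not PII-Shield's actual rules.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"math"
	"os"
	"strings"
	"time"
)

// Assumed masking parameters (not taken from PII-Shield): a token is
// masked when it is at least MinTokenLen bytes long and its Shannon
// entropy is at least EntropyThreshold bits per character.
const (
	MinTokenLen      = 16
	EntropyThreshold = 3.5
	pollInterval     = 100 * time.Millisecond
)

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := make(map[rune]int)
	for _, r := range runes {
		counts[r]++
	}
	n := float64(len(runes))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// MaskLine replaces high-entropy values in a whitespace-separated log line.
// For key=value tokens only the value is inspected, so the key survives
// for searching in Datadog or ELK. Natural-language tokens stay below the
// threshold; random-looking identifiers and secrets exceed it.
func MaskLine(line string) string {
	fields := strings.Fields(line)
	for i, f := range fields {
		key, val, hasKey := strings.Cut(f, "=")
		if !hasKey {
			key, val = "", f
		}
		if len(val) >= MinTokenLen && ShannonEntropy(val) >= EntropyThreshold {
			if hasKey {
				fields[i] = key + "=[MASKED]"
			} else {
				fields[i] = "[MASKED]"
			}
		}
	}
	return strings.Join(fields, " ")
}

// FollowFile tails path the way `tail -f` would, but without a shell or a
// tail binary: it reads to EOF, waits, and reads again as the log grows.
// Every complete line is masked and sent to out; a partially written line
// is held until its newline arrives. It returns when stop is closed.
func FollowFile(path string, out chan<- string, stop <-chan struct{}) error {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	r := bufio.NewReader(f)
	var pending strings.Builder
	for {
		chunk, err := r.ReadString('\n')
		pending.WriteString(chunk)
		switch {
		case err == nil:
			out <- MaskLine(strings.TrimRight(pending.String(), "\r\n"))
			pending.Reset()
		case err == io.EOF:
			select {
			case <-stop:
				return nil
			case <-time.After(pollInterval):
			}
		default:
			return err
		}
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: pii-tail <logfile>")
		os.Exit(2)
	}
	out := make(chan string)
	go func() {
		if err := FollowFile(os.Args[1], out, make(chan struct{})); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}()
	for line := range out {
		fmt.Println(line)
	}
}
```

Because the binary only uses the standard library, `CGO_ENABLED=0 go build` yields a static executable that runs unchanged on gcr.io/distroless/static:nonroot, which is exactly why the shell can be dropped. The entropy heuristic is deliberately crude: tokens such as `authentication-succeeded` land just under 3.5 bits per character, so a real deployment would tune the threshold and length against its own log corpus rather than trust these constants.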