From 5eb5a2af9082cb12f566fdad9ddf819ea120fc7b Mon Sep 17 00:00:00 2001
From: cyclinder <qifeng.guo@daocloud.io>
Date: Thu, 17 Oct 2024 19:01:14 +0800
Subject: [PATCH] Add a pod mutating webhook to auto inject the pod network
 resources

Signed-off-by: cyclinder <qifeng.guo@daocloud>
---
 charts/spiderpool/templates/deployment.yaml   |   4 +
 charts/spiderpool/values.yaml                 |   3 +
 cmd/spiderpool-controller/cmd/config.go       |  21 +-
 cmd/spiderpool-controller/cmd/daemon.go       |  14 ++
 docs/reference/spiderpool-controller.md       |   1 +
 .../install/ai/get-started-macvlan-zh_CN.md   |  72 +++---
 docs/usage/install/ai/get-started-macvlan.md  |  72 +++---
 .../install/ai/get-started-sriov-zh_CN.md     | 101 ++++----
 docs/usage/install/ai/get-started-sriov.md    | 100 ++++----
 pkg/constant/k8s.go                           |   7 +-
 pkg/multuscniconfig/utils.go                  |  26 +++
 pkg/podmanager/pod_manager.go                 |   6 +-
 pkg/podmanager/pod_webhook.go                 |  77 +++++++
 pkg/podmanager/utils.go                       | 217 ++++++++++++++++++
 pkg/podmanager/utils_test.go                  | 104 +++++++++
 test/Makefile                                 |   1 +
 test/doc/podwebhook.md                        |   5 +
 test/e2e/podwebhook/podwebhook_suite_test.go  |  26 +++
 test/e2e/podwebhook/podwebhook_test.go        | 107 +++++++++
 19 files changed, 789 insertions(+), 175 deletions(-)
 create mode 100644 pkg/podmanager/pod_webhook.go
 create mode 100644 test/doc/podwebhook.md
 create mode 100644 test/e2e/podwebhook/podwebhook_suite_test.go
 create mode 100644 test/e2e/podwebhook/podwebhook_test.go

diff --git a/charts/spiderpool/templates/deployment.yaml b/charts/spiderpool/templates/deployment.yaml
index d78ce1b080..350381dba7 100644
--- a/charts/spiderpool/templates/deployment.yaml
+++ b/charts/spiderpool/templates/deployment.yaml
@@ -187,6 +187,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: SPIDERPOOL_DEPLOYMENT_NAME
+          value: {{ .Values.spiderpoolController.name | quote }}
+        - name: SPIDERPOOL_ENABLE_POD_NETWORK_RESOURCE_INJECT
+          value: {{ .Values.spiderpoolController.enablePodNetworkResourceInject | quote }}
         {{- with .Values.spiderpoolController.extraEnv }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
diff --git a/charts/spiderpool/values.yaml b/charts/spiderpool/values.yaml
index a51d96b488..10f3734f6e 100644
--- a/charts/spiderpool/values.yaml
+++ b/charts/spiderpool/values.yaml
@@ -669,6 +669,9 @@ spiderpoolController:
   ## @param spiderpoolController.webhookPort the http port for spiderpoolController webhook
   webhookPort: 5722
 
+  ## @param spiderpoolController.enablePodNetworkResourceInject inject network resource to pod 
+  enablePodNetworkResourceInject: false
+
   prometheus:
     ## @param spiderpoolController.prometheus.enabled enable spiderpool Controller to collect metrics
     enabled: false
diff --git a/cmd/spiderpool-controller/cmd/config.go b/cmd/spiderpool-controller/cmd/config.go
index 276c5cebe0..6d76438a93 100644
--- a/cmd/spiderpool-controller/cmd/config.go
+++ b/cmd/spiderpool-controller/cmd/config.go
@@ -99,6 +99,7 @@ var envInfo = []envConf{
 	{"SPIDERPOOL_MULTUS_CONFIG_INFORMER_RESYNC_PERIOD", "60", false, nil, nil, &controllerContext.Cfg.MultusConfigInformerResyncPeriod},
 	{"SPIDERPOOL_CILIUM_CONFIGMAP_NAMESPACE_NAME", "kube-system/cilium-config", false, &controllerContext.Cfg.CiliumConfigName, nil, nil},
 
+	{"SPIDERPOOL_ENABLE_POD_NETWORK_RESOURCE_INJECT", "false", false, nil, &controllerContext.Cfg.InjectPodNetworkResource, nil},
 	{"SPIDERPOOL_IPPOOL_INFORMER_RESYNC_PERIOD", "300", false, nil, nil, &controllerContext.Cfg.IPPoolInformerResyncPeriod},
 	{"SPIDERPOOL_IPPOOL_INFORMER_WORKERS", "3", true, nil, nil, &controllerContext.Cfg.IPPoolInformerWorkers},
 	{"SPIDERPOOL_AUTO_IPPOOL_HANDLER_MAX_WORKQUEUE_LENGTH", "10000", true, nil, nil, &controllerContext.Cfg.IPPoolInformerMaxWorkQueueLength},
@@ -128,16 +129,20 @@ type Config struct {
 	GopsListenPort    string
 	PyroscopeAddress  string
 	DefaultCniConfDir string
-	// CiliumConfigName is formatted by namespace and name,default is kube-system/cilium-config
+	// CiliumConfigName is formatted by namespace and name
+	// default is kube-system/cilium-config
 	CiliumConfigName string
 
-	ControllerPodNamespace string
-	ControllerPodName      string
-	DefaultCoordinatorName string
-	LeaseDuration          int
-	LeaseRenewDeadline     int
-	LeaseRetryPeriod       int
-	LeaseRetryGap          int
+	InjectPodNetworkResource bool
+
+	ControllerDeploymentName string
+	ControllerPodNamespace   string
+	ControllerPodName        string
+	DefaultCoordinatorName   string
+	LeaseDuration            int
+	LeaseRenewDeadline       int
+	LeaseRetryPeriod         int
+	LeaseRetryGap            int
 
 	IPPoolMaxAllocatedIPs int
 
diff --git a/cmd/spiderpool-controller/cmd/daemon.go b/cmd/spiderpool-controller/cmd/daemon.go
index 88023c0565..b42aa944e9 100644
--- a/cmd/spiderpool-controller/cmd/daemon.go
+++ b/cmd/spiderpool-controller/cmd/daemon.go
@@ -268,6 +268,20 @@ func initControllerServiceManagers(ctx context.Context) {
 	}
 	controllerContext.PodManager = podManager
 
+	if controllerContext.Cfg.InjectPodNetworkResource {
+		logger.Debug("Begin to init Pod MutatingWebhook")
+		if err := podmanager.InitPodWebhook(controllerContext.CRDManager.GetClient(),
+			controllerContext.CRDManager, controllerContext.Cfg.ControllerDeploymentName); err != nil {
+			logger.Fatal(err.Error())
+		}
+	} else {
+		logger.Debug("InjectPodNetworkResource is disabled, try to remove the pod part in the MutatingWebhook")
+		if err := podmanager.RemovePodMutatingWebhook(controllerContext.CRDManager.GetClient(),
+			controllerContext.Cfg.ControllerDeploymentName); err != nil {
+			logger.Fatal(err.Error())
+		}
+	}
+
 	logger.Info("Begin to initialize StatefulSet manager")
 	statefulSetManager, err := statefulsetmanager.NewStatefulSetManager(
 		controllerContext.CRDManager.GetClient(),
diff --git a/docs/reference/spiderpool-controller.md b/docs/reference/spiderpool-controller.md
index 847ff3f572..60ef921d52 100644
--- a/docs/reference/spiderpool-controller.md
+++ b/docs/reference/spiderpool-controller.md
@@ -32,6 +32,7 @@ Run the spiderpool controller daemon.
 | SPIDERPOOL_CNI_CONFIG_DIR                                         | /etc/cni/net.d    | The host path of the cni config directory.                                                       |
 | SPIDERPOOL_CILIUM_CONFIGMAP_NAMESPACE_NAME                        | kube-system/cilium-config.    | The cilium's configMap, default is kube-system/cilium-config.                                    |
 | SPIDERPOOL_COORDINATOR_DEFAULT_NAME                               | default | the name of default spidercoordinator CR |
+| SPIDERPOOL_ENABLE_POD_NETWORK_RESOURCE_INJECT                       | false   | Enable/disable inject network resources for pod.                                                    | 
 
 ## spiderpool-controller shutdown
 
diff --git a/docs/usage/install/ai/get-started-macvlan-zh_CN.md b/docs/usage/install/ai/get-started-macvlan-zh_CN.md
index 426be7471a..78bfae3ebd 100644
--- a/docs/usage/install/ai/get-started-macvlan-zh_CN.md
+++ b/docs/usage/install/ai/get-started-macvlan-zh_CN.md
@@ -214,7 +214,9 @@
 
 3. 创建 CNI 配置和对应的 ippool 资源
 
-    对于 Ethernet 网络，请为所有的 GPU 亲和的 macvlan 网卡配置，并创建对应的 IP 地址池。如下例子，配置了 GPU1 亲和的网卡和 IP 地址池。
+    对于 Ethernet 网络，请为所有的 GPU 亲和的 macvlan 网卡配置，并创建对应的 IP 地址池。Spiderpool 为了简化 AI 应用配置多网卡的复杂度，支持通过 labels 对一组网卡配置分类，用户只需要为 Pod 注入特定的标签，这样 Spiderpool 会通过 webhook 自动为 Pod 注入对应的网卡和网络资源。
+
+    如下例子，配置了 GPU1 亲和的网卡和 IP 地址池:
 
     ```shell
     $ cat <<EOF | kubectl apply -f -
@@ -223,29 +225,35 @@
     metadata:
       name: gpu1-net11
     spec:
-          gateway: 172.16.11.254
-          subnet: 172.16.11.0/16
-          ips:
-            - 172.16.11.1-172.16.11.200
+      gateway: 172.16.11.254
+      subnet: 172.16.11.0/16
+      ips:
+        - 172.16.11.1-172.16.11.200
     ---
     apiVersion: spiderpool.spidernet.io/v2beta1
     kind: SpiderMultusConfig
     metadata:
       name: gpu1-macvlan
       namespace: spiderpool
+      labels:
+        macvlan-rdma-gpu: ""
     spec:
-          cniType: macvlan
-          macvlan:
-            master: ["enp11s0f0np0"]
-            ippools:
-              ipv4: ["gpu1-net11"]
+      cniType: macvlan
+      macvlan:
+        master: ["enp11s0f0np0"]
+        enableRdma: true
+        rdmaResourceName: "spidernet.io/shared_cx5_gpu1"
+        ippools:
+          ipv4: ["gpu1-net11"]
     EOF
     ```
 
+    如上配置，为 8 张网卡对应的 SpiderMultusConfig 资源，添加了 `auto-spiderpool-inject: ""` 标签。 LabelKey 为用户自定义的值，该值需要与向 Pod 添加的 Label: `network.spidernet.io/inject-network-resources` 的 value 保持一致。
+
 ## 创建测试应用
 
 1. 在指定节点上创建一组 DaemonSet 应用
-   如下例子，通过 annotations `v1.multus-cni.io/default-network` 指定使用 calico 的缺省网卡，用于进行控制面通信，annotations `k8s.v1.cni.cncf.io/networks` 接入 8 个 GPU 亲和网卡的网卡，用于 RDMA 通信，并配置 8 种 RDMA resources 资源
+   如下例子，通过 annotations `v1.multus-cni.io/default-network` 指定使用 calico 的缺省网卡，用于进行控制面通信，指定 labels `network.spidernet.io/inject-network-resources: auto-spiderpool-inject`，Spiderpool 将会自动向 Pod 注入 8 个 GPU 亲和网卡的网卡，用于 RDMA 通信，并配置 8 种 RDMA resources 资源。
 
     ```shell
     $ helm repo add spiderchart https://spidernet-io.github.io/charts
@@ -271,29 +279,8 @@
                   - worker2
 
     # macvlan interfaces
-    extraAnnotations:
-      k8s.v1.cni.cncf.io/networks: |-
-                       [{"name":"gpu1-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu2-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu3-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu4-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu5-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu6-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu7-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu8-macvlan","namespace":"spiderpool"}]
-
-    # macvlan resource
-    resources:
-      limits:
-            spidernet.io/shared_cx5_gpu1: 1
-            spidernet.io/shared_cx5_gpu2: 1
-            spidernet.io/shared_cx5_gpu3: 1
-            spidernet.io/shared_cx5_gpu4: 1
-            spidernet.io/shared_cx5_gpu5: 1
-            spidernet.io/shared_cx5_gpu6: 1
-            spidernet.io/shared_cx5_gpu7: 1
-            spidernet.io/shared_cx5_gpu8: 1
-            #nvidia.com/gpu: 1
+    extraLabels:
+      network.spidernet.io/inject-network-resources: auto-spiderpool-inject
     EOF
 
     $ helm install rdma-tools spiderchart/rdma-tools -f ./values.yaml
@@ -301,6 +288,23 @@
 
     在容器的网络命名空间创建过程中，Spiderpool 会对 macvlan 接口上的网关进行连通性测试，如果如上应用的所有 POD 都启动成功，说明了每个节点上的 VF 设备的连通性成功，可进行正常的 RDMA 通信。
 
+    当 Pod 成功 Running， 可检查 Pod 的 RDMA Resources 是否成功注入:
+
+    ```shell
+    # macvlan resource
+    resources:
+      requests:
+        spidernet.io/shared_cx5_gpu1: 1
+        spidernet.io/shared_cx5_gpu2: 1
+        spidernet.io/shared_cx5_gpu3: 1
+        spidernet.io/shared_cx5_gpu4: 1
+        spidernet.io/shared_cx5_gpu5: 1
+        spidernet.io/shared_cx5_gpu6: 1
+        spidernet.io/shared_cx5_gpu7: 1
+        spidernet.io/shared_cx5_gpu8: 1
+        #nvidia.com/gpu: 1
+    ```
+
 2. 查看容器的网络命名空间状态
 
     可进入任一一个 POD 的网络命名空间中，确认具备 9 个网卡：
diff --git a/docs/usage/install/ai/get-started-macvlan.md b/docs/usage/install/ai/get-started-macvlan.md
index 1c86c32510..253038c291 100644
--- a/docs/usage/install/ai/get-started-macvlan.md
+++ b/docs/usage/install/ai/get-started-macvlan.md
@@ -215,7 +215,9 @@ The network planning for the cluster is as follows:
 
 3. Create CNI configuration and proper IP pool resources
 
-    For Ethernet networks, please configure the Macvlan network interfaces associated with all GPUs and create corresponding IP address pools. The example below shows the configuration for the network interface and IP address pool associated with GPU1.
+    For Ethernet networks, please configure macvlan interfaces for all GPU-affined network cards and create corresponding IP address pools. To simplify the complexity of configuring multiple network interfaces for AI applications, Spiderpool supports classifying a group of network interface configurations through labels. Users only need to inject specific labels for Pods, and Spiderpool will automatically inject corresponding network interfaces and network resources for Pods through webhooks.
+    
+    The example below shows the configuration for the network interface and IP address pool associated with GPU1.
 
     ```shell
     $ cat <<EOF | kubectl apply -f -
@@ -224,29 +226,33 @@ The network planning for the cluster is as follows:
     metadata:
       name: gpu1-net11
     spec:
-          gateway: 172.16.11.254
-          subnet: 172.16.11.0/16
-          ips:
-            - 172.16.11.1-172.16.11.200
+      gateway: 172.16.11.254
+      subnet: 172.16.11.0/16
+      ips:
+        - 172.16.11.1-172.16.11.200
     ---
     apiVersion: spiderpool.spidernet.io/v2beta1
     kind: SpiderMultusConfig
     metadata:
       name: gpu1-macvlan
       namespace: spiderpool
+      labels:
+        macvlan-rdma-gpu: ""
     spec:
-          cniType: macvlan
-          macvlan:
-            master: ["enp11s0f0np0"]
-            ippools:
-              ipv4: ["gpu1-net11"]
+      cniType: macvlan
+      macvlan:
+        master: ["enp11s0f0np0"]
+        ippools:
+          ipv4: ["gpu1-net11"]
     EOF
     ```
 
+    The above configuration adds the `auto-spiderpool-inject: ""` label to the SpiderMultusConfig resources corresponding to the 8 network cards. The LabelKey is a user-defined value that needs to match the value of the `network.spidernet.io/inject-network-resources` label added to the Pod.
+
 ## Create a Test Application
 
 1. Create a DaemonSet application on specified nodes.
-   In the following example, the annotation field `v1.multus-cni.io/default-network` specifies the use of the default Calico network card for control plane communication. The annotation field `k8s.v1.cni.cncf.io/networks` connects to the 8 network cards affinitized to the GPU for RDMA communication, and configures 8 types of RDMA resources.
+   In the following example, the annotation field `v1.multus-cni.io/default-network` specifies the use of the default Calico network card for control plane communication. and specifies the label `network.spidernet.io/inject-network-resources: auto-spiderpool-inject`. Spiderpool will automatically inject 8 GPU-affinity network interfaces into the Pod for RDMA communication, and configure 8 types of RDMA resources.
 
     ```shell
     $ helm repo add spiderchart https://spidernet-io.github.io/charts
@@ -271,30 +277,9 @@ The network planning for the cluster is as follows:
                   - worker1
                   - worker2
 
-    # interfaces
-    extraAnnotations:
-      k8s.v1.cni.cncf.io/networks: |-
-                       [{"name":"gpu1-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu2-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu3-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu4-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu5-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu6-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu7-macvlan","namespace":"spiderpool"},
-                        {"name":"gpu8-macvlan","namespace":"spiderpool"}]
-
-    # resource
-    resources:
-      limits:
-            spidernet.io/shared_cx5_gpu1: 1
-            spidernet.io/shared_cx5_gpu2: 1
-            spidernet.io/shared_cx5_gpu3: 1
-            spidernet.io/shared_cx5_gpu4: 1
-            spidernet.io/shared_cx5_gpu5: 1
-            spidernet.io/shared_cx5_gpu6: 1
-            spidernet.io/shared_cx5_gpu7: 1
-            spidernet.io/shared_cx5_gpu8: 1
-            #nvidia.com/gpu: 1
+    # macvlan interfaces
+    extraLabels:
+      network.spidernet.io/inject-network-resources: auto-spiderpool-inject
     EOF
 
     $ helm install rdma-tools spiderchart/rdma-tools -f ./values.yaml
@@ -303,6 +288,23 @@ The network planning for the cluster is as follows:
     During the creation of the network namespace for the container, Spiderpool will perform connectivity tests on the gateway of the macvlan interface.
     If all PODs of the above application start successfully, it indicates successful connectivity of the network cards on each node, allowing normal RDMA communication.
 
+    When the Pod is successfully Running, you can check if the RDMA Resources have been successfully injected into the Pod:
+
+    ```shell
+    # macvlan resource
+    resources:
+      requests:
+        spidernet.io/shared_cx5_gpu1: 1
+        spidernet.io/shared_cx5_gpu2: 1
+        spidernet.io/shared_cx5_gpu3: 1
+        spidernet.io/shared_cx5_gpu4: 1
+        spidernet.io/shared_cx5_gpu5: 1
+        spidernet.io/shared_cx5_gpu6: 1
+        spidernet.io/shared_cx5_gpu7: 1
+        spidernet.io/shared_cx5_gpu8: 1
+        #nvidia.com/gpu: 1
+    ```
+
 2. Check the network namespace status of the container.
 
     You can enter the network namespace of any POD to confirm that it has 9 network cards.
diff --git a/docs/usage/install/ai/get-started-sriov-zh_CN.md b/docs/usage/install/ai/get-started-sriov-zh_CN.md
index ea571a6ade..8e69948710 100644
--- a/docs/usage/install/ai/get-started-sriov-zh_CN.md
+++ b/docs/usage/install/ai/get-started-sriov-zh_CN.md
@@ -305,7 +305,11 @@ Spiderpool 使用了 [sriov-network-operator](https://github.com/k8snetworkplumb
 
 3. 创建 CNI 配置和对应的 ippool 资源
 
-   (1) 对于 Infiniband 网络，请为所有的 GPU 亲和的 SR-IOV 网卡配置 [IB-SRIOV CNI](https://github.com/k8snetworkplumbingwg/ib-sriov-cni) 配置，并创建对应的 IP 地址池 。 如下例子，配置了 GPU1 亲和的网卡和 IP 地址池
+   (1) 对于 Infiniband 网络，请为所有的 GPU 亲和的 SR-IOV 网卡配置 [IB-SRIOV CNI](https://github.com/k8snetworkplumbingwg/ib-sriov-cni) 配置，并创建对应的 IP 地址池 。 
+
+   Spiderpool 为了简化 AI 场景下：应用配置多网卡的复杂度，支持通过向 SpiderMultusConfig 注入 labels, 而对一组网卡配置分类。用户创建 Pod 时再注入特定的标签，这样 Spiderpool 会通过 webhook 自动为 Pod 注入对应的网卡和网络资源。
+
+   如下例子，配置了 GPU1 亲和的网卡和 IP 地址池
 
     ```
     $ cat <<EOF | kubectl apply -f -
@@ -314,27 +318,33 @@ Spiderpool 使用了 [sriov-network-operator](https://github.com/k8snetworkplumb
     metadata:
       name: gpu1-net11
     spec:
-          gateway: 172.16.11.254
-          subnet: 172.16.11.0/16
-          ips:
-            - 172.16.11.1-172.16.11.200
+      gateway: 172.16.11.254
+      subnet: 172.16.11.0/16
+      ips:
+        - 172.16.11.1-172.16.11.200
     ---
     apiVersion: spiderpool.spidernet.io/v2beta1
     kind: SpiderMultusConfig
     metadata:
       name: gpu1-sriov
       namespace: spiderpool
+      labels:
+        ib-sriov-config-gpu: ""
     spec:
-          cniType: ib-sriov
-          ibsriov:
-            resourceName: spidernet.io/gpu1sriov
-            rdmaIsolation: true
-            ippools:
-              ipv4: ["gpu1-net91"]
+      cniType: ib-sriov
+      ibsriov:
+        resourceName: spidernet.io/gpu1sriov
+        rdmaIsolation: true
+        ippools:
+          ipv4: ["gpu1-net91"]
     EOF
     ```
 
-   (2) 对于 Ethernet 网络，请为所有的 GPU 亲和的 SR-IOV 网卡配置 [SR-IOV CNI](https://github.com/k8snetworkplumbingwg/sriov-cni) 配置，并创建对应的 IP 地址池 。 如下例子，配置了 GPU1 亲和的网卡和 IP 地址池
+   (2) 对于 Ethernet 网络，请为所有的 GPU 亲和的 SR-IOV 网卡配置 [SR-IOV CNI](https://github.com/k8snetworkplumbingwg/sriov-cni) 配置，并创建对应的 IP 地址池 。 
+
+   Spiderpool 为了简化 AI 场景下：应用配置多网卡的复杂度，支持通过向 SpiderMultusConfig 注入 labels, 而对一组网卡配置分类。用户创建 Pod 时再注入特定的标签，这样 Spiderpool 会通过 webhook 自动为 Pod 注入对应的网卡和网络资源。
+   
+   如下例子，配置了 GPU1 亲和的网卡和 IP 地址池
 
     ```   
     $ cat <<EOF | kubectl apply -f -
@@ -343,30 +353,32 @@ Spiderpool 使用了 [sriov-network-operator](https://github.com/k8snetworkplumb
     metadata:
       name: gpu1-net11
     spec:
-          gateway: 172.16.11.254
-          subnet: 172.16.11.0/16
-          ips:
-            - 172.16.11.1-172.16.11.200
+      gateway: 172.16.11.254
+      subnet: 172.16.11.0/16
+      ips:
+        - 172.16.11.1-172.16.11.200
     ---
     apiVersion: spiderpool.spidernet.io/v2beta1
     kind: SpiderMultusConfig
     metadata:
       name: gpu1-sriov
       namespace: spiderpool
+      labels:
+        sriov-config-gpu: ""
     spec:
-          cniType: sriov
-          sriov:
-            resourceName: spidernet.io/gpu1sriov
-            enableRdma: true
-            ippools:
-              ipv4: ["gpu1-net11"]
+      cniType: sriov
+      sriov:
+        resourceName: spidernet.io/gpu1sriov
+        enableRdma: true
+        ippools:
+          ipv4: ["gpu1-net11"]
     EOF
     ```
 
 ## 创建测试应用
 
 1. 在指定节点上创建一组 DaemonSet 应用，测试指定节点上的 SR-IOV 设备的可用性
-    如下例子，通过 annotations `v1.multus-cni.io/default-network` 指定使用 calico 的缺省网卡，用于进行控制面通信，annotations `k8s.v1.cni.cncf.io/networks` 接入 8 个 GPU 亲和网卡的 VF 网卡，用于 RDMA 通信，并配置 8 种 RDMA resources 资源
+    如下例子，通过 annotations `v1.multus-cni.io/default-network` 指定使用 calico 的缺省网卡，用于进行控制面通信，指定 labels `network.spidernet.io/inject-network-resources: sriov-config-gpu`，Spiderpool 将会自动向 Pod 注入 8 个 GPU 亲和网卡的网卡(根据 label sriov-config-gpu 获取)，用于 RDMA 通信，并配置 8 种 RDMA resources 资源。
 
     ```
     $ helm repo add spiderchart https://spidernet-io.github.io/charts
@@ -392,37 +404,32 @@ Spiderpool 使用了 [sriov-network-operator](https://github.com/k8snetworkplumb
                   - worker2
 
     # sriov interfaces
-    extraAnnotations:
-      k8s.v1.cni.cncf.io/networks: |-
-                       [{"name":"gpu1-sriov","namespace":"spiderpool"},
-                        {"name":"gpu2-sriov","namespace":"spiderpool"},
-                        {"name":"gpu3-sriov","namespace":"spiderpool"},
-                        {"name":"gpu4-sriov","namespace":"spiderpool"},
-                        {"name":"gpu5-sriov","namespace":"spiderpool"},
-                        {"name":"gpu6-sriov","namespace":"spiderpool"},
-                        {"name":"gpu7-sriov","namespace":"spiderpool"},
-                        {"name":"gpu8-sriov","namespace":"spiderpool"}]
-
-    # sriov resource
-    resources:
-      limits:
-            spidernet.io/gpu1sriov: 1
-            spidernet.io/gpu2sriov: 1
-            spidernet.io/gpu3sriov: 1
-            spidernet.io/gpu4sriov: 1
-            spidernet.io/gpu5sriov: 1
-            spidernet.io/gpu6sriov: 1
-            spidernet.io/gpu7sriov: 1
-            spidernet.io/gpu8sriov: 1
-            #nvidia.com/gpu: 1
+    labels:
+      network.spidernet.io/inject-network-resources: sriov-config-gpu
     EOF
 
     $ helm install rdma-tools spiderchart/rdma-tools -f ./values.yaml
-    
     ```
    
     在容器的网络命名空间创建过程中，Spiderpool 会对 sriov 接口上的网关进行连通性测试，如果如上应用的所有 POD 都启动成功，说明了每个节点上的 VF 设备的连通性成功，可进行正常的 RDMA 通信。
 
+    当 Pod 为 Running 状态，检查 Pod 的 resources 是否成功注入 8 个 RDMA 资源:
+
+    ```shell
+    # sriov resource
+    resources:
+      requests:
+        spidernet.io/gpu1sriov: 1
+        spidernet.io/gpu2sriov: 1
+        spidernet.io/gpu3sriov: 1
+        spidernet.io/gpu4sriov: 1
+        spidernet.io/gpu5sriov: 1
+        spidernet.io/gpu6sriov: 1
+        spidernet.io/gpu7sriov: 1
+        spidernet.io/gpu8sriov: 1
+        #nvidia.com/gpu: 1
+    ```
+
 2. 查看容器的网络命名空间状态
 
     可进入任一一个 POD 的网络命名空间中，确认具备 9 个网卡
diff --git a/docs/usage/install/ai/get-started-sriov.md b/docs/usage/install/ai/get-started-sriov.md
index af4ad0bd8c..ad5569fe0b 100644
--- a/docs/usage/install/ai/get-started-sriov.md
+++ b/docs/usage/install/ai/get-started-sriov.md
@@ -308,7 +308,11 @@ The network planning for the cluster is as follows:
 
 3. Create CNI Configuration and Corresponding IP Pool Resources
 
-    a. For Infiniband Networks, configure [the IB-SRIOV CNI](https://github.com/k8snetworkplumbingwg/ib-sriov-cni)  for all GPU-affinitized SR-IOV network cards and create the corresponding IP address pool. The following example configures the network card and IP address pool for GPU1
+    a. For Infiniband Networks, configure [the IB-SRIOV CNI](https://github.com/k8snetworkplumbingwg/ib-sriov-cni)  for all GPU-affinitized SR-IOV network cards and create the corresponding IP address pool.
+    
+    To simplify the complexity of configuring multiple network interfaces for AI applications, Spiderpool supports classifying a group of network interface configurations through labels. Users only need to inject specific labels for Pods, and Spiderpool will automatically inject corresponding network interfaces and network resources for Pods through webhooks.
+
+    The following example configures the network card and IP address pool for GPU1
 
     ```
     $ cat <<EOF | kubectl apply -f -
@@ -327,12 +331,14 @@ The network planning for the cluster is as follows:
     metadata:
       name: gpu1-sriov
       namespace: spiderpool
+      labels:
+        ib-sriov-config-gpu: ""
     spec:
-          cniType: ib-sriov
-          ibsriov:
-            resourceName: spidernet.io/gpu1sriov
-            ippools:
-              ipv4: ["gpu1-net91"]
+      cniType: ib-sriov
+      ibsriov:
+        resourceName: spidernet.io/gpu1sriov
+        ippools:
+          ipv4: ["gpu1-net91"]
     EOF
     ```
 
@@ -345,30 +351,32 @@ The network planning for the cluster is as follows:
     metadata:
       name: gpu1-net11
     spec:
-          gateway: 172.16.11.254
-          subnet: 172.16.11.0/16
-          ips:
-            - 172.16.11.1-172.16.11.200
+      gateway: 172.16.11.254
+      subnet: 172.16.11.0/16
+      ips:
+        - 172.16.11.1-172.16.11.200
     ---
     apiVersion: spiderpool.spidernet.io/v2beta1
     kind: SpiderMultusConfig
     metadata:
       name: gpu1-sriov
       namespace: spiderpool
+      labels:
+        sriov-config-gpu: ""
     spec:
-          cniType: sriov
-          sriov:
-            resourceName: spidernet.io/gpu1sriov
-            enableRdma: true
-            ippools:
-              ipv4: ["gpu1-net11"]
+      cniType: sriov
+      sriov:
+        resourceName: spidernet.io/gpu1sriov
+        enableRdma: true
+        ippools:
+          ipv4: ["gpu1-net11"]
     EOF
     ```
 
 ## Create a Test Application
 
 1. Create a DaemonSet application on a specified node to test the availability of SR-IOV devices on that node. 
-    In the following example, the annotation field `v1.multus-cni.io/default-network` specifies the use of the default Calico network card for control plane communication. The annotation field `k8s.v1.cni.cncf.io/networks` connects to the 8 VF network cards affinitized to the GPU for RDMA communication, and configures 8 types of RDMA resources.
+    In the following example, the annotation field `v1.multus-cni.io/default-network` specifies the use of the default Calico network card for control plane communication.  and specifies the label `network.spidernet.io/inject-network-resources: sriov-config-gpu`. Spiderpool will automatically inject 8 GPU-affinity network interfaces into the Pod for RDMA communication, and configure 8 types of RDMA resources.
 
     ```shell
     $ helm repo add spiderchart https://spidernet-io.github.io/charts
@@ -384,39 +392,18 @@ The network planning for the cluster is as follows:
     # just run daemonset in nodes 'worker1' and 'worker2'
     affinity:
       nodeAffinity:
-            requiredDuringSchedulingIgnoredDuringExecution:
-              nodeSelectorTerms:
-              - matchExpressions:
-                - key: kubernetes.io/hostname
-                  operator: In
-                  values:
-                  - worker1
-                  - worker2
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+              - worker1
+              - worker2
 
     # sriov interfaces
-    extraAnnotations:
-      k8s.v1.cni.cncf.io/networks: |-
-                       [{"name":"gpu1-sriov","namespace":"spiderpool"},
-                        {"name":"gpu2-sriov","namespace":"spiderpool"},
-                        {"name":"gpu3-sriov","namespace":"spiderpool"},
-                        {"name":"gpu4-sriov","namespace":"spiderpool"},
-                        {"name":"gpu5-sriov","namespace":"spiderpool"},
-                        {"name":"gpu6-sriov","namespace":"spiderpool"},
-                        {"name":"gpu7-sriov","namespace":"spiderpool"},
-                        {"name":"gpu8-sriov","namespace":"spiderpool"}]
-
-    # sriov resource
-    resources:
-      limits:
-            spidernet.io/gpu1sriov: 1
-            spidernet.io/gpu2sriov: 1
-            spidernet.io/gpu3sriov: 1
-            spidernet.io/gpu4sriov: 1
-            spidernet.io/gpu5sriov: 1
-            spidernet.io/gpu6sriov: 1
-            spidernet.io/gpu7sriov: 1
-            spidernet.io/gpu8sriov: 1
-            #nvidia.com/gpu: 1
+    extraLabels:
+      network.spidernet.io/inject-network-resources: sriov-config-gpu
     EOF
 
     $ helm install rdma-tools spiderchart/rdma-tools -f ./values.yaml
@@ -425,6 +412,23 @@ The network planning for the cluster is as follows:
     During the creation of the network namespace for the container, Spiderpool will perform connectivity tests on the gateway of the SR-IOV interface. 
     If all PODs of the above application start successfully, it indicates successful connectivity of the VF devices on each node, allowing normal RDMA communication.
 
+    When the Pod is successfully Running, you can check if the RDMA Resources have been successfully injected into the Pod:
+
+    ```shell
+    # macvlan resource
+    resources:
+      requests:
+        spidernet.io/shared_cx5_gpu1: 1
+        spidernet.io/shared_cx5_gpu2: 1
+        spidernet.io/shared_cx5_gpu3: 1
+        spidernet.io/shared_cx5_gpu4: 1
+        spidernet.io/shared_cx5_gpu5: 1
+        spidernet.io/shared_cx5_gpu6: 1
+        spidernet.io/shared_cx5_gpu7: 1
+        spidernet.io/shared_cx5_gpu8: 1
+        #nvidia.com/gpu: 1
+    ```
+
 2. Check the network namespace status of the container.
 
     You can enter the network namespace of any POD to confirm that it has 9 network cards.
diff --git a/pkg/constant/k8s.go b/pkg/constant/k8s.go
index 1e06cc774c..f96802c933 100644
--- a/pkg/constant/k8s.go
+++ b/pkg/constant/k8s.go
@@ -51,7 +51,8 @@ const (
 )
 
 const (
-	AnnotationPre = "ipam.spidernet.io"
+	AnnotationPre        = "ipam.spidernet.io"
+	AnnotationSpinderPre = "network.spidernet.io"
 
 	AnnoPodIPPool       = AnnotationPre + "/ippool"
 	AnnoPodIPPools      = AnnotationPre + "/ippools"
@@ -100,6 +101,10 @@ const (
 	//dra
 	DraAnnotationPre  = "dra.spidernet.io"
 	AnnoDraCdiVersion = AnnotationPre + "/cdi-version"
+
+	// webhook
+	PodMutatingWebhookName  = "pods.spiderpool.spidernet.io"
+	LabelMutatingPodWebhook = AnnotationSpinderPre + "/inject-network-resources"
 )
 
 const (
diff --git a/pkg/multuscniconfig/utils.go b/pkg/multuscniconfig/utils.go
index afa3ece680..5aad1b5140 100644
--- a/pkg/multuscniconfig/utils.go
+++ b/pkg/multuscniconfig/utils.go
@@ -30,6 +30,7 @@ import (
 
 	coordinatorcmd "github.com/spidernet-io/spiderpool/cmd/coordinator/cmd"
 	spiderpoolcmd "github.com/spidernet-io/spiderpool/cmd/spiderpool/cmd"
+	"github.com/spidernet-io/spiderpool/pkg/constant"
 	spiderpoolv2beta1 "github.com/spidernet-io/spiderpool/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1"
 )
 
@@ -220,3 +221,28 @@ func ParsePodNetworkObjectName(podnetwork string) (string, string, string, error
 
 	return netNsName, networkName, netIfName, nil
 }
+
+// resourceName returns the appropriate resource name based on the CNI type and configuration
+// of the given SpiderMultusConfig.
+func ResourceName(smc *spiderpoolv2beta1.SpiderMultusConfig) string {
+	switch *smc.Spec.CniType {
+	case constant.MacvlanCNI:
+		// For Macvlan CNI, return RDMA resource name if RDMA is enabled
+		if smc.Spec.MacvlanConfig != nil && smc.Spec.MacvlanConfig.EnableRdma {
+			return smc.Spec.MacvlanConfig.RdmaResourceName
+		}
+	case constant.IPVlanCNI:
+		if smc.Spec.IPVlanConfig != nil && smc.Spec.IPVlanConfig.EnableRdma {
+			return smc.Spec.IPVlanConfig.RdmaResourceName
+		}
+	case constant.SriovCNI:
+		if smc.Spec.SriovConfig != nil {
+			return smc.Spec.SriovConfig.ResourceName
+		}
+	case constant.IBSriovCNI:
+		if smc.Spec.IbSriovConfig != nil {
+			return smc.Spec.IbSriovConfig.ResourceName
+		}
+	}
+	return ""
+}
diff --git a/pkg/podmanager/pod_manager.go b/pkg/podmanager/pod_manager.go
index 016e864b38..600454e125 100644
--- a/pkg/podmanager/pod_manager.go
+++ b/pkg/podmanager/pod_manager.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 
+	crdclientset "github.com/spidernet-io/spiderpool/pkg/k8s/client/clientset/versioned"
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -27,8 +28,9 @@ type PodManager interface {
 }
 
 type podManager struct {
-	client    client.Client
-	apiReader client.Reader
+	client       client.Client
+	apiReader    client.Reader
+	SpiderClient crdclientset.Interface
 }
 
 func NewPodManager(client client.Client, apiReader client.Reader) (PodManager, error) {
diff --git a/pkg/podmanager/pod_webhook.go b/pkg/podmanager/pod_webhook.go
new file mode 100644
index 0000000000..1dc370f5df
--- /dev/null
+++ b/pkg/podmanager/pod_webhook.go
@@ -0,0 +1,77 @@
+// Copyright 2022 Authors of spidernet-io
+// SPDX-License-Identifier: Apache-2.0
+package podmanager
+
+import (
+	"context"
+
+	crdclientset "github.com/spidernet-io/spiderpool/pkg/k8s/client/clientset/versioned"
+	"github.com/spidernet-io/spiderpool/pkg/logutils"
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+type PodWebhook interface {
+	admission.CustomDefaulter
+	admission.CustomValidator
+}
+
+type podWebhook struct {
+	client       client.Client
+	SpiderClient crdclientset.Interface
+}
+
+func InitPodWebhook(client client.Client,
+	mgr ctrl.Manager,
+	mutatingWebhookName string) error {
+	spiderClient, err := crdclientset.NewForConfig(ctrl.GetConfigOrDie())
+	if err != nil {
+		return err
+	}
+
+	pw := &podWebhook{
+		client:       client,
+		SpiderClient: spiderClient,
+	}
+
+	if err = addPodMutatingWebhook(client, mutatingWebhookName); err != nil {
+		return err
+	}
+
+	// setup mutating webhook for pods
+	if err = ctrl.NewWebhookManagedBy(mgr).
+		For(&corev1.Pod{}).
+		WithDefaulter(pw).
+		Complete(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (pw *podWebhook) Default(ctx context.Context, obj runtime.Object) error {
+	logger := logutils.FromContext(ctx)
+	pod := obj.(*corev1.Pod)
+	mutateLogger := logger.Named("Mutating").With(
+		zap.String("Pod", pod.Name))
+	mutateLogger.Sugar().Debugf("Request Pod: %+v", *pod)
+
+	// TODO: add mutating logic for pods here
+	podNetworkMutatingWebhook(pw.client, pod)
+	return nil
+}
+
+func (pw *podWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (pw *podWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (pw *podWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
diff --git a/pkg/podmanager/utils.go b/pkg/podmanager/utils.go
index eaf4712295..01d4ff14ae 100644
--- a/pkg/podmanager/utils.go
+++ b/pkg/podmanager/utils.go
@@ -4,12 +4,22 @@
 package podmanager
 
 import (
+	"context"
+	"fmt"
+
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	k8s_resource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	kubevirtv1 "kubevirt.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/spidernet-io/spiderpool/pkg/constant"
+	"github.com/spidernet-io/spiderpool/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1"
+	"github.com/spidernet-io/spiderpool/pkg/multuscniconfig"
 )
 
 func IsPodAlive(pod *corev1.Pod) bool {
@@ -53,3 +63,210 @@ func IsStaticIPPod(enableStatefulSet, enableKubevirtStaticIP bool, pod *corev1.P
 
 	return false
 }
+
+// podNetworkMutatingWebhook handles the mutating webhook for pod networks.
+// It checks if the pod has the required label for mutation, retrieves the corresponding
+// SpiderMultusConfigs, and injects the network configuration into the pod.
+//
+// Parameters:
+//   - apiReader: A client.Reader interface for accessing Kubernetes API objects
+//   - pod: A pointer to the corev1.Pod object to be mutated
+//
+// Returns:
+//   - An error if any step in the process fails, nil otherwise
+func podNetworkMutatingWebhook(apiClient client.Client, pod *corev1.Pod) error {
+	labelValue, ok := pod.Labels[constant.LabelMutatingPodWebhook]
+	if !ok {
+		return nil
+	}
+
+	var multusConfigs v2beta1.SpiderMultusConfigList
+	err := apiClient.List(context.TODO(), &multusConfigs, client.HasLabels{
+		labelValue,
+	})
+	if err != nil {
+		return err
+	}
+
+	return InjectPodNetwork(pod, multusConfigs)
+}
+
+// injectPodNetwork injects network configurations into the pod based on the provided SpiderMultusConfigs.
+// It checks for CNI type consistency, updates the pod's network attachment annotations,
+// and prepares a map of resources to be injected.
+//
+// Parameters:
+//   - pod: A pointer to the corev1.Pod object to be updated
+//   - multusConfigs: A list of SpiderMultusConfig objects to be applied to the pod
+//
+// Returns:
+//   - An error if there's an inconsistency in CNI types, nil otherwise
+func InjectPodNetwork(pod *corev1.Pod, multusConfigs v2beta1.SpiderMultusConfigList) error {
+	var cniType string
+	resourcesMap := make(map[string]bool, len(multusConfigs.Items))
+	for _, mc := range multusConfigs.Items {
+		// Check the consistency of CNI type
+		if cniType != "" && cniType != *mc.Spec.CniType {
+			return fmt.Errorf("spidermultusconfig %s/%s cniType %s is not consistent with %s", mc.Namespace, mc.Name, *mc.Spec.CniType, cniType)
+		} else {
+			// If it's the first time setting, or consistent with the previous
+			// type, update cniType
+			cniType = *mc.Spec.CniType
+		}
+
+		// Update the pod's network attachment
+		if networks, ok := pod.Annotations[constant.MultusNetworkAttachmentAnnot]; !ok {
+			pod.Annotations[constant.MultusNetworkAttachmentAnnot] = fmt.Sprintf("%s/%s", mc.Namespace, mc.Name)
+		} else {
+			pod.Annotations[constant.MultusNetworkAttachmentAnnot] = networks + "," + fmt.Sprintf("%s/%s", mc.Namespace, mc.Name)
+		}
+
+		resourceName := multuscniconfig.ResourceName(&mc)
+		if _, ok := resourcesMap[resourceName]; !ok {
+			resourcesMap[resourceName] = false
+		}
+	}
+	InjectRdmaResourceToPod(resourcesMap, pod)
+	return nil
+}
+
+// injectRdmaResourceToPod injects RDMA resources into the pod's containers.
+// It checks each container for existing resource requests/limits and updates
+// the resourceMap accordingly. If a resource is not found in any container,
+// it is injected into the first container's resource requests.
+//
+// Parameters:
+//   - resourceMap: A map of resource names to boolean values indicating if they've been found
+//   - pod: A pointer to the corev1.Pod object to be updated
+func InjectRdmaResourceToPod(resourceMap map[string]bool, pod *corev1.Pod) {
+	for _, c := range pod.Spec.Containers {
+		for resource := range resourceMap {
+			if resourceMap[resource] {
+				// the resource has found in pod, skip
+				continue
+			}
+
+			// try to find the resource in container resources.requests
+			if _, ok := c.Resources.Requests[corev1.ResourceName(resource)]; ok {
+				resourceMap[resource] = true
+			} else {
+				if _, ok := c.Resources.Limits[corev1.ResourceName(resource)]; ok {
+					resourceMap[resource] = true
+				}
+			}
+		}
+	}
+
+	for resource, found := range resourceMap {
+		if !found {
+			// inject the resource to the pod.containers[0].resources.requests
+			pod.Spec.Containers[0].Resources.Requests[corev1.ResourceName(resource)] = k8s_resource.MustParse("1")
+		}
+	}
+}
+
+// initPodMutatingWebhook initializes a mutating webhook for pods based on a template webhook.
+// It sets up the webhook configuration including name, admission review versions, failure policy,
+// object selector, client config, and rules for pod creation and update operations.
+//
+// Parameters:
+//   - from: An admissionregistrationv1.MutatingWebhook object to use as a template
+//
+// Returns:
+//   - A new admissionregistrationv1.MutatingWebhook object configured for pod mutation
+func initPodMutatingWebhook(from admissionregistrationv1.MutatingWebhook) admissionregistrationv1.MutatingWebhook {
+	wb := admissionregistrationv1.MutatingWebhook{
+		Name:                    constant.PodMutatingWebhookName,
+		AdmissionReviewVersions: from.AdmissionReviewVersions,
+		FailurePolicy:           ptr.To(admissionregistrationv1.Fail),
+		ObjectSelector: &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      constant.LabelMutatingPodWebhook,
+					Operator: metav1.LabelSelectorOpExists,
+				},
+			},
+		},
+		ClientConfig: admissionregistrationv1.WebhookClientConfig{
+			CABundle: from.ClientConfig.CABundle,
+		},
+		Rules: []admissionregistrationv1.RuleWithOperations{
+			{
+				Operations: []admissionregistrationv1.OperationType{
+					admissionregistrationv1.Create,
+					admissionregistrationv1.Update,
+				},
+				Rule: admissionregistrationv1.Rule{
+					APIGroups:   []string{""},
+					APIVersions: []string{"v1"},
+					Resources:   []string{"pods"},
+				},
+			},
+		},
+	}
+
+	if from.ClientConfig.Service != nil {
+		wb.ClientConfig.Service = &admissionregistrationv1.ServiceReference{
+			Name:      from.ClientConfig.Service.Name,
+			Namespace: from.ClientConfig.Service.Namespace,
+			Port:      from.ClientConfig.Service.Port,
+			// format: /mutate-<group>-<apiVersion>-<resource>
+			Path: ptr.To("/mutate--v1-pod"),
+		}
+	}
+	return wb
+}
+
+// addPodMutatingWebhook updates the MutatingWebhookConfiguration for pods.
+// It retrieves the existing configuration, adds a new webhook for pods,
+// and updates the configuration in the Kubernetes API server.
+func addPodMutatingWebhook(client client.Client, mutatingWebhookName string) error {
+	var mwc admissionregistrationv1.MutatingWebhookConfiguration
+	err := client.Get(context.TODO(), types.NamespacedName{Name: mutatingWebhookName}, &mwc)
+	if err != nil {
+		return fmt.Errorf("failed to get MutatingWebhookConfiguration: %v", err)
+	}
+
+	if len(mwc.Webhooks) == 0 {
+		return fmt.Errorf("no any mutating webhook found in MutatingWebhookConfiguration %s", mutatingWebhookName)
+	}
+
+	podWebhook := initPodMutatingWebhook(*mwc.Webhooks[0].DeepCopy())
+	mwc.Webhooks = append(mwc.Webhooks, podWebhook)
+
+	err = client.Update(context.TODO(), &mwc)
+	if err != nil {
+		return fmt.Errorf("failed to update MutatingWebhookConfiguration %s: %v", mutatingWebhookName, err)
+	}
+
+	return nil
+}
+
+// RemovePodMutatingWebhook removes the mutating webhook for pods.
+// It retrieves the existing configuration, removes the webhook for pods,
+// and updates the configuration in the Kubernetes API server.
+func RemovePodMutatingWebhook(client client.Client, mutatingWebhookName string) error {
+	var mwc admissionregistrationv1.MutatingWebhookConfiguration
+	err := client.Get(context.TODO(), types.NamespacedName{Name: mutatingWebhookName}, &mwc)
+	if err != nil {
+		return fmt.Errorf("failed to get MutatingWebhookConfiguration: %v", err)
+	}
+
+	var newWebhooks []admissionregistrationv1.MutatingWebhook
+	for _, wb := range mwc.Webhooks {
+		if wb.Name != constant.PodMutatingWebhookName {
+			newWebhooks = append(newWebhooks, wb)
+		}
+	}
+
+	if len(newWebhooks) == len(mwc.Webhooks) {
+		return nil
+	}
+
+	mwc.Webhooks = newWebhooks
+	err = client.Update(context.TODO(), &mwc)
+	if err != nil {
+		return fmt.Errorf("failed to update MutatingWebhookConfiguration %s: %v", mutatingWebhookName, err)
+	}
+	return nil
+}
diff --git a/pkg/podmanager/utils_test.go b/pkg/podmanager/utils_test.go
index b91c7f8c50..1e7b2b833d 100644
--- a/pkg/podmanager/utils_test.go
+++ b/pkg/podmanager/utils_test.go
@@ -6,6 +6,8 @@ package podmanager_test
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"github.com/spidernet-io/spiderpool/pkg/constant"
+	"github.com/spidernet-io/spiderpool/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
@@ -75,4 +77,106 @@ var _ = Describe("PodManager utils", Label("pod_manager_utils_test"), func() {
 			Expect(isAlive).To(BeTrue())
 		})
 	})
+
+	Describe("Test injectPodNetwork", func() {
+		var pod *corev1.Pod
+		var multusConfigs v2beta1.SpiderMultusConfigList
+
+		BeforeEach(func() {
+			pod = &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-pod",
+					Namespace:   "default",
+					Annotations: make(map[string]string),
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: "test-container",
+							Resources: corev1.ResourceRequirements{
+								Requests: corev1.ResourceList{},
+								Limits:   corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			}
+		})
+
+		It("should successfully inject network configuration", func() {
+			multusConfigs = v2beta1.SpiderMultusConfigList{
+				Items: []v2beta1.SpiderMultusConfig{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "config1",
+							Namespace: "default",
+						},
+						Spec: v2beta1.MultusCNIConfigSpec{
+							CniType: ptr.To("macvlan"),
+							MacvlanConfig: &v2beta1.SpiderMacvlanCniConfig{
+								EnableRdma:       true,
+								RdmaResourceName: "spidernet.io/rdma-resource1",
+							},
+						},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "config2",
+							Namespace: "default",
+						},
+						Spec: v2beta1.MultusCNIConfigSpec{
+							CniType: ptr.To("macvlan"),
+							MacvlanConfig: &v2beta1.SpiderMacvlanCniConfig{
+								EnableRdma:       true,
+								RdmaResourceName: "spidernet.io/rdma-resource2",
+							},
+						},
+					},
+				},
+			}
+			err := podmanager.InjectPodNetwork(pod, multusConfigs)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(pod.Annotations[constant.MultusNetworkAttachmentAnnot]).To(Equal("default/config1,default/config2"))
+
+			Expect(pod.Spec.Containers[0].Resources.Requests).To(HaveKey(corev1.ResourceName("spidernet.io/rdma-resource1")))
+			Expect(pod.Spec.Containers[0].Resources.Requests).To(HaveKey(corev1.ResourceName("spidernet.io/rdma-resource2")))
+		})
+
+		It("should return an error when CNI types are inconsistent", func() {
+			multusConfigs = v2beta1.SpiderMultusConfigList{
+				Items: []v2beta1.SpiderMultusConfig{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "config1",
+							Namespace: "default",
+						},
+						Spec: v2beta1.MultusCNIConfigSpec{
+							CniType: ptr.To("macvlan"),
+							MacvlanConfig: &v2beta1.SpiderMacvlanCniConfig{
+								EnableRdma:       true,
+								RdmaResourceName: "spidernet.io/rdma-resource1",
+							},
+						},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "config2",
+							Namespace: "default",
+						},
+						Spec: v2beta1.MultusCNIConfigSpec{
+							CniType: ptr.To("ipvlan"),
+							IPVlanConfig: &v2beta1.SpiderIPvlanCniConfig{
+								EnableRdma:       true,
+								RdmaResourceName: "spidernet.io/rdma-resource2",
+							},
+						},
+					},
+				},
+			}
+
+			err := podmanager.InjectPodNetwork(pod, multusConfigs)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("cniType ipvlan is not consistent with macvlan"))
+		})
+	})
 })
diff --git a/test/Makefile b/test/Makefile
index ae3323cdb7..e8eee205db 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -338,6 +338,7 @@ setup_spiderpool:
 			HELM_OPTION+=" --set clusterDefaultPool.ipv4IPRanges={$${ipv4_ip_range}} --set clusterDefaultPool.ipv6IPRanges={$${ipv6_ip_range}}" ; \
 			HELM_OPTION+=" --set ipam.enableIPv4=true --set ipam.enableIPv6=true" ; \
 		fi ; \
+		HELM_OPTION+=" --set spiderpoolController.enablePodNetworkResource=true " ; \
 		HELM_OPTION+=" --set spiderpoolAgent.prometheus.enabled=true --set spiderpoolController.prometheus.enabled=true " ; \
 		HELM_OPTION+=" --set spiderpoolAgent.prometheus.enabledDebugMetric=true --set spiderpoolController.prometheus.enabledDebugMetric=true " ; \
 		if [ -n "$(PYROSCOPE_LOCAL_PORT)" ] ; then \
diff --git a/test/doc/podwebhook.md b/test/doc/podwebhook.md
new file mode 100644
index 0000000000..e3c9ed63e9
--- /dev/null
+++ b/test/doc/podwebhook.md
@@ -0,0 +1,5 @@
+# E2E Cases for Pod Webhook
+
+| Case ID | Title                                                                             | Priority | Smoke | Status | Other |
+| ------- | --------------------------------------------------------------------------------- | -------- | ----- | ------ | ----- |
+| H00001  | test pod webhook auto inject resource to pod                                     | p1       | true  |  done  |       |
diff --git a/test/e2e/podwebhook/podwebhook_suite_test.go b/test/e2e/podwebhook/podwebhook_suite_test.go
new file mode 100644
index 0000000000..66cd0363b6
--- /dev/null
+++ b/test/e2e/podwebhook/podwebhook_suite_test.go
@@ -0,0 +1,26 @@
+package podwebhook_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	e2e "github.com/spidernet-io/e2eframework/framework"
+	spiderpool "github.com/spidernet-io/spiderpool/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func TestPodwebhook(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Podwebhook Suite")
+}
+
+var frame *e2e.Framework
+
+var _ = BeforeSuite(func() {
+	defer GinkgoRecover()
+	var e error
+	frame, e = e2e.NewFramework(GinkgoT(), []func(*runtime.Scheme) error{spiderpool.AddToScheme})
+	Expect(e).NotTo(HaveOccurred())
+})
diff --git a/test/e2e/podwebhook/podwebhook_test.go b/test/e2e/podwebhook/podwebhook_test.go
new file mode 100644
index 0000000000..b0153ca247
--- /dev/null
+++ b/test/e2e/podwebhook/podwebhook_test.go
@@ -0,0 +1,107 @@
+package podwebhook_test
+
+import (
+	"fmt"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/spidernet-io/spiderpool/pkg/constant"
+	"github.com/spidernet-io/spiderpool/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1"
+	"github.com/spidernet-io/spiderpool/test/e2e/common"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+)
+
+var _ = Describe("Podwebhook", func() {
+	var namespace string
+
+	BeforeEach(func() {
+		// create namespace
+		namespace = "ns-" + common.GenerateString(10, true)
+		err := frame.CreateNamespaceUntilDefaultServiceAccountReady(namespace, common.ServiceAccountReadyTimeout)
+		Expect(err).NotTo(HaveOccurred())
+
+		DeferCleanup(func() {
+			if CurrentSpecReport().Failed() {
+				GinkgoWriter.Println("If the use case fails, the cleanup step will be skipped")
+				return
+			}
+
+			err := frame.DeleteNamespace(namespace)
+			Expect(err).NotTo(HaveOccurred(), "Failed to delete namespace %v")
+		})
+	})
+
+	Context("Test inject pod network resources", func() {
+		It("Test inject pod network resources", Label("H00001"), func() {
+
+			// Define multus cni NetworkAttachmentDefinition and create
+			createNad := func(name string) *v2beta1.SpiderMultusConfig {
+				return &v2beta1.SpiderMultusConfig{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      name,
+						Namespace: namespace,
+						Labels: map[string]string{
+							"multus.spidernet.io/auto-inject1": "",
+						},
+					},
+					Spec: v2beta1.MultusCNIConfigSpec{
+						CniType: ptr.To(constant.MacvlanCNI),
+						MacvlanConfig: &v2beta1.SpiderMacvlanCniConfig{
+							Master:           []string{common.NIC1},
+							EnableRdma:       true,
+							RdmaResourceName: "spidernet.io/rdma_resource" + "_" + name,
+						},
+					},
+				}
+			}
+
+			By("Create spiderMultusConfig: nad1 for testing")
+			Expect(frame.CreateSpiderMultusInstance(createNad("nad1"))).NotTo(HaveOccurred())
+			By("Create spiderMultusConfig: nad2 for testing")
+			Expect(frame.CreateSpiderMultusInstance(createNad("nad2"))).NotTo(HaveOccurred())
+
+			pod := &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-pod",
+					Namespace: namespace,
+					Labels: map[string]string{
+						constant.LabelMutatingPodWebhook: "multus.spidernet.io/auto-inject1",
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:            "samplepod",
+							Image:           "alpine",
+							ImagePullPolicy: "IfNotPresent",
+							Command:         []string{"/bin/ash", "-c", "while true; do echo 'HTTP/1.1 200 OK Hello, World!' | nc -l -p 80; done"},
+							Ports: []corev1.ContainerPort{
+								{
+									Name:          "samplepod",
+									ContainerPort: 80,
+								},
+							},
+						},
+					},
+				},
+			}
+
+			By("Create Pod for testing network resources inject")
+			err := frame.CreatePod(pod)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Check pod network annotations and resources")
+			p, err := frame.GetPod(pod.Name, pod.Namespace)
+			Expect(err).NotTo(HaveOccurred(), "failed to get pod: %v", err)
+
+			GinkgoWriter.Printf("Pod annotations: %v\n", p.Annotations)
+			GinkgoWriter.Printf("Pod resources: %v\n", p.Spec.Containers[0].Resources.Requests)
+			Expect(p.Annotations[constant.MultusNetworkAttachmentAnnot]).To(Equal(fmt.Sprintf("%s/%s,%s/%s", namespace, "nad1", namespace, "nad2")))
+			Expect(p.Spec.Containers[0].Resources.Requests).To(HaveKey(corev1.ResourceName("spidernet.io/rdma_resource_nad1")))
+			Expect(p.Spec.Containers[0].Resources.Requests).To(HaveKey(corev1.ResourceName("spidernet.io/rdma_resource_nad2")))
+		})
+	})
+})