diff --git a/class/defaults.yml b/class/defaults.yml
index b54eb88..1043d7c 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -17,7 +17,7 @@ parameters:
 agent:
 registry: ghcr.io
 repository: appuio/appuio-cloud-agent
- tag: v0.17.3
+ tag: v0.18.0
 secrets: {}
@@ -54,6 +54,11 @@ parameters:
 matchExpressions:
 - key: appuio.io/organization
 operator: Exists
+ patches:
+ pod-run-once-active-deadline-mutator.appuio.io:
+ _objectSelector:
+ matchExpressions: ${appuio_cloud:runOnceActiveDeadlineSeconds:podMatchExpressions}
+
 config:
 QuotaOverrideNamespace: ${appuio_cloud:namespace}
 MemoryPerCoreLimit: ${appuio_cloud:agent:resourceRatio:memoryPerCore}
@@ -80,6 +85,9 @@ parameters:
 _allowedAnnotations: ${appuio_cloud:allowedNamespaceAnnotations}
 _allowedLabels: ${appuio_cloud:allowedNamespaceLabels}
+ PodRunOnceActiveDeadlineSecondsOverrideAnnotation: ${appuio_cloud:runOnceActiveDeadlineSeconds:overrideAnnotationKey}
+ PodRunOnceActiveDeadlineSecondsDefault: ${appuio_cloud:runOnceActiveDeadlineSeconds:defaultActiveDeadlineSeconds}
+
 clusterRoles:
 namespace-owner:
 rules:
diff --git a/component/agent.jsonnet b/component/agent.jsonnet
index 6f4699b..4ba566d 100644
--- a/component/agent.jsonnet
+++ b/component/agent.jsonnet
@@ -184,6 +184,25 @@ local admissionWebhookTlsSecret =
 },
 };
+local formatWebhookObjectSelector = function(obj)
+ if std.objectHas(obj, '_objectSelector') then
+ local me = obj._objectSelector.matchExpressions;
+ obj {
+ objectSelector+: {
+ matchExpressions: std.prune([
+ if me[name] != null then
+ {
+ key: name,
+ } + me[name]
+ for name in std.objectFields(me)
+ ]),
+ },
+ _objectSelector:: null,
+ }
+ else
+ obj
+;
+
 local admissionWebhook = std.map(function(webhook) webhook {
 metadata+: {
 name: '%s-%s' % [ params.namespace, webhook.metadata.name ],
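Review bot: The `_objectSelector` patch added under `patches:` for `pod-run-once-active-deadline-mutator.appuio.io` exempts pods by label, and pod labels are chosen by whoever creates the pod, so the selector is a convenience filter rather than an enforcement boundary. The golden webhook config in this commit renders the default as `acme.cert-manager.io/http01-solver` with `DoesNotExist`, so any pod carrying that label in an organization namespace is not sent to the mutator. Kubernetes documents object selectors as suited to opt-in webhooks for this reason. I would add a comment above `patches:` such as `# NOTE: label-based exemption; the selector does not restrict who may set the exempting label`. If the deadline is meant to be mandatory, confirm that a separate validating control limits who can set that label.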
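Review bot: `formatWebhookObjectSelector` reads `obj._objectSelector.matchExpressions` unconditionally, so a patch that sets `_objectSelector` without `matchExpressions` aborts compilation with a bare missing-field error. Reading it as `local me = std.get(obj._objectSelector, 'matchExpressions', {});` would turn that case into an empty selector instead. The function also has no comment; I would add one above it stating that `matchExpressions` is an object keyed by label key, that a `null` value drops the entry, and that the hidden `_objectSelector` field is rendered into the `objectSelector.matchExpressions` list. It is worth noting there that when every entry is `null` the result is an empty list, which selects all objects.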
@@ -210,7 +229,7 @@ local admissionWebhook = std.map(function(webhook) webhook {
 )
 ) > 0
 ) then 'namespaceSelector']: params.agent.webhook.namespaceSelector,
- }
+ } + com.makeMergeable(formatWebhookObjectSelector(std.get(params.agent.webhook.patches, w.name, {})))
 for w in super.webhooks
 ],
 }, loadManifests('webhook/manifests.yaml'));
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
index 1499626..d0a7e27 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
@@ -29,6 +29,8 @@ data:
 "LegacyNamespaceQuota": 25
 "MemoryPerCoreLimit": "4Gi"
 "OrganizationLabel": "appuio.io/organization"
+ "PodRunOnceActiveDeadlineSecondsDefault": 1800
+ "PodRunOnceActiveDeadlineSecondsOverrideAnnotation": "appuio.io/active-deadline-seconds-override"
 "PrivilegedClusterRoles":
 - "cluster-admin"
 - "cluster-image-registry-operator"
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml
index eb6d001..888772a 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml
@@ -13,7 +13,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 7121f7e20ceae49ec13aed1a3ddd0472
+ checksum/config: ae18fd44fae34c4d84d9d3599cfa6a84
 kubectl.kubernetes.io/default-container: agent
 labels:
 control-plane: appuio-cloud-agent
@@ -26,7 +26,7 @@ spec:
 command:
 - appuio-cloud-agent
 env: []
- image: ghcr.io/appuio/appuio-cloud-agent:v0.17.3
+ image: ghcr.io/appuio/appuio-cloud-agent:v0.18.0
 livenessProbe:
 httpGet:
 path: /healthz
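Review bot: The lookup `std.get(params.agent.webhook.patches, w.name, {})` silently yields `{}` for any key in `patches` that matches no webhook loaded from `webhook/manifests.yaml`, so a misspelled or renamed webhook name drops the intended `objectSelector` with no build-time signal. Because the patch is merged last through `com.makeMergeable`, it also appears able to override other fields of the webhook entry, including `failurePolicy` and the `namespaceSelector` set on the line above. That deserves a comment here, for example `// patches are merged last and may override any webhook field; keys must equal the webhook name`. An assertion that every key of `params.agent.webhook.patches` equals the name of a loaded webhook would turn the silent case into a compile error. The enclosing `std.map` body starts before this hunk.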
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/10_webhook_config.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/10_webhook_config.yaml
index c188e54..107f72f 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/10_webhook_config.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/10_webhook_config.yaml
@@ -51,6 +51,36 @@ webhooks:
 resources:
 - namespaces
 sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ caBundle: 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
+ service:
+ name: webhook-service
+ namespace: appuio-cloud
+ path: /mutate-pod-run-once-active-deadline
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: pod-run-once-active-deadline-mutator.appuio.io
+ namespaceSelector:
+ matchExpressions:
+ - key: appuio.io/organization
+ operator: Exists
+ objectSelector:
+ matchExpressions:
+ - key: acme.cert-manager.io/http01-solver
+ operator: DoesNotExist
+ reinvocationPolicy: IfNeeded
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ sideEffects: None
 - admissionReviewVersions:
 - v1
 clientConfig: