diff --git a/webhooks/assign-class-label-prod/certificate.yaml b/webhooks/assign-class-label-prod/certificate.yaml
new file mode 100644
index 0000000..fb48405
--- /dev/null
+++ b/webhooks/assign-class-label-prod/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: assign-class-label-tls
+spec:
+ secretName: assign-class-label-tls
+ issuerRef:
+ name: assign-class-label-issuer
+ kind: Issuer
+ commonName: "rhods-notebooks.svc"
+ dnsNames:
+ - assign-class-label-webhook.rhods-notebooks.svc
diff --git a/webhooks/assign-class-label-prod/deployment.yaml b/webhooks/assign-class-label-prod/deployment.yaml
new file mode 100644
index 0000000..d51a2c8
--- /dev/null
+++ b/webhooks/assign-class-label-prod/deployment.yaml
@@ -0,0 +1,40 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: assign-class-label-webhook
+spec:
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app: assign-class-label-webhook
+ webhook: "true"
+ spec:
+ containers:
+ - name: assign-class-label
+ image: quay.io/rh-ee-istaplet/ope-webhooks:assign-class-label-webhook
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 443
+ volumeMounts:
+ - name: tls
+ mountPath: /certs/webhook.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: tls
+ mountPath: /certs/webhook.key
+ subPath: tls.key
+ readOnly: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ env:
+ # EDIT VALUE HERE BEFORE RUNNING, must be comma separated
+ - name: RHOAI_CLASS_GROUPS
+ value: "cs210,ds100"
+ serviceAccountName: webhook-sa
+ volumes:
+ - name: tls
+ secret:
+ secretName: assign-class-label-tls
diff --git a/webhooks/assign-class-label-prod/issuer.yaml b/webhooks/assign-class-label-prod/issuer.yaml
new file mode 100644
index 0000000..1efd34c
--- /dev/null
+++ b/webhooks/assign-class-label-prod/issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: assign-class-label-issuer
+spec:
+ selfSigned: {}
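Review bot: In certificate.yaml, `commonName: "rhods-notebooks.svc"` names the namespace domain rather than the webhook Service. Hostname verification uses the `dnsNames` entry, so the commonName is best dropped or set to `assign-class-label-webhook.rhods-notebooks.svc`. The Certificate is issued directly by the `selfSigned` Issuer added in issuer.yaml, so each renewal yields a new self-signed certificate and the `caBundle` injected into the webhook configuration is replaced with it. A self-signed root feeding a `ca` Issuer would keep the trust anchor stable across leaf renewals. `duration`, `renewBefore` and `privateKey` are left to cert-manager defaults; stating them would make the rotation schedule reviewable.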
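Review bot: In deployment.yaml, the two `subPath` mounts of the `tls` secret (`/certs/webhook.crt` and `/certs/webhook.key`) will not pick up a renewed `assign-class-label-tls`, because files mounted through `subPath` are not refreshed when the Secret changes. The pods would keep serving the old certificate until they are restarted. Mounting the secret as a directory and renaming the keys with `items` keeps the same file paths and allows updates, assuming nothing else in the image lives under `/certs` and the server re-reads the files (neither is visible here). Separately, `containerPort: 443` disagrees with `targetPort: 5000` in service.yaml, the image is referenced by a mutable tag rather than a digest, and the container has no `securityContext`. All three are worth settling for a webhook that sits in the pod-creation path.

```yaml
# … unchanged: container name, image, imagePullPolicy, ports …
          volumeMounts:
            - name: tls
              mountPath: /certs
              readOnly: true
# … unchanged: resources, env, serviceAccountName …
      volumes:
        - name: tls
          secret:
            secretName: assign-class-label-tls
            items:
              - key: tls.crt
                path: webhook.crt
              - key: tls.key
                path: webhook.key
```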
diff --git a/webhooks/assign-class-label-prod/kustomization.yaml b/webhooks/assign-class-label-prod/kustomization.yaml
new file mode 100644
index 0000000..efd305c
--- /dev/null
+++ b/webhooks/assign-class-label-prod/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: rhods-notebooks
+commonLabels:
+ app: assign-class-label-webhook
+
+resources:
+ - issuer.yaml
+ - certificate.yaml
+ - deployment.yaml
+ - service.yaml
+ - webhook-config.yaml
+ - serviceaccount.yaml
+ - role.yaml
+ - rolebinding.yaml
diff --git a/webhooks/assign-class-label-prod/role.yaml b/webhooks/assign-class-label-prod/role.yaml
new file mode 100644
index 0000000..5640af6
--- /dev/null
+++ b/webhooks/assign-class-label-prod/role.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ope-webhook-role
+rules:
+- apiGroups: ["user.openshift.io"]
+ resources: ["pods", "groups"]
+ verbs: ["get", "list", "watch", "patch"]
diff --git a/webhooks/assign-class-label-prod/rolebinding.yaml b/webhooks/assign-class-label-prod/rolebinding.yaml
new file mode 100644
index 0000000..48cebf2
--- /dev/null
+++ b/webhooks/assign-class-label-prod/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ope-webhook-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ope-webhook-role
+subjects:
+- kind: ServiceAccount
+ name: webhook-sa
+ namespace: rhods-notebooks
diff --git a/webhooks/assign-class-label-prod/service.yaml b/webhooks/assign-class-label-prod/service.yaml
new file mode 100644
index 0000000..06bd0d1
--- /dev/null
+++ b/webhooks/assign-class-label-prod/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: assign-class-label-webhook
+spec:
+ ports:
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 5000
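Review bot: In role.yaml, the rule lists `pods` under `apiGroups: ["user.openshift.io"]`, but pods belong to the core group `""`, so that entry grants nothing. Meanwhile `patch` on `groups` is granted cluster-wide to `webhook-sa` through the ClusterRoleBinding in rolebinding.yaml. Patching OpenShift groups lets the service account change group membership, which is well beyond what a webhook that presumably only reads groups to pick a label needs. If the handler only reads, the rule can be `resources: ["groups"]` with `verbs: ["get", "list", "watch"]`. A mutating webhook returns its pod patch in the AdmissionReview response and needs no RBAC on pods for that.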
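Review bot: In service.yaml, the Service has no `spec.selector` of its own and depends on `commonLabels` in kustomization.yaml to inject `app: assign-class-label-webhook`; the Deployment in deployment.yaml likewise has no `spec.selector`. Applied outside kustomize, or after moving from `commonLabels` to `labels` without `includeSelectors: true`, the Service would have no endpoints and the API server could not reach the webhook. Writing it out under `spec` as `selector:` with `app: assign-class-label-webhook` (and a matching `selector.matchLabels` on the Deployment) removes that hidden dependency.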
diff --git a/webhooks/assign-class-label-prod/serviceaccount.yaml b/webhooks/assign-class-label-prod/serviceaccount.yaml
new file mode 100644
index 0000000..86983aa
--- /dev/null
+++ b/webhooks/assign-class-label-prod/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: webhook-sa
+ namespace: rhods-notebooks
diff --git a/webhooks/assign-class-label-prod/webhook-config.yaml b/webhooks/assign-class-label-prod/webhook-config.yaml
new file mode 100644
index 0000000..978be1c
--- /dev/null
+++ b/webhooks/assign-class-label-prod/webhook-config.yaml
@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: assign-class-label-webhook
+ annotations:
+ cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls
+webhooks:
+- name: assign-class-label-webhook.rhods-notebooks.svc
+ clientConfig:
+ service:
+ namespace: rhods-notebooks
+ name: assign-class-label-webhook
+ path: /mutate
+ rules:
+ - operations: ["CREATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - rhods-notebooks
+ objectSelector:
+ matchExpressions:
+ - key: webhook
+ operator: NotIn
+ values:
+ - "true"
+ sideEffects: None
+ admissionReviewVersions: ["v1"]
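Review bot: In webhook-config.yaml, the `objectSelector` exempts every pod labelled `webhook: "true"`, and that label is chosen by whoever creates the pod in `rhods-notebooks`, so the class label is not guaranteed on all pods in the namespace. If anything downstream relies on the label, the exemption should not depend on a value the pod author controls. Running the webhook Deployment in a namespace outside the `namespaceSelector` would remove the need for the exemption. `failurePolicy` and `timeoutSeconds` are left to the v1 defaults (`Fail` and 10 seconds), so an unavailable webhook blocks pod creation in the namespace. Writing the intended values explicitly, for example `failurePolicy: Fail` and `timeoutSeconds: 5`, makes that trade-off a visible decision.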