diff --git a/develop/webhook/.gitignore b/develop/webhook/.gitignore
new file mode 100644
index 0000000..0ef4850
--- /dev/null
+++ b/develop/webhook/.gitignore
@@ -0,0 +1,5 @@
+certificates/*
+
+prepare-certificate.yaml
+validating-webhook-configuration.yaml
+launch.json
\ No newline at end of file
diff --git a/develop/webhook/0.prepare-certificates.yaml.tmpl b/develop/webhook/0.prepare-certificates.yaml.tmpl
new file mode 100644
index 0000000..bfea766
--- /dev/null
+++ b/develop/webhook/0.prepare-certificates.yaml.tmpl
@@ -0,0 +1,59 @@
+# Install cert-manager.io: https://cert-manager.io/docs/installation/
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: my-selfsigned-ca
+ namespace: kube-system
+spec:
+ isCA: true
+ commonName: my-selfsigned-ca
+ secretName: root-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: my-ca-issuer
+ namespace: kube-system
+spec:
+ ca:
+ secretName: root-secret
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: serving-cert
+ namespace: kube-system
+spec:
+ dnsNames:
+ - bigip-kubernetes-gateway-webhook.kube-system.svc
+ - bigip-kubernetes-gateway-webhook.kube-system.svc.cluster.local
+ ipAddresses:
+ - 127.0.0.1
+ - 0.0.0.0
+ - ${local_host_ipaddr}
+ issuerRef:
+ kind: Issuer
+ name: my-ca-issuer
+ secretName: webhook-server-cert
\ No newline at end of file
diff --git a/develop/webhook/1.validating-webhook-configuration.yaml.tmpl b/develop/webhook/1.validating-webhook-configuration.yaml.tmpl
new file mode 100644
index 0000000..f246975
--- /dev/null
+++ b/develop/webhook/1.validating-webhook-configuration.yaml.tmpl
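Review bot: `0.0.0.0` under `ipAddresses` in the `serving-cert` Certificate never matches an address a client actually dials, so it contributes nothing to TLS verification; remove that entry and keep `127.0.0.1` and `${local_host_ipaddr}`, the two addresses the `clientConfig.url` in `1.validating-webhook-configuration.yaml.tmpl` can point at. The `dnsNames` for the in-cluster Service are unused as long as the webhook configuration uses `url` rather than `service`; a comment such as `# dnsNames cover the in-cluster Service; ipAddresses cover the developer host reached via clientConfig.url` would record why both sets are present. The README added in this commit refers to this file as `0.prepare-cerfitifcate.yaml.tmpl`, which does not match the path `0.prepare-certificates.yaml.tmpl` added here.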
@@ -0,0 +1,91 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: kube-system/my-selfsigned-ca
+webhooks:
+ - admissionReviewVersions:
+ - v1beta1
+ - v1
+ clientConfig:
+ # service:
+ # name: webhook-service
+ # namespace: system
+ url: "https://${local_host_ipaddr}:9443/validate-gateway-networking-k8s-io-v1beta1-gatewayclass"
+ failurePolicy: Fail
+ name: vgwc.kb.io
+ rules:
+ - apiGroups:
+ - gateway.networking.k8s.io
+ apiVersions:
+ - v1beta1
+ operations: ["*"]
+ resources:
+ - gatewayclasses
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1beta1
+ - v1
+ clientConfig:
+ service:
+ # name: bigip-kubernetes-gateway
+ # namespace: kube-system
+ # path: /validate-gateway-networking-k8s-io-v1beta1-gateway
+ # port: 9443
+ url: "https://${local_host_ipaddr}:9443/validate-gateway-networking-k8s-io-v1beta1-gateway"
+ failurePolicy: Fail
+ name: vgw.kb.io
+ rules:
+ - apiGroups:
+ - gateway.networking.k8s.io
+ apiVersions:
+ - v1beta1
+ operations: ["*"]
+ resources:
+ - gateways
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1beta1
+ - v1
+ clientConfig:
+ # service:
+ # name: bigip-kubernetes-gateway
+ # namespace: kube-system
+ # path: /validate-gateway-networking-k8s-io-v1beta1-httproute
+ # port: 9443
+ url: "https://${local_host_ipaddr}:9443/validate-gateway-networking-k8s-io-v1beta1-httproute"
+ failurePolicy: Fail
+ name: vhr.kb.io
+ rules:
+ - apiGroups:
+ - gateway.networking.k8s.io
+ apiVersions:
+ - v1beta1
+ operations: ["*"]
+ resources:
+ - httproutes
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1beta1
+ - v1
+ clientConfig:
+ # service:
+ # name: bigip-kubernetes-gateway
+ # namespace: kube-system
+ # path: /validate-gateway-networking-k8s-io-v1beta1-referencegrant
+ # port: 9443
+ url: 
"https://${local_host_ipaddr}:9443/validate-gateway-networking-k8s-io-v1beta1-referencegrant"
+ failurePolicy: Fail
+ name: vrg.kb.io
+ rules:
+ - apiGroups:
+ - gateway.networking.k8s.io
+ apiVersions:
+ - v1beta1
+ operations: ["*"]
+ resources:
+ - referencegrants
+ sideEffects: None
diff --git a/develop/webhook/2.vscode-launch.json.tmpl b/develop/webhook/2.vscode-launch.json.tmpl
new file mode 100644
index 0000000..9989335
--- /dev/null
+++ b/develop/webhook/2.vscode-launch.json.tmpl
@@ -0,0 +1,19 @@
+{
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "GO: Launch webhook program",
+ "type": "go",
+ "request": "launch",
+ "mode": "auto",
+ "program": "\${workspaceFolder}/cmd/webhook",
+ "args": [
+ "--controller-name", "f5.io/gateway-controller-name",
+ "--log-level", "trace",
+ "--certificate-directory", "\${workspaceFolder}/develop/webhook/certificates",
+ "--kubeconfig", "${kube_config}",
+ "--validates", "gateway.gatewayClassName,gateway.listeners.tls.certificateRefs,httproute.parentRefs,httproute.rules.backendRefs"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/develop/webhook/README.md b/develop/webhook/README.md
new file mode 100644
index 0000000..b98a848
--- /dev/null
+++ b/develop/webhook/README.md
@@ -0,0 +1,17 @@
+This guide aims to make it clear how to develop bigip-kubernetes-gateway-webhook program.
+
+Refer to `setup-webhook-dev.sh` for more details.
+
+Basically, it setup 3 things for developing webhook program:
+
+* create the webhook server crt/key via cert-manager.io, see `0.prepare-cerfitifcate.yaml.tmpl` for detail.
+
+* create the webhook validating configuration, see `1.validating-webhook-configuration.yaml.tmpl` for detail.
+
+* create the vscode `launch.json` for debugging.
+
+During the process, variables are needed:
+
+* `local_host_ipaddr`: the callback IP address for webhook API.
+
+* `kube_config`: the kubeconfig file for accessing kubernetes API.
\ No newline at end of file
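Review bot: `failurePolicy: Fail` on all four webhooks, combined with `clientConfig.url` pointing at a developer host, means that whenever that host's webhook is unreachable every create, update and delete of GatewayClass, Gateway, HTTPRoute and ReferenceGrant in the cluster is rejected, which in a shared development cluster blocks everyone else; for this dev template `failurePolicy: Ignore` together with an explicit `timeoutSeconds` (for example `timeoutSeconds: 5`) is the safer default, with `Fail` kept for the deployed configuration. The second webhook (`vgw.kb.io`) leaves `service:` uncommented while all of its children are commented out, so its `clientConfig` carries an empty `service` key beside `url`, whereas the other three entries comment out `# service:`; comment it out there too for consistency. `admissionReviewVersions` lists `v1beta1` before `v1`, and since the order expresses preference, putting `v1` first selects the GA review version. The `url` of the fourth webhook is split across two physical lines in this view; I assume it is a single line in the file.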
diff --git a/develop/webhook/setup-webhook-dev.sh b/develop/webhook/setup-webhook-dev.sh
new file mode 100755
index 0000000..6da59a7
--- /dev/null
+++ b/develop/webhook/setup-webhook-dev.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+local_host_ipaddr=10.250.64.107
+kube_config=/Users/zong/.kube/config
+
+k="kubectl --kubeconfig $kube_config"
+
+eval "cat < prepare-certificate.yaml
+
+$k apply -f prepare-certificate.yaml
+if [ $? -ne 0 ]; then
+echo "Error: Failed to create certificate"
+exit 1;
+fi
+
+while true; do
+$k get secret/webhook-server-cert -n kube-system;
+if [ $? -eq 0 ]; then break; fi
+echo "waiting for secret webhook-server-cert ready"; sleep 1;
+done
+
+$k get secret webhook-server-cert -n kube-system -o json | jq '.data["tls.crt"]' | tr -d '"' | base64 -d > certificates/tls.crt
+$k get secret webhook-server-cert -n kube-system -o json | jq '.data["tls.key"]' | tr -d '"' | base64 -d > certificates/tls.key
+
+
+eval "cat < validating-webhook-configuration.yaml
+
+$k apply -f validating-webhook-configuration.yaml
+
+
+eval "cat < launch.json
+
+echo "Copy the launch.json to .vscode folder in the project root folder"
\ No newline at end of file
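Review bot: `local_host_ipaddr=10.250.64.107` and `kube_config=/Users/zong/.kube/config` are one developer's values committed into a shared script, and `certificates/tls.key` — the webhook's serving private key copied out of the `webhook-server-cert` secret — is written with the default umask into a directory the script never creates (`.gitignore` lists `certificates/*`, so a fresh clone has no such directory and the redirect fails). Read the two variables from the environment, `mkdir -p certificates` before extracting, and `chmod 600 certificates/tls.key` afterwards. `jq -r` makes the `tr -d '"'` step unnecessary, and `set -euo pipefail` turns the unchecked `apply -f validating-webhook-configuration.yaml` and any failed pipeline into hard errors; the polling loop then needs an `until` form so a not-yet-present secret does not abort the script. The three `eval "cat <` lines appear truncated in this view (the hunk header counts 42 lines but fewer are visible), presumably a heredoc body that did not survive rendering, so the template-rendering step itself is not reviewed here; `envsubst` would be the usual way to expand `${local_host_ipaddr}` and `${kube_config}` without `eval`.
```shell
#!/bin/bash
set -euo pipefail

# Developer-specific values come from the environment rather than the repository.
local_host_ipaddr="${LOCAL_HOST_IPADDR:?set LOCAL_HOST_IPADDR to the address the API server reaches this host on}"
kube_config="${KUBECONFIG:-$HOME/.kube/config}"

k="kubectl --kubeconfig $kube_config"

# … unchanged: render prepare-certificate.yaml and apply it …

until $k get secret/webhook-server-cert -n kube-system >/dev/null 2>&1; do
    echo "waiting for secret webhook-server-cert ready"; sleep 1
done

# The directory is git-ignored and so absent on a fresh clone; tls.key is the serving private key.
mkdir -p certificates
$k get secret webhook-server-cert -n kube-system -o json | jq -r '.data["tls.crt"]' | base64 -d > certificates/tls.crt
$k get secret webhook-server-cert -n kube-system -o json | jq -r '.data["tls.key"]' | base64 -d > certificates/tls.key
chmod 600 certificates/tls.key

# … unchanged: render and apply validating-webhook-configuration.yaml, render launch.json …
```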