diff --git a/helm/git-clone-operator/templates/mutatingwebhookconfiguration.yaml b/helm/git-clone-operator/templates/mutatingwebhookconfiguration.yaml
index b36c12b..4b7ac35 100644
--- a/helm/git-clone-operator/templates/mutatingwebhookconfiguration.yaml
+++ b/helm/git-clone-operator/templates/mutatingwebhookconfiguration.yaml
@@ -13,7 +13,7 @@ metadata:
         {{- include "git-clone-operator.labels" . | nindent 8 }}
 webhooks:
     - name: {{ include "git-clone-operator.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
-      failurePolicy: Ignore  # do not block whole cluster
+      failurePolicy: {{ .Value.webhook.failurePolicy }}
       {{- if .Values.onlyLabelledNamespaces }}
       namespaceSelector:
           matchLabels:
diff --git a/helm/git-clone-operator/values.yaml b/helm/git-clone-operator/values.yaml
index 6959bf9..263c31b 100644
--- a/helm/git-clone-operator/values.yaml
+++ b/helm/git-clone-operator/values.yaml
@@ -19,6 +19,9 @@ podSecurityContext:
     fsGroup: 65161
     runAsNonRoot: true
 
+webhook:
+    failurePolicy: Fail
+
 serviceAccount:
     create: true
     name: git-clone-operator-sa