diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
index fd2d5a0d797..e73b6b04732 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testing/testcase.go
@@ -601,6 +601,31 @@ func NewNonMutatingTestCases(url *url.URL) []ValidatingTest {
 			ExpectAllow:       true,
 			ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
 		},
+		{
+			Name: "skip webhook whose objectSelector does not match CRD's labels",
+			Webhooks: []registrationv1beta1.ValidatingWebhook{{
+				Name:                    "allow.example.com",
+				ClientConfig:            ccfgSVC("allow"),
+				Rules:                   matchEverythingRules,
+				NamespaceSelector:       &metav1.LabelSelector{},
+				ObjectSelector:          &metav1.LabelSelector{},
+				AdmissionReviewVersions: []string{"v1beta1"},
+			}, {
+				Name:              "shouldNotBeCalled",
+				ClientConfig:      ccfgSVC("shouldNotBeCalled"),
+				NamespaceSelector: &metav1.LabelSelector{},
+				ObjectSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"label": "nonexistent",
+					},
+				},
+				Rules:                   matchEverythingRules,
+				AdmissionReviewVersions: []string{"v1beta1"},
+			}},
+			IsCRD:             true,
+			ExpectAllow:       true,
+			ExpectAnnotations: map[string]string{"allow.example.com/key1": "value1"},
+		},
 		// No need to test everything with the url case, since only the
 		// connection is different.
 	}
@@ -727,6 +752,37 @@ func NewMutatingTestCases(url *url.URL) []MutatingTest {
 			ExpectLabels:      map[string]string{"pod.name": "my-pod"},
 			ExpectAnnotations: map[string]string{"removelabel.example.com/key1": "value1"},
 		},
+		{
+			Name: "first webhook remove labels from CRD, second webhook shouldn't be called",
+			Webhooks: []registrationv1beta1.MutatingWebhook{{
+				Name:              "removelabel.example.com",
+				ClientConfig:      ccfgSVC("removeLabel"),
+				Rules:             matchEverythingRules,
+				NamespaceSelector: &metav1.LabelSelector{},
+				ObjectSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"remove": "me",
+					},
+				},
+				AdmissionReviewVersions: []string{"v1beta1"},
+			}, {
+				Name:              "shouldNotBeCalled",
+				ClientConfig:      ccfgSVC("shouldNotBeCalled"),
+				NamespaceSelector: &metav1.LabelSelector{},
+				ObjectSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"remove": "me",
+					},
+				},
+				Rules:                   matchEverythingRules,
+				AdmissionReviewVersions: []string{"v1beta1"},
+			}},
+			IsCRD:             true,
+			ExpectAllow:       true,
+			AdditionalLabels:  map[string]string{"remove": "me"},
+			ExpectLabels:      map[string]string{"crd.name": "my-test-crd"},
+			ExpectAnnotations: map[string]string{"removelabel.example.com/key1": "value1"},
+		},
 		// No need to test everything with the url case, since only the
 		// connection is different.
 		{