diff --git a/api/accurate/v2alpha1/subnamespace_types.go b/api/accurate/v2alpha1/subnamespace_types.go
index b6fe285..73cfeb2 100644
--- a/api/accurate/v2alpha1/subnamespace_types.go
+++ b/api/accurate/v2alpha1/subnamespace_types.go
@@ -31,8 +31,6 @@ type SubNamespaceSpec struct {
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
-// Keeping this version un-served for now
-//+kubebuilder:unservedversion
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+genclient
diff --git a/charts/accurate/templates/generated/crds.yaml b/charts/accurate/templates/generated/crds.yaml
index 53d354a..df07db7 100644
--- a/charts/accurate/templates/generated/crds.yaml
+++ b/charts/accurate/templates/generated/crds.yaml
@@ -3,14 +3,25 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ template "accurate.fullname" . }}-serving-cert'
     controller-gen.kubebuilder.io/version: v0.12.0
   labels:
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/name: accurate
+    app.kubernetes.io/name: '{{ include "accurate.name" . }}'
     app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
     helm.sh/chart: '{{ include "accurate.chart" . }}'
   name: subnamespaces.accurate.cybozu.com
 spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: '{{ template "accurate.fullname" . }}-webhook-service'
+          namespace: '{{ .Release.Namespace }}'
+          path: /convert
+      conversionReviewVersions:
+        - v1
   group: accurate.cybozu.com
   names:
     kind: SubNamespace
@@ -138,7 +149,7 @@ spec:
                   type: integer
               type: object
           type: object
-      served: false
+      served: true
       storage: false
       subresources:
         status: {}
diff --git a/cmd/accurate-controller/sub/run.go b/cmd/accurate-controller/sub/run.go
index a2025b3..2a45a4e 100644
--- a/cmd/accurate-controller/sub/run.go
+++ b/cmd/accurate-controller/sub/run.go
@@ -9,6 +9,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	accuratev1 "github.com/cybozu-go/accurate/api/accurate/v1"
+	accuratev2alpha1 "github.com/cybozu-go/accurate/api/accurate/v2alpha1"
 	"github.com/cybozu-go/accurate/controllers"
 	"github.com/cybozu-go/accurate/hooks"
 	"github.com/cybozu-go/accurate/pkg/config"
@@ -35,7 +36,10 @@ func subMain(ns, addr string, port int) error {
 		return fmt.Errorf("unable to add client-go objects: %w", err)
 	}
 	if err := accuratev1.AddToScheme(scheme); err != nil {
-		return fmt.Errorf("unable to add Accurate objects: %w", err)
+		return fmt.Errorf("unable to add Accurate v1 objects: %w", err)
+	}
+	if err := accuratev2alpha1.AddToScheme(scheme); err != nil {
+		return fmt.Errorf("unable to add Accurate v2alpha1 objects: %w", err)
 	}
 
 	cfgData, err := os.ReadFile(options.configFile)
diff --git a/cmd/kubectl-accurate/sub/util.go b/cmd/kubectl-accurate/sub/util.go
index 134a803..dba79eb 100644
--- a/cmd/kubectl-accurate/sub/util.go
+++ b/cmd/kubectl-accurate/sub/util.go
@@ -2,6 +2,7 @@ package sub
 
 import (
 	accuratev1 "github.com/cybozu-go/accurate/api/accurate/v1"
+	accuratev2alpha1 "github.com/cybozu-go/accurate/api/accurate/v2alpha1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -21,6 +22,9 @@ func makeClient(config *genericclioptions.ConfigFlags) (client.Client, error) {
 	if err := accuratev1.AddToScheme(scheme); err != nil {
 		return nil, err
 	}
+	if err := accuratev2alpha1.AddToScheme(scheme); err != nil {
+		return nil, err
+	}
 
 	return client.New(cfg, client.Options{Scheme: scheme})
 }
diff --git a/config/crd/bases/accurate.cybozu.com_subnamespaces.yaml b/config/crd/bases/accurate.cybozu.com_subnamespaces.yaml
index 34dfb01..e957791 100644
--- a/config/crd/bases/accurate.cybozu.com_subnamespaces.yaml
+++ b/config/crd/bases/accurate.cybozu.com_subnamespaces.yaml
@@ -155,7 +155,7 @@ spec:
                 type: integer
             type: object
         type: object
-    served: false
+    served: true
     storage: false
     subresources:
       status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 1df68b4..6c2cb71 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -6,4 +6,10 @@ resources:
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
+- patches/cainjection_in_subnamespaces.yaml
 - patches/fix-crd.yaml
+- patches/webhook_in_subnamespaces.yaml
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml
diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
new file mode 100644
index 0000000..c1418dd
--- /dev/null
+++ b/config/crd/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+  - kind: Service
+    version: v1
+    fieldSpecs:
+      - kind: CustomResourceDefinition
+        version: v1
+        group: apiextensions.k8s.io
+        path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+  - kind: CustomResourceDefinition
+    version: v1
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/namespace
+    create: false
+
+varReference:
+  - path: metadata/annotations
diff --git a/config/crd/patches/cainjection_in_subnamespaces.yaml b/config/crd/patches/cainjection_in_subnamespaces.yaml
new file mode 100644
index 0000000..d76d577
--- /dev/null
+++ b/config/crd/patches/cainjection_in_subnamespaces.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: subnamespaces.accurate.cybozu.com
diff --git a/config/crd/patches/webhook_in_subnamespaces.yaml b/config/crd/patches/webhook_in_subnamespaces.yaml
new file mode 100644
index 0000000..cb421b6
--- /dev/null
+++ b/config/crd/patches/webhook_in_subnamespaces.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: subnamespaces.accurate.cybozu.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: webhook-service
+          namespace: system
+          path: /convert
+      conversionReviewVersions:
+        - v1
diff --git a/config/kustomize-to-helm/overlays/crds/crd_conversion_patch.yaml b/config/kustomize-to-helm/overlays/crds/crd_conversion_patch.yaml
new file mode 100644
index 0000000..aef196b
--- /dev/null
+++ b/config/kustomize-to-helm/overlays/crds/crd_conversion_patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ template "accurate.fullname" . }}-serving-cert'
+  name: subnamespaces.accurate.cybozu.com
+spec:
+  conversion:
+    webhook:
+      clientConfig:
+        service:
+          name: '{{ template "accurate.fullname" . }}-webhook-service'
+          namespace: '{{ .Release.Namespace }}'
diff --git a/config/kustomize-to-helm/overlays/crds/kustomization.yaml b/config/kustomize-to-helm/overlays/crds/kustomization.yaml
index c85884a..d06365a 100644
--- a/config/kustomize-to-helm/overlays/crds/kustomization.yaml
+++ b/config/kustomize-to-helm/overlays/crds/kustomization.yaml
@@ -1,8 +1,8 @@
 resources:
   - ../../../crd
 
-commonLabels:
-  app.kubernetes.io/name: accurate
+patchesStrategicMerge:
+  - crd_conversion_patch.yaml
 
 components:
   - ../../components/common-labels
diff --git a/controllers/suite_test.go b/controllers/suite_test.go
index ef54451..fa7c640 100644
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -19,6 +19,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	accuratev1 "github.com/cybozu-go/accurate/api/accurate/v1"
+	accuratev2alpha1 "github.com/cybozu-go/accurate/api/accurate/v2alpha1"
 	"github.com/cybozu-go/accurate/pkg/config"
 	"github.com/cybozu-go/accurate/pkg/constants"
 	"github.com/cybozu-go/accurate/pkg/feature"
@@ -70,6 +71,8 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	err = accuratev1.AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())
+	err = accuratev2alpha1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
 
 	//+kubebuilder:scaffold:scheme
 
diff --git a/hooks/subnamespace.go b/hooks/subnamespace.go
index 3525f43..d6f4086 100644
--- a/hooks/subnamespace.go
+++ b/hooks/subnamespace.go
@@ -8,6 +8,7 @@ import (
 	"regexp"
 
 	accuratev1 "github.com/cybozu-go/accurate/api/accurate/v1"
+	accuratev2alpha1 "github.com/cybozu-go/accurate/api/accurate/v2alpha1"
 	"github.com/cybozu-go/accurate/pkg/config"
 	"github.com/cybozu-go/accurate/pkg/constants"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -15,7 +16,9 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	v1annotationvalidation "k8s.io/apimachinery/pkg/api/validation"
 	v1labelvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -137,6 +140,15 @@ func (v *subNamespaceValidator) notMatchingNamingPolicy(ctx context.Context, ns,
 
 // SetupSubNamespaceWebhook registers the webhooks for SubNamespace
 func SetupSubNamespaceWebhook(mgr manager.Manager, dec *admission.Decoder, namingPolicyRegexps []config.NamingPolicyRegexp) error {
+	for _, s := range []runtime.Object{&accuratev1.SubNamespace{}, &accuratev2alpha1.SubNamespace{}} {
+		err := ctrl.NewWebhookManagedBy(mgr).
+			For(s).
+			Complete()
+		if err != nil {
+			return err
+		}
+	}
+
 	serv := mgr.GetWebhookServer()
 
 	m := &subNamespaceMutator{
diff --git a/hooks/suite_test.go b/hooks/suite_test.go
index 37a1365..196e4f4 100644
--- a/hooks/suite_test.go
+++ b/hooks/suite_test.go
@@ -15,6 +15,7 @@ import (
 	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	//+kubebuilder:scaffold:imports
 	accuratev1 "github.com/cybozu-go/accurate/api/accurate/v1"
+	accuratev2alpha1 "github.com/cybozu-go/accurate/api/accurate/v2alpha1"
 	"github.com/cybozu-go/accurate/pkg/config"
 	"github.com/cybozu-go/accurate/pkg/indexing"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -64,6 +65,8 @@ var _ = BeforeSuite(func() {
 	scheme := runtime.NewScheme()
 	err = accuratev1.AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())
+	err = accuratev2alpha1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
 	err = clientgoscheme.AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())