diff --git a/cmd/webhook/app/BUILD.bazel b/cmd/webhook/app/BUILD.bazel
index 298a5786d..fa9509908 100644
--- a/cmd/webhook/app/BUILD.bazel
+++ b/cmd/webhook/app/BUILD.bazel
@@ -16,6 +16,7 @@ go_library(
         "//pkg/webhook/server/tls:go_default_library",
         "@com_github_go_logr_logr//:go_default_library",
         "@com_github_spf13_cobra//:go_default_library",
+        "@io_k8s_client_go//kubernetes:go_default_library",
         "@io_k8s_client_go//tools/clientcmd:go_default_library",
     ],
 )
diff --git a/cmd/webhook/app/options/options.go b/cmd/webhook/app/options/options.go
index 60f756d1a..ac4381398 100644
--- a/cmd/webhook/app/options/options.go
+++ b/cmd/webhook/app/options/options.go
@@ -46,7 +46,8 @@ type WebhookOptions struct {
 	// Optional path to the kubeconfig used to connect to the apiserver when
 	// using the 'dynamic serving' certificate sources.
 	// If not specified, in cluster config will be used.
-	Kubeconfig string
+	Kubeconfig string
+	APIServerHost string
 	// TLSCipherSuites is the list of allowed cipher suites for the server.
 	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
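Review bot: The new `APIServerHost` field in `WebhookOptions` has no doc comment, and because it is placed directly under the comment block that starts "Optional path to the kubeconfig…", a reader will take that text as describing both fields. Add a comment on the new field that states its relationship to `Kubeconfig`, e.g. `// APIServerHost is an optional apiserver address; it is passed alongside Kubeconfig to clientcmd.BuildConfigFromFlags and, if set, overrides the server in the kubeconfig. Leave empty to use the kubeconfig or in-cluster config.` — the override semantics are client-go's, so confirm the wording against the clientcmd docs. The `WebhookOptions` struct starts and ends outside this hunk.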
@@ -67,6 +68,9 @@ func (o *WebhookOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.DynamicServingCASecretName, "dynamic-serving-ca-secret-name", "", "name of the secret used to store the CA that signs serving certificates certificates")
 	fs.StringSliceVar(&o.DynamicServingDNSNames, "dynamic-serving-dns-names", []string{""}, "DNS names that should be present on certificates generated by the dynamic serving CA")
 	fs.StringVar(&o.Kubeconfig, "kubeconfig", "", "optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used")
+	fs.StringVar(&o.APIServerHost, "master", "", ""+
+		"Optional apiserver host address to connect to. If not specified, autoconfiguration "+
+		"will be attempted.")
 	tlsCipherPossibleValues := cliflag.TLSCipherPossibleValues()
 	fs.StringSliceVar(&o.TLSCipherSuites, "tls-cipher-suites", o.TLSCipherSuites,
diff --git a/cmd/webhook/app/webhook.go b/cmd/webhook/app/webhook.go
index bb6497399..008726959 100644
--- a/cmd/webhook/app/webhook.go
+++ b/cmd/webhook/app/webhook.go
@@ -22,6 +22,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"github.com/jetstack/cert-manager/cmd/webhook/app/options"
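Review bot: The help text for the new `--master` flag does not say how it interacts with `--kubeconfig`, and its wording ("autoconfiguration will be attempted") is inconsistent with the `--kubeconfig` help one line above ("in-cluster-config will be used") even though, per the call in webhook.go, both values feed the same `clientcmd.BuildConfigFromFlags` call. As far as I recall client-go's behaviour, a non-empty master URL with an empty kubeconfig path yields a rest.Config carrying only the host — no client credentials and no kubeconfig-pinned CA — which is worth stating so operators do not point the webhook at an apiserver with an unexpected trust setup; please confirm against the clientcmd source. Suggested text, which also drops the pointless leading `""+`: `fs.StringVar(&o.APIServerHost, "master", "", "Optional apiserver host address to connect to. Overrides the server in --kubeconfig; if neither is set, in-cluster-config will be used.")`. `AddFlags` continues outside this hunk.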
@@ -39,6 +40,18 @@ var mutationHook handlers.MutatingAdmissionHook = handlers.NewRegistryBackedMuta
 var conversionHook handlers.ConversionHook = handlers.NewSchemeBackedConverter(logf.Log, webhook.Scheme)
 func NewServerWithOptions(log logr.Logger, opts options.WebhookOptions) (*server.Server, error) {
+	restcfg, err := clientcmd.BuildConfigFromFlags(opts.APIServerHost, opts.Kubeconfig)
+	if err != nil {
+		return nil, err
+	}
+
+	cl, err := kubernetes.NewForConfig(restcfg)
+	if err != nil {
+		return nil, fmt.Errorf("error creating kubernetes client: %s", err)
+	}
+
+	webhook.ValidationRegistry = webhook.ValidationRegistry.WithSubjectAccessReviewClient(cl.AuthorizationV1().SubjectAccessReviews())
+
 	var source tls.CertificateSource
 	switch {
 	case options.FileTLSSourceEnabled(opts):
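Review bot: The two new error paths are handled inconsistently — the `BuildConfigFromFlags` error is returned bare while the `NewForConfig` error is formatted with `%s`, which flattens it and breaks `errors.Is`/`errors.As` for callers; use `return nil, fmt.Errorf("error building kubernetes rest config: %w", err)` and `return nil, fmt.Errorf("error creating kubernetes client: %w", err)`. The client is now built unconditionally, before the `switch` that selects the certificate source, so the file-based TLS path (`case options.FileTLSSourceEnabled(opts)`) appears to acquire a hard dependency on a resolvable kubeconfig or in-cluster config that the `Kubeconfig` option comment says is only needed for dynamic serving — confirm this is intended and document it, or gate the client on whether a SubjectAccessReview client is actually required. Wiring the client through `cl.AuthorizationV1().SubjectAccessReviews()` also means the webhook's identity must be allowed to create `subjectaccessreviews.authorization.k8s.io`; the RBAC change is not in this diff, so it should be checked separately. Finally, this reassigns the package-level `webhook.ValidationRegistry`, so a second call to `NewServerWithOptions` (tests, restarts) would wrap the already-wrapped registry if `WithSubjectAccessReviewClient` returns a wrapper — a local copy passed to the server would avoid that mutable global. `NewServerWithOptions` continues beyond this hunk.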