diff --git a/cmd/fpga_admissionwebhook/README.md b/cmd/fpga_admissionwebhook/README.md
index b4f79565..16451f67 100644
--- a/cmd/fpga_admissionwebhook/README.md
+++ b/cmd/fpga_admissionwebhook/README.md
@@ -39,6 +39,14 @@ Then run the script `scripts/webhook-deploy.sh`.
     Register webhook
     mutatingwebhookconfiguration "fpga-mutator-webhook-cfg" created
 
+By default the script deploys the webhook in the preprogrammed mode (when
+requested FPGA resources get translated to AF resources, e.g.
+"intel.com/fpga-arria10-nlb0" -> "intel.com/fpga-af-d8424dc4a4a3c413f89e433683f9040b").
+You can command the script to deploy the webhook in the orchestrated mode with
+the option `--mode`.
+
+    $ ./scripts/webhook-deploy.sh --mode orchestrated
+
 Please note that the script needs the CA bundle used for signing cerificate
 requests in your cluster. By default it fetches the bundle stored
 in the configmap `extension-apiserver-authentication`. But it may differ from
diff --git a/deployments/fpga_admissionwebhook/deployment.yaml b/deployments/fpga_admissionwebhook/deployment-tpl.yaml
similarity index 97%
rename from deployments/fpga_admissionwebhook/deployment.yaml
rename to deployments/fpga_admissionwebhook/deployment-tpl.yaml
index 058695d6..05549a1b 100644
--- a/deployments/fpga_admissionwebhook/deployment.yaml
+++ b/deployments/fpga_admissionwebhook/deployment-tpl.yaml
@@ -20,6 +20,7 @@ spec:
           args:
             - -tls-cert-file=/etc/webhook/certs/cert.pem
             - -tls-private-key-file=/etc/webhook/certs/key.pem
+            - -mode={MODE}
             - -alsologtostderr
             - -v=2
             - 2>&1
diff --git a/scripts/webhook-deploy.sh b/scripts/webhook-deploy.sh
index ba05813a..cc1d3f1a 100755
--- a/scripts/webhook-deploy.sh
+++ b/scripts/webhook-deploy.sh
@@ -16,11 +16,21 @@ while [[ $# -gt 0 ]]; do
 	    cabundlepath="$2"
             shift
             ;;
+	--mode)
+	    mode="$2"
+            shift
+            ;;
     esac
     shift
 done
 
 [ -z ${kubectl} ] && kubectl="kubectl"
+[ -z ${mode} ] && mode="preprogrammed"
+
+if [ "x${mode}" != "xpreprogrammed" -a "x${mode}" != "xorchestrated" ]; then
+    echo "ERROR: supported modes are 'preprogrammed' and 'orchestrated'"
+    exit 1
+fi
 
 if [ -z ${cabundlepath} ]; then
     CA_BUNDLE=$(${kubectl} get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 -w 0)
@@ -32,7 +42,7 @@ echo "Create secret including signed key/cert pair for the webhook"
 ${srcroot}/scripts/webhook-create-signed-cert.sh --kubectl ${kubectl}
 
 echo "Create webhook deployment"
-kubectl create -f ${srcroot}/deployments/fpga_admissionwebhook/deployment.yaml
+cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" | ${kubectl} create -f -
 
 echo "Create webhook service"
 kubectl create -f ${srcroot}/deployments/fpga_admissionwebhook/service.yaml