Admission controller doesn't work well with other admission controllers

[mikebryant]

Output of the info page (if this is a bug)

(Paste the output of the info page here)

Describe what happened:
I set up a Kyverno hook to add the tags.datadoghq.com/service label to some Pods
The datadog admission control did not add the environment variable

It looks like this is because the datadog hook was called first, and not seeing the label, did nothing.

Describe what you expected:
For it to add the environment variable

As the datadog hook is idempotent, I think it should have reinvocationPolicy: IfNeeded, not reinvocationPolicy: Never. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy for more details

Steps to reproduce the issue:
Add a kyverno policy like:

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-datadog-labels
  annotations:
    policies.kyverno.io/category: Bulb Defaults
    policies.kyverno.io/description: Automatically set datadog labels from standard app labels.
    policies.kyverno.io/severity: low
spec:
  rules:
    - name: add-datadog-labels
      match:
        resources:
          kinds:
            - Pod
          selector:
            matchExpressions:
              - {key: app.kubernetes.io/instance, operator: Exists}
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(tags.datadoghq.com/service): "{{ request.object.metadata.labels.\"app.kubernetes.io/instance\" }}"
              #+(tags.datadoghq.com/service): "$(../app.kubernetes.io\\/instance)"

Additional environment details (Operating System, Cloud provider, etc):