diff --git a/pkg/webhook/operatingsystemconfig/webhook.go b/pkg/webhook/operatingsystemconfig/webhook.go
index 8b94bf6dd..c087907c0 100644
--- a/pkg/webhook/operatingsystemconfig/webhook.go
+++ b/pkg/webhook/operatingsystemconfig/webhook.go
@@ -22,6 +22,10 @@ import (
 const (
 	// Name is the webhook name.
 	Name = "gardenlinux-operatingsystemconfig-webhook"
+	// AnnotationKey is the annotation key that controls the webhook
+	AnnotationKey = "extensions.gardener.cloud/os-garden-linux"
+	// IgnoreAnnotationValue is the annotation value that tells the webhook to ignore an OSC
+	IgnoreAnnotationValue = "Ignore"
 )
 
 var logger = log.Log.WithName(Name)
@@ -45,7 +49,7 @@ func AddToManager(mgr manager.Manager) (*extensionswebhook.Webhook, error) {
 		{Obj: &extensionsv1alpha1.OperatingSystemConfig{}},
 	}
 
-	handler, err := extensionswebhook.NewBuilder(mgr, logger).WithPredicates(isGardenLinuxOsc()).WithMutator(mutator, types...).Build()
+	handler, err := extensionswebhook.NewBuilder(mgr, logger).WithPredicates(isGardenLinuxOsc(), hasNoIgnoreAnnotation()).WithMutator(mutator, types...).Build()
 	if err != nil {
 		return nil, err
 	}
@@ -71,3 +75,17 @@ func isGardenLinuxOsc() predicate.Predicate {
 		return osc.Spec.Type == gardenlinux.OSTypeGardenLinux
 	})
 }
+
+func hasNoIgnoreAnnotation() predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(obj client.Object) bool {
+		osc, ok := obj.(*extensionsv1alpha1.OperatingSystemConfig)
+		if !ok {
+			return false
+		}
+		annotation, ok := osc.Annotations[AnnotationKey]
+		if ok {
+			return annotation != IgnoreAnnotationValue
+		}
+		return true
+	})
+}