diff --git a/config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml b/config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml
index a1f4022..a4bc8bc 100644
--- a/config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml
+++ b/config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
 enabled: true
 initContainers:
- - name: busybox
+ - name: busybox-chmod
 image: busybox:latest
 command:
 - sh
@@ -24,15 +24,30 @@ spec:
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
 imagePullPolicy: IfNotPresent
+ - name: busybox-chown
+ image: busybox:latest
+ command:
+ - sh
+ - '-c'
+ - chown -R 1001:0 $PVC_1_MOUNT_PATH
+ resources:
+ limits:
+ cpu: 500m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ imagePullPolicy: IfNotPresent
 pvcMatchers:
- - name: local
+ - name: local-1
 storageClass:
 fieldSelector:
 - key: name
 operator: In
 values:
 - local-path
- - local-path2
 namespace:
 labelSelector:
 - key: "kubernetes.io/metadata.name"
@@ -46,8 +61,17 @@ spec:
 operator: NotIn
 values:
 - ws1
+ - name: local-2
+ storageClass:
+ fieldSelector:
+ - key: name
+ operator: In
+ values:
+ - local-path2
 pvcInitializers:
- - pvcMatcherName: local
- initContainerName: busybox
+ - pvcMatcherName: local-1
+ initContainerName: busybox-chmod
+ - pvcMatcherName: local-2
+ initContainerName: busybox-chown
 mountPathRoot: "/pvc"
 status: {}
diff --git a/deploy/webhook-deployment-template.yaml b/deploy/webhook-deployment-template.yaml
index 808eaab..5b3955f 100644
--- a/deploy/webhook-deployment-template.yaml
+++ b/deploy/webhook-deployment-template.yaml
@@ -43,7 +43,7 @@ rules:
 - apiGroups: [""]
 resources: ["persistentvolumeclaims"]
 verbs: ["get", "list", "watch"]
- - apiGroups: [""]
+ - apiGroups: ["storage.k8s.io"]
 resources: ["storageclasses"]
 verbs: ["get", "list", "watch"]
 - apiGroups: ["tenant.kubesphere.io"]
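Review bot: The new `busybox-chown` init container uses `image: busybox:latest` with `imagePullPolicy: IfNotPresent`, so the image injected into pods is whatever a node has cached under a mutable tag; the existing `busybox-chmod` entry has the same issue. Pin both to a digest, e.g. `image: busybox@sha256:<digest>` (placeholder, fill in the reviewed digest), so the injected container is always the one that was vetted. The entry also sets no `securityContext`; `chown -R` needs root or CAP_CHOWN, so it is better to state that explicitly and drop every other capability than to inherit the pod's defaults. The shell argument is unquoted and would be safer as `chown -R 1001:0 "$PVC_1_MOUNT_PATH"`.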
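Review bot: The new `local-2` matcher selects only on storage class `local-path2` and, unlike `local-1`, has no `namespace` selector, so `busybox-chown` would presumably be injected for every matching PVC in any namespace the webhook covers. Because people copy samples, either repeat the namespace restriction from `local-1` or add a comment such as `# no namespace selector: matches PVCs of this storage class in all namespaces`. How a matcher without a namespace block is evaluated is not visible in this diff, so please confirm the match-all reading.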
diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go
index 5b1e469..2d52003 100644
--- a/pkg/webhook/pod.go
+++ b/pkg/webhook/pod.go
@@ -143,6 +143,7 @@ func (a *Admitter) Decide(ctx context.Context, reqInfo *ReqInfo) *admissionv1.Ad
 return toV1AdmissionResponse(err)
 }
 if pvcInitContainer == nil {
+ klog.Infof("no initContainer found for pvc %s", pvc.Name)
 continue
 }
 if pvcInitContainer.MountPathRoot == "" {
@@ -153,8 +154,10 @@ func (a *Admitter) Decide(ctx context.Context, reqInfo *ReqInfo) *admissionv1.Ad
 // check if the container already exists
 if slices.Contains(containerNames, container.Name) {
+ klog.Warningf("initContainer %s already exists in pod or patch", container.Name)
 continue
 }
+ containerNames = append(containerNames, container.Name)
 mountPath := path.Join(pvcInitContainer.MountPathRoot, volume.Name)
 volumeMount := corev1.VolumeMount{
@@ -204,6 +207,9 @@ type PVCInitContainer struct {
 MountPathRoot string
 }
+// getPVCInitContainer returns a PVInitContainer that matches the pvc.
+// If pvc does not match any pvcMatcher, nil will be returned.
+// If pvc matches multiple pvcMatchers, the first one will be used and the corresponding initContainer will be returned.
 func (a *Admitter) getPVCInitContainer(ctx context.Context, pvc *corev1.PersistentVolumeClaim, initializerList *v1alpha1.InitializerList) (*PVCInitContainer, error) {
 getPvcMatcherByName := func(matcherName string, pvcMatchers []v1alpha1.PVCMatcher) *v1alpha1.PVCMatcher {
 for _, m := range pvcMatchers {
@@ -225,6 +231,7 @@ func (a *Admitter) getPVCInitContainer(ctx context.Context, pvc *corev1.Persiste
 for _, initializer := range initializerList.Items {
 if !initializer.Spec.Enabled {
+ klog.Infof("initializer %s not enabled", initializer.Name)
 continue
 }
 for _, pvcInitializer := range initializer.Spec.PVCInitializers {
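Review bot: `klog.Infof("no initContainer found for pvc %s", pvc.Name)` runs on the admission path for every PVC that matches no initializer, which is likely the common case, so the webhook will log at Info for most pods it sees. I would lower it to a verbose level and add the namespace, since PVC names are only unique per namespace: `klog.V(4).Infof("no initContainer found for pvc %s/%s", pvc.Namespace, pvc.Name)`. The `initializer %s not enabled` message added in the hunk at -225 has the same issue and is repeated for every PVC checked. Decide's body starts and ends outside this hunk.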
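Review bot: Appending to `containerNames` stops the same init container being patched in twice, but the `continue` above it also skips the `volumeMount` built from `volume.Name`, so a second PVC in the pod that resolves to the same init container appears to get no mount and no initialization, with only a warning logged. If that reading is right (the rest of the loop is outside the hunk), either add the extra mount to the container already in the patch or give each injected container a per-volume name. The same name check also leaves a pod that already declares a container of that name without the initializer's container. If initialization is meant to be enforced rather than best-effort, that case deserves a denied admission or at least a comment stating the intent, e.g. `// a pod-defined container with the same name wins; the initializer is skipped`.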
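Review bot: The new doc comment names the return type `PVInitContainer`, but the type declared just above is `PVCInitContainer`; the first line should read `// getPVCInitContainer returns the PVCInitContainer that matches the pvc.`. "The first one will be used" depends on the order of `initializerList.Items` and of each `PVCInitializers` slice, so the comment should say whether that order is stable. With overlapping matchers the order decides which init container (for example chmod or chown) runs against the volume. The function body continues outside the hunk.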
@@ -236,6 +243,7 @@ func (a *Admitter) getPVCInitContainer(ctx context.Context, pvc *corev1.Persiste
 if match {
 container := getContainerByName(pvcInitializer.InitContainerName, initializer.Spec.InitContainers)
 if container == nil {
+ klog.Warningf("initContainer %s not found in initializer %s", pvcInitializer.InitContainerName, initializer.Name)
 continue
 }
 pvcInitContainer := &PVCInitContainer{
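Review bot: A `PVCInitializer` that references a missing init container is only detected here, at pod admission, and the `continue` moves on after the warning, so unless a later entry matches, a typo in an Initializer silently turns initialization off for its PVCs. The warning helps, but it would be stronger to reject such an Initializer when it is created or updated (no such validation is visible in this diff). The message should also name the PVC so the warning can be tied to a workload: `klog.Warningf("initContainer %s not found in initializer %s (pvc %s/%s)", pvcInitializer.InitContainerName, initializer.Name, pvc.Namespace, pvc.Name)`. The enclosing loops start and end outside the hunk.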