diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
index 665715d3031..4f3a9920cbe 100644
--- a/cmd/build/helmify/static/templates/namespace-post-install.yaml
+++ b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -46,9 +46,6 @@ spec:
             - label
             - ns
             - {{ .Release.Namespace }}
-            {{- range .Values.postInstall.labelNamespace.extraNamespaces }}
-            - {{ . }}
-            {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
             {{- range .Values.postInstall.labelNamespace.podSecurity }}
             - {{ . }}
@@ -62,6 +59,27 @@ spec:
               type: RuntimeDefault
             {{- end }}
             {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+        {{- if .Values.postInstall.labelNamespace.extraNamespaces }}
+        - name: kubectl-label-extra
+          image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+          imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
+          args:
+            - label
+            - ns
+            {{- range .Values.postInstall.labelNamespace.extraNamespaces }}
+            - {{ . }}
+            {{- end }}
+            - admission.gatekeeper.sh/ignore=extra-namespaces
+            - --overwrite
+          resources:
+            {{- toYaml .Values.postInstall.resources | nindent 12 }}
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+        {{- end }}
       {{- with .Values.postInstall }}
       nodeSelector:
         {{- toYaml .nodeSelector | nindent 8 }}
diff --git a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
index 2d864829f8b..28d223bf452 100644
--- a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
+++ b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
@@ -38,13 +38,30 @@ spec:
             - label
             - ns
             - {{ .Release.Namespace }}
-            {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
+            - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postUpgrade.labelNamespace.podSecurity }}
             - {{ . }}
             {{- end }}
-            - admission.gatekeeper.sh/ignore=no-self-managing
-            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - --overwrite
+          resources:
+            {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+        {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }}
+        - name: kubectl-label-extra
+          image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
+          imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
+          args:
+            - label
+            - ns
+            {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
             - {{ . }}
             {{- end }}
+            - admission.gatekeeper.sh/ignore=extra-namespaces
             - --overwrite
           resources:
             {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
@@ -54,6 +71,7 @@ spec:
               type: RuntimeDefault
             {{- end }}
             {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+        {{- end }}
       {{- with .Values.postUpgrade }}
       affinity:
         {{- toYaml .affinity | nindent 8 }}
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
index 665715d3031..4f3a9920cbe 100644
--- a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
@@ -46,9 +46,6 @@ spec:
             - label
             - ns
             - {{ .Release.Namespace }}
-            {{- range .Values.postInstall.labelNamespace.extraNamespaces }}
-            - {{ . }}
-            {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
             {{- range .Values.postInstall.labelNamespace.podSecurity }}
             - {{ . }}
@@ -62,6 +59,27 @@ spec:
               type: RuntimeDefault
             {{- end }}
             {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+        {{- if .Values.postInstall.labelNamespace.extraNamespaces }}
+        - name: kubectl-label-extra
+          image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+          imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
+          args:
+            - label
+            - ns
+            {{- range .Values.postInstall.labelNamespace.extraNamespaces }}
+            - {{ . }}
+            {{- end }}
+            - admission.gatekeeper.sh/ignore=extra-namespaces
+            - --overwrite
+          resources:
+            {{- toYaml .Values.postInstall.resources | nindent 12 }}
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+        {{- end }}
       {{- with .Values.postInstall }}
       nodeSelector:
         {{- toYaml .nodeSelector | nindent 8 }}
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
index 2d864829f8b..28d223bf452 100644
--- a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
@@ -38,13 +38,30 @@ spec:
             - label
             - ns
             - {{ .Release.Namespace }}
-            {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
+            - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postUpgrade.labelNamespace.podSecurity }}
             - {{ . }}
             {{- end }}
-            - admission.gatekeeper.sh/ignore=no-self-managing
-            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - --overwrite
+          resources:
+            {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+        {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }}
+        - name: kubectl-label-extra
+          image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
+          imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
+          args:
+            - label
+            - ns
+            {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
             - {{ . }}
             {{- end }}
+            - admission.gatekeeper.sh/ignore=extra-namespaces
             - --overwrite
           resources:
             {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
@@ -54,6 +71,7 @@ spec:
               type: RuntimeDefault
             {{- end }}
             {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+        {{- end }}
       {{- with .Values.postUpgrade }}
       affinity:
         {{- toYaml .affinity | nindent 8 }}