diff --git a/assets/dns/namespace.yaml b/assets/dns/namespace.yaml
index c4be812a8..e886ac094 100644
--- a/assets/dns/namespace.yaml
+++ b/assets/dns/namespace.yaml
@@ -10,3 +10,8 @@ metadata:
     openshift.io/run-level: "0"
     # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
     openshift.io/cluster-monitoring: "true"
+    # allow node-resolver daemonset to pass baseline pod security admission.
+    # It uses host networking, host path volumes, and is a privileged.
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go
index 75b39a079..18dfefdc9 100644
--- a/pkg/manifests/bindata.go
+++ b/pkg/manifests/bindata.go
@@ -7,7 +7,7 @@
 // assets/dns/metrics/cluster-role.yaml (246B)
 // assets/dns/metrics/role-binding.yaml (293B)
 // assets/dns/metrics/role.yaml (284B)
-// assets/dns/namespace.yaml (417B)
+// assets/dns/namespace.yaml (713B)
 // assets/dns/service-account.yaml (85B)
 // assets/dns/service.yaml (520B)
 // assets/node-resolver/service-account.yaml (95B)
@@ -220,7 +220,7 @@ func assetsDnsMetricsRoleYaml() (*asset, error) {
 	return a, nil
 }
 
-var _assetsDnsNamespaceYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x64\x90\x41\x6e\xeb\x30\x0c\x44\xf7\x3e\xc5\x40\x7f\x9d\xfc\x76\xab\x3b\xb4\x9b\x02\xdd\x33\x16\x93\xb0\x96\x48\x43\xa4\x9d\xeb\x17\x4e\x82\x36\x45\x96\x02\x1f\xe6\xcd\x68\x12\x2d\x19\xef\xd4\xd8\x67\x1a\x79\xa0\x59\x3e\xb9\xbb\x98\x66\xac\xaf\x43\xe3\xa0\x42\x41\x79\x00\x48\xd5\x82\x42\x4c\x7d\x7b\x02\x36\xb3\xfa\x59\x8e\xb1\x17\xfb\xaf\x56\x78\xe7\x5c\x79\x0c\xeb\x19\x29\x5d\x91\x8b\xf5\xa9\x1a\x95\xfd\x1f\x96\x6a\xb5\x0b\x97\x8c\xd4\x48\xe9\xc4\x8d\x35\x36\x5e\xa9\x71\xfe\x8d\xdd\x15\xf5\x01\xa8\x74\xe0\x7a\x57\xfe\x83\x73\x60\xa5\xba\x30\xc2\x40\xab\x49\x41\xe1\x99\xb5\x88\x9e\x60\x8a\x69\x39\x30\xa8\x34\xf1\x6d\x04\xe2\x4c\x71\x07\x7c\x3b\xff\x84\x83\x66\xf1\xe7\x19\x7d\xd1\x5d\xe5\x95\x6b\x46\x7a\x49\x77\xe7\xb5\xef\x43\xaf\x66\x2a\x61\x7d\x33\x86\xa1\x9a\x4d\x38\x5a\xc7\x07\xf7\x55\x46\x7e\xbb\x5d\x61\x87\x2f\x1e\xc3\x21\x5b\x0b\xf1\xeb\xba\xdb\x27\x3f\x59\xc7\xba\x78\x70\x7f\x08\xce\x48\xd1\x17\x4e\xc3\x77\x00\x00\x00\xff\xff\xc8\x85\x12\x2a\xa1\x01\x00\x00")
+var _assetsDnsNamespaceYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x94\x51\xbd\xd2\xd2\x50\x10\xed\x79\x8a\x33\xb1\xfd\x40\x6d\xf3\x06\x16\xda\x38\x63\xbf\xe4\x1e\x60\xe5\x66\x37\x73\x77\x13\xc6\xb7\x77\x02\xe8\x07\x43\xe1\x58\x26\x7b\xfe\xef\x59\xad\xf4\xf8\x26\x23\x63\x92\x81\x1b\x99\xf4\x07\x5b\xa8\x5b\x8f\xe5\xf3\x66\x64\x4a\x91\x94\x7e\x03\x88\x99\xa7\xa4\xba\xc5\xfa\x09\xf8\x44\x8b\x93\x1e\x72\xa7\xfe\xd1\xbc\x70\x1b\xac\x1c\xd2\x5b\x8f\xae\xbb\x42\x2e\xde\xce\xd5\xa5\xec\x9e\xb0\x52\xab\x5f\x58\x7a\x74\xa3\x98\x1c\x39\xd2\x72\xc5\x9b\x8c\xec\xdf\x65\xb7\xc5\x62\x03\x54\xd9\xb3\xde\x2d\x3f\x20\x98\x58\xa4\xce\x44\x3a\x64\x71\x2d\x28\x9c\x68\x45\xed\x08\x37\x9c\xe7\x3d\x21\x65\xd4\x58\x4b\x20\x4f\x92\x77\x40\xac\xe7\xbf\xe2\x90\x49\xe3\xb5\x46\x9b\x6d\x5b\xb9\xb0\xf6\xe8\x3e\x75\x77\xcf\x6b\xde\x87\x5c\xa3\x9b\xa6\xb7\xd5\x31\x1d\xd5\xfd\x8c\x83\x37\x7c\x67\x5b\x74\xe0\xd7\xdb\x15\xbe\xff\xc9\x21\x03\xba\xa6\xd0\xb8\xb6\xbb\x8d\xfc\xe2\x3a\xd4\x39\x92\xed\x41\xb8\x47\x97\x6d\xe6\x73\x82\xeb\xc6\x8d\xe1\x75\x61\x43\x11\x8e\x6e\xeb\x1e\xe9\x98\x24\x02\x7b\x09\x56\x35\x62\xf2\x82\xe0\x30\x37\xcd\x5f\xef\x63\xec\xee\x62\x5f\x12\x73\x30\x70\xf2\x48\x18\x73\x7d\x24\xb5\xe3\xdb\xed\xc7\x24\x79\xc2\xe2\x75\x1e\x19\x6f\x10\x2b\xd0\x80\x60\x6a\xba\x68\xe5\x91\xe5\x26\x33\x79\xd9\xfe\xb1\xd8\xad\xa3\x37\x63\x32\xd6\x36\xb4\x83\xb7\x81\xfd\x03\xe7\x5f\x14\x99\x8b\xe6\xff\x10\x2e\xd2\xec\x09\xff\x3b\x00\x00\xff\xff\x32\x31\x6a\x26\xc9\x02\x00\x00")
 
 func assetsDnsNamespaceYamlBytes() ([]byte, error) {
 	return bindataRead(
@@ -235,8 +235,8 @@ func assetsDnsNamespaceYaml() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "assets/dns/namespace.yaml", size: 417, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
-	a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xba, 0x5c, 0xb4, 0x3b, 0x1e, 0xfd, 0x5c, 0x96, 0x1a, 0xe8, 0x2d, 0x87, 0xb, 0x40, 0xe4, 0x9e, 0xce, 0x66, 0x5e, 0xc0, 0x6, 0xdd, 0x13, 0x60, 0x38, 0x8c, 0x77, 0x94, 0x1d, 0xee, 0x25, 0x8f}}
+	info := bindataFileInfo{name: "assets/dns/namespace.yaml", size: 713, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
+	a := &asset{bytes: bytes, info: info, digest: [32]uint8{0x8d, 0x10, 0x2c, 0xc1, 0x8, 0x39, 0x7c, 0xf5, 0x5, 0x6, 0x5d, 0x3e, 0xc1, 0x41, 0x2e, 0xa6, 0x25, 0x14, 0x59, 0xa3, 0x20, 0x7c, 0xf2, 0xad, 0xa6, 0xd5, 0x64, 0xd8, 0x12, 0xc4, 0x1b, 0x9f}}
 	return a, nil
 }