diff --git a/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
new file mode 100644
index 0000000000..f6c3a5f443
--- /dev/null
+++ b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
@@ -0,0 +1,32 @@
+{{if .OVN_NETWORK_SEGMENTATION_ENABLE}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: user-defined-networks-namespace-label
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["UPDATE"]
+ resources: ["namespaces"]
+ failurePolicy: Fail
+ validations:
+ - expression: "('k8s.ovn.org/primary-user-defined-network' in oldObject.metadata.labels) == ('k8s.ovn.org/primary-user-defined-network' in object.metadata.labels)"
+ message: "The 'k8s.ovn.org/primary-user-defined-network' label cannot be added/removed after the namespace was created"
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: user-defined-networks-namespace-label-binding
+spec:
+ policyName: disable-udn-label-change
+ validationActions: [Deny]
+ matchResources:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["UPDATE"]
+ resources: ["namespaces"]
+{{end}}
diff --git a/pkg/network/ovn_kubernetes_test.go b/pkg/network/ovn_kubernetes_test.go
index cb22573c09..73f0c69d22 100644
--- a/pkg/network/ovn_kubernetes_test.go
+++ b/pkg/network/ovn_kubernetes_test.go
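Review bot: The binding's `policyName: disable-udn-label-change` in udn-admission-policy.yaml does not match the policy defined above it, which is named `user-defined-networks-namespace-label`. A ValidatingAdmissionPolicy takes effect only through a binding that references it by name, so as rendered the label-immutability check would not be enforced and the `k8s.ovn.org/primary-user-defined-network` label could still be added to or removed from an existing namespace. Change the line to `policyName: user-defined-networks-namespace-label`. Separately, the expression reads `oldObject.metadata.labels` and `object.metadata.labels` without a `has(...)` guard; if a namespace update can arrive with no labels map, evaluation would error and `failurePolicy: Fail` would reject the update, so it is worth confirming that case or guarding it.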
@@ -3991,6 +3991,19 @@ func Test_renderOVNKubernetes(t *testing.T) {
 },
 )
 }
+ udnFeatureGate := func() featuregates.FeatureGate {
+ return featuregates.NewFeatureGate(
+ []configv1.FeatureGateName{
+ apifeatures.FeatureGateNetworkSegmentation,
+ },
+ []configv1.FeatureGateName{
+ apifeatures.FeatureGateAdminNetworkPolicy,
+ apifeatures.FeatureGateDNSNameResolver,
+ apifeatures.FeatureGatePersistentIPsForVirtualization,
+ apifeatures.FeatureGateOVNObservability,
+ },
+ )
+ }
 type args struct {
 conf func() *operv1.NetworkSpec
 bootstrapResult func() *bootstrap.BootstrapResult
@@ -4030,6 +4043,17 @@ func Test_renderOVNKubernetes(t *testing.T) {
 },
 expectNumObjs: 38,
 },
+ {
+ name: "render with UDN",
+ args: args{
+ conf: fakeNetworkConf,
+ bootstrapResult: fakeBootstrapResultOVN,
+ manifestDir: manifestDirOvn,
+ client: cnofake.NewFakeClient(),
+ featureGates: udnFeatureGate,
+ },
+ expectNumObjs: 41,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
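Review bot: The "render with UDN" case asserts only `expectNumObjs: 41`, so it passes even when the rendered ValidatingAdmissionPolicyBinding points at a policy name that is not rendered, which is the state of the YAML added in this commit. Add a check for this case (in the loop body, which lies outside the hunk) that every rendered ValidatingAdmissionPolicyBinding has a `spec.policyName` equal to the `metadata.name` of a rendered ValidatingAdmissionPolicy. A short comment on the count would also help, e.g. `// 38 base objects plus the objects rendered only with NetworkSegmentation enabled`, since 41 is otherwise a magic number.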