diff --git a/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
new file mode 100644
index 0000000000..ee815f7f94
--- /dev/null
+++ b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
@@ -0,0 +1,32 @@
+{{if .OVN_NETWORK_SEGMENTATION_ENABLE}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: user-defined-networks-namespace-label
+spec:
+  matchConstraints:
+    resourceRules:
+      - apiGroups:   [""]
+        apiVersions: ["v1"]
+        operations:  ["UPDATE"]
+        resources:   ["namespaces"]
+  failurePolicy: Fail
+  validations:
+    - expression: "('k8s.ovn.org/primary-user-defined-network' in oldObject.metadata.labels) == ('k8s.ovn.org/primary-user-defined-network' in object.metadata.labels)"
+      message: "The 'k8s.ovn.org/primary-user-defined-network' label cannot be added/removed after the namespace was created"
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: user-defined-networks-namespace-label-binding
+spec:
+  policyName: user-defined-networks-namespace-label
+  validationActions: [Deny]
+  matchResources:
+    resourceRules:
+      - apiGroups:   [""]
+        apiVersions: ["v1"]
+        operations:  ["UPDATE"]
+        resources:   ["namespaces"]
+{{end}}