diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
index 5a1d492060c..2b00684b4d2 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
@@ -1,4 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: pod-security-webhook
\ No newline at end of file
+  name: pod-security-webhook
+  labels:
+    # Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
+    # the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
+    pod-security.kubernetes.io/enforce: restricted