diff --git a/ztp/kube-compare-reference/metadata.yaml b/ztp/kube-compare-reference/metadata.yaml
index 60336af997..65f847b7dd 100644
--- a/ztp/kube-compare-reference/metadata.yaml
+++ b/ztp/kube-compare-reference/metadata.yaml
@@ -167,7 +167,6 @@ parts:
 
 templateFunctionFiles:
   - validate_node_selector.tmpl
-  - optional_labels.tmpl
   - unordered_list.tmpl
 
 fieldsToOmit:
@@ -184,13 +183,11 @@ fieldsToOmit:
       - pathToKey: metadata.annotations."machineconfiguration.openshift.io/mc-name-suffix"
       - pathToKey: metadata.labels."kubernetes.io/metadata.name"
       - pathToKey: metadata.labels."olm.operatorgroup.uid"
-      - pathToKey: metadata.labels."pod-security.kubernetes.io"
       - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync"
       - pathToKey: metadata.resourceVersion
       - pathToKey: metadata.uid
       - pathToKey: spec.finalizers
       - pathToKey: metadata.creationTimestamp
-      - pathToKey: metadata."pod-security.kubernetes.io"
       - pathToKey: metadata.generation
       - pathToKey: status # TODO:  We need to check status in Subscription and CatalogSource. CNF-13521
       - pathToKey: metadata.finalizers
@@ -202,10 +199,8 @@ fieldsToOmit:
       - pathToKey: metadata.annotations."include.release.openshift.io/single-node-developer"
       - pathToKey: metadata.annotations."release.openshift.io/create-only"
       - pathToKey: metadata.labels."lca.openshift.io/target-ocp-version"
-      - pathToKey: metadata.labels."pod-security.kubernetes.io/audit"
-      - pathToKey: metadata.labels."pod-security.kubernetes.io/audit-version"
-      - pathToKey: metadata.labels."pod-security.kubernetes.io/warn"
-      - pathToKey: metadata.labels."pod-security.kubernetes.io/warn-version"
+      - pathToKey: metadata.labels."pod-security.kubernetes.io/"
+        isPrefix: true
       - pathToKey: metadata.annotations."capability.openshift.io/name"
       - pathToKey: metadata.annotations."olm.providedAPIs"
       - pathToKey: metadata.annotations."operator.sriovnetwork.openshift.io/last-network-namespace"
diff --git a/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml b/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml
index 507178d7b6..a9ebbc39b9 100644
--- a/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml
+++ b/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml
@@ -4,9 +4,3 @@ metadata:
   name: openshift-local-storage
   annotations:
     workload.openshift.io/allowed: management
-  {{- if .metadata.labels }}
-  labels:
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}
diff --git a/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml b/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml
index d9b65841a9..57008f40d1 100644
--- a/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml
+++ b/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml
@@ -2,9 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: vran-acceleration-operators
-  {{- if .metadata.labels }}
-  labels:
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}
diff --git a/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml b/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml
index 1879457d2a..5e0cbafc22 100644
--- a/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml
@@ -2,14 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: openshift-storage
-  {{- if .metadata.labels }}
   labels:
     # from 4.15+ LVM operator can be part of the management partition.
-    {{- template "requiredLabels" (list .metadata.labels
-        "workload.openshift.io/allowed: \"management\""
-        "openshift.io/cluster-monitoring: \"true\""
-    ) }}
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}
+    workload.openshift.io/allowed: "management"
+    openshift.io/cluster-monitoring: "true"
diff --git a/ztp/kube-compare-reference/optional_labels.tmpl b/ztp/kube-compare-reference/optional_labels.tmpl
deleted file mode 100644
index f51d026dac..0000000000
--- a/ztp/kube-compare-reference/optional_labels.tmpl
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- define "allowLabels" }}
-{{- $prefixes := slice . 1 }}
-{{- $result := dict }}
-{{- range $key, $value := (index . 0) }}
-    {{- range $prefix := $prefixes }}
-        {{- if (hasPrefix $prefix $key) }}
-            {{- $_ := set $result $key $value }}
-        {{- end }}
-    {{- end }}
-{{- end }}
-{{- $result | toYaml | nindent 4 }}
-{{- end }}
-
-{{- define "requiredLabels" }}
-{{- $labels := slice . 1 }}
-{{- $result := dict }}
-{{- range $label := $labels }}
-    {{- $_ := merge $result ($label | fromYaml) }}
-{{- end }}
-{{- $result | toYaml | nindent 4 }}
-{{- end }}
diff --git a/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml b/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml
index e1b3682e3d..f798254100 100644
--- a/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml
+++ b/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml
@@ -4,9 +4,3 @@ metadata:
   name: openshift-logging
   annotations:
     workload.openshift.io/allowed: management
-  {{- if .metadata.labels }}
-  labels:
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}
diff --git a/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml b/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml
index cd1b49799f..33bc3a6443 100644
--- a/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml
@@ -6,12 +6,3 @@ metadata:
     workload.openshift.io/allowed: management
   labels:
     kubernetes.io/metadata.name: openshift-lifecycle-agent
-  {{- if .metadata.labels }}
-  labels:
-    {{- template "requiredLabels" (list .metadata.labels
-        "kubernetes.io/metadata.name: openshift-lifecycle-agent"
-    ) }}
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}
diff --git a/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml b/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml
index a91690b0be..0aaf9bd6d2 100644
--- a/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml
@@ -6,12 +6,3 @@ metadata:
     workload.openshift.io/allowed: management
   labels:
     openshift.io/cluster-monitoring: "true"
-  {{- if .metadata.labels }}
-  labels:
-    {{- template "requiredLabels" (list .metadata.labels
-        "openshift.io/cluster-monitoring: \"true\""
-    ) }}
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}
diff --git a/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml b/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml
index 1e28ed3124..0071359bb2 100644
--- a/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml
@@ -4,9 +4,3 @@ metadata:
   name: openshift-sriov-network-operator
   annotations:
     workload.openshift.io/allowed: management
-  {{- if .metadata.labels }}
-  labels:
-    {{- template "allowLabels" (list .metadata.labels
-        "pod-security.kubernetes.io"
-    ) }}
-  {{- end }}