diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
index 3973a36fcc..8c42169d1e 100644
--- a/pkg/render/apiserver.go
+++ b/pkg/render/apiserver.go
@@ -296,9 +296,13 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 		objsToDelete = append(objsToDelete, &admregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: SidecarMutatingWebhookConfigName}})
 	}
 
+	podSecurityNamespaceLabel := PodSecurityStandard(PSSRestricted)
+	if c.hostNetwork() {
+		podSecurityNamespaceLabel = PSSPrivileged
+	}
 	// Global OSS-only objects.
 	globalCalicoObjects := []client.Object{
-		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, PSSPrivileged),
+		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, podSecurityNamespaceLabel),
 	}
 
 	// Compile the final arrays based on the variant.