I can't set PSA label on namespace

[JayJay-K]

I don't know whether I can open issue with this ..

I create one namespace 'psans' with "kuberctl create ns psans". Then, I can see follow labes [root@bastion /]# kubectl describe ns psans | grep secu pod-security.kubernetes.io/audit=baseline pod-security.kubernetes.io/audit-version=v1.24 pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/warn-version=v1.24

And I can add and remove enforce: [root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/enforce=baseline namespace/psans labeled [root@bastion /]# kubectl describe ns psans | grep secu pod-security.kubernetes.io/audit=baseline pod-security.kubernetes.io/audit-version=v1.24 pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/warn-version=v1.24 [root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/enforce- namespace/psans unlabeled [root@bastion /]# kubectl describe ns psans | grep secu pod-security.kubernetes.io/audit=baseline pod-security.kubernetes.io/audit-version=v1.24 pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/warn-version=v1.24

But I can't remove audit or warn: [root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/audit-version- namespace/psans unlabeled [root@bastion /]# kubectl describe ns psans | grep secu pod-security.kubernetes.io/audit=baseline pod-security.kubernetes.io/audit-version=v1.24 pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/warn-version=v1.24 [root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/audit- namespace/psans unlabeled [root@bastion /]# kubectl describe ns psans | grep secu pod-security.kubernetes.io/audit=baseline pod-security.kubernetes.io/audit-version=v1.24 pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/warn-version=v1.24

Is it a policy? Otherwise, do I have to use other proper commands?