diff --git a/bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml b/bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml
new file mode 100644
index 0000000000..f9130b58d9
--- /dev/null
+++ b/bindata/network/ovn-kubernetes/common/egressip-admission-policy.yaml
@@ -0,0 +1,56 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: egressip-update-validation
+spec:
+ failurePolicy: Fail
+ matchConditions:
+ - expression: '("k8s.ovn.org/egressip-mark" in object.metadata.annotations) && (!has(oldObject.metadata.annotations) ||
+ !("k8s.ovn.org/egressip-mark" in oldObject.metadata.annotations))'
+ name: egressip-mark-annotation-update
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["k8s.ovn.org"]
+ apiVersions: ["v1"]
+ operations: ["UPDATE"]
+ resources: ["egressips"]
+ validations:
+ - expression: '(request.userInfo.username == "system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-control-plane")'
+ message: 'A regular user must not add "k8s.ovn.org/egressip-mark" annotation to an EgressIP custom resource.'
+ reason: Invalid
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: egressip-create-validation
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["k8s.ovn.org"]
+ apiVersions: ["v1"]
+ operations: ["CREATE"]
+ resources: ["egressips"]
+ validations:
+ - expression: '!has(object.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in object.metadata.annotations)'
+ message: 'EgressIP resources cannot be created with the "k8s.ovn.org/egressip-mark" annotation. This annotation is managed by the system.'
+ reason: Invalid
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: egressip-update-validation-binding
+spec:
+ policyName: egressip-update-validation
+ validationActions: [Deny]
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: egressip-create-validation-binding
+spec:
+ policyName: egressip-create-validation
+ validationActions: [Deny]
\ No newline at end of file
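Review bot: The update policy's matchCondition reads `object.metadata.annotations` without a `has()` guard while it does guard `oldObject.metadata.annotations`; in Kubernetes CEL an unset field accessed this way is, as far as I recall, an evaluation error rather than an empty map, and with `failurePolicy: Fail` an errored matchCondition rejects the request, so an UPDATE of an EgressIP that carries no annotations at all could be denied outright. The create policy below already uses the `!has(object.metadata.annotations) || ...` form, so the matchCondition should mirror it: `- expression: 'has(object.metadata.annotations) && ("k8s.ovn.org/egressip-mark" in object.metadata.annotations) && (!has(oldObject.metadata.annotations) || !("k8s.ovn.org/egressip-mark" in oldObject.metadata.annotations))'`. Note also that the condition only fires when the annotation is newly added, so a change to the value or a removal of an existing mark by a non-controller user is not covered by either policy; if that is intentional, a comment on the matchCondition saying so would save the next reader from re-deriving it.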
diff --git a/pkg/network/ovn_kubernetes_test.go b/pkg/network/ovn_kubernetes_test.go
index 8109ab1166..5c750b59c3 100644
--- a/pkg/network/ovn_kubernetes_test.go
+++ b/pkg/network/ovn_kubernetes_test.go
@@ -4153,7 +4153,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 client: cnofake.NewFakeClient(),
 featureGates: noFeatureGates,
 },
- expectNumObjs: 38,
+ expectNumObjs: 42,
 },
 {
 name: "render routeadvertisements",
@@ -4168,7 +4168,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 client: cnofake.NewFakeClient(),
 featureGates: noFeatureGates,
 },
- expectNumObjs: 39,
+ expectNumObjs: 43,
 },
 {
 name: "render with UDN",
@@ -4179,7 +4179,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 client: cnofake.NewFakeClient(),
 featureGates: udnFeatureGate,
 },
- expectNumObjs: 44,
+ expectNumObjs: 48,
 },
 {
 name: "render with PreconfiguredUDNAddresses, UDN, persistent-IP, and RA",
@@ -4193,7 +4193,7 @@ func Test_renderOVNKubernetes(t *testing.T) {
 client: cnofake.NewFakeClient(),
 featureGates: preDefUDNFeatureGates,
 },
- expectNumObjs: 47,
+ expectNumObjs: 51,
 },
 }
 for _, tt := range tests {
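Review bot: Each of the four `expectNumObjs` values is bumped by 4, which matches the four documents in the new egressip-admission-policy.yaml, but nothing in these cases asserts that the two ValidatingAdmissionPolicy and two ValidatingAdmissionPolicyBinding objects are actually among the rendered output, so a later manifest change could keep the count right while dropping a policy. Consider adding a check in Test_renderOVNKubernetes that the rendered objects include `egressip-update-validation` and `egressip-create-validation` and their bindings, or at least a comment next to the counts recording which objects the +4 stands for. Test_renderOVNKubernetes starts and ends outside these hunks, and the same bump applies to the hunks at -4168, -4179 and -4193.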