diff --git a/hack/tools/internal/tilt-prepare/main.go b/hack/tools/internal/tilt-prepare/main.go
index c1366ea8c8ff..98ae68d4db40 100644
--- a/hack/tools/internal/tilt-prepare/main.go
+++ b/hack/tools/internal/tilt-prepare/main.go
@@ -788,7 +788,11 @@ func writeIfChanged(prefix string, path string, yaml []byte) error {
 // This has the affect that the appended ones will take precedence, as those are read last.
 // Finally, we modify the deployment to enable prometheus metrics scraping.
 func prepareWorkload(name, prefix, binaryName, containerName string, objs []unstructured.Unstructured, ts *tiltSettings) error {
- return updateDeployment(prefix, objs, func(deployment *appsv1.Deployment) {
+ updatedObjs, err := updateNamespaceSecurityPolicy(objs)
+ if err != nil {
+ return errors.Wrapf(err, "[%s] failed to update Namespace security policy", prefix)
+ }
+ return updateDeployment(prefix, updatedObjs, func(deployment *appsv1.Deployment) {
 for j, container := range deployment.Spec.Template.Spec.Containers {
 if container.Name != containerName {
 continue
@@ -957,3 +961,16 @@ func getProviderObj(version *string) func(prefix string, objs []unstructured.Uns
 return providerObj, nil
 }
 }
+
+// updateNamespaceSecurityPolicy updates the pod-security.kubernetes.io/enforce label to "privileged" for Namespace objects.
+func updateNamespaceSecurityPolicy(objs []unstructured.Unstructured) ([]unstructured.Unstructured, error) {
+ for i, obj := range objs {
+ if obj.GetKind() == "Namespace" {
+ labels := obj.GetLabels()
+ labels["pod-security.kubernetes.io/enforce"] = "privileged"
+ obj.SetLabels(labels)
+ objs[i] = obj
+ return objs, nil
+ }
+ return objs, fmt.Errorf("no Namespace object found to update")
+}
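Review bot: The doc comment above prepareWorkload, which begins outside this hunk, still describes only the append step and the metrics-scraping tweak, while the new first step relabels the provider Namespace with `pod-security.kubernetes.io/enforce=privileged`, which means Pod Security Admission enforces no restrictions on any pod in that namespace, and that deserves a sentence there. Something like `// Before that, the Namespace object is labelled pod-security.kubernetes.io/enforce=privileged, so Pod Security Admission enforces no restrictions on the provider's pods.`, with the reason the privileged level is required (not stated in the diff) supplied by the author, so nobody copies the label into non-dev manifests without thinking. Also note that updateNamespaceSecurityPolicy writes into objs in place, so updatedObjs aliases the caller's slice even though the name suggests a fresh copy. The `failed to` prefix in the Wrapf message is redundant once the error is chained, although it may follow the file's existing `[%s]` convention.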
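Review bot: `labels := obj.GetLabels()` yields a nil map when the Namespace carries no labels, and the assignment on the next line then panics; initialise it first with `if labels == nil { labels = map[string]string{} }` before `labels["pod-security.kubernetes.io/enforce"] = "privileged"`. As rendered here the for loop's closing brace is absent and the `@@ +961,16` count matches the 13 added lines shown, so it is worth confirming the committed file has both braces. The comment promises to update "Namespace objects" but the early `return objs, nil` handles only the first one and leaves any later Namespace at its previous admission level; either say "the first Namespace object" in the comment or keep looping and error only when none was found. `fmt.Errorf` with no format verbs can be `errors.New` from the errors package the file already uses for Wrapf.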