diff --git a/config/admission/admission.yaml b/config/admission/admission.yaml
new file mode 100644
index 000000000..8a795ae96
--- /dev/null
+++ b/config/admission/admission.yaml
@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "clusterextensions-package-uniqueness"
+spec:
+ failurePolicy: Fail
+ paramKind:
+ apiVersion: olm.operatorframework.io/v1alpha1
+ kind: ClusterExtension
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["olm.operatorframework.io"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["clusterextensions"]
+ matchConditions:
+ # Only apply the policy when the request operation is CREATE
+ # or when the package is being changed
+ - name: 'only-create-or-package-change'
+ expression: request.operation == 'CREATE' || oldObject.spec.packageName != object.spec.packageName
+ validations:
+ - expression: object.spec.packageName != params.spec.packageName
+ messageExpression: "'Package \"' + string(object.spec.packageName) + '\" is already installed via ClusterExtension \"' + string(params.metadata.name) + '\"'"
+ reason: Invalid
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "clusterextensions-package-uniqueness-binding"
+spec:
+ policyName: "clusterextensions-package-uniqueness"
+ validationActions: [Deny]
+ paramRef:
+ parameterNotFoundAction: Allow
+ selector: {}
diff --git a/config/admission/kustomization.yaml b/config/admission/kustomization.yaml
new file mode 100644
index 000000000..4e1629d33
--- /dev/null
+++ b/config/admission/kustomization.yaml
@@ -0,0 +1,5 @@
+configurations:
+- kustomizeconfig.yaml
+
+resources:
+- admission.yaml
diff --git a/config/admission/kustomizeconfig.yaml b/config/admission/kustomizeconfig.yaml
new file mode 100644
index 000000000..55fc4088a
--- /dev/null
+++ b/config/admission/kustomizeconfig.yaml
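Review bot: The uniqueness check `object.spec.packageName != params.spec.packageName` is evaluated against params the API server serves from its informer cache rather than a strongly consistent read, so, as far as I understand ValidatingAdmissionPolicy semantics, two ClusterExtension creates for the same package that arrive close together can both be admitted; the policy should be documented as defense in depth and the controller must remain the authoritative enforcer of package uniqueness. I would add above `validations:` a comment such as `# Best-effort guard: params are read from the apiserver cache, so concurrent requests may both pass; the controller still enforces uniqueness`. A ClusterExtension that is being deleted still matches `selector: {}` and will reject re-creation for its package until its finalizers clear, which looks intended but deserves a comment next to `parameterNotFoundAction: Allow`. Separately, `name: "clusterextensions-package-uniqueness"` uses double quotes while `name: 'only-create-or-package-change'` uses single quotes; pick one quoting style for plain strings in this file.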
@@ -0,0 +1,9 @@
+# This file is for teaching kustomize how to substitute name in ValidatingAdmissionPolicyBinding
+# This might become obsolete depending on the outcome of https://github.com/kubernetes-sigs/kustomize/issues/5674
+nameReference:
+- kind: ValidatingAdmissionPolicy
+ group: admissionregistration.k8s.io
+ fieldSpecs:
+ - kind: ValidatingAdmissionPolicyBinding
+ group: admissionregistration.k8s.io
+ path: spec/policyName
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 6e2a672dd..2719a8565 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -16,6 +16,7 @@ namePrefix: operator-controller-
 resources:
 - ../crd
+- ../admission
 - ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in