diff --git a/pkg/webhook/clusterpropagationpolicy/mutating.go b/pkg/webhook/clusterpropagationpolicy/mutating.go
index bcc65bdcd..dc7141eef 100644
--- a/pkg/webhook/clusterpropagationpolicy/mutating.go
+++ b/pkg/webhook/clusterpropagationpolicy/mutating.go
@@ -23,6 +23,7 @@ import (
 "net/http"
 "github.com/google/uuid"
+ admissionv1 "k8s.io/api/admission/v1"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 policyv1alpha1 "github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1"
@@ -82,7 +83,7 @@ func (a *MutatingAdmission) Handle(_ context.Context, req admission.Request) adm
 }
 }
- if util.GetLabelValue(policy.Labels, policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel) == "" {
+ if req.Operation == admissionv1.Create {
 util.MergeLabel(policy, policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel, uuid.New().String())
 }
diff --git a/pkg/webhook/clusterpropagationpolicy/validating.go b/pkg/webhook/clusterpropagationpolicy/validating.go
index 38a3f9fa0..2933a954d 100644
--- a/pkg/webhook/clusterpropagationpolicy/validating.go
+++ b/pkg/webhook/clusterpropagationpolicy/validating.go
@@ -60,6 +60,16 @@ func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) a
 klog.Error(err)
 return admission.Denied(err.Error())
 }
+
+ if policy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel] !=
+ oldPolicy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel] {
+ return admission.Denied(fmt.Sprintf("label %s is immutable, it can only be set by the system during creation",
+ policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel))
+ }
+ }
+ if _, exist := policy.Labels[policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel]; !exist {
+ return admission.Denied(fmt.Sprintf("label %s is required, it should be set by the mutating admission webhook during creation",
+ policyv1alpha1.ClusterPropagationPolicyPermanentIDLabel))
 }
 errs := validation.ValidatePropagationSpec(policy.Spec)
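Review bot: Whether a client-supplied permanent ID is actually discarded on create depends on `util.MergeLabel` overwriting an existing key, which is not visible in this hunk; if it only fills a missing key, the creator of a policy could choose the ID, and the validating webhook in this commit checks presence only. A comment above the branch would pin the intent, for example `// The permanent ID is system-owned: always assign a fresh UUID on CREATE, replacing any client-supplied value; never regenerate it on UPDATE.` The same applies to the matching hunk in pkg/webhook/propagationpolicy/mutating.go. Handle's body starts and ends outside the hunk.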
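Review bot: The required-label check at the end of this hunk sits outside the block that compares against `oldPolicy`, so it appears to run for updates as well as creates; a ClusterPropagationPolicy stored before the label existed would then pass the immutability comparison (both sides empty) and be denied by the `!exist` branch, while the mutating webhook in this commit no longer backfills the label on update. Unless existing objects are stamped elsewhere before this ships, consider scoping the presence check to creation, e.g. `if req.Operation == admissionv1.Create {` around it (whether `admissionv1` is already imported in this file is not visible here). The check also accepts any present value, including an empty string, so it does not confirm a well-formed system-generated ID; `uuid.Parse` on the value would at least reject malformed ones. The same applies to pkg/webhook/propagationpolicy/validating.go, and Handle's body starts and ends outside the hunk.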
diff --git a/pkg/webhook/propagationpolicy/mutating.go b/pkg/webhook/propagationpolicy/mutating.go
index c9742c998..01aa95185 100644
--- a/pkg/webhook/propagationpolicy/mutating.go
+++ b/pkg/webhook/propagationpolicy/mutating.go
@@ -23,6 +23,7 @@ import (
 "net/http"
 "github.com/google/uuid"
+ admissionv1 "k8s.io/api/admission/v1"
 "k8s.io/klog/v2"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -94,7 +95,7 @@ func (a *MutatingAdmission) Handle(_ context.Context, req admission.Request) adm
 }
 }
- if util.GetLabelValue(policy.Labels, policyv1alpha1.PropagationPolicyPermanentIDLabel) == "" {
+ if req.Operation == admissionv1.Create {
 util.MergeLabel(policy, policyv1alpha1.PropagationPolicyPermanentIDLabel, uuid.New().String())
 }
diff --git a/pkg/webhook/propagationpolicy/validating.go b/pkg/webhook/propagationpolicy/validating.go
index d89e4053b..93908143e 100644
--- a/pkg/webhook/propagationpolicy/validating.go
+++ b/pkg/webhook/propagationpolicy/validating.go
@@ -60,6 +60,16 @@ func (v *ValidatingAdmission) Handle(_ context.Context, req admission.Request) a
 klog.Error(err)
 return admission.Denied(err.Error())
 }
+
+ if policy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel] !=
+ oldPolicy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel] {
+ return admission.Denied(fmt.Sprintf("label %s is immutable, it can only be set by the system during creation",
+ policyv1alpha1.PropagationPolicyPermanentIDLabel))
+ }
+ }
+ if _, exist := policy.Labels[policyv1alpha1.PropagationPolicyPermanentIDLabel]; !exist {
+ return admission.Denied(fmt.Sprintf("label %s is required, it should be set by the mutating admission webhook during creation",
+ policyv1alpha1.PropagationPolicyPermanentIDLabel))
 }
 errs := validation.ValidatePropagationSpec(policy.Spec)