diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
index 80a653469..a3c49681d 100644
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@@ -108,6 +108,7 @@ spec:
 # priority scheduling and that its resources are reserved
 # if it ever gets evicted.
 scheduler.alpha.kubernetes.io/critical-pod: ''
+{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 {{- if .Values.monitoring.prometheus.enabled }}
 {{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
diff --git a/calico/values.yaml b/calico/values.yaml
index 14148fbee..6737e3236 100644
--- a/calico/values.yaml
+++ b/calico/values.yaml
@@ -100,6 +100,10 @@ pod:
 disruption_budget:
 controllers:
 min_available: 0
+ mandatory_access_control:
+ type: apparmor
+ calico-node:
+ calico-node: localhost/docker-default
 
 dependencies:
 dynamic:
diff --git a/playbooks/osh-infra-upgrade-host.yaml b/playbooks/osh-infra-upgrade-host.yaml
index 495b5cb99..3a2b79bb9 100644
--- a/playbooks/osh-infra-upgrade-host.yaml
+++ b/playbooks/osh-infra-upgrade-host.yaml
@@ -39,3 +39,15 @@
 - upgrade-host
 - start-zuul-console
 - disable-local-nameserver
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ gather_facts: False
+ become: yes
+ roles:
+ - deploy-apparmor
+ tags:
+ - deploy-apparmor
diff --git a/roles/deploy-apparmor/tasks/main.yaml b/roles/deploy-apparmor/tasks/main.yaml
new file mode 100644
index 000000000..b03314c78
--- /dev/null
+++ b/roles/deploy-apparmor/tasks/main.yaml
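Review bot: The added include renders the AppArmor annotation for the calico-node container unconditionally, so pod admission now depends on every node having AppArmor enabled and the named profile loaded; the kubelet rejects a pod whose annotation names a profile the node does not have, which turns a missed host-provisioning step into a DaemonSet pod that never starts. calico-node is also a privileged container that, as far as I know, writes sysctls under /proc/sys/net and mounts host paths; if the runtime honours an explicit profile on a privileged container, `docker-default` (which I recall denies writes under /proc/sys outside kernel/shm* and denies mount) may break it, so this wants a check on an enforcing node via the pod's events and the AppArmor denials in the kernel audit log. I would add a template comment above the line, `{{/* Per-container AppArmor annotation; pods are rejected on nodes where the profile in pod.mandatory_access_control is not loaded */}}`. The enclosing annotations block starts outside the hunk.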
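Review bot: `localhost/docker-default` names the profile that the Docker runtime loads; on containerd-based nodes the runtime's own default profile has a different name and `docker-default` is normally not loaded, so calico-node would be rejected there with a profile-not-found error. If the intent is "the runtime's default profile", Kubernetes accepts the runtime-independent value `calico-node: runtime/default`, which avoids tying the chart to one runtime. Either way the key deserves a comment, e.g. `# AppArmor profile per container; it must be loaded on every node that runs calico-node`. The enclosing `pod:` mapping starts outside the hunk.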
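Review bot: The new play sets `gather_facts: False`, yet the deploy-apparmor role's tasks are conditioned on `ansible_distribution`; that only works if an earlier play in this playbook already gathered facts for the same hosts (facts persist for the run), which I cannot confirm from the hunk. If none does, the `when` fails on an undefined variable, so either `gather_facts: True` here or a comment on the play stating the dependency would be safer. As a matter of style, `gather_facts: False` and `become: yes` would read `gather_facts: false` and `become: true`, matching the role's own `become: true` and avoiding truthy-scalar ambiguity.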
@@ -0,0 +1,37 @@
+# Copyright 2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- block:
+ - name: ensuring AppArmor is deployed on host
+ when: ansible_distribution == 'Ubuntu'
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - apparmor
+
+ - name: "Enable AppArmor"
+ when: ansible_distribution == 'Ubuntu'
+ become: true
+ become_user: root
+ shell: |-
+ set -xe
+ systemctl enable apparmor
+ systemctl start apparmor
+ systemctl status apparmor.service
+ args:
+ executable: /bin/bash
+ ignore_errors: True
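Review bot: `ignore_errors: True` on the "Enable AppArmor" task swallows a failure of `systemctl enable`/`systemctl start`, and since `set -xe` plus the trailing `systemctl status` already makes the shell exit non-zero when the unit is not active, the task can only ever report success; a host where AppArmor did not come up is provisioned anyway and the failure surfaces later as calico-node pods rejected by the kubelet for a missing profile. The `systemd` module does the same work idempotently, reports the real outcome and is check-mode safe, so I would use it and drop `ignore_errors`. The task-level `become: true`/`become_user: root` duplicate what the calling play already sets, which is harmless but worth a comment if it is deliberate.
```yaml
  - name: "Enable AppArmor"
    when: ansible_distribution == 'Ubuntu'
    # … unchanged: become / become_user …
    systemd:
      name: apparmor
      enabled: true
      state: started
```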