diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index afa78f1a4a..d08cd3c344 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -52,6 +52,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-api" "containerNames" (list "keystone-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/keystone/templates/job-credential-cleanup.yaml b/keystone/templates/job-credential-cleanup.yaml
index 5337dcd50e..41f86b0a94 100644
--- a/keystone/templates/job-credential-cleanup.yaml
+++ b/keystone/templates/job-credential-cleanup.yaml
@@ -38,6 +38,11 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll $serviceName "credential-cleanup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-credential-cleanup" "containerNames" (list "keystone-credential-cleanup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceName }}
       restartPolicy: Never
diff --git a/keystone/templates/job-credential-setup.yaml b/keystone/templates/job-credential-setup.yaml
index 19c41b4140..bb498f0619 100644
--- a/keystone/templates/job-credential-setup.yaml
+++ b/keystone/templates/job-credential-setup.yaml
@@ -62,6 +62,11 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "keystone" "credential-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-credential-setup" "containerNames" (list "keystone-credential-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       initContainers:
diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml
index 014f598bf6..26f417d606 100644
--- a/keystone/templates/job-domain-manage.yaml
+++ b/keystone/templates/job-domain-manage.yaml
@@ -32,6 +32,11 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-domain-manage" "containerNames" (list "keystone-domain-manage" "keystone-domain-manage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
diff --git a/keystone/templates/job-fernet-setup.yaml b/keystone/templates/job-fernet-setup.yaml
index 957e9d4c01..de22de8557 100644
--- a/keystone/templates/job-fernet-setup.yaml
+++ b/keystone/templates/job-fernet-setup.yaml
@@ -61,6 +61,11 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "keystone" "fernet-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-fernet-setup" "containerNames" (list "keystone-fernet-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       initContainers:
diff --git a/keystone/values_overrides/apparmor.yaml b/keystone/values_overrides/apparmor.yaml
index 234a533916..03c4cdf404 100644
--- a/keystone/values_overrides/apparmor.yaml
+++ b/keystone/values_overrides/apparmor.yaml
@@ -1,5 +1,14 @@
 pod:
   mandatory_access_control:
     type: apparmor
-    keystone-api-default:
-      keystone-api-default: runtime/default
+    keystone-api:
+      keystone-api: runtime/default
+    keystone-credential-setup:
+      keystone-credential-setup: runtime/default
+    keystone-fernet-setup:
+      keystone-fernet-setup: runtime/default
+    keystone-credential-cleanup:
+      keystone-credential-cleanup: runtime/default
+    keystone-domain-manage:
+      keystone-domain-manage: runtime/default
+      keystone-domain-manage-init: runtime/default