diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml index 4aa713c..360546b 100644 --- a/charts/maas/templates/deployment-ingress-errors.yaml +++ b/charts/maas/templates/deployment-ingress-errors.yaml @@ -37,6 +37,8 @@ spec: metadata: labels: {{ $labels | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-ingress-errors" "containerNames" (list "maas-ingress-errors") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "ingress_errors" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/charts/maas/templates/deployment-maas-ingress.yaml b/charts/maas/templates/deployment-maas-ingress.yaml index 2f9b8f6..290e97a 100644 --- a/charts/maas/templates/deployment-maas-ingress.yaml +++ b/charts/maas/templates/deployment-maas-ingress.yaml @@ -164,6 +164,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} +{{ dict "envAll" $envAll "podName" "maas-ingress" "containerNames" (list "init" "maas-ingress-vip-init" "maas-ingress-vip" "maas-ingress") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} affinity: diff --git a/charts/maas/templates/job-bootstrap-admin-user.yaml b/charts/maas/templates/job-bootstrap-admin-user.yaml index 8e26931..dece8ef 100644 --- a/charts/maas/templates/job-bootstrap-admin-user.yaml +++ b/charts/maas/templates/job-bootstrap-admin-user.yaml 
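Review bot: The `containerNames` list for `maas-ingress-errors` names only the main container, whereas the other pods annotated in this commit, apart from `maas-syslog` before this change, also list `init`. The container definitions of this Deployment are outside the hunk, so it cannot be confirmed from here that the pod has no init container. If it has one, that container gets no explicit profile annotation. In that case the list should read `(list "init" "maas-ingress-errors")` and values.yaml needs `init: runtime/default` under `maas-ingress-errors`.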
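Review bot: The four names passed as `containerNames` in deployment-maas-ingress.yaml are string literals that must match both the container names in the pod spec (outside this hunk) and the keys under `pod.mandatory_access_control.maas-ingress` in values.yaml, and nothing in the template documents that coupling. Assuming the helper renders one AppArmor annotation per listed container, a name that drifts after a rename is likely to surface as a pod rejected at validation, while a container missing from the list carries no explicit profile. A comment above the include would make the dependency visible, for example `{{/* containerNames must match the init and main container names in this pod spec and the keys under pod.mandatory_access_control.maas-ingress in values.yaml */}}`. The same applies to the five job hunks and to the `init` and `logrotate` additions in the three statefulset hunks. Comparing the `helm template` output for each pod against its container list before merge would confirm the names.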
@@ -30,6 +30,8 @@ spec: metadata: labels: {{ tuple $envAll "maas" "bootstrap-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-bootstrap-admin-user" "containerNames" (list "init" "maas-bootstrap-admin-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure diff --git a/charts/maas/templates/job-db-init.yaml b/charts/maas/templates/job-db-init.yaml index 48eb148..7238e03 100644 --- a/charts/maas/templates/job-db-init.yaml +++ b/charts/maas/templates/job-db-init.yaml @@ -30,6 +30,8 @@ spec: metadata: labels: {{ tuple $envAll "maas" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-db-init" "containerNames" (list "init" "maas-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure diff --git a/charts/maas/templates/job-db-sync.yaml b/charts/maas/templates/job-db-sync.yaml index edf492f..5f35302 100644 --- a/charts/maas/templates/job-db-sync.yaml +++ b/charts/maas/templates/job-db-sync.yaml @@ -30,6 +30,8 @@ spec: metadata: labels: {{ tuple $envAll "maas" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-db-sync" "containerNames" (list "init" "maas-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure diff --git a/charts/maas/templates/job-export-api-key.yaml b/charts/maas/templates/job-export-api-key.yaml index 77a76ac..4db0b5b 100644 --- a/charts/maas/templates/job-export-api-key.yaml 
+++ b/charts/maas/templates/job-export-api-key.yaml @@ -74,6 +74,8 @@ spec: metadata: labels: {{ tuple $envAll "maas" "export-api-key" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-export-api-key" "containerNames" (list "init" "exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml index 7d649a0..cc32ffc 100644 --- a/charts/maas/templates/job-import.yaml +++ b/charts/maas/templates/job-import.yaml @@ -30,6 +30,8 @@ spec: metadata: labels: {{ tuple $envAll "maas" "import-resources" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "maas-import-resources" "containerNames" (list "init" "region-import-resources") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure diff --git a/charts/maas/templates/statefulset-maas-syslog.yaml b/charts/maas/templates/statefulset-maas-syslog.yaml index 90b5f0b..9e0a18b 100644 --- a/charts/maas/templates/statefulset-maas-syslog.yaml +++ b/charts/maas/templates/statefulset-maas-syslog.yaml 
@@ -42,7 +42,7 @@ spec: annotations: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "maas-syslog" "containerNames" (list "syslog") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "maas-syslog" "containerNames" (list "init" "logrotate" "syslog") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} shareProcessNamespace: true diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml index e91bd86..4b7b8ee 100644 --- a/charts/maas/templates/statefulset-rack.yaml +++ b/charts/maas/templates/statefulset-rack.yaml @@ -48,7 +48,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "init" "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} affinity: diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml index 187b667..3f77ea3 100644 --- a/charts/maas/templates/statefulset-region.yaml +++ b/charts/maas/templates/statefulset-region.yaml 
@@ -44,7 +44,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} -{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "init" "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} affinity: diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml index dd6c1ec..578cdbc 100644 --- a/charts/maas/values.yaml +++ b/charts/maas/values.yaml @@ -288,11 +288,37 @@ pod: mandatory_access_control: type: apparmor maas-rack: - maas-rack: localhost/docker-default + maas-rack: runtime/default + init: runtime/default maas-region: - maas-region: localhost/docker-default + maas-region: runtime/default + init: runtime/default maas-syslog: - syslog: localhost/docker-default + syslog: runtime/default + logrotate: runtime/default + init: runtime/default + maas-ingress: + maas-ingress-vip: runtime/default + maas-ingress: runtime/default + init: runtime/default + maas-ingress-vip-init: runtime/default + maas-ingress-errors: + maas-ingress-errors: runtime/default + maas-bootstrap-admin-user: + maas-bootstrap-admin-user: runtime/default + init: runtime/default + maas-db-init: + maas-db-init: runtime/default + init: runtime/default + maas-db-sync: + maas-db-sync: runtime/default + init: runtime/default + maas-export-api-key: + exporter: runtime/default + init: runtime/default + maas-import-resources: + region-import-resources: runtime/default + init: runtime/default security_context: maas-syslog: pod:
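Review bot: The `mandatory_access_control` block in values.yaml now covers ten pods but has no comment saying that each nested key must equal a container name in the matching template's `containerNames` list, or which profile values are accepted. The default also changes from `localhost/docker-default` to `runtime/default` without a note. Operators whose overrides still carry the old value for `maas-rack`, `maas-region` or `maas-syslog` will keep referencing a node-local profile that has to be loaded on every node, and will presumably get `runtime/default` only on the newly added entries. I would add above `type: apparmor` a comment such as `# Per pod, then per container name (must match the template's containerNames): AppArmor profile, e.g. runtime/default or localhost/<profile-name>`. The `maas-ingress` keys are also in a different order from the template's list, which is harmless but makes the two harder to compare by eye.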