diff --git a/.zuul.yaml b/.zuul.yaml
index 3b7f05d2..8cd2c97d 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -59,6 +59,8 @@
 Deploy airship promenade genesis
 run: tools/zuul/playbooks/deploy-promenade.yaml
 post-run: tools/zuul/playbooks/debug-report.yaml
+ required-projects:
+ - openstack/openstack-helm-infra
 timeout: 3600
 nodeset: airship-promenade-single-node-bionic
@@ -67,6 +69,8 @@
 description: |
 Deploy airship promenade genesis with containerd
 run: tools/zuul/playbooks/deploy-promenade-containerd.yaml
+ required-projects:
+ - openstack/openstack-helm-infra
 timeout: 3600
 nodeset: airship-promenade-single-node-bionic
diff --git a/charts/controller_manager/templates/daemonset.yaml b/charts/controller_manager/templates/daemonset.yaml
index 34071a26..397b6187 100644
--- a/charts/controller_manager/templates/daemonset.yaml
+++ b/charts/controller_manager/templates/daemonset.yaml
@@ -42,6 +42,7 @@ spec:
 scheduler.alpha.kubernetes.io/critical-pod: ''
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "kubernetes-controller-manager-anchor" "containerNames" (list "anchor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "kubernetes" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 nodeSelector:
diff --git a/charts/controller_manager/values.yaml b/charts/controller_manager/values.yaml
index b5861c5e..c2e9be9a 100644
--- a/charts/controller_manager/values.yaml
+++ b/charts/controller_manager/values.yaml
@@ -85,6 +85,10 @@ dependencies:
 controller_manager:
 pod:
+ mandatory_access_control:
+ type: apparmor
+ kubernetes-controller-manager-anchor:
+ anchor: runtime/default
 security_context:
 kubernetes:
 pod:
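Review bot: In charts/controller_manager/templates/daemonset.yaml the added annotation call names only the `anchor` container (`"containerNames" (list "anchor")`), so any other container or init container in this pod template would be left without an AppArmor profile annotation; the container list lies outside the hunk, so this needs checking against the full template. The pod is also the anchor DaemonSet rather than the controller-manager workload itself, which presumably runs from a manifest this hunk does not touch and is therefore not confined by this change. A template comment above the line would record the scope, e.g. `{{/* AppArmor annotation: covers the "anchor" container only; extend containerNames when containers are added */}}`.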
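Review bot: The new `mandatory_access_control` default in charts/controller_manager/values.yaml is undocumented, and two of its properties matter to operators: the key `kubernetes-controller-manager-anchor` has to match the `podName` string passed in templates/daemonset.yaml (a mismatch presumably renders no annotation and raises no error), and the block turns the annotation on for every install. On a node where AppArmor is not enabled the kubelet refuses to run a pod that requests an AppArmor profile, which for this DaemonSet would block a control-plane component. I would add a comment above the block such as `# AppArmor profile per container: <pod name> -> <container name> -> profile; the pod name must match podName in templates/daemonset.yaml`, and state how the setting is overridden for hosts without AppArmor.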
diff --git a/tools/zuul/playbooks/deploy-promenade-containerd.yaml b/tools/zuul/playbooks/deploy-promenade-containerd.yaml
index f6afb87e..5437f814 100644
--- a/tools/zuul/playbooks/deploy-promenade-containerd.yaml
+++ b/tools/zuul/playbooks/deploy-promenade-containerd.yaml
@@ -22,6 +22,14 @@
 - name: Install docker
 command: apt-get install docker.io resolvconf -y
+ - name: Setup Apparmor
+ shell: |
+ set -xe;
+ ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+ args:
+ chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
+ executable: /bin/bash
+
 - name: Generate configuration files
 shell: |
 set -xe;
diff --git a/tools/zuul/playbooks/deploy-promenade.yaml b/tools/zuul/playbooks/deploy-promenade.yaml
index 1bfa21e4..5433483e 100644
--- a/tools/zuul/playbooks/deploy-promenade.yaml
+++ b/tools/zuul/playbooks/deploy-promenade.yaml
@@ -22,6 +22,14 @@
 - name: Install docker
 command: apt-get install docker.io resolvconf -y
+ - name: Setup Apparmor
+ shell: |
+ set -xe;
+ ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+ args:
+ chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
+ executable: /bin/bash
+
 - name: Generate configuration files
 shell: |
 set -xe;
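Review bot: The `Setup Apparmor` task in tools/zuul/playbooks/deploy-promenade-containerd.yaml executes `001-setup-apparmor-profiles.sh` from the openstack-helm-infra checkout, so what it changes on the node is decided outside this repository and at whatever ref Zuul prepares for the job; the identical task added to tools/zuul/playbooks/deploy-promenade.yaml has the same property. The chart values in this commit request only `runtime/default`, so the diff does not show why the script is needed; a comment on the task should say what it is expected to set up and record the dependency, e.g. `# Requires openstack/openstack-helm-infra in the job's required-projects (see .zuul.yaml)`. Because the task is duplicated verbatim, a shared task file included by both playbooks would keep the two copies from drifting. The enclosing play starts and ends outside the hunk, so privilege settings such as `become` are not visible here.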