diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 628e56bd..f945c911 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -117,6 +117,7 @@ spec:
 {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "apiserver-webhook" "containerNames" (list "apiserver" "webhook") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index d3b89e64..7e285f65 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -202,6 +202,11 @@ network_policy:
       - {}
 
 pod:
+  mandatory_access_control:
+    type: apparmor
+    apiserver-webhook:
+      apiserver: runtime/default
+      webhook: runtime/default
   security_context:
     apiserver_webhook:
       pod: