diff --git a/ranger-agent/templates/deployment-ranger-agent-api.yaml b/ranger-agent/templates/deployment-ranger-agent-api.yaml
index 8db1fbb0..3e6a4ae6 100755
--- a/ranger-agent/templates/deployment-ranger-agent-api.yaml
+++ b/ranger-agent/templates/deployment-ranger-agent-api.yaml
@@ -66,6 +66,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ranger-agent-api" "containerNames" (list "init" "ranger-agent-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "ranger_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ranger-agent/templates/deployment-ranger-agent-engine.yaml b/ranger-agent/templates/deployment-ranger-agent-engine.yaml
index 8e704b87..cdeb44a0 100755
--- a/ranger-agent/templates/deployment-ranger-agent-engine.yaml
+++ b/ranger-agent/templates/deployment-ranger-agent-engine.yaml
@@ -66,6 +66,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "ranger-agent" "containerNames" (list "ranger-agent-engine") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "ranger_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/ranger-agent/values_overrides/apparmor.yaml b/ranger-agent/values_overrides/apparmor.yaml
new file mode 100644
index 00000000..95a3a567
--- /dev/null
+++ b/ranger-agent/values_overrides/apparmor.yaml
@@ -0,0 +1,9 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ranger-agent-api:
+      init: runtime/default
+      ranger-agent-api: runtime/default
+    ranger-agent:
+      ranger-agent-engine: runtime/default
+
diff --git a/tools/deployment/component/ranger/ranger-agent.sh b/tools/deployment/component/ranger/ranger-agent.sh
index 4d031340..f6ef7faf 100755
--- a/tools/deployment/component/ranger/ranger-agent.sh
+++ b/tools/deployment/component/ranger/ranger-agent.sh
@@ -84,9 +84,17 @@ dependencies:
           service: local_image_registry
 EOF
 
+#NOTE: Get the over-rides to use
+: ${OSH_EXTRA_HELM_ARGS_RANGER_AGENT:="$(./tools/deployment/common/get-values-overrides.sh ranger-agent)"}
+
+#NOTE: Deploy command
+: ${OSH_EXTRA_HELM_ARGS:=""}
+
 helm upgrade --install ranger-agent ./ranger-agent \
   --namespace=openstack \
-  --values=/tmp/ranger-agent.yaml
+  --values=/tmp/ranger-agent.yaml \
+    ${OSH_EXTRA_HELM_ARGS} \
+    ${OSH_EXTRA_HELM_ARGS_RANGER_AGENT}
 
 #NOTE: Wait for deploy
 ./tools/deployment/common/wait-for-pods.sh openstack
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 9393faf4..d646723e 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -66,7 +66,8 @@
       osh_params:
         openstack_release: ocata
         container_distro_name: ubuntu
-        container_distro_version: xenial
+        container_distro_version: bionic
+        feature_gates: apparmor
       gate_scripts:
         - ./tools/deployment/common/install-packages.sh
         - ./tools/deployment/common/deploy-k8s.sh