diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index fe884c42be..0c773af409 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -45,6 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "horizon" "containerNames" (list "horizon" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "horizon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/horizon/templates/job-db-sync.yaml b/horizon/templates/job-db-sync.yaml
index 893428cbaa..34872f0d0d 100644
--- a/horizon/templates/job-db-sync.yaml
+++ b/horizon/templates/job-db-sync.yaml
@@ -34,6 +34,8 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "horizon" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "horizon-db-sync" "containerNames" (list "horizon-db-sync" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
diff --git a/horizon/values_overrides/apparmor.yaml b/horizon/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..c31c5d06ba
--- /dev/null
+++ b/horizon/values_overrides/apparmor.yaml
@@ -0,0 +1,9 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    horizon:
+      horizon: runtime/default
+      init: runtime/default
+    horizon-db-sync:
+      horizon-db-sync: runtime/default
+      init: runtime/default
diff --git a/zuul.d/jobs-openstack-helm.yaml b/zuul.d/jobs-openstack-helm.yaml
index db419eb1ab..849c1fc1fe 100644
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
@@ -240,6 +240,7 @@
     name: openstack-helm-apparmor
     parent: openstack-helm-chart-deploy
     run: tools/gate/playbooks/osh-gate-runner.yaml
+    timeout: 9600
     vars:
       osh_params:
         openstack_release: stein
@@ -256,6 +257,7 @@
         - ./tools/deployment/component/common/rabbitmq.sh
         - ./tools/deployment/component/nfs-provisioner/nfs-provisioner.sh
         - ./tools/deployment/component/keystone/keystone.sh
+        - ./tools/deployment/component/horizon/horizon.sh
         - ./tools/deployment/component/heat/heat.sh
         - ./tools/deployment/component/glance/glance.sh
         - ./tools/deployment/component/compute-kit/openvswitch.sh