diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 3f0ba0c6..d373416c 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -31,6 +31,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
   mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+  mount -> /tmp/ctd-volume[0-9]*/,
   mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
   umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
@@ -68,7 +69,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   /var/lib/containerd/{,**} rwk,
   /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
   /var/lib/docker/containerd/{,**} rwk,
-  /var/log/pods/**/[0-9]*.log w,
+  /var/lib/kubelet/seccomp/{,**} r,
+  /var/log/pods/**/[0-9]*.log{,*} w,
+  /var/lib/security-profiles-operator/{,**/*.json} r,
   @{run}/calico/ w,
   @{run}/containerd/{,**} rwk,
@@ -77,7 +80,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   @{run}/netns/cni-@{uuid} rw,
   @{run}/systemd/notify w,
-  /tmp/cri-containerd.apparmor.d[0-9]* rwl,
+  owner /var/tmp/** rwkl,
+  owner /tmp/** rwkl,
+  /tmp/cri-containerd.apparmor.d[0-9]* rwl,
+  /tmp/ctd-volume[0-9]*/ rw,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   @{sys}/kernel/security/apparmor/profiles r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 423e79d6..fa8e6bbe 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -17,6 +17,8 @@ profile k3s @{exec_path} flags=(complain) {
   capability kill,
   capability dac_override,
   capability dac_read_search,
+  capability fsetid
+  capability fowner
   capability net_admin,
   capability syslog,
   capability sys_admin,
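Review bot: The added `mount -> /tmp/ctd-volume[0-9]*/,` rule carries no fstype, options or source constraint, so it permits a mount of any type onto that target, while the tmpfs rule two lines above pins both fstype and options. If these are bind mounts of container volumes, `mount options=(rw, bind) -> /tmp/ctd-volume[0-9]*/,` would say so; I cannot tell from the hunk which mount type containerd performs here, so this needs checking against the denial that motivated the line. A short comment above it, e.g. `# TODO: document which containerd component creates /tmp/ctd-volume*/ and with what mount type`, would help, since the same path appears again as a file rule in the `@@ -77,7 +80,10 @@` hunk.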
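Review bot: The new `/var/lib/security-profiles-operator/{,**/*.json} r,` line is placed after `/var/log/pods/...`, which breaks the alphabetical order the surrounding lines follow (`/var/lib/containerd`, `/var/lib/docker`, `/var/lib/kubelet` all sort before `/var/log`); it belongs directly under the `/var/lib/kubelet/seccomp/{,**} r,` line. The widened glob `/var/log/pods/**/[0-9]*.log{,*} w,` also matches any file whose name merely continues after `.log`; if the intent is rotated logs named `<n>.log.<suffix>`, `/var/log/pods/**/[0-9]*.log{,.*} w,` is the narrower form. The same glob change appears in the k3s `@@ -70,7 +80,7 @@` hunk; I cannot see the rotation naming from the diff, so this should be confirmed against the actual file names before narrowing.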
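Review bot: `owner /var/tmp/** rwkl,` and `owner /tmp/** rwkl,` replace the single narrow `/tmp/cri-containerd.apparmor.d[0-9]*` pattern with read, write, lock and link access to every owner-matched file under both temporary directories, which removes most of the value the profile had for noticing unexpected file activity by containerd. The same pair replaces `owner /var/tmp/etilqs_[0-9a-f]* rw,` and `owner /tmp/kubectl-edit-[0-9]*.yaml rw,` in the k3s `@@ -81,8 +91,8 @@` hunk. If the paths that triggered the denials are known, keeping them as explicit patterns is preferable; if the broad rule is deliberate, it should carry a comment stating why, e.g. `# TODO: list the observed temp-file patterns and narrow these rules`. The retained `/tmp/cri-containerd.apparmor.d[0-9]* rwl,` and added `/tmp/ctd-volume[0-9]*/ rw,` lines only add anything for files not owned by the confining user, which is worth stating if intended.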
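Review bot: The two added lines `capability fsetid` and `capability fowner` are missing the trailing comma that terminates every other rule in this block, so the parser will read `capability fsetid capability fowner capability net_admin,` as a single rule and is likely to reject the profile; they should be `capability fsetid,` and `capability fowner,`. Inserting them between `dac_read_search` and `net_admin` also breaks the alphabetical order of the neighbouring lines (and `fowner` sorts before `fsetid`). Because fowner and fsetid let the process bypass ownership and set-id checks on file operations, a one-line comment naming the k3s operation that needs them would help a later reviewer judge whether they can be dropped.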
@@ -24,7 +26,15 @@ profile k3s @{exec_path} flags=(complain) {
   capability sys_resource,
   ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,k3s//xtables-nft-multi,unconfined},
+  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,unconfined},
+  ptrace (read) peer=mount,
+
+  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
+  # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
+  ptrace (read) peer=container-*,
+  ptrace (read) peer=docker-*,
+  ptrace (read) peer=k3s-*,
+  ptrace (read) peer=kubernetes-*,
   network inet dgram,
   network inet6 dgram,
@@ -70,7 +80,7 @@ profile k3s @{exec_path} flags=(complain) {
   /var/log/kubernetes/audit/** rw,
   /var/log/pods/{,**} r,
   /var/log/pods/{,**/} rw,
-  /var/log/pods/**/[0-9]*.log rw,
+  /var/log/pods/**/[0-9]*.log{,*} rw,
   owner @{HOME}/.kube/** rw,
@@ -81,8 +91,8 @@ profile k3s @{exec_path} flags=(complain) {
   @{run}/nodeagent/ rw,
   @{run}/xtables.lock rwk,
-  owner /var/tmp/etilqs_[0-9a-f]* rw,
-  owner /tmp/kubectl-edit-[0-9]*.yaml rw,
+  owner /var/tmp/** rwkl,
+  owner /tmp/** rwkl,
   owner @{PROC}/@{pids}/cgroup r,
   owner @{PROC}/@{pids}/cpuset r,
@@ -124,6 +134,7 @@ profile k3s @{exec_path} flags=(complain) {
   @{sys}/devices/system/cpu/ r,
   @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
   @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   @{sys}/devices/system/cpu/present{,/} r,
   @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
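Review bot: The added `ptrace (read) peer=mount,` line repeats the shape of the brace-set rule directly above it; folding it in as `ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,mount,unconfined},` keeps every explicitly named peer in one rule and leaves the `container-*`/`docker-*`/`k3s-*`/`kubernetes-*` wildcards as the only open-ended block. The comment over those wildcards admits the prefix list is a simplification but does not say where it comes from or when it should be revisited; a line such as `# TODO: replace the prefix wildcards with the profile names actually loaded in the cluster` would give the next maintainer a concrete task. Workloads confined under a profile whose name does not start with one of those four prefixes will presumably still produce ptrace denials from k3s, which is worth stating in the same comment so the resulting audit entries are not mistaken for a regression.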