diff --git a/apparmor.d/groups/virt/calico b/apparmor.d/groups/virt/calico
new file mode 100644
index 00000000..328d3e85
--- /dev/null
+++ b/apparmor.d/groups/virt/calico
@@ -0,0 +1,26 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{opt/,}{cni/,}bin/calico
+profile calico @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rix,
+  @{exec_path}-ipam rix,
+  
+  network inet,
+  
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /var/lib/calico/ r,
+  /var/lib/calico/** r,
+  /etc/cni/net.d/ r,
+  /etc/cni/net.d/** r,
+    
+  /var/log/calico/cni/ r,
+  /var/log/calico/cni/cni.log wr,
+  
+  /run/calico/ipam.lock rwk,
+
+  include if exists <local/calico>
+}
diff --git a/apparmor.d/groups/virt/cni b/apparmor.d/groups/virt/cni
new file mode 100644
index 00000000..2a4039c0
--- /dev/null
+++ b/apparmor.d/groups/virt/cni
@@ -0,0 +1,35 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile loopback /{opt/,}{cni/,}bin/loopback {
+  include <abstractions/base>
+
+  /opt/cni/bin/loopback rix,
+  
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/loopback>
+}
+
+profile portmap /{opt/,}{cni/,}bin/portmap {
+  include <abstractions/base>
+
+  /opt/cni/bin/portmap rix,
+  
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/portmap>
+}
+
+profile bandwidth /{opt/,}{cni/,}bin/bandwidth {
+  include <abstractions/base>
+
+  /opt/cni/bin/bandwidth rix,
+  
+  network inet,
+  network netlink raw,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/bandwidth>
+}
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index e279b484..1ae77b55 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/containerd
 profile containerd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability dac_read_search,
   capability net_admin,
@@ -16,6 +17,10 @@ profile containerd @{exec_path} {
 
   signal (receive) set=term peer=dockerd,
 
+  # Pulling container images
+  network inet,
+  network inet6,
+
   @{exec_path} mr,
 
   /{usr/,}bin/containerd-shim-runc-v2 rPUx,
@@ -26,6 +31,19 @@ profile containerd @{exec_path} {
   /etc/cni/net.d/ rw,
   /etc/containerd/*.toml r,
 
+  /opt/cni/bin/loopback Px,
+  /opt/cni/bin/portmap Px,
+  /opt/cni/bin/bandwidth Px,
+  /opt/cni/bin/calico Px,
+
+  /var/log/pods/**/[0-9]*.log w,
+  @{run}/calico/ w,
+
+  @{run}/netns/ w,
+  @{run}/netns/cni-@{uuid} rw,
+  /var/lib/cni/results/cni-loopback-@{uuid}-lo l,
+  @{PROC}/@{pid}/task/[0-9]*/ns/net rw,
+
   /var/lib/containerd/{,**} rwk,
   /var/lib/docker/containerd/{,**} rwk,
   @{run}/containerd/{,**} rwk,