MSP-3392: add supporting apparmor to soperator

api/v1/slurmcluster_types.go

@@ -79,6 +79,10 @@ type SlurmClusterSpec struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default={defMemPerNode: 1228800, defCpuPerGPU: 16, completeWait: 5, debugFlags: "Cgroup,CPU_Bind,Gres,JobComp,Priority,Script,SelectType,Steps,TraceJobs", taskPluginParam: "Verbose", maxJobCount: 10000, minJobAge: 86400}
 	SlurmConfig SlurmConfig `json:"slurmConfig,omitempty"`
+	// Generate and set default AppArmor profile for the Slurm worker and login nodes. The Security Profiles Operator must be installed.
+	//
+	// +kubebuilder:default=true
+	UseDefaultAppArmorProfile bool `json:"useDefaultAppArmorProfile,omitempty"`
 }
 
 // SlurmConfig represents the Slurm configuration in slurm.conf

cmd/main.go

@@ -40,6 +40,7 @@ import (
 	mariadbv1alpha1 "github.com/mariadb-operator/mariadb-operator/api/v1alpha1"
 	otelv1beta1 "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	prometheusv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	apparmor "sigs.k8s.io/security-profiles-operator/api/apparmorprofile/v1alpha1"
 
 	slurmv1 "nebius.ai/slurm-operator/api/v1"
 	"nebius.ai/slurm-operator/internal/check"
@@ -65,6 +66,9 @@ func init() {
 	if check.IsMariaDbCRDInstalled() {
 		utilruntime.Must(mariadbv1alpha1.AddToScheme(scheme))
 	}
+	if check.IsAppArmorCRDInstalled() {
+		utilruntime.Must(apparmor.AddToScheme(scheme))
+	}
 
 	utilruntime.Must(slurmv1.AddToScheme(scheme))
 

config/crd/bases/slurm.nebius.ai_slurmclusters.yaml

@@ -4405,6 +4405,11 @@ spec:
                         type: integer
                     type: object
                 type: object
+              useDefaultAppArmorProfile:
+                default: true
+                description: Generate and set default AppArmor profile for the Slurm
+                  worker and login nodes. The Security Profiles Operator must be installed.
+                type: boolean
               volumeSources:
                 description: VolumeSources define the sources for the volumes
                 items:

config/manager/manager.yaml

@@ -82,6 +82,9 @@ spec:
           # True if the MariaDB CRD is installed in the cluster kubernetes (default false)
           - name: IS_MARIADB_CRD_INSTALLED
             value: "false"
+          # True if the AppArmor CRD is installed in the cluster kubernetes (default false)
+          - name: IS_APPARMOR_CRD_INSTALLED
+            value: "false"
           - name: SLURM_OPERATOR_WATCH_NAMESPACES
             value: "*"
         image: controller:1.16.1

config/rbac/role.yaml

@@ -120,6 +120,18 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - security-profiles-operator.x-k8s.io
+  resources:
+  - apparmorprofiles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - slurm.nebius.ai
   resources:

go.mod

@@ -21,18 +21,23 @@ require (
 	k8s.io/client-go v0.31.4
 	k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3
 	sigs.k8s.io/controller-runtime v0.19.3
+	sigs.k8s.io/security-profiles-operator v0.8.4
 	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
+	github.com/containers/common v0.59.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
 	github.com/sethvargo/go-envconfig v1.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	sigs.k8s.io/release-utils v0.8.1 // indirect
 )
 
 require (
@@ -49,7 +54,7 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect

go.sum

@@ -2,6 +2,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/containers/common v0.59.0 h1:fy9Jz0B7Qs1C030bm73YJtVddaiFSZD3558EV1tgN2g=
+github.com/containers/common v0.59.0/go.mod h1:53VicJCZ2AD0O+Br7VVoyrS7viXF4YmwlTIocWUT8XE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -37,8 +39,8 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -80,6 +82,10 @@ github.com/open-telemetry/opentelemetry-operator v0.103.0 h1:L0REMuJSMZjqCw7p7fW
 github.com/open-telemetry/opentelemetry-operator v0.103.0/go.mod h1:kf5B7DLm4m88avApWmHhBjn66fQfSABM2cuQfHqAR+Y=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
+github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-tools v0.9.1-0.20230914150019-408c51e934dc h1:d2hUh5O6MRBvStV55MQ8we08t42zSTqBbscoQccWmMc=
+github.com/opencontainers/runtime-tools v0.9.1-0.20230914150019-408c51e934dc/go.mod h1:8tx1helyqhUC65McMm3x7HmOex8lO2/v9zPuxmKHurs=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -99,6 +105,8 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
+github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sethvargo/go-envconfig v1.1.0 h1:cWZiJxeTm7AlCvzGXrEXaSTCNgip5oJepekh/BOQuog=
 github.com/sethvargo/go-envconfig v1.1.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
 github.com/sethvargo/go-password v0.3.1 h1:WqrLTjo7X6AcVYfC6R7GtSyuUQR9hGyAj/f1PYQZCJU=
@@ -109,6 +117,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -208,6 +218,10 @@ sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8b
 sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/release-utils v0.8.1 h1:qSA9p3vZzO6RAq7zvzupCZjR29+n3NK9DSJPe9bSf7w=
+sigs.k8s.io/release-utils v0.8.1/go.mod h1:vrQ3eR1VmudgX4OUwr4pUZEkYLRms9bdbv06mr3kchQ=
+sigs.k8s.io/security-profiles-operator v0.8.4 h1:j00FWU9/NFnGYx7krJqiaHsuXyTmBwWq+luv2vmdguA=
+sigs.k8s.io/security-profiles-operator v0.8.4/go.mod h1:eXHEJ49YPW2gG8E4zWalu9LxO8oLAltBHk11s+fB87s=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=

helm/slurm-cluster/templates/slurm-cluster-cr.yaml

@@ -18,6 +18,7 @@ spec:
     {{- toYaml .Values.slurmConfig | nindent 4 }}
   {{- end }}
   crVersion: {{ .Chart.Version }}
+  useDefaultAppArmorProfile: {{ .Values.useDefaultAppArmorProfile }}
   pause: {{ .Values.pause }}
   clusterType: {{ .Values.clusterType }}
   partitionConfiguration:

helm/slurm-cluster/values.yaml

@@ -1,6 +1,8 @@
 clusterName: "slurm1"
 # Additional annotations for the cluster
 annotations: {}
+# Add appArmor profile to the cluster
+useDefaultAppArmorProfile: true
 # Whether to gracefully stop the cluster. Setting it to false after cluster has been paused starts the cluster back
 pause: false
 # Slurm cluster type. Can be now gpu or cpu

helm/soperator-crds/templates/slurmcluster-crd.yaml

@@ -4404,6 +4404,11 @@ spec:
                         type: integer
                     type: object
                 type: object
+              useDefaultAppArmorProfile:
+                default: true
+                description: Generate and set default AppArmor profile for the Slurm
+                  worker and login nodes. The Security Profiles Operator must be installed.
+                type: boolean
               volumeSources:
                 description: VolumeSources define the sources for the volumes
                 items:

helm/soperator/crds/slurmcluster-crd.yaml

@@ -4404,6 +4404,11 @@ spec:
                         type: integer
                     type: object
                 type: object
+              useDefaultAppArmorProfile:
+                default: true
+                description: Generate and set default AppArmor profile for the Slurm
+                  worker and login nodes. The Security Profiles Operator must be installed.
+                type: boolean
               volumeSources:
                 description: VolumeSources define the sources for the volumes
                 items:

helm/soperator/templates/deployment.yaml

@@ -31,14 +31,16 @@ spec:
         - name: ENABLE_WEBHOOKS
           value: "false"
         {{- end }}
-        - name: IS_OPENTELEMETRY_COLLECTOR_CRD_INSTALLED
-          value: {{ quote .Values.controllerManager.manager.env.isOpentelemetryCollectorCrdInstalled
-            }}
+        - name: IS_APPARMOR_CRD_INSTALLED
+          value: {{ quote .Values.controllerManager.manager.env.isApparmorCrdInstalled }}
         - name: IS_PROMETHEUS_CRD_INSTALLED
           value: {{ quote .Values.controllerManager.manager.env.isPrometheusCrdInstalled
             }}
         - name: IS_MARIADB_CRD_INSTALLED
           value: {{ quote .Values.controllerManager.manager.env.isMariadbCrdInstalled }}
+        - name: IS_OPENTELEMETRY_COLLECTOR_CRD_INSTALLED
+          value: {{ quote .Values.controllerManager.manager.env.isOpentelemetryCollectorCrdInstalled
+            }}
         - name: SLURM_OPERATOR_WATCH_NAMESPACES
           value: {{ quote .Values.controllerManager.manager.env.slurmOperatorWatchNamespaces
             }}

helm/soperator/templates/manager-rbac.yaml

@@ -121,6 +121,18 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - security-profiles-operator.x-k8s.io
+  resources:
+  - apparmorprofiles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - slurm.nebius.ai
   resources:

helm/soperator/values.yaml

@@ -32,6 +32,7 @@ controllerManager:
     env:
       isMariadbCrdInstalled: "false"
       isOpentelemetryCollectorCrdInstalled: "false"
+      isApparmorCrdInstalled: "false"
       isPrometheusCrdInstalled: "false"
       slurmOperatorWatchNamespaces: '*'
     image:

internal/check/installed_crd.go

@@ -11,6 +11,7 @@ var (
 	IsOpenTelemetryCollectorCRDInstalled = false
 	IsPrometheusOperatorCRDInstalled     = false
 	IsMariaDbOperatorCRDInstalled        = false
+	IsAppArmorOperatorCRDInstalled       = false
 )
 
 func IsOtelCRDInstalled() bool {
@@ -28,6 +29,11 @@ func IsMariaDbCRDInstalled() bool {
 	return IsMariaDbOperatorCRDInstalled
 }
 
+func IsAppArmorCRDInstalled() bool {
+	IsAppArmorOperatorCRDInstalled = os.Getenv("IS_APPARMOR_CRD_INSTALLED") == "true"
+	return IsAppArmorOperatorCRDInstalled
+}
+
 func IsPrometheusEnabled(exporter *values.SlurmExporter) bool {
 	if exporter != nil && exporter.Enabled {
 

internal/controller/clustercontroller/common.go

@@ -191,6 +191,34 @@ func (r SlurmClusterReconciler) ReconcileCommon(
 					return nil
 				},
 			},
+			utils.MultiStepExecutionStep{
+				Name: "AppArmor profiles",
+				Func: func(stepCtx context.Context) error {
+					stepLogger := log.FromContext(stepCtx)
+					stepLogger.Info("Reconciling")
+					if !check.IsAppArmorCRDInstalled() {
+						stepLogger.Info("AppArmor CRD is not installed, skipping AppArmor profile reconciliation")
+						return nil
+					}
+					if !clusterValues.NodeLogin.UseDefaultAppArmorProfile || !clusterValues.NodeWorker.UseDefaultAppArmorProfile {
+						stepLogger.Info("Default AppArmor profile is not set, skipping AppArmor profile reconciliation")
+						return nil
+					}
+
+					desired := common.RenderAppArmorProfile(
+						clusterValues,
+					)
+					stepLogger = stepLogger.WithValues(logfield.ResourceKV(desired)...)
+					stepLogger.Info("Rendered")
+
+					if err := r.AppArmorProfile.Reconcile(stepCtx, cluster, desired); err != nil {
+						stepLogger.Error(err, "Failed to reconcile")
+						return errors.Wrap(err, "reconciling AppArmor profiles")
+					}
+					stepLogger.Info("Reconciled")
+					return nil
+				},
+			},
 		)
 	}
 

internal/controller/clustercontroller/reconcile.go

@@ -42,6 +42,7 @@ import (
 	mariadbv1alpha1 "github.com/mariadb-operator/mariadb-operator/api/v1alpha1"
 	otelv1beta1 "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	prometheusv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	apparmor "sigs.k8s.io/security-profiles-operator/api/apparmorprofile/v1alpha1"
 )
 
 //+kubebuilder:rbac:groups=slurm.nebius.ai,resources=slurmclusters,verbs=get;list;watch;create;update;patch;delete
@@ -68,28 +69,30 @@ import (
 //+kubebuilder:rbac:groups=k8s.mariadb.com,resources=mariadbs,verbs=get;list;watch;update;patch;delete;create
 //+kubebuilder:rbac:groups=k8s.mariadb.com,resources=grants,verbs=get;list;watch;update;patch;delete;create
 //+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;update;patch;delete;create
+//+kubebuilder:rbac:groups=security-profiles-operator.x-k8s.io,resources=apparmorprofiles,verbs=get;list;watch;update;patch;delete;create
 
 // SlurmClusterReconciler reconciles a SlurmCluster object
 type SlurmClusterReconciler struct {
 	*reconciler.Reconciler
 
 	WatchNamespaces WatchNamespaces
 
-	ConfigMap      *reconciler.ConfigMapReconciler
-	Secret         *reconciler.SecretReconciler
-	CronJob        *reconciler.CronJobReconciler
-	Job            *reconciler.JobReconciler
-	Service        *reconciler.ServiceReconciler
-	StatefulSet    *reconciler.StatefulSetReconciler
-	DaemonSet      *reconciler.DaemonSetReconciler
-	ServiceAccount *reconciler.ServiceAccountReconciler
-	Role           *reconciler.RoleReconciler
-	RoleBinding    *reconciler.RoleBindingReconciler
-	Otel           *reconciler.OtelReconciler
-	PodMonitor     *reconciler.PodMonitorReconciler
-	Deployment     *reconciler.DeploymentReconciler
-	MariaDb        *reconciler.MariaDbReconciler
-	MariaDbGrant   *reconciler.MariaDbGrantReconciler
+	ConfigMap       *reconciler.ConfigMapReconciler
+	Secret          *reconciler.SecretReconciler
+	CronJob         *reconciler.CronJobReconciler
+	Job             *reconciler.JobReconciler
+	Service         *reconciler.ServiceReconciler
+	StatefulSet     *reconciler.StatefulSetReconciler
+	DaemonSet       *reconciler.DaemonSetReconciler
+	ServiceAccount  *reconciler.ServiceAccountReconciler
+	Role            *reconciler.RoleReconciler
+	RoleBinding     *reconciler.RoleBindingReconciler
+	Otel            *reconciler.OtelReconciler
+	PodMonitor      *reconciler.PodMonitorReconciler
+	Deployment      *reconciler.DeploymentReconciler
+	MariaDb         *reconciler.MariaDbReconciler
+	MariaDbGrant    *reconciler.MariaDbGrantReconciler
+	AppArmorProfile *reconciler.AppArmorProfileReconciler
 }
 
 func NewSlurmClusterReconciler(client client.Client, scheme *runtime.Scheme, recorder record.EventRecorder) *SlurmClusterReconciler {
@@ -113,6 +116,7 @@ func NewSlurmClusterReconciler(client client.Client, scheme *runtime.Scheme, rec
 		Deployment:      reconciler.NewDeploymentReconciler(r),
 		MariaDb:         reconciler.NewMariaDbReconciler(r),
 		MariaDbGrant:    reconciler.NewMariaDbGrantReconciler(r),
+		AppArmorProfile: reconciler.NewAppArmorProfileReconciler(r),
 	}
 }
 
@@ -673,6 +677,13 @@ func (r *SlurmClusterReconciler) createResourceChecks(saPredicate predicate.Func
 			},
 			Predicate: predicate.GenerationChangedPredicate{},
 		},
+		{
+			Check: check.IsAppArmorOperatorCRDInstalled,
+			Objects: []client.Object{
+				&apparmor.AppArmorProfile{},
+			},
+			Predicate: predicate.GenerationChangedPredicate{},
+		},
 	}
 }