}

func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, string, error) {
	profile := apparmor.GetProfile(pod, container)
	if profile == nil {
		return nil, "", nil
	}

	var (
		securityProfile   *runtimeapi.SecurityProfile
		deprecatedProfile string // Deprecated apparmor profile format, still provided for backwards compatibility with older runtimes.
	)

	switch profile.Type {

		name               string
		podProfile         *v1.AppArmorProfile
		expectedProfile    *runtimeapi.SecurityProfile
		expectedOldProfile string
		expectError        bool
	}{{
		name:            "no appArmor",
		expectedProfile: nil,
	}, {
		name:       "runtime default",
		podProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeRuntimeDefault},
		expectedProfile: &runtimeapi.SecurityProfile{

    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
    #
    # annotations:
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    #

    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
    #
    # annotations:
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    #

	if err != nil {
		return nil, err
	}

	// set ApparmorProfile.
	synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container)
	if err != nil {
		return nil, err
	}

	// set RunAsUser.
	if synthesized.RunAsUser == nil {
		if uid != nil {

		pod            api.Pod
	}{{
		description:    "with AppArmor Annotations",
		hasAnnotations: true,
		pod: api.Pod{
			ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{"a": "1", v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "foo": "default"}},
			Spec:       api.PodSpec{},
		},
	}, {
		description:    "with AppArmor Annotations & fields",
		hasAnnotations: true,
		hasFields:      true,

	}

	if !utilfeature.DefaultFeatureGate.Enabled(features.AppArmor) && !appArmorAnnotationsInUse(oldPodAnnotations) {
		for k := range podAnnotations {
			if strings.HasPrefix(k, api.DeprecatedAppArmorAnnotationKeyPrefix) {
				delete(podAnnotations, k)
			}
		}
	}

	// beta: v1.24
	//
	// Enables usage of any object for volume data source in PVCs
	AnyVolumeDataSource featuregate.Feature = "AnyVolumeDataSource"

	// owner: @tallclair
	// beta: v1.4
	AppArmor featuregate.Feature = "AppArmor"

	// owner: @tallclair
	// beta: v1.30
	AppArmorFields featuregate.Feature = "AppArmorFields"

	// owner: @danwinship
	// alpha: v1.27
	// beta: v1.29
	// GA: v1.30
	//

  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
`,
		Args: cobra.ExactArgs(0),
		PreRunE: func(cmd *cobra.Command, args []string) error {

						core.SeccompPodAnnotationKey: "localhost/../foo",
					},
				},
				Spec: validPodSpec(nil),
			},
		},
		"AppArmor profile must apply to a container": {
			expectedError: "metadata.annotations[container.apparmor.security.beta.kubernetes.io/fake-ctr]",
			spec: core.Pod{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "123",
					Namespace: "ns",