diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index 2d82a630f89..ea3a4e4b53e 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -288,34 +288,44 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str }, nil } -func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, error) { +func getAppArmorProfile(pod *v1.Pod, container *v1.Container) (*runtimeapi.SecurityProfile, string, error) { profile := apparmor.GetProfile(pod, container) if profile == nil { - return nil, nil + return nil, "", nil } + var ( + securityProfile *runtimeapi.SecurityProfile + deprecatedProfile string // Deprecated apparmor profile format, still provided for backwards compatibility with older runtimes. + ) + switch profile.Type { case v1.AppArmorProfileTypeRuntimeDefault: - return &runtimeapi.SecurityProfile{ + securityProfile = &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, - }, nil + } + deprecatedProfile = v1.DeprecatedAppArmorBetaProfileRuntimeDefault case v1.AppArmorProfileTypeUnconfined: - return &runtimeapi.SecurityProfile{ + securityProfile = &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_Unconfined, - }, nil + } + deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNameUnconfined case v1.AppArmorProfileTypeLocalhost: if profile.LocalhostProfile == nil { - return nil, errors.New("missing localhost apparmor profile name") + return nil, "", errors.New("missing localhost apparmor profile name") } - return &runtimeapi.SecurityProfile{ + securityProfile = &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_Localhost, LocalhostRef: *profile.LocalhostProfile, - }, nil + } + deprecatedProfile = v1.DeprecatedAppArmorBetaProfileNamePrefix + *profile.LocalhostProfile default: // Shouldn't happen. - return nil, fmt.Errorf("unknown apparmor profile type: %q", profile.Type) + return nil, "", fmt.Errorf("unknown apparmor profile type: %q", profile.Type) } + + return securityProfile, deprecatedProfile, nil } 
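Review bot: getAppArmorProfile gains a third result on the `+func` line but still has no doc comment, so nothing at the call site explains that the second result is the legacy string encoding of the same profile, kept for runtimes that predate the structured SecurityProfile field, or that callers are expected to populate both CRI fields from it (the only hint is the trailing comment on `deprecatedProfile`). I would add above the signature: `// getAppArmorProfile returns the CRI AppArmor SecurityProfile for the container together with its deprecated string form for older runtimes; both are nil/empty when the pod declares no AppArmor profile.` Separately, the Localhost branch rejects a nil LocalhostProfile but not an empty one, and an empty name would currently yield a `LocalhostRef` of `""` and a deprecated string of bare `localhost/`; unless API validation is known to reject that upstream, `if profile.LocalhostProfile == nil || *profile.LocalhostProfile == "" {` keeps the same fail-closed behaviour as the nil case. The function starts and ends within this hunk.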
diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
index 8eb7ded1a70..ead2abef6d1 100644
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@@ -367,10 +367,11 @@ func TestToKubeContainerState(t *testing.T) { func TestGetAppArmorProfile(t *testing.T) { tests := []struct { - name string - podProfile *v1.AppArmorProfile - expectedProfile *runtimeapi.SecurityProfile - expectError bool + name string + podProfile *v1.AppArmorProfile + expectedProfile *runtimeapi.SecurityProfile + expectedOldProfile string + expectError bool }{{ name: "no appArmor", expectedProfile: nil,
@@ -380,12 +381,14 @@ func TestGetAppArmorProfile(t *testing.T) { expectedProfile: &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, }, + expectedOldProfile: "runtime/default", }, { name: "unconfined", podProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined}, expectedProfile: &runtimeapi.SecurityProfile{ ProfileType: runtimeapi.SecurityProfile_Unconfined, }, + expectedOldProfile: "unconfined", }, { name: "localhost", podProfile: &v1.AppArmorProfile{
@@ -396,6 +399,7 @@ func TestGetAppArmorProfile(t *testing.T) { ProfileType: runtimeapi.SecurityProfile_Localhost, LocalhostRef: "test", }, + expectedOldProfile: "localhost/test", }, { name: "invalid localhost", podProfile: &v1.AppArmorProfile{
@@ -424,7 +428,7 @@ func TestGetAppArmorProfile(t *testing.T) { }, } - actual, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0]) + actual, actualOld, err := getAppArmorProfile(&pod, &pod.Spec.Containers[0]) if test.expectError { assert.Error(t, err)
@@ -432,7 +436,8 @@ func TestGetAppArmorProfile(t *testing.T) { assert.NoError(t, err) } - assert.Equal(t, test.expectedProfile, actual) + assert.Equal(t, test.expectedProfile, actual, "AppArmor profile") + assert.Equal(t, test.expectedOldProfile, actualOld, "old (deprecated) profile string") }) } }
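Review bot: The table has no row for a Localhost profile whose `LocalhostProfile` pointer is set to the empty string, and with the helper as written such a row would pass with a `LocalhostRef` of `""` and an old-format string of bare `localhost/`; the new `expectedOldProfile` column is exactly where that edge would show up. I would add a row with `Type: v1.AppArmorProfileTypeLocalhost`, `LocalhostProfile` pointing at `""`, and whichever of `expectError: true` or explicit expected values matches the intended contract, so the behaviour is pinned either way. Asserting the literal strings `"runtime/default"`, `"unconfined"` and `"localhost/test"` rather than the `v1.Deprecated…` constants is the right choice here, since the wire format older runtimes parse is what the test needs to protect. TestGetAppArmorProfile spans all five hunks; its table starts in the first and its closing brace is in the last.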
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
index e7cde1e38a0..37f079bdd79 100644
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -41,7 +41,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 }
 // set ApparmorProfile.
- synthesized.Apparmor, err = getAppArmorProfile(pod, container)
+ synthesized.Apparmor, synthesized.ApparmorProfile, err = getAppArmorProfile(pod, container)
 if err != nil {
 return nil, err
 }
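Review bot: The comment `// set ApparmorProfile.` just above the changed line is now misleading, because the assignment populates both `synthesized.Apparmor` (the structured profile) and `synthesized.ApparmorProfile` (the deprecated string form), and a reader skimming it would assume only the legacy field is written. I would change it to `// set the AppArmor profile: the structured field plus the deprecated string form for older runtimes.` The error path is unchanged and still returns `nil, err`, so a malformed or unknown profile keeps failing the container rather than being silently dropped, which is the right fail-closed direction. determineEffectiveSecurityContext starts and ends outside this hunk.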