@erenfro
Last active July 2, 2024 18:19
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
#
# Mentioned also in https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
#kernel.apparmor_restrict_unprivileged_unconfined=0
# This sysctl allows enabling or disabling all apparmor mediation/restrictions
# around unprivileged user namespaces. If set to off the other sysctls are
# ignored, rules in policy are ignored etc.
# Uncommenting this makes things "work":
#kernel.apparmor_restrict_unprivileged_userns=0
# This sysctl is used to control policy ABI compatibility, which is an AppArmor
# feature where older policy is supported at its declared ABI/feature set
# level. This is used to prevent confined applications from breaking when a
# new kernel is used without the policy being updated. However, this also means
# confined applications can bypass the user namespace restriction if they are
# using policy that has not been updated to the new ABI.
#
# This sysctl allows forcing the userns restrictions on regardless of the
# policy's declared ABI. When enabled, all confined applications will have the
# user namespace mediation enforced; old policy missing the appropriate rule
# will deny access to user namespace creation.
#kernel.apparmor_restrict_unprivileged_userns_force=0
# This sysctl is used to control complain mode of user namespace mediation for
# unconfined processes. It allows for the restriction to be globally enabled,
# but only log uses, instead of denying them.
#kernel.apparmor_restrict_unprivileged_userns_complain=1
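Added example, not part of the gist: a small POSIX sh audit that reads the four sysctls above from /proc/sys/kernel and summarises the effective state the way the comments describe it (master switch first, then complain mode for unconfined processes, then force for old-ABI policy). The function names and the output wording are my own; the unconfined knob is printed but not interpreted, since the gist gives no description for it.

```shell
#!/bin/sh
# Audit helper for the AppArmor unprivileged user namespace sysctls.
# Added example; the logic mirrors the comments in the gist above.

# effective_mode MASTER COMPLAIN FORCE
# MASTER  = kernel.apparmor_restrict_unprivileged_userns
# COMPLAIN = kernel.apparmor_restrict_unprivileged_userns_complain
# FORCE   = kernel.apparmor_restrict_unprivileged_userns_force
effective_mode() {
  # Master switch off: every other userns sysctl and policy rule is ignored.
  if [ "$1" = "0" ]; then
    echo "off"
    return 0
  fi
  # Complain mode: unconfined processes are logged, not denied.
  if [ "$2" = "1" ]; then unconf="complain"; else unconf="enforce"; fi
  # Force: confined apps whose policy declares an old ABI are restricted too;
  # otherwise they keep the declared-ABI exemption.
  if [ "$3" = "1" ]; then oldabi="restricted"; else oldabi="exempt"; fi
  echo "unconfined=$unconf old-abi-policy=$oldabi"
}

# read_knob NAME: value of /proc/sys/kernel/NAME, or "absent" when the
# running kernel does not expose it (no AppArmor userns mediation).
read_knob() {
  f="/proc/sys/kernel/$1"
  if [ -r "$f" ]; then cat "$f"; else echo "absent"; fi
}

audit_userns_restriction() {
  m=$(read_knob apparmor_restrict_unprivileged_userns)
  c=$(read_knob apparmor_restrict_unprivileged_userns_complain)
  fo=$(read_knob apparmor_restrict_unprivileged_userns_force)
  u=$(read_knob apparmor_restrict_unprivileged_unconfined)
  if [ "$m" = "absent" ]; then
    echo "unsupported: kernel exposes no apparmor_restrict_unprivileged_userns"
    return 0
  fi
  printf 'userns=%s complain=%s force=%s unconfined=%s -> %s\n' \
    "$m" "$c" "$fo" "$u" "$(effective_mode "$m" "$c" "$fo")"
}

audit_userns_restriction
```

Run it before and after dropping a file into /etc/sysctl.d/ to confirm which of the settings actually took effect on the running kernel.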
erenfro commented Jun 20, 2024

Line 10 basically disables the whole unprivileged_userns which is causing massive instability.
Line 28 turns it on to complain mode instead so it can be developed and left reporting, but not enforcing.

erenfro commented Jul 2, 2024

Also, this can be placed in /etc/sysctl.d/ and the specific comments would be involved in disabling the various policies that cause the issues.