[PROF-14068] Remove privileges for host-profiler

[theomagellan]

What does this PR do?

This PR mirrors DataDog/helm-charts#2586 for datadog-operator:

• removes privileges: true and replaces by list of capabilities
• adds support for apparmor profiles
• embeds seccomp profile
• adds host-profiler related FQDN to Agent's Cilium allow-list
  • intake.profile.%s: profiling intake
  • sourcemap-intake.%s: symbol intake
  • otlp.%s: OTLP metrics intake

Motivation

https://datadoghq.atlassian.net/browse/REVIEW-85?focusedCommentId=3201542

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

• Agent: vX.Y.Z
• Cluster Agent: vX.Y.Z

Describe your test plan

Tested on a cluster with the host-profiler feature enabled via agent.datadoghq.com/host-profiler-enabled: "true" annotation on the DDA.

Profiles for both supported architectures can be found here

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 85.84071% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 42.59%. Comparing base (d5f00bf) to head (8236c6a).
⚠️ Report is 25 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/controller/datadogagent/common/volumes.go	0.00%	14 Missing ⚠️
...nal/controller/datadogagent/global/dependencies.go	0.00%	8 Missing ⚠️
...ntroller/datadogagent/component/objects/network.go	0.00%	6 Missing ⚠️
internal/controller/datadogagent/common/utils.go	0.00%	2 Missing ⚠️
...controller/datadogagent/component/agent/default.go	99.48%	1 Missing ⚠️
internal/controller/datadogagent/feature/types.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2953      +/-   ##
==========================================
+ Coverage   40.91%   42.59%   +1.67%     
==========================================
  Files         324      344      +20     
  Lines       28743    32581    +3838     
==========================================
+ Hits        11760    13877    +2117     
- Misses      16129    17754    +1625     
- Partials      854      950      +96     

Flag	Coverage Δ
unittests	42.59% <85.84%> (+1.67%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...oller/datadogagent/feature/hostprofiler/feature.go	78.46% <100.00%> (+0.68%)	⬆️
...controller/datadogagent/component/agent/default.go	62.82% <99.48%> (+19.21%)	⬆️
internal/controller/datadogagent/feature/types.go	22.10% <0.00%> (ø)
internal/controller/datadogagent/common/utils.go	0.00% <0.00%> (ø)
...ntroller/datadogagent/component/objects/network.go	0.00% <0.00%> (ø)
...nal/controller/datadogagent/global/dependencies.go	18.28% <0.00%> (-0.59%)	⬇️
internal/controller/datadogagent/common/volumes.go	0.00% <0.00%> (ø)

... and 66 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d5f00bf...8236c6a. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[datadog-prod-us1-5]

🎯 Code Coverage (details)
• Patch Coverage: 86.04%
• Overall Coverage: 42.63% (+1.08%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8236c6a | Docs | Datadog PR Page | Give us feedback!}

[theomagellan]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 87b1df2f66

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7847cf22fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[r1viollet]

AppArmor: Do we want to expose a setting to override the "unconfined" ? I'm not familiar with how someone would override this.

[r1viollet]

NIT, we are no longer privileged, so this could be slightly confusing 😄