
[PROF-14068] Remove privileges for host-profiler #2953

Draft
theomagellan wants to merge 3 commits into main from theomagellan/unprivileged-host-profiler

theomagellan commented Apr 28, 2026

What does this PR do?

This PR mirrors DataDog/helm-charts#2586 for datadog-operator:

  • removes privileges: true and replaces it with a list of capabilities
  • adds support for AppArmor profiles
  • embeds a seccomp profile
  • adds host-profiler-related FQDNs to the Agent's Cilium allow-list
    • intake.profile.%s: profiling intake
    • sourcemap-intake.%s: symbol intake
    • otlp.%s: OTLP metrics intake

Motivation

https://datadoghq.atlassian.net/browse/REVIEW-85?focusedCommentId=3201542

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: vX.Y.Z
  • Cluster Agent: vX.Y.Z

Describe your test plan

Write here any instructions and details you may have to test your PR.

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

  - favor a list of capabilities
  - seccomp profile
  - support for custom apparmor profile
theomagellan force-pushed the theomagellan/unprivileged-host-profiler branch from 5504b59 to be37a57, April 28, 2026 08:54
theomagellan added the enhancement (New feature or request) label Apr 28, 2026
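
An added example, not code from this PR or from the datadog-operator repository: a Go check over the container securityContext settings the description lists (privileged mode, the capability list, seccomp and AppArmor profiles). The field names are the Kubernetes ones; `Audit`, the sample inputs, the capability name and the profile names are constructed for illustration, since the PR's actual list is not shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Kubernetes container securityContext that the PR touches;
// encoding/json matches the camelCase keys case-insensitively.
type Profile struct{ Type, LocalhostProfile string }
type SecurityContext struct {
	Privileged                      bool
	Capabilities                    struct{ Add []string }
	SeccompProfile, AppArmorProfile *Profile
}

// Constructed samples: capability and profile names are placeholders, not the PR's.
const Before = `{"privileged": true}`
const After = `{"capabilities": {"add": ["SYS_PTRACE"]}, "seccompProfile": {"type": "Localhost",
 "localhostProfile": "example.json"}, "appArmorProfile": {"type": "Localhost", "localhostProfile": "example"}}`

// Audit returns one finding per hardening gap in a securityContext JSON document.
func Audit(raw string) ([]string, error) {
	var sc SecurityContext
	if err := json.Unmarshal([]byte(raw), &sc); err != nil {
		return nil, err
	}
	var out []string
	if sc.Privileged {
		out = append(out, "privileged is true")
	}
	for _, c := range sc.Capabilities.Add {
		if c == "ALL" {
			out = append(out, "capabilities.add contains ALL")
		}
	}
	check := func(name string, p *Profile) {
		if p == nil || p.Type == "Unconfined" || (p.Type == "Localhost" && p.LocalhostProfile == "") {
			out = append(out, name+" is unset, Unconfined, or missing localhostProfile")
		}
	}
	check("seccompProfile", sc.SeccompProfile)
	check("appArmorProfile", sc.AppArmorProfile)
	return out, nil
}

func main() {
	fmt.Println(Audit(Before))
	fmt.Println(Audit(After))
}
```

The privileged sample yields three findings and the capability-based sample yields none.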

codecov-commenter commented Apr 28, 2026

Codecov Report

❌ Patch coverage is 17.72727% with 181 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.10%. Comparing base (d5f00bf) to head (600cc39).
⚠️ Report is 3 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...controller/datadogagent/component/agent/default.go | 19.68% | 151 Missing ⚠️ |
| internal/controller/datadogagent/common/volumes.go | 0.00% | 14 Missing ⚠️ |
| ...nal/controller/datadogagent/global/dependencies.go | 0.00% | 8 Missing ⚠️ |
| ...ntroller/datadogagent/component/objects/network.go | 0.00% | 6 Missing ⚠️ |
| internal/controller/datadogagent/common/utils.go | 0.00% | 2 Missing ⚠️ |

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2953      +/-   ##
==========================================
+ Coverage   40.91%   41.10%   +0.18%     
==========================================
  Files         324      324              
  Lines       28743    29126     +383     
==========================================
+ Hits        11760    11972     +212     
- Misses      16129    16298     +169     
- Partials      854      856       +2     

| Flag | Coverage Δ |
|---|---|
| unittests | 41.10% <17.72%> (+0.18%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
|---|---|
| ...oller/datadogagent/feature/hostprofiler/feature.go | 78.46% <100.00%> (+0.68%) ⬆️ |
| internal/controller/datadogagent/common/utils.go | 0.00% <0.00%> (ø) |
| ...ntroller/datadogagent/component/objects/network.go | 0.00% <0.00%> (ø) |
| ...nal/controller/datadogagent/global/dependencies.go | 18.28% <0.00%> (-0.59%) ⬇️ |
| internal/controller/datadogagent/common/volumes.go | 0.00% <0.00%> (ø) |
| ...controller/datadogagent/component/agent/default.go | 47.97% <19.68%> (+4.36%) ⬆️ |

... and 2 files with indirect coverage changes


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

datadog-prod-us1-5 Bot commented Apr 28, 2026

Code Coverage

🛑 Gate Violations

🎯 1 Code Coverage issue detected

A Patch coverage percentage gate may be blocking this PR.

Patch coverage: 16.67% (threshold: 80.00%)

ℹ️ Info

🎯 Code Coverage (details)
Patch Coverage: 16.67%
Overall Coverage: 41.18% (+0.14%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 600cc39
