[PROF-14068] Remove privileges for host-profiler

[theomagellan]

What does this PR do?

This PR mirrors DataDog/helm-charts#2586 for datadog-operator:

• removes privileges: true and replaces by list of capabilities
• adds support for apparmor profiles
• embeds seccomp profile
• adds host-profiler related FQDN to Agent's Cilium allow-list
  • intake.profile.%s: profiling intake
  • sourcemap-intake.%s: symbol intake
  • otlp.%s: OTLP metrics intake

Motivation

https://datadoghq.atlassian.net/browse/REVIEW-85?focusedCommentId=3201542

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

• Agent: vX.Y.Z
• Cluster Agent: vX.Y.Z

Describe your test plan

Tested on a cluster with the host-profiler feature enabled via agent.datadoghq.com/host-profiler-enabled: "true" annotation on the DDA.

Profiles for both supported architectures can be found here

Checklist

• PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
• PR has a milestone or the qa/skip-qa label
• All commits are signed (see: signing commits)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 85.65022% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 42.60%. Comparing base (d5f00bf) to head (7847cf2).
⚠️ Report is 23 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/controller/datadogagent/common/volumes.go	0.00%	14 Missing ⚠️
...nal/controller/datadogagent/global/dependencies.go	0.00%	8 Missing ⚠️
...ntroller/datadogagent/component/objects/network.go	0.00%	6 Missing ⚠️
internal/controller/datadogagent/common/utils.go	0.00%	2 Missing ⚠️
...controller/datadogagent/component/agent/default.go	99.47%	1 Missing ⚠️
internal/controller/datadogagent/feature/types.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2953      +/-   ##
==========================================
+ Coverage   40.91%   42.60%   +1.68%     
==========================================
  Files         324      331       +7     
  Lines       28743    31709    +2966     
==========================================
+ Hits        11760    13509    +1749     
- Misses      16129    17260    +1131     
- Partials      854      940      +86     

Flag	Coverage Δ
unittests	42.60% <85.65%> (+1.68%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...oller/datadogagent/feature/hostprofiler/feature.go	78.46% <100.00%> (+0.68%)	⬆️
...controller/datadogagent/component/agent/default.go	62.71% <99.47%> (+19.10%)	⬆️
internal/controller/datadogagent/feature/types.go	22.10% <0.00%> (ø)
internal/controller/datadogagent/common/utils.go	0.00% <0.00%> (ø)
...ntroller/datadogagent/component/objects/network.go	0.00% <0.00%> (ø)
...nal/controller/datadogagent/global/dependencies.go	18.28% <0.00%> (-0.59%)	⬇️
internal/controller/datadogagent/common/volumes.go	0.00% <0.00%> (ø)

... and 51 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d5f00bf...7847cf2. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[datadog-prod-us1-5]

🎯 Code Coverage (details)
• Patch Coverage: 85.84%
• Overall Coverage: 42.64% (+1.10%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 7847cf2 | Docs | Datadog PR Page | Give us feedback!}

[theomagellan]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 87b1df2f66

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7847cf22fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Derive HostProfiler AppArmor annotation from the final name

When a user sets spec.override.nodeAgent.containers.host-profiler.name, the feature adds this annotation before overrides run, and override.Container later renames the actual container, leaving an AppArmor annotation for the now-missing host-profiler container. The override path already guards these annotations with podSpecHasContainer because such stale AppArmor annotations make the DaemonSet invalid; fresh evidence for this scenario is that overrides are applied after feature management and can rename the container.

Useful? React with 👍 / 👎.