fix(kubernetes): configure sandbox apparmor profile#1767

Merged: TaylorMutch merged 1 commit into main from 1643-kubernetes-apparmor/tmutch on Jun 5, 2026

Conversation

@TaylorMutch
Collaborator

Summary

Expose Kubernetes AppArmor profile configuration for sandbox agent containers and default the Helm chart to Unconfined so AppArmor-enabled nodes do not block supervisor network namespace setup.

Related Issue

Closes #1643

Changes

  • Added app_armor_profile parsing for Unconfined, RuntimeDefault, and Localhost/<profile> in the Kubernetes driver.
  • Rendered securityContext.appArmorProfile onto sandbox agent containers when configured.
  • Added Helm server.appArmorProfile with default Unconfined and chart tests for default/opt-out rendering.
  • Updated gateway config, Kubernetes setup, compute-driver, architecture, and driver README docs.

Testing

  • mise run pre-commit passes
  • cargo test -p openshell-driver-kubernetes
  • cargo test -p openshell-server kubernetes
  • mise run helm:test
  • mise run helm:docs:check
  • mise run helm:lint
  • mise run e2e:kubernetes

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
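
The three accepted forms listed under Changes (Unconfined, RuntimeDefault, Localhost/<profile>) and the securityContext.appArmorProfile fragment they map to, as an added Rust example that is not code from this PR or the project. The type and function names, the treatment of an empty value as "not configured", and exact-case matching are assumptions.

```rust
// Added illustration: type and function names are hypothetical, not the driver's own.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AppArmorProfile {
    Unconfined,
    RuntimeDefault,
    Localhost(String), // name of a profile already loaded on the node
}

/// Parse an `app_armor_profile` setting. Assumption: an empty value means
/// "not configured", so no appArmorProfile field is rendered.
pub fn parse_app_armor_profile(raw: &str) -> Result<Option<AppArmorProfile>, String> {
    let value = raw.trim();
    match value {
        "" => Ok(None),
        "Unconfined" => Ok(Some(AppArmorProfile::Unconfined)),
        "RuntimeDefault" => Ok(Some(AppArmorProfile::RuntimeDefault)),
        _ => match value.strip_prefix("Localhost/") {
            // Reject an empty or whitespace-bearing name instead of passing it on.
            Some(name) if !name.is_empty() && !name.contains(char::is_whitespace) => {
                Ok(Some(AppArmorProfile::Localhost(name.to_string())))
            }
            Some(_) => Err(format!("invalid Localhost profile name in {value:?}")),
            None => Err(format!("unknown AppArmor profile {value:?}")),
        },
    }
}

/// Render the container-level securityContext fragment, or nothing when unset.
pub fn render_security_context(profile: Option<&AppArmorProfile>) -> String {
    let body = match profile {
        None => return String::new(),
        Some(AppArmorProfile::Unconfined) => "    type: Unconfined\n".to_string(),
        Some(AppArmorProfile::RuntimeDefault) => "    type: RuntimeDefault\n".to_string(),
        Some(AppArmorProfile::Localhost(name)) => {
            format!("    type: Localhost\n    localhostProfile: {name}\n")
        }
    };
    format!("securityContext:\n  appArmorProfile:\n{body}")
}

fn main() {
    // Constructed sample values, including two that must be rejected.
    for raw in ["Unconfined", "RuntimeDefault", "Localhost/sandbox-agent", "", "Localhost/", "unconfined"] {
        match parse_app_armor_profile(raw) {
            Ok(p) => print!("{raw:?} ->\n{}", render_security_context(p.as_ref())),
            Err(e) => println!("{raw:?} rejected: {e}"),
        }
    }
}
```
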
@github-actions

github-actions Bot commented Jun 4, 2026

@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label Jun 4, 2026
@github-actions

github-actions Bot commented Jun 4, 2026

Label test:e2e applied for 5e89437. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.

@TaylorMutch TaylorMutch merged commit e26a1b1 into main Jun 5, 2026
54 checks passed
@TaylorMutch TaylorMutch deleted the 1643-kubernetes-apparmor/tmutch branch June 5, 2026 00:25

Labels

test:e2e Requires end-to-end coverage

Development

Successfully merging this pull request may close these issues.

feat: Kubernetes support on AppArmor-enabled host nodes

2 participants