[codex] Add Cloud Security Kubernetes DaemonSet setup #37634

Draft
cyrbouchiat wants to merge 1 commit into master from codex/cloud-security-kubernetes-daemonset

@cyrbouchiat

Contributor

What changed

  • Added a DaemonSet tab to the Cloud Security Kubernetes setup page.
  • Documented the Cloud Security env vars required for Misconfigurations, Vulnerability Management, container image mount scanning, and runtime package tracking.
  • Clarified that the same env var block must be applied to each Agent pod container in a DaemonSet: agent, security-agent, and system-probe.
  • Added a DaemonSet option to the Runtime Package Tracking section.

Why

The Kubernetes Cloud Security setup page covered Operator and Helm, but not direct DaemonSet configuration. Customers using DaemonSets need explicit env var instructions, especially for DD_COMPLIANCE_CONFIG_ENABLED, DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED, DD_SBOM_CONTAINER_IMAGE_USE_MOUNT, and DD_SBOM_ENRICHMENT_USAGE_ENABLED.

Validation

  • Verified all required env vars are present in each DaemonSet container shown.
  • Verified Hugo tab shortcode counters balance.
  • Ran git diff --check.
  • Confirmed only content/en/security/cloud_security_management/setup/agent/kubernetes.md changed.

@github-actions

Contributor

Preview links (active after the build_preview check completes)

Modified Files

@cyrbouchiat cyrbouchiat force-pushed the codex/cloud-security-kubernetes-daemonset branch from a486c10 to 40340e7 Compare June 19, 2026 11:42

Contributor Author

Updated after review to avoid implying the Workload Protection docs already had an equivalent expanded block per container. The DaemonSet instructions now show one env var block and explicitly say to copy it into each Agent container (agent, security-agent, and system-probe), matching the Agent team guidance while keeping the snippet closer to the existing DaemonSet docs style.

Add `DD_SBOM_ENRICHMENT_USAGE_ENABLED` to the `env` section of every Agent container in your `daemonset.yaml` file, including `agent`, `security-agent`, and `system-probe`:

```yaml
- name: DD_SBOM_ENRICHMENT_USAGE_ENABLED
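Review bot: In the sentence above the YAML, "every Agent container ... including `agent`, `security-agent`, and `system-probe`" reads as a partial list, so a reader whose DaemonSet runs other containers cannot tell whether those need the variable too. If the three names are the complete set, drop "including" and state them as the set. A one-line reminder after the snippet that the entry has to be repeated under each container's `env` would also help, since nothing in the manifest flags a container that was skipped.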

@agentzzk agentzzk Jun 19, 2026

We'll also need to add a note for customers to add hostPID: true when manually managing DaemonSet through env.

Also, I believe we need to set DD_SBOM_CONTAINER_IMAGE_ENABLED here too, similar to containerImage.enabled for Helm or Operator? cc @lebauce

Contributor Author

Updated. I added hostPID: true to the DaemonSet pod spec snippet for mount-based container image scanning, and updated the Runtime Package Tracking DaemonSet snippet to include DD_SBOM_ENABLED=true, DD_SBOM_CONTAINER_IMAGE_ENABLED=true, and DD_SBOM_ENRICHMENT_USAGE_ENABLED=true for every Agent container.

@cyrbouchiat cyrbouchiat force-pushed the codex/cloud-security-kubernetes-daemonset branch 2 times, most recently from 07a7650 to fcc7205 Compare June 22, 2026 07:46
@cyrbouchiat cyrbouchiat force-pushed the codex/cloud-security-kubernetes-daemonset branch from fcc7205 to 165b704 Compare June 22, 2026 08:10
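
One way to check a hand-managed DaemonSet against the settings agreed in this thread (`hostPID: true` on the pod spec, and the three `DD_SBOM_*` variables set to `true` in `agent`, `security-agent`, and `system-probe`). This is an added example, not code from the PR or from Datadog; the function names and the sample manifest are hypothetical, and it assumes the manifest is already loaded as a dict, for instance from `kubectl get daemonset <name> -o json`.

```python
# Settings named in this thread for the DaemonSet path; values per the reply above.
REQUIRED_ENV = {
    "DD_SBOM_ENABLED": "true",
    "DD_SBOM_CONTAINER_IMAGE_ENABLED": "true",
    "DD_SBOM_ENRICHMENT_USAGE_ENABLED": "true",
}
AGENT_CONTAINERS = ("agent", "security-agent", "system-probe")


def audit_daemonset(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means the manifest passes."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if pod_spec.get("hostPID") is not True:
        findings.append("pod spec: hostPID is not true")
    containers = {c.get("name"): c for c in pod_spec.get("containers", [])}
    for name in AGENT_CONTAINERS:
        if name not in containers:
            findings.append(f"{name}: container not found")
            continue
        # Only literal `value` entries are read; valueFrom/envFrom are not resolved.
        env = {e.get("name"): e.get("value") for e in containers[name].get("env") or []}
        for var, want in REQUIRED_ENV.items():
            got = env.get(var)
            if got is None:
                findings.append(f"{name}: {var} is missing")
            elif str(got).lower() != want:
                findings.append(f"{name}: {var} is {got!r}, expected {want!r}")
    return findings


def make_container(name, env):
    return {"name": name, "env": [{"name": k, "value": v} for k, v in env.items()]}


# Constructed sample: system-probe was skipped when the block was copied,
# security-agent has one variable set to "false", and hostPID is absent.
SAMPLE = {
    "kind": "DaemonSet",
    "spec": {"template": {"spec": {"containers": [
        make_container("agent", REQUIRED_ENV),
        make_container("security-agent", {**REQUIRED_ENV, "DD_SBOM_ENABLED": "false"}),
        make_container("system-probe", {"DD_SBOM_ENABLED": "true"}),
    ]}}},
}

if __name__ == "__main__":
    for line in audit_daemonset(SAMPLE):
        print(line)
```
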