tests/multi-server: also unconfine apparmor on the kafka broker

The previous seccomp:unconfined change flipped redpanda's first-stage
failure mode (perf_event_open now EACCES from the kernel sysctl,
instead of EPERM from seccomp) but the fatal close() EINVAL during
seastar reactor init still fired.  On DinD runners the inner
containers inherit the default docker-default AppArmor profile in
addition to seccomp, and that profile is what's driving the EINVAL.
Opt out of both sandboxes for the test broker.

Author: arr2036

src/tests/multi-server/environments/kafka.yml.j2

@@ -32,14 +32,17 @@ services:
   kafka:
     image: docker.redpanda.com/redpandadata/redpanda:latest
     # Redpanda's seastar reactor opens io_uring / eventfd / perf_event
-    # fds during startup; the default Docker seccomp profile on the
-    # self-hosted CI runners blocks enough of those that close() fails
-    # with EINVAL on a stale handle and the broker aborts during init.
-    # (Local Docker Desktop's profile is looser and doesn't hit this.)
-    # Relaxing seccomp for this single service unblocks CI without
-    # giving the broker any broader host access.
+    # fds during startup; the default Docker seccomp AND AppArmor
+    # profiles on the self-hosted CI runners between them block enough
+    # of those that close() fails with EINVAL on a stale handle and the
+    # broker aborts during init.  (Local Docker Desktop's profiles are
+    # looser and don't hit this.)  Opting the kafka service out of both
+    # sandboxes unblocks CI without giving the broker any broader host
+    # access - it only talks to the two other containers on the compose
+    # network.
     security_opt:
     - seccomp:unconfined
+    - apparmor:unconfined
     # Override the default command to advertise the broker under its
     # compose service name.  Without this the broker tells clients to
     # reconnect at 127.0.0.1:9092 which only works when client and