Problem:
Fail to enable monitoring on restricted PSP clusters.

Solution:
1. Update grafana to run as grafana user.
2. Update nginx sidecars to run as nginx user, move files to the user
home directory(/var/cache/nginx) and listen on non privileged 8080 port.
With 1 & 2, project monitoring works in restricted clusters out of the
box.
3. Add necessary PSP/role/rb resource to node-exporter, which is used by
cluster monitoring.