Describe the feature request
Today, the main istio-cni container runs as a DaemonSet with privileged: true. It isn't great to have a privileged container running on every node; instead, we should do whatever privileged actions are necessary in a separate init container (this is the approach kube-proxy takes: https://www.kubernetes.dev/blog/2024/01/05/kube-proxy-non-privileged/). Note that the repair controller currently requires privileged: true because it reads procfs; we should allow turning that off if we don't already. Users may have other options (e.g. a cloud provider process) for handling the race conditions, so istio-cni should be able to turn off that functionality.
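As an added example (not code from this issue or from the istio-cni project), a small audit that checks a DaemonSet manifest for the pattern requested above: no privileged long-running containers, privileged setup only in initContainers, and hostPID left off unless a procfs-reading repair controller is actually in use. The two manifests, the container names and the NET_ADMIN capability are constructed for illustration and are not the project's real manifest.

```python
# Added example, not istio-cni's own code. Audit a DaemonSet manifest for the
# pattern in the request: long-running containers must not be privileged;
# privileged setup belongs in an initContainer. hostPID is flagged because a
# repair controller that reads host procfs typically needs it, so it should be
# off when that functionality is turned off.

def _privileged(container):
    """True if the container's securityContext sets privileged: true."""
    return bool((container.get("securityContext") or {}).get("privileged"))

def audit_daemonset(ds):
    """Return a list of findings; an empty list means no privileged
    long-running container and no host PID namespace sharing."""
    pod = ds["spec"]["template"]["spec"]
    findings = []
    if pod.get("hostPID"):
        findings.append("pod sets hostPID: true (host procfs is visible)")
    for c in pod.get("containers", []):
        if _privileged(c):
            findings.append(f"long-running container {c['name']!r} is privileged")
    return findings

def privileged_init_containers(ds):
    """Names of initContainers that run privileged (short-lived, acceptable)."""
    pod = ds["spec"]["template"]["spec"]
    return [c["name"] for c in pod.get("initContainers", []) if _privileged(c)]

# Constructed manifests, modelled loosely on an istio-cni-node DaemonSet;
# names, fields and the capability are illustrative only.
def _ds(init, main, host_pid):
    return {"kind": "DaemonSet", "metadata": {"name": "istio-cni-node"},
            "spec": {"template": {"spec": {
                "hostPID": host_pid,
                "initContainers": init,
                "containers": main}}}}

BEFORE = _ds(init=[], host_pid=True, main=[
    {"name": "install-cni", "securityContext": {"privileged": True}}])

AFTER = _ds(host_pid=False,
            init=[{"name": "install-cni-setup",
                   "securityContext": {"privileged": True}}],
            main=[{"name": "install-cni",
                   "securityContext": {"privileged": False,
                                       "capabilities": {"add": ["NET_ADMIN"]}}}])

if __name__ == "__main__":
    for label, ds in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_daemonset(ds) or "OK", privileged_init_containers(ds))
```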
Describe alternatives you've considered
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context