Change node role policy ReadOnly -> PullOnly (support ECR pull-through cache) (#8386)

artem-nefedov · web-flow · commit ec4e7fb5fc7e · 2025-06-06T11:53:54.000-07:00
Change for default node IAM permissions to support ECR pull-through cache repositories, remove extra unnecessary permissions, and be in line with current AWS guidelines. Fixes issue #8318
diff --git a/integration/tests/accessentries/testdata/node-role.yaml b/integration/tests/accessentries/testdata/node-role.yaml
@@ -21,7 +21,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/integration/tests/existing_vpc/cf-template.yaml b/integration/tests/existing_vpc/cf-template.yaml
@@ -106,7 +106,7 @@ Resources:
                   - EC2
         Version: "2012-10-17"
       ManagedPolicyArns:
-        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
         - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy
         - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy
       Path: /
diff --git a/integration/tests/unowned_cluster/cf-template.yaml b/integration/tests/unowned_cluster/cf-template.yaml
@@ -103,7 +103,7 @@ Resources:
                     - EC2
         Version: "2012-10-17"
       ManagedPolicyArns:
-        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
         - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy
         - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy
       Path: "/"
diff --git a/pkg/actions/nodegroup/testdata/al2-force-false-template.json b/pkg/actions/nodegroup/testdata/al2-force-false-template.json
@@ -202,7 +202,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/actions/nodegroup/testdata/al2-no-force-template.json b/pkg/actions/nodegroup/testdata/al2-no-force-template.json
@@ -201,7 +201,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/actions/nodegroup/testdata/al2-updated-template.json b/pkg/actions/nodegroup/testdata/al2-updated-template.json
@@ -203,7 +203,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/actions/nodegroup/testdata/br-force-false-template.json b/pkg/actions/nodegroup/testdata/br-force-false-template.json
@@ -204,7 +204,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/actions/nodegroup/testdata/br-force-true-template.json b/pkg/actions/nodegroup/testdata/br-force-true-template.json
@@ -204,7 +204,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/actions/nodegroup/testdata/br-updated-template.json b/pkg/actions/nodegroup/testdata/br-updated-template.json
@@ -204,7 +204,7 @@
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/cluster_test.go b/pkg/cfn/builder/cluster_test.go
@@ -680,7 +680,7 @@ var _ = Describe("Cluster Template Builder", func() {
 				Expect(clusterTemplate.Resources).To(HaveKey("HybridNodesIRARole"))
 				iraRole := clusterTemplate.Resources["HybridNodesIRARole"]
 				Expect(iraRole.Properties.ManagedPolicyArns).To(ContainElement(map[string]interface{}{
-					"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+					"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly",
 				}))
 				Expect(iraRole.Properties.ManagedPolicyArns).To(ContainElement(map[string]interface{}{
 					"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore",
diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -27,7 +27,7 @@ const (
 	iamPolicyAmazonEKSWorkerNodePolicy           = "AmazonEKSWorkerNodePolicy"
 	iamPolicyAmazonEKSCNIPolicy                  = "AmazonEKS_CNI_Policy"
 	iamPolicyAmazonEC2ContainerRegistryPowerUser = "AmazonEC2ContainerRegistryPowerUser"
-	iamPolicyAmazonEC2ContainerRegistryReadOnly  = "AmazonEC2ContainerRegistryReadOnly"
+	iamPolicyAmazonEC2ContainerRegistryPullOnly  = "AmazonEC2ContainerRegistryPullOnly"
 	iamPolicyCloudWatchAgentServerPolicy         = "CloudWatchAgentServerPolicy"
 	iamPolicyAmazonSSMManagedInstanceCore        = "AmazonSSMManagedInstanceCore"
 
@@ -180,7 +180,7 @@ func (c *ClusterResourceSet) addIAMRolesAnywhere() {
 			eksDescribeClusterPolicy,
 		},
 		ManagedPolicyArns: gfnt.NewSlice(makePolicyARNs([]string{
-			iamPolicyAmazonEC2ContainerRegistryReadOnly,
+			iamPolicyAmazonEC2ContainerRegistryPullOnly,
 			iamPolicyAmazonSSMManagedInstanceCore,
 		}...)...),
 		AWSCloudFormationDependsOn: []string{TrustAnchor},
@@ -213,7 +213,7 @@ func (c *ClusterResourceSet) addSSM() {
 		},
 		ManagedPolicyArns: gfnt.NewSlice(makePolicyARNs([]string{
 			iamPolicyAmazonSSMManagedInstanceCore,
-			iamPolicyAmazonEC2ContainerRegistryReadOnly,
+			iamPolicyAmazonEC2ContainerRegistryPullOnly,
 		}...)...),
 	}
 	c.newResource(SSMRole, role)
diff --git a/pkg/cfn/builder/iam_helper.go b/pkg/cfn/builder/iam_helper.go
@@ -161,7 +161,7 @@ func makeManagedPolicies(iamCluster *api.ClusterIAM, iamConfig *api.NodeGroupIAM
 			// The Managed Nodegroup API requires this managed policy to be present, even though
 			// AmazonEC2ContainerRegistryPowerUser (attached if imageBuilder is enabled) contains a superset of the
 			// actions allowed by this managed policy
-			managedPolicyNames.Insert(iamPolicyAmazonEC2ContainerRegistryReadOnly)
+			managedPolicyNames.Insert(iamPolicyAmazonEC2ContainerRegistryPullOnly)
 		}
 		managedPolicyNames.Insert(iamPolicyAmazonSSMManagedInstanceCore)
 	}
@@ -171,7 +171,7 @@ func makeManagedPolicies(iamCluster *api.ClusterIAM, iamConfig *api.NodeGroupIAM
 	} else if !managed {
 		// attach this policy even if `AttachPolicyARNs` is specified to preserve existing behaviour for unmanaged
 		// nodegroups
-		managedPolicyNames.Insert(iamPolicyAmazonEC2ContainerRegistryReadOnly)
+		managedPolicyNames.Insert(iamPolicyAmazonEC2ContainerRegistryPullOnly)
 	}
 
 	if api.IsEnabled(iamConfig.WithAddonPolicies.CloudWatch) {
diff --git a/pkg/cfn/builder/karpenter.go b/pkg/cfn/builder/karpenter.go
@@ -124,7 +124,7 @@ func (k *KarpenterResourceSet) addResourcesForKarpenter() error {
 	managedPolicyNames := sets.New[string]()
 	managedPolicyNames.Insert(iamPolicyAmazonEKSWorkerNodePolicy,
 		iamPolicyAmazonEKSCNIPolicy,
-		iamPolicyAmazonEC2ContainerRegistryReadOnly,
+		iamPolicyAmazonEC2ContainerRegistryPullOnly,
 		iamPolicyAmazonSSMManagedInstanceCore,
 	)
 	k.Template().Mappings[servicePrincipalPartitionMapName] = api.Partitions.ServicePrincipalPartitionMappings()
diff --git a/pkg/cfn/builder/karpenter_test.go b/pkg/cfn/builder/karpenter_test.go
@@ -196,7 +196,7 @@ var expectedTemplate = `{
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
@@ -352,7 +352,7 @@ var expectedTemplateWithPermissionBoundary = `{
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
@@ -596,7 +596,7 @@ var expectedTemplateWithSpotInterruptionQueue = `{
         },
         "ManagedPolicyArns": [
           {
-            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
           },
           {
             "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/managed_nodegroup_test.go b/pkg/cfn/builder/managed_nodegroup_test.go
@@ -31,31 +31,31 @@ func TestManagedPolicyResources(t *testing.T) {
 		description             string
 	}{
 		{
-			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore"),
+			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryPullOnly", "AmazonSSMManagedInstanceCore"),
 			description:             "Default policies",
 		},
 		{
 			addons: api.NodeGroupIAMAddonPolicies{
 				ImageBuilder: api.Enabled(),
 			},
 			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy",
-				"AmazonEC2ContainerRegistryReadOnly", "AmazonEC2ContainerRegistryPowerUser", "AmazonSSMManagedInstanceCore"),
+				"AmazonEC2ContainerRegistryPullOnly", "AmazonEC2ContainerRegistryPowerUser", "AmazonSSMManagedInstanceCore"),
 			description: "ImageBuilder enabled",
 		},
 		{
 			addons: api.NodeGroupIAMAddonPolicies{
 				CloudWatch: api.Enabled(),
 			},
 			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy",
-				"AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore", "CloudWatchAgentServerPolicy"),
+				"AmazonEC2ContainerRegistryPullOnly", "AmazonSSMManagedInstanceCore", "CloudWatchAgentServerPolicy"),
 			description: "CloudWatch enabled",
 		},
 		{
 			addons: api.NodeGroupIAMAddonPolicies{
 				AutoScaler: api.Enabled(),
 			},
 			expectedNewPolicies:     []string{"PolicyAutoScaling"},
-			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore"),
+			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryPullOnly", "AmazonSSMManagedInstanceCore"),
 			description:             "AutoScaler enabled",
 		},
 		{
@@ -67,7 +67,7 @@ func TestManagedPolicyResources(t *testing.T) {
 				"Resource": "*",
 			}),
 			expectedNewPolicies:     []string{"Policy1"},
-			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore"),
+			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryPullOnly", "AmazonSSMManagedInstanceCore"),
 			description:             "Custom inline policies",
 		},
 		{
diff --git a/pkg/cfn/builder/nodegroup_test.go b/pkg/cfn/builder/nodegroup_test.go
@@ -301,9 +301,9 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 					ng.IAM.AttachPolicyARNs = []string{"arn:aws:iam::1234567890:role/foo"}
 				})
 
-				It("adds the provided policy and the AmazonEC2ContainerRegistryReadOnly policy", func() {
+				It("adds the provided policy and the AmazonEC2ContainerRegistryPullOnly policy", func() {
 					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(HaveLen(2))
-					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEC2ContainerRegistryReadOnly")))
+					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEC2ContainerRegistryPullOnly")))
 					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement("arn:aws:iam::1234567890:role/foo"))
 				})
 
@@ -312,7 +312,7 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 						ng.IAM.AttachPolicyARNs = []string{"foo"}
 					})
 
-					It("adds the provided policy and the AmazonEC2ContainerRegistryReadOnly policy", func() {
+					It("adds the provided policy and the AmazonEC2ContainerRegistryPullOnly policy", func() {
 						Expect(addErr).To(MatchError("arn: invalid prefix"))
 					})
 				})
@@ -326,7 +326,7 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 				It("adds the default policies to the role", func() {
 					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(HaveLen(4))
 
-					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEC2ContainerRegistryReadOnly")))
+					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEC2ContainerRegistryPullOnly")))
 					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEKSWorkerNodePolicy")))
 					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEKS_CNI_Policy")))
 					Expect(ngTemplate.Resources["NodeInstanceRole"].Properties.ManagedPolicyArns).To(ContainElement(makePolicyARNRef("AmazonEKS_CNI_Policy")))
diff --git a/pkg/cfn/builder/testdata/launch_template/bottlerocket.json b/pkg/cfn/builder/testdata/launch_template/bottlerocket.json
@@ -147,7 +147,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/bottlerocket_additional_encrypted_volume.json b/pkg/cfn/builder/testdata/launch_template/bottlerocket_additional_encrypted_volume.json
@@ -155,7 +155,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/bottlerocket_volume.json b/pkg/cfn/builder/testdata/launch_template/bottlerocket_volume.json
@@ -147,7 +147,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/capacity_block.json b/pkg/cfn/builder/testdata/launch_template/capacity_block.json
@@ -153,7 +153,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/custom_ami.json b/pkg/cfn/builder/testdata/launch_template/custom_ami.json
@@ -148,7 +148,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template.json b/pkg/cfn/builder/testdata/launch_template/launch_template.json
@@ -61,7 +61,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes.json b/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes.json
@@ -160,7 +160,7 @@
       },
       "ManagedPolicyArns": [
         {
-          "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+          "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
         },
         {
           "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes_missing_size.json b/pkg/cfn/builder/testdata/launch_template/launch_template_additional_volumes_missing_size.json
@@ -159,7 +159,7 @@
       },
       "ManagedPolicyArns": [
         {
-          "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+          "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
         },
         {
           "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_custom_ami.json b/pkg/cfn/builder/testdata/launch_template/launch_template_custom_ami.json
@@ -61,7 +61,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_id.json b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_id.json
@@ -154,7 +154,7 @@
             },
             "ManagedPolicyArns":[
                 {
-                    "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_preference.json b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_preference.json
@@ -152,7 +152,7 @@
             },
             "ManagedPolicyArns":[
                 {
-                    "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_resource_group_arn.json b/pkg/cfn/builder/testdata/launch_template/launch_template_with_capacity_reservation_resource_group_arn.json
@@ -154,7 +154,7 @@
             },
             "ManagedPolicyArns":[
                 {
-                    "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/lt_instance_types.json b/pkg/cfn/builder/testdata/launch_template/lt_instance_types.json
@@ -62,7 +62,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/node-repair-enabled.json b/pkg/cfn/builder/testdata/launch_template/node-repair-enabled.json
@@ -150,7 +150,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/placement.json b/pkg/cfn/builder/testdata/launch_template/placement.json
@@ -150,7 +150,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/spot.json b/pkg/cfn/builder/testdata/launch_template/spot.json
@@ -148,7 +148,7 @@
             },
             "ManagedPolicyArns": [
                 {
-                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                    "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
                 },
                 {
                     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
diff --git a/pkg/cfn/builder/testdata/launch_template/ssh_disabled.json b/pkg/cfn/builder/testdata/launch_template/ssh_disabled.json
diff --git a/pkg/cfn/builder/testdata/launch_template/ssh_enabled.json b/pkg/cfn/builder/testdata/launch_template/ssh_enabled.json
diff --git a/pkg/cfn/builder/testdata/launch_template/standard.json b/pkg/cfn/builder/testdata/launch_template/standard.json
diff --git a/pkg/cfn/builder/testdata/launch_template/windows.json b/pkg/cfn/builder/testdata/launch_template/windows.json
diff --git a/pkg/cfn/builder/testdata/nodegroup_access_entry/1.json b/pkg/cfn/builder/testdata/nodegroup_access_entry/1.json
diff --git a/pkg/cfn/builder/testdata/nodegroup_access_entry/2.json b/pkg/cfn/builder/testdata/nodegroup_access_entry/2.json
diff --git a/pkg/cfn/builder/testdata/nodegroup_access_entry/3.json b/pkg/cfn/builder/testdata/nodegroup_access_entry/3.json
diff --git a/pkg/cfn/template/testdata/nodegroup-example-1.json b/pkg/cfn/template/testdata/nodegroup-example-1.json
diff --git a/pkg/cfn/template/testdata/nodegroup-example-old-format-1.json b/pkg/cfn/template/testdata/nodegroup-example-old-format-1.json
diff --git a/userdocs/src/usage/iam-policies.md b/userdocs/src/usage/iam-policies.md

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@`
`21`	`21`	`},`
`22`	`22`	`"ManagedPolicyArns": [`
`23`	`23`	`{`
`24`		`- "Fn::Sub": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
	`24`	`+ "Fn::Sub": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"`
`25`	`25`	`},`
`26`	`26`	`{`
`27`	`27`	`"Fn::Sub": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@`
`202`	`202`	`},`
`203`	`203`	`"ManagedPolicyArns": [`
`204`	`204`	`{`
`205`		`- "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
	`205`	`+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"`
`206`	`206`	`},`
`207`	`207`	`{`
`208`	`208`	`"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"`
Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@`
`201`	`201`	`},`
`202`	`202`	`"ManagedPolicyArns": [`
`203`	`203`	`{`
`204`		`- "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
	`204`	`+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"`
`205`	`205`	`},`
`206`	`206`	`{`
`207`	`207`	`"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"`
Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@`
`203`	`203`	`},`
`204`	`204`	`"ManagedPolicyArns": [`
`205`	`205`	`{`
`206`		`- "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
	`206`	`+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"`
`207`	`207`	`},`
`208`	`208`	`{`
`209`	`209`	`"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"`
Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@`
`204`	`204`	`},`
`205`	`205`	`"ManagedPolicyArns": [`
`206`	`206`	`{`
`207`		`- "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
	`207`	`+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"`
`208`	`208`	`},`
`209`	`209`	`{`
`210`	`210`	`"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"`