feat: Update Karpenter controller policy and permissions to match upstream project (#3510)

Author: erezzarum

modules/karpenter/main.tf

@@ -297,7 +297,7 @@ resource "aws_iam_role_policy_attachment" "node" {
   for_each = { for k, v in merge(
     {
       AmazonEKSWorkerNodePolicy          = "${local.node_iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
-      AmazonEC2ContainerRegistryReadOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
+      AmazonEC2ContainerRegistryPullOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryPullOnly"
     },
     local.ipv4_cni_policy,
     local.ipv6_cni_policy

modules/karpenter/policy.tf

@@ -50,6 +50,7 @@ data "aws_iam_policy_document" "controller" {
       "arn:${local.partition}:ec2:${local.region}:*:network-interface/*",
       "arn:${local.partition}:ec2:${local.region}:*:launch-template/*",
       "arn:${local.partition}:ec2:${local.region}:*:spot-instances-request/*",
+      "arn:${local.partition}:ec2:${local.region}:*:capacity-reservation/*"
     ]
     actions = [
       "ec2:RunInstances",
@@ -348,6 +349,12 @@ data "aws_iam_policy_document" "controller" {
     actions   = ["iam:GetInstanceProfile"]
   }
 
+  statement {
+    sid       = "AllowUnscopedInstanceProfileListAction"
+    resources = ["*"]
+    actions   = ["iam:ListInstanceProfiles"]
+  }
+
   statement {
     sid       = "AllowAPIServerEndpointDiscovery"
     resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${var.cluster_name}"]