diff --git a/pkg/model/components/addonmanifests/karpenter/iam.go b/pkg/model/components/addonmanifests/karpenter/iam.go
index 9d3b2763d2..4cdb2fb7c6 100644
--- a/pkg/model/components/addonmanifests/karpenter/iam.go
+++ b/pkg/model/components/addonmanifests/karpenter/iam.go
@@ -51,9 +51,11 @@ func addKarpenterPermissions(p *iam.Policy) {
 // Not included because we require Karpenter
 // use existing kOps instance group launch templates
 // "ec2:CreateLaunchTemplate",
+ // "ec2:DeleteLaunchTemplate",
 "ec2:CreateFleet",
 "ec2:CreateTags",
 "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
 "ec2:DescribeInstanceTypeOfferings",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -61,9 +63,9 @@ func addKarpenterPermissions(p *iam.Policy) {
 "ec2:DescribeSecurityGroups",
 "ec2:DescribeSpotPriceHistory",
 "ec2:DescribeSubnets",
- "iam:PassRole",
 "ec2:RunInstances",
 "ec2:TerminateInstances",
+ "iam:PassRole",
 "pricing:GetProducts",
 "ssm:GetParameter",
 )
diff --git a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
index 07f40f3a6b..8c9819079b 100644
--- a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy
@@ -5,6 +5,7 @@
 "ec2:CreateFleet",
 "ec2:CreateTags",
 "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImages",
 "ec2:DescribeInstanceTypeOfferings",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
diff --git a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template
index 7a7d3c1d6b..5983ecf60e 100644
--- a/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template
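Review bot: The new `"ec2:DescribeImages"` entry in the first iam.go hunk is granted without any comment saying why Karpenter needs it, while the commented-out launch-template actions just above it do record why they are withheld. In a least-privilege list each grant should carry its reason so a later audit can tell required permissions from leftovers; a line such as `// Read-only AMI lookup; presumably needed for Karpenter's image resolution (confirm against the shipped version)` above the entry would do. EC2 Describe actions cannot be scoped to specific resources, so documenting the grant is the realistic control here. The call that takes this list opens above the hunk.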
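Review bot: `"iam:PassRole"` is only re-sorted in the second iam.go hunk, but it stays in the same argument list as the read-only Describe actions, next to `"ec2:RunInstances"` and `"ec2:TerminateInstances"`. How this list becomes a policy statement is outside the hunk; if it is emitted with a wildcard resource and no condition, the Karpenter service account can pass any role in the account to the instances it launches. It is worth confirming that, and if so moving PassRole into its own statement limited to the node instance-role ARNs with an `iam:PassedToService` condition of `ec2.amazonaws.com`. The golden policy file changed in this commit shows only the action list, so the resource scope cannot be checked from the diff.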
+++ b/upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template
@@ -1771,7 +1771,7 @@ spec:
 requirements:
 - key: karpenter.sh/capacity-type
 operator: In
- values: ["spot", "ondemand"]
+ values: ["spot", "on-demand"]
 - key: kubernetes.io/arch
 operator: In
 values: ["{{ ArchitectureOfAMI $spec.Image }}"]
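Review bot: The corrected `"on-demand"` value is still a hand-typed literal with nothing beside it stating the accepted set, so the same kind of misspelling can return unnoticed. A comment above the requirement, e.g. `# karpenter.sh/capacity-type accepts "spot" and "on-demand"`, would make the next edit checkable on sight. Presumably the old `"ondemand"` value simply never matched and the requirement behaved as spot-only without raising an error, which is why an explicit note matters. The enclosing spec begins above the hunk.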