Fix IAM permissions for Karpenter

pkg/model/components/addonmanifests/karpenter/iam.go

@@ -52,17 +52,19 @@ func addKarpenterPermissions(p *iam.Policy) {
 		// use existing kOps instance group launch templates
 		// "ec2:CreateLaunchTemplate",
 		"ec2:CreateFleet",
-		"ec2:RunInstances",
 		"ec2:CreateTags",
-		"iam:PassRole",
-		"ec2:TerminateInstances",
-		"ec2:DescribeLaunchTemplates",
-		"ec2:DescribeInstances",
-		"ec2:DescribeSecurityGroups",
-		"ec2:DescribeSubnets",
-		"ec2:DescribeInstanceTypes",
-		"ec2:DescribeInstanceTypeOfferings",
 		"ec2:DescribeAvailabilityZones",
+		"ec2:DescribeInstanceTypeOfferings",
+		"ec2:DescribeInstanceTypes",
+		"ec2:DescribeInstances",
+		"ec2:DescribeLaunchTemplates",
+		"ec2:DescribeSecurityGroups",
+		"ec2:DescribeSpotPriceHistory",
+		"ec2:DescribeSubnets",
+		"iam:PassRole",
+		"ec2:RunInstances",
+		"ec2:TerminateInstances",
+		"pricing:GetProducts",
 		"ssm:GetParameter",
 	)
 }

tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_karpenter.kube-system.sa.minimal.example.com_policy

@@ -10,10 +10,12 @@
         "ec2:DescribeInstances",
         "ec2:DescribeLaunchTemplates",
         "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSpotPriceHistory",
         "ec2:DescribeSubnets",
         "ec2:RunInstances",
         "ec2:TerminateInstances",
         "iam:PassRole",
+        "pricing:GetProducts",
         "ssm:GetParameter"
       ],
       "Effect": "Allow",