Document the newly required SQS permissions for NTH

Peter Rifel 2021-04-23 09:31:10 -05:00
parent cc16b528f6
commit c653a83be9
No known key found for this signature in database
GPG Key ID: 972C462EFEF747D3
2 changed files with 6 additions and 2 deletions


@ -139,7 +139,7 @@ spec:
If `enableSQSTerminationDraining` is true Node Termination Handler will operate in Queue Processor mode. In addition to the events mentioned above, Queue Processor mode allows Node Termination Handler to take care of ASG Scale-In, AZ-Rebalance, Unhealthy Instances, EC2 Instance Termination via the API or Console, and more. kOps will provision the necessary infrastructure: an SQS queue, EventBridge rules, and ASG Lifecycle hooks. `managedASGTag` can be configured with Queue Processor mode to distinguish resource ownership between multiple clusters.
The kOps CLI requires additional IAM permissions to create the requisite EventBridge rules and SQS queue:
The kOps CLI requires additional IAM permissions to manage the requisite EventBridge rules and SQS queue:
```json
{
@ -150,7 +150,9 @@ The kOps CLI requires additional IAM permissions to create the requisite EventBr
"Action": [
"events:PutEvents",
"events:PutTargets",
"sqs:CreateQueue"
"sqs:CreateQueue",
"sqs:ListQueues",
"sqs:DeleteQueue",
],
"Resource": "*"
}
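Review bot: the `Action` array now ends with `"sqs:DeleteQueue",` directly before the closing `]`, and that trailing comma makes the documented policy invalid JSON, so anyone pasting it into an IAM policy gets a syntax error; drop the comma after the last entry. Because the statement keeps `"Resource": "*"`, the added `sqs:DeleteQueue` applies to every queue the principal can reach, so it is worth saying in the docs whether the resource can be narrowed to the queues kOps provisions.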


@ -21,6 +21,8 @@ In 1.21, this feature is behind a feature flag as node role name, labels, taints
# Required Actions
* To support [Node Termination Handler's Queue Process mode](/addons/#node-termination-handler), AWS cluster deletion now requires the kops CLI have `sqs:ListQueues` permission regardless of whether or not the addon is used.
# Deprecations
* Support for Kubernetes versions 1.15 and 1.16 are deprecated and will be removed in kOps 1.22.
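Review bot: the new bullet under "Required Actions" names only `sqs:ListQueues`, while the addon documentation changed in the same commit also adds `sqs:DeleteQueue`; state here whether `sqs:DeleteQueue` is needed only when the addon is enabled, so operators who maintain a tight policy for the CLI know which permission is unconditional. The bullet also writes "Queue Process mode" and "kops CLI" where the addon docs use "Queue Processor mode" and "kOps CLI"; align the wording.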