chore(iam): follow the best practice to use "AmazonEC2ContainerRegistryPullOnly" only (#1183)

Author: guessi

java/eks/fargate-cluster/src/test/resources/com/amazonaws/cdk/EksFargateStackExpected.json

@@ -104,7 +104,7 @@
                 {
                   "Ref": "AWS::Partition"
                 },
-                ":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+                ":iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
               ]
             ]
           },

java/eks/private-cluster/src/main/java/com/amazonaws/cdk/examples/EksPrivateClusterStack.java

@@ -175,7 +175,7 @@ private void createBastion(Role clusterAdmin) {
     client
         .getRole()
         .addManagedPolicy(
-            ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryReadOnly"));
+            ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryPullOnly"));
     // access to read assets from S3 bucket e.g. kubectl, awscliv2, etc
     client
         .getRole()

typescript/eks/cluster/index.ts

@@ -51,7 +51,7 @@ class EKSCluster extends cdk.Stack {
         assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
         managedPolicies: [
           "AmazonEKSWorkerNodePolicy",
-          "AmazonEC2ContainerRegistryReadOnly",
+          "AmazonEC2ContainerRegistryPullOnly",
           "AmazonEKS_CNI_Policy",
         ].map((policy) => iam.ManagedPolicy.fromAwsManagedPolicyName(policy)),
       }),