Fix missing permission setup for IPv6 cluster

Author: guessi

examples/30-vpc-with-ip-family.yaml

@@ -14,6 +14,23 @@ kubernetesNetworkConfig:
 addons:
   - name: vpc-cni
     version: latest
+    # "ec2:AssignIpv6Addresses" would be required for IPv6 cluster
+    # - https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode
+    attachPolicy:
+      Version: "2012-10-17"
+      Statement:
+      - Effect: Allow
+        Action:
+        - "ec2:AssignIpv6Addresses"
+        - "ec2:DescribeInstances"
+        - "ec2:DescribeTags"
+        - "ec2:DescribeNetworkInterfaces"
+        - "ec2:DescribeInstanceTypes"
+        Resource: '*'
+      - Effect: Allow
+        Action:
+        - "ec2:CreateTags"
+        Resource: 'arn:aws:ec2:*:*:network-interface/*'
   - name: coredns
     version: latest
   - name: kube-proxy

userdocs/src/usage/vpc-ip-family.md

@@ -40,6 +40,7 @@ This is an in config file setting only. When IPv6 is set, the following restrict
 - managed nodegroup creation is not supported with un-owned IPv6 clusters
 - `vpc.NAT` and `serviceIPv4CIDR` fields are created by eksctl for ipv6 clusters and thus, are not supported configuration options
 - AutoAllocateIPv6 is not supported together with IPv6
+- For IPv6 cluster, the IAM role for vpc-cni must have [required IAM policies for IPv6 mode](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode) associated
 
 The default value is `IPv4`.