Fix AWS IAM permissions example for Karpenter #3712

Closed
sergkondr opened this issue Apr 6, 2023 · 1 comment · Fixed by #3726
Labels
documentation Improvements or additions to documentation

Comments

@sergkondr
Contributor

Is an existing page relevant?

https://karpenter.sh/preview/getting-started/migrating-from-cas/

What karpenter features are relevant?

Hi Karpenter team!

In the documentation, you give an example of the IAM policy:

        {
            "Action": "ec2:TerminateInstances",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "*karpenter*"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "ConditionalEC2Termination"
        },

However, if the "Name" tag has a different value, it may result in Karpenter draining nodes that cannot be terminated. This, in turn, causes the nodes to be unavailable for scheduling new pods, thereby exceeding the limit on the number of nodes and preventing new pods from being scheduled.

How should the docs be improved?

Would something like this be better?

  statement {
    actions = [
      "ec2:TerminateInstances",
    ]
    effect    = "Allow"
    resources = ["*"]
    condition {
      test     = "StringLike"
      values   = ["*"]
      variable = "ec2:ResourceTag/karpenter.sh/provisioner-name"
    }
  }

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
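The failure mode described in this issue is easy to reproduce with a small, offline simulation of how IAM evaluates a `StringLike` condition on `ec2:ResourceTag/...`. The following Python is an added example, not code from Karpenter or from the issue author: it encodes the documentation's `Name`-tag statement and the proposed `karpenter.sh/provisioner-name` statement, then evaluates both against constructed instance tag sets. It assumes a simplified model (one Allow statement, no Deny, only the `StringLike` operator on `ec2:ResourceTag/<key>`, and a missing tag key makes the condition false, which is how IAM treats a condition key that is absent from the request context). The instance tag sets and the assumption that Karpenter-launched instances carry a `karpenter.sh/provisioner-name` tag are constructed for the example.

```python
import json
import re

# The statement from the Karpenter migration docs, as quoted in the issue:
# it only allows termination when the Name tag contains "karpenter".
NAME_TAG_STATEMENT = {
    "Sid": "ConditionalEC2Termination",
    "Effect": "Allow",
    "Action": "ec2:TerminateInstances",
    "Resource": "*",
    "Condition": {"StringLike": {"ec2:ResourceTag/Name": "*karpenter*"}},
}

# The alternative proposed in the issue (the Terraform block rendered as JSON):
# allow termination of any instance that carries the provisioner-name tag.
PROVISIONER_TAG_STATEMENT = {
    "Sid": "ConditionalEC2Termination",
    "Effect": "Allow",
    "Action": "ec2:TerminateInstances",
    "Resource": "*",
    "Condition": {
        "StringLike": {"ec2:ResourceTag/karpenter.sh/provisioner-name": "*"}
    },
}

# Constructed instance tag sets (assumption: Karpenter tags the instances it
# launches with karpenter.sh/provisioner-name; the Name tag is user-controlled).
INSTANCES = {
    "docs-convention": {"Name": "karpenter-worker", "karpenter.sh/provisioner-name": "default"},
    "custom-name": {"Name": "prod-worker-a1b2", "karpenter.sh/provisioner-name": "default"},
    "unmanaged": {"Name": "bastion"},
}

RESOURCE_TAG_PREFIX = "ec2:ResourceTag/"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive match where '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_holds(condition: dict, resource_tags: dict) -> bool:
    """Evaluate a Condition block limited to StringLike on ec2:ResourceTag keys."""
    for operator, clauses in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in clauses.items():
            if not key.startswith(RESOURCE_TAG_PREFIX):
                raise NotImplementedError(f"condition key {key} not modelled")
            tag_key = key[len(RESOURCE_TAG_PREFIX):]
            # A condition key missing from the request context never matches.
            if tag_key not in resource_tags:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(string_like(p, resource_tags[tag_key]) for p in patterns):
                return False
    return True


def is_allowed(statement: dict, action: str, resource_tags: dict) -> bool:
    """True if this single Allow statement grants `action` on a resource with these tags."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if action not in actions:
        return False
    if not condition_holds(statement.get("Condition", {}), resource_tags):
        return False
    return statement["Effect"] == "Allow"


def evaluate_all(statement: dict) -> dict:
    """Map each constructed instance to whether ec2:TerminateInstances is allowed."""
    return {
        name: is_allowed(statement, "ec2:TerminateInstances", tags)
        for name, tags in INSTANCES.items()
    }


def render_policy(statement: dict) -> str:
    """Wrap a statement in a complete policy document, ready to attach to a role."""
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=4)


if __name__ == "__main__":
    # With the Name-tag condition, the "custom-name" instance is drained but
    # can never be terminated; the provisioner-tag condition covers it.
    print("Name tag condition:       ", evaluate_all(NAME_TAG_STATEMENT))
    print("Provisioner tag condition:", evaluate_all(PROVISIONER_TAG_STATEMENT))
    print(render_policy(PROVISIONER_TAG_STATEMENT))
```

The "custom-name" row is the case the issue reports: the node is a Karpenter node, so Karpenter will cordon and drain it, but the `Name`-scoped statement denies `ec2:TerminateInstances` and the instance lingers. Keying the condition on a tag that Karpenter itself applies keeps the least-privilege intent (the role still cannot terminate the unmanaged "bastion" instance) without depending on a naming convention the operator may not follow.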
@ellistarn
Contributor

Would you be willing to cut a PR for this?
