Honour permissionPolicyName for pod identity inline IAM policies

[ShiriNmi1520]

Description

Fixes #8649.

This PR fixes support for custom inline policy names in pod identity associations.

Previously, when podIdentityAssociations.permissionPolicy was set, the IAM inline policy resource name was always hardcoded to Policy1, so permissionPolicyName was effectively ignored.

Key changes:

1. Updated IAM role builder logic to support a configurable inline policy name for pod identity associations.

• pkg/cfn/builder/iam.go
• NewIAMRoleResourceSetForPodIdentity now reads spec.PermissionPolicyName and falls back to Policy1 when empty.
• AddAllResources now attaches inline policies using the configured name rather than the hardcoded Policy1.

2. Preserved existing behaviour for non-pod-identity paths.

• Service account and capability builders continue to default to Policy1 to avoid regressions.

3. Added tests for the new behaviour.

• pkg/cfn/builder/iam_test.go
• Added coverage to verify that a custom pod identity inline policy name is used in the generated CloudFormation template.

4. Added API/schema support for config-driven usage.

• pkg/apis/eksctl.io/v1alpha5/iam.go
• pkg/apis/eksctl.io/v1alpha5/assets/schema.json
• Added permissionPolicyName to PodIdentityAssociation and schema definitions.

Testing snippets:

[n] ~/D/G/eksctl ☭ defineInlinePolicyName ● (^._.^)ﾉ彡ミ
⫸  cat /Users/shirinmi/Downloads/cilium_learn/eksctl/eks-addon.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: cilium-learn
  region: ap-east-1
  version: "1.34"

iam:
  podIdentityAssociations:
  - namespace: "kube-system"
    serviceAccountName: karpenter
    roleName: cilium-learn-karpenter
    permissionPolicyARNs:
    - arn:aws:iam::AWS-ACC-ID:policy/KarpenterControllerPolicy-cilium-learn

addons:
  - name: coredns
  - name: aws-ebs-csi-driver
  - name: eks-pod-identity-agent
  - name: metrics-server
  # For Test
  - name: vpc-cni
    version: latest
    podIdentityAssociations:
    - namespace: kube-system
      serviceAccountName: aws-node
      permissionPolicyName: cilium-learn-aws-node
      permissionPolicy:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - "ec2:AssignIpv6Addresses"
          - "ec2:DescribeInstances"
          - "ec2:DescribeTags"
          - "ec2:DescribeNetworkInterfaces"
          - "ec2:DescribeInstanceTypes"
          Resource: '*'
        - Effect: Allow
          Action:
          - "ec2:CreateTags"
          Resource: 'arn:aws:ec2:*:*:network-interface/*'

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the userdocs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes
• (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[github-actions]

Hello ShiriNmi1520 👋 Thank you for opening a Pull Request in eksctl project. The team will review the Pull Request and aim to respond within 1-10 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

[ShiriNmi1520]

I'll mark this pull request as a draft until I finish manual testing. Once completed, I'll update the description with relevant testing snippets.

[kprahulraj]

We can add a validation for permissionPolicyName that permissionPolicy is present, or fail. Since the permissionPolicyName is only used when the permissionPolicy is set.

[ShiriNmi1520]

Implemented the function validatePermissionPolicyName, which returns an error if permissionPolicyName is set without permissionPolicy. This function is integrated into both the iam.podIdentityAssociations and addons[].podIdentityAssociations configuration paths.

[kprahulraj]

if user creates policyName completely with special character, now this becomes empty and defaults to "Policy1". Might be better to add a log statement here, so user is aware about, why this is defaulted? Or a add this sanitize logic ahead during the validation and fail fast?

[ShiriNmi1520]

Went with the fail-fast approach. Added validation that permissionPolicyName must contain at least one alphanumeric character — this catches the all-special-characters case early during config validation rather than silently defaulting. The sanitizeResourceName fallback is kept as a safety net, but should now be unreachable for validated input.

[kprahulraj]

@ShiriNmi1520 Thanks for raising this PR. LGTM except for couple of comments that I left. Also you need to rebase and fix the lint issue with the dependencies

[ShiriNmi1520]

@ShiriNmi1520 Thanks for raising this PR. LGTM except for couple of comments that I left. Also you need to rebase and fix the lint issue with the dependencies

@kprahulraj Thank you for your review. I have already updated my code based on your feedback. If there is any misunderstanding or if you need any further clarification, please let me know.