fix(eks): use AmazonEC2ContainerRegistryPullOnly for default node group roles

[syukawa-gh]

Closes #36706

Replace AmazonEC2ContainerRegistryReadOnly with AmazonEC2ContainerRegistryPullOnly for EKS node group default roles. PullOnly provides minimal permissions and supports pull-through cache.

Exemption Request: Managed policy name change, covered by existing EKS integration tests.

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

[syukawa-gh]

Exemption Request: This fix updates the default managed policy from AmazonEC2ContainerRegistryReadOnly to AmazonEC2ContainerRegistryPullOnly for EKS node group roles. Unit tests are included. Integration test snapshot update is needed — will add.

[syukawa-gh]

Correction to my previous comment: After reviewing the diff more carefully, this PR needs unit tests to be added. I will update this PR with the required tests. The Exemption Request above should be disregarded for the unit test requirement.

[syukawa-gh]

To clarify my earlier comments: unit tests are already included in this PR. The "Correction" comment above was posted in error. The exemption request is for the integration test only — this change updates the default managed policy for EKS node group roles, and the unit test verifies the correct policy ARN in the generated template.

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results	624 ran	620 passed		4 failed

Test	Result
Security Guardian Results
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-ipv6.js.snapshot/aws-cdk-eks-cluster-ipv6-test.template.json
ec2-no-open-security-groups.guard	❌ failure
iam-no-overly-permissive-passrole.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-removal-policy.js.snapshot/EksClusterRemovalPolicyStack.template.json
iam-no-overly-permissive-passrole.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster.js.snapshot/aws-cdk-eks-cluster.template.json
iam-no-overly-permissive-passrole.guard	❌ failure

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	624 ran	613 passed		11 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-al2023-nodegroup.js.snapshot/aws-cdk-eks-cluster-al2023-nodegroup-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-bottlerocket-ng.js.snapshot/aws-cdk-eks-cluster-bottlerocket-ng-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-imported.js.snapshot/aws-cdk-eks-import-cluster-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-ipv6.js.snapshot/aws-cdk-eks-cluster-ipv6-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-private-endpoint.js.snapshot/aws-cdk-eks-cluster-private-endpoint-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster.js.snapshot/aws-cdk-eks-cluster.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test-prev.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-pod-identities.js.snapshot/eks-pod-identities.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-windows-ng.js.snapshot/aws-cdk-eks-cluster-windows-ng-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.nodegroup-repair-config.js.snapshot/aws-cdk-eks-nodegroup-repair-config-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure

• View Security Guardian Results with resolved templates