
Commit 1b6e962

fix(eks): kubectlProvider should use the AmazonEC2ContainerRegistryPullOnly managed policy (#35248)
### Issue

Closes #35244

### Problem Statement

The current KubectlProvider implementation uses the AmazonEC2ContainerRegistryReadOnly managed policy for ECR access, which has two key limitations:

1. Too broad: Includes unnecessary permissions like ecr:ListImages that kubectl doesn't require
2. Too narrow: Missing the ecr:BatchImportUpstreamImage action required for ECR pull-through cache functionality

This prevents users from leveraging ECR pull-through caches when installing Helm charts from ECR repositories via the CDK.

### Solution

Replace `AmazonEC2ContainerRegistryReadOnly` with `AmazonEC2ContainerRegistryPullOnly` in the KubectlProvider's IAM role. The `AmazonEC2ContainerRegistryPullOnly` policy:

- Provides the exact permissions needed for container image pulling
- Includes support for ecr:BatchImportUpstreamImage enabling pull-through cache functionality
- Follows the principle of least privilege by removing unnecessary permissions

### Changes Made

- Updated kubectl-provider.ts to use AmazonEC2ContainerRegistryPullOnly instead of AmazonEC2ContainerRegistryReadOnly
- Regenerated integration test snapshots to reflect the policy change across all affected EKS test cases

### Impact

- **Enables ECR pull-through cache support** for Helm chart installations via kubectl
- **Improves security posture** by applying principle of least privilege
- **Maintains backward compatibility** - all existing functionality continues to work
- **No breaking changes** - this is a drop-in replacement with enhanced capabilities

### Testing

- All existing integration tests pass with updated snapshots
- The change affects multiple EKS integration test scenarios including ALB controller, custom addons, and various node group configurations
- Verified that the new policy provides all necessary permissions for kubectl operations

### References

- [AmazonEC2ContainerRegistryPullOnly Policy Documentation](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPullOnly.html)
- [AmazonEC2ContainerRegistryReadOnly Policy Documentation](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
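As an added check that is not part of this commit or the CDK code base: the script below diffs the Allow actions of two IAM policy documents and verifies that a policy still covers the actions an image pull through an ECR pull-through cache needs. The two policy documents and the required-action set are constructed stand-ins modelled on the commit message's description of the two managed policies, not the authoritative AWS documents.

```python
import fnmatch
import json

# Constructed stand-ins modelled on the published action lists of the two
# managed policies named in the commit message; consult the linked AWS
# reference pages for the authoritative documents.
READ_ONLY_DOC = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
        "ecr:BatchGetImage", "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"]}]})
PULL_ONLY_DOC = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
        "ecr:BatchImportUpstreamImage"]}]})

# Actions a pull through a pull-through cache needs (assumption drawn from
# the commit message: a plain image pull plus ecr:BatchImportUpstreamImage).
REQUIRED_PULL_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                         "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchImportUpstreamImage"}

def allowed_actions(policy_json):
    """Collect every Action named in the Allow statements of a policy."""
    stmts = json.loads(policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    actions = set()
    for stmt in stmts:
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions

def is_covered(action, granted):
    """True when `action` matches a granted action, honouring IAM wildcards."""
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in granted)

def diff_policies(old_json, new_json):
    """Return (dropped, gained) action sets when replacing old with new."""
    old, new = allowed_actions(old_json), allowed_actions(new_json)
    return old - new, new - old

def missing_required(policy_json, required=REQUIRED_PULL_ACTIONS):
    """Required pull actions that the policy does not grant."""
    granted = allowed_actions(policy_json)
    return {a for a in required if not is_covered(a, granted)}
```

Running `diff_policies(READ_ONLY_DOC, PULL_ONLY_DOC)` shows the actions the swap drops (ecr:ListImages among them) and the single action it gains, ecr:BatchImportUpstreamImage, which is exactly the "too broad / too narrow" pair the commit message describes.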
1 parent d79fd85 commit 1b6e962

142 files changed

+758
-1935
lines changed


packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/integ-eks-stack.assets.json

Lines changed: 3 additions & 3 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/integ-eks-stack.template.json

Lines changed: 1 addition & 1 deletion
@@ -456,7 +456,7 @@
456456
{
457457
"Ref": "AWS::Partition"
458458
},
459-
":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
459+
":iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
460460
]
461461
]
462462
},
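Review bot: the policy ARN in this hunk is assembled from `"Ref": "AWS::Partition"`, so before merging confirm that `AmazonEC2ContainerRegistryPullOnly` exists in every partition this snapshot can be synthesized for (aws, aws-cn, aws-us-gov); a managed-policy ARN that does not exist in a partition would fail the kubectl provider role's creation at deploy time, and a regenerated snapshot cannot catch that.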

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/manifest.json

Lines changed: 6 additions & 67 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/tree.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/aws-cdk-eks-cluster-alb-controller.assets.json

Lines changed: 3 additions & 3 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/aws-cdk-eks-cluster-alb-controller.template.json

Lines changed: 1 addition & 1 deletion
@@ -456,7 +456,7 @@
456456
{
457457
"Ref": "AWS::Partition"
458458
},
459-
":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
459+
":iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
460460
]
461461
]
462462
},
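Review bot: this is the same one-token ARN change as the previous snapshot, which is expected because both templates are regenerated from the same kubectl-provider.ts construct; that source change is not among the files rendered on this page, so check that the construct's unit test asserts on the `AmazonEC2ContainerRegistryPullOnly` ARN directly rather than relying on snapshot churn to detect a regression.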

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/manifest.json

Lines changed: 6 additions & 67 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/tree.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.custom-addons.js.snapshot/eks-custom-addons.assets.json

Lines changed: 3 additions & 3 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.custom-addons.js.snapshot/eks-custom-addons.template.json

Lines changed: 1 addition & 1 deletion
@@ -456,7 +456,7 @@
456456
{
457457
"Ref": "AWS::Partition"
458458
},
459-
":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
459+
":iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
460460
]
461461
]
462462
},
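Review bot: the commit message asserts backward compatibility, but the only evidence on this page is the ARN swap repeated across snapshots; since the swap also removes grants such as ecr:ListImages from an existing kubectl provider role on stack update, an integration test that installs one Helm chart from a private ECR repository and one through a pull-through cache repository would exercise both the dropped and the gained permissions and substantiate the claim.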
