feat(eks): add AlbControllerVersion support for v2.8.3 through v3.2.2 #37752

Open
letsgomeow wants to merge 3 commits into aws:main from letsgomeow:feature/37414-v2

@letsgomeow
Contributor

Issue # (if applicable)

Closes #37414.

Reason for this change

AlbControllerVersion only included versions up to V2_8_2. Users who
needed v2.8.3+ or v3.x were forced to use the AlbControllerVersion.of()
escape hatch and maintain their own IAM policy document — tracking upstream
policy changes manually and passing the policy explicitly via the policy
prop. This was brittle and created ongoing operational burden, especially
when security scanners flagged outdated controller versions.

Description of changes

Added built-in support for AWS Load Balancer Controller versions v2.8.3
through v3.2.2 (24 versions) in both aws-eks and aws-eks-v2 modules.

  • Added AlbControllerVersion static constants V2_8_3 through V3_2_2
    with correct Helm chart version mappings sourced from the
    eks-charts Chart.yaml history
  • Bundled IAM policy JSON files for each new version, sourced from the
    upstream releases
  • Updated README examples and integ test LATEST_VERSION to V3_2_2
  • Switched integ tests from deprecated OpenIdConnectProvider to
    OidcProviderNative (EKS_USE_NATIVE_OIDC_PROVIDER: true) to resolve
    a DeprecationError that caused integ test synthesis to fail under
    JSII_DEPRECATED=fail

Describe any new or updated permissions being added

No new IAM permissions are introduced by the CDK construct itself. The
bundled IAM policy JSON files reflect the permissions required by each
version of the AWS Load Balancer Controller as published upstream. The
policy content for v3.x differs from v2.x (upstream change), but the
CDK construct logic for applying the policy is unchanged.

Description of how you validated changes

  • Unit tests pass for aws-eks and aws-eks-v2 with no modifications
    required — the existing test.each(Object.values(AlbControllerVersion))
    and "all vended policies are valid" tests automatically cover all newly
    added versions and policy files
  • Integration test integ.alb-controller passed in ap-northeast-1 for
    both aws-eks and aws-eks-v2 with LATEST_VERSION set to V3_2_2
  • Integ test snapshots were fully regenerated due to the
    EKS_USE_NATIVE_OIDC_PROVIDER switch (existing snapshot used the
    deprecated Custom Resource-backed OIDC provider; new snapshot uses the
    native AWS::IAM::OIDCProvider resource)

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

letsgomeow added 2 commits May 3, 2026 20:48
….2.2

Add built-in support for AWS Load Balancer Controller versions
v2.8.3 through v3.2.2 (24 versions) in both aws-eks and aws-eks-v2 modules,
so users no longer need to maintain local IAM policy copies.

- Add AlbControllerVersion static constants V2_8_3 through V3_2_2
  with correct Helm chart version mappings
- Bundle IAM policy JSON files for each new version
- Update integ test LATEST_VERSION to V3_2_2
- Switch integ tests to EKS_USE_NATIVE_OIDC_PROVIDER: true to avoid
  deprecated OpenIdConnectProvider (existing deployments must follow the
  migration guide before upgrading)
- Regenerate integ test snapshots
@aws-cdk-automation aws-cdk-automation requested a review from a team May 4, 2026 03:06
@github-actions github-actions Bot added the feature-request (A feature should be added or improved.), p1, and beginning-contributor ([Pilot] contributed between 0-2 PRs to the CDK) labels May 4, 2026
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@github-actions
Contributor

github-actions Bot commented May 4, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.


                           Tests   Passed ✅   Skipped  Failed
Security Guardian Results  96 ran  96 passed

Test  Result
No test annotations available

@github-actions
Contributor

github-actions Bot commented May 4, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.


                                                   Tests   Passed ✅   Skipped  Failed
Security Guardian Results with resolved templates  96 ran  96 passed

Test  Result
No test annotations available

@letsgomeow letsgomeow changed the title feat(aws-eks): add AlbControllerVersion support for v2.8.3 through v3.2.2 feat(eks): add AlbControllerVersion support for v2.8.3 through v3.2.2 May 4, 2026
@aws-cdk-automation aws-cdk-automation dismissed their stale review May 4, 2026 03:15

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label May 4, 2026
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 4, 2026
@gasolima gasolima added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label May 13, 2026
@gasolima gasolima temporarily deployed to deployment-integ-test May 13, 2026 14:51 — with GitHub Actions Inactive
gasolima previously approved these changes May 13, 2026
*/
public static readonly V2_8_2 = new AlbControllerVersion('v2.8.2', '1.8.2', false);

/**
Contributor

No action needed, but I checked that the version is matching using this:

$ curl -s https://aws.github.io/eks-charts/index.yaml | \
yq '.entries.aws-load-balancer-controller[] | [.appVersion, .version] | @tsv' | \
sort -t'.' -k1,1V -k2,2n -k3,3n | \
column -t -s$'\t'

v2.0.0   0.1.1
v2.0.0   1.0.0
v2.0.0   1.0.3
v2.0.0   1.0.4
v2.0.0   1.0.5
v2.0.0   1.0.6
v2.0.1   1.0.7
v2.0.1   1.0.8
v2.1.0   1.1.0
v2.1.0   1.1.1
v2.1.1   1.1.2
v2.1.1   1.1.3
v2.1.2   1.1.4
v2.1.3   1.1.5
v2.1.3   1.1.6
v2.2.0   1.2.0
v2.2.0   1.2.1
v2.2.0   1.2.2
v2.2.1   1.2.3
v2.2.2   1.2.5
v2.2.3   1.2.6
v2.2.4   1.2.7
v2.3.0   1.3.1
v2.3.0   1.3.2
v2.3.1   1.3.3
v2.4.0   1.4.0
v2.4.1   1.4.1
v2.4.2   1.4.2
v2.4.2   1.4.3
v2.4.3   1.4.4
v2.4.4   1.4.5
v2.4.5   1.4.6
v2.4.6   1.4.7
v2.4.7   1.4.8
v2.5.0   1.5.0
v2.5.1   1.5.1
v2.5.1   1.5.2
v2.5.2   1.5.3
v2.5.3   1.5.4
v2.5.4   1.5.5
v2.6.0   1.6.0
v2.6.1   1.6.1
v2.6.2   1.6.2
v2.7.0   1.7.0
v2.7.1   1.7.1
v2.7.2   1.7.2
v2.8.0   1.8.0
v2.8.1   1.8.1
v2.8.2   1.8.2
v2.8.3   1.8.3
v2.8.3   1.8.4
v2.9.0   1.9.0
v2.9.1   1.9.1
v2.9.2   1.9.2
v2.10.0  1.10.0
v2.10.1  1.10.1
v2.11.0  1.11.0
v2.12.0  1.12.0
v2.13.0  1.13.0
v2.13.1  1.13.1
v2.13.2  1.13.2
v2.13.3  1.13.3
v2.13.4  1.13.4
v2.14.0  1.14.0
v2.14.1  1.14.1
v2.15.0  1.15.0
v2.16.0  1.16.0
v2.17.0  1.17.0
v2.17.1  1.17.1
v3.0.0   3.0.0
v3.1.0   3.1.0
v3.2.0   3.2.0
v3.2.1   3.2.1
v3.2.2   3.2.2
v3.3.0   3.3.0
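
The manual comparison in the review comment above can be made repeatable. The sketch below is an added example, not code from aws-cdk, this pull request, or the reviewer; its index rows are copied from the quoted output, and every declared pair other than v2.8.2 is hypothetical.

```typescript
// Constructed sample: rows copied from the output quoted in the review comment.
const INDEX_ROWS = `
v2.8.2   1.8.2
v2.8.3   1.8.3
v2.8.3   1.8.4
v2.9.0   1.9.0
v3.2.2   3.2.2
`;

// Declared [appVersion, chartVersion] pairs. Only v2.8.2 is visible on the page; the rest are
// hypothetical. v2.9.0 is deliberately wrong and v3.9.9 is a constructed, unpublished release.
const DECLARED: Array<[string, string]> = [
  ['v2.8.2', '1.8.2'],
  ['v2.8.3', '1.8.4'],
  ['v2.9.0', '1.9.9'],
  ['v3.2.2', '3.2.2'],
  ['v3.9.9', '3.9.9'],
];
type Finding = { app: string; declared: string; published: string[] };

// appVersion -> every chart version that ships it. One release can appear in
// several charts (v2.8.3 is in 1.8.3 and 1.8.4), so keep a list per release.
function parseIndex(tsv: string): Record<string, string[]> {
  const index: Record<string, string[]> = {};
  for (const line of tsv.split('\n')) {
    const fields = line.trim().split(/\s+/);
    const app = fields[0], chart = fields[1];
    if (fields.length !== 2 || !app || !chart) continue; // blank or malformed row
    index[app] = (index[app] || []).concat(chart);
  }
  return index;
}

// Report each declared pair whose chart version the index does not publish for that release.
function checkMappings(index: Record<string, string[]>, declared: Array<[string, string]>): Finding[] {
  const findings: Finding[] = [];
  for (const pair of declared) {
    const published = index[pair[0]] || []; // empty when the release is unknown
    if (published.indexOf(pair[1]) === -1) {
      findings.push({ app: pair[0], declared: pair[1], published: published });
    }
  }
  return findings;
}

for (const f of checkMappings(parseIndex(INDEX_ROWS), DECLARED)) {
  console.log(f.app + ' -> ' + f.declared + ' is not in the index; published: [' + f.published.join(', ') + ']');
}
```

Run as a unit test against a pinned copy of the chart index, a check like this fails the build when a bundled version constant points at a chart the repository never published.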

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 13, 2026

@mergify
Contributor

mergify Bot commented May 13, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify Bot commented May 13, 2026

Merge Queue Status

  • Entered queue 2026-05-13 16:32 UTC · Rule: default-squash
  • 🚫 Left the queue 2026-05-13 16:33 UTC · at 6ff47e0f8603640ce4b311d1f71d52af37d4d8a2

This pull request spent 24 seconds in the queue, with no time running CI.

Reason

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/community-review-timeout.yml without workflows permission

Hint

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

@letsgomeow letsgomeow had a problem deploying to deployment-integ-test May 17, 2026 06:58 — with GitHub Actions Error
@mergify mergify Bot dismissed gasolima’s stale review May 17, 2026 06:59

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 17, 2026
@letsgomeow
Contributor Author

@gasolima The previous approval was dismissed because I had to rebase locally to fix the Mergify workflow permission issue. Could you please re-review? All CI checks are passing. 🙏

Labels

  • beginning-contributor: [Pilot] contributed between 0-2 PRs to the CDK
  • feature-request: A feature should be added or improved.
  • p1
  • pr/needs-further-review: PR requires additional review from our team specialists due to the scope or complexity of changes.
  • pr/needs-integration-tests-deployment: Requires the PR to deploy the integration test snapshots.
  • pr/needs-maintainer-review: This PR needs a review from a Core Team Member

Development

Successfully merging this pull request may close these issues.

(aws-eks): Add built-in support for ALB Controller v3.x versions

3 participants