Adicione isto à sua configuração de cluster:
spec: additionalPolicies: master: | [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInternetGateways" ], "Resource": "*" } ]