(aws-eks): Add built-in support for ALB Controller v3.x versions #37414

@Abogical

Describe the feature

The AlbControllerVersion enum currently stops at V2_8_2, and the bundled IAM policy JSON files only go up to alb-iam_policy-v2.8.2.json. The AWS Load Balancer Controller has released v3.x versions (e.g., v3.0.0, v3.1.0) which include significant changes including updated IAM policies.

Currently, users who need v3.x must use the AlbControllerVersion.of("v3.1.0") escape hatch and supply their own IAM policy document. This means they have to:

  1. Maintain a local copy of the full ALB Controller IAM policy JSON
  2. Manually track upstream policy changes
  3. Pass the policy explicitly via the policy prop

This is brittle and creates ongoing operational burden, especially when security scanners flag outdated controller versions.

Use Case

Teams running EKS clusters need to stay on supported ALB Controller versions to avoid security findings (e.g., Mirador). Without built-in v3.x support, every team must independently source and maintain the IAM policy, which is error-prone and duplicative.

Proposed Solution

  1. Add new static constants to AlbControllerVersion (e.g., V3_0_0, V3_1_0) with the correct helm chart version mappings
  2. Add the corresponding alb-iam_policy-v3.x.x.json files to packages/aws-cdk-lib/aws-eks/lib/addons/
  3. Keep the AlbControllerVersion.of() escape hatch for future versions

Other Information

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.182.0

Environment details (OS name and version, etc.)

N/A
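
The "manually track upstream policy changes" step of the workaround listed in the issue can be checked mechanically. The following is an added example, not part of the original issue or the aws-cdk code base: it diffs a locally maintained policy copy against a newer upstream copy so that each new or changed permission is reviewed before it is passed via the policy prop. The type and function names and both sample documents are assumptions constructed for illustration; the samples are not the real controller policies.

```typescript
// Added example; type and function names are hypothetical.
type Statement = { Effect: "Allow" | "Deny"; Action: string | string[];
                   Resource: string | string[]; Condition?: object };
type PolicyDoc = { Version: string; Statement: Statement[] };

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Expand every Allow statement into one string per (action, resource, condition) grant.
// Conditions are compared by their JSON text, so reordered keys show up as a change.
function grants(doc: PolicyDoc): string[] {
  const seen: Record<string, true> = {};
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const cond = s.Condition ? JSON.stringify(s.Condition) : "unconditional";
    for (const a of asList(s.Action)) {
      for (const r of asList(s.Resource)) seen[`${a} on ${r} if ${cond}`] = true;
    }
  }
  return Object.keys(seen).sort();
}

// Grants found only upstream are new permissions to review before adopting the new
// version; grants found only in the local copy are stale and can be dropped.
function diffPolicies(local: PolicyDoc, upstream: PolicyDoc) {
  const l = grants(local);
  const u = grants(upstream);
  return {
    added: u.filter((g) => l.indexOf(g) < 0),
    removed: l.filter((g) => u.indexOf(g) < 0),
  };
}

// Constructed sample documents (NOT the real ALB controller policies).
const localCopy: PolicyDoc = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Resource: "*",
    Action: ["ec2:DescribeSubnets", "elasticloadbalancing:DescribeLoadBalancers"] },
  { Effect: "Allow", Resource: "*", Action: "elasticloadbalancing:CreateLoadBalancer" },
] };
const upstreamCopy: PolicyDoc = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Resource: "*",
    Action: ["ec2:DescribeSubnets", "elasticloadbalancing:DescribeLoadBalancers",
             "elasticloadbalancing:DescribeListeners"] },
  { Effect: "Allow", Resource: "*", Action: "elasticloadbalancing:CreateLoadBalancer",
    Condition: { Null: { "aws:RequestTag/example-cluster-tag": "false" } } },
] };
console.log(JSON.stringify(diffPolicies(localCopy, upstreamCopy), null, 2));
```

A grant whose condition changed appears once under `removed` and once under `added`, which makes tightened or loosened conditions visible in review.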

Labels: @aws-cdk/aws-eks (Related to Amazon Elastic Kubernetes Service), feature-request (A feature should be added or improved.), p1