aws-iam-authenticator error “could not load/generate a certificate” can be resolved by terminating master node
You can use Amazon EC2 Instance Connect which provides a simple and secure way to connect to your instances using Secure Shell (SSH).
Your source code is in bitbucket and your bitbucket setting requires whitelisting of server IP. You want to clone the repo on bastion server.
Additional user-data can be passed to the host provisioning by setting the additionalUserData field.
You can install a Kubernetes cluster on AWS using a tool called kops. kops provisions fully automated installation of cluster.
Agent forwarding is a mechanism whereby an SSH client allows an SSH server to use the local agent on the server, the user logs into, as if it was local there.
You can create kubernetes cluster using kops command in your existing VPC and hosted zone. Kops will create rest of the required AWS resources.