1. 确认Bitbucket Pipeline的服务角色是否有权限访问EKS API。可通过以下命令获取服务角色ARN：

aws iam get-role --role-name CodePipelineServiceRole

2. 在EKS上创建namespace和ServiceAccount以及相关的IAM角色和策略文件。

Kubernetes命名空间：

apiVersion: v1 kind: Namespace metadata: name: my-namespace

ServiceAccount：

apiVersion: v1 kind: ServiceAccount metadata: name: my-sa namespace: my-namespace

IAM Role：

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:Describe*", "ec2:Describe*", "ssm:GetParameters", "ssm:GetParameter" ], "Resource": "*" } ] }

IAM Policy Attachment：

apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: my-sa-binding namespace: my-namespace roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: eks-describe-role subjects:

• kind: ServiceAccount name: my-sa namespace: my-namespace

3. 在Bitbucket Pipeline中添加以下脚本步骤来获取EKS集群的认证令牌并将其作为变量传递给kubectl：

• export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
• export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
• export AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION
• export EKS_CLUSTER_ARN=$EKS_CLUSTER_ARN
• $(aws eks update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CLUSTER_ARN --kubeconfig config.yaml)
• export KUBECONFIG=$PWD/config.yaml
• export EKS_TOKEN=$(kubectl -n my-namespace describe secret $(kubectl -n my-namespace get secret | grep my-sa-token | awk '{print $1}') | awk '$1=="token:"{print $2}')

4. 在Bit