当前位置：首页 > news >正文

Jenkins × 容器技术：构建未来DevOps生态的超级引擎

news 2025/7/2 8:05:29

🚀 Jenkins × 容器技术：构建未来DevOps生态的超级引擎

「代码即基础设施，容器即未来」 —— 在云原生时代，Jenkins与容器技术的深度融合正在重新定义CI/CD的边界

🌟 技术前瞻：容器化时代的DevOps革命

在数字化转型的浪潮中，传统的CI/CD模式正面临前所未有的挑战。Jenkins作为持续集成领域的王者，与Docker、Kubernetes等容器技术的结合，不仅仅是技术栈的升级，更是一场关于效率、可扩展性和资源利用率的革命。

🎯 本文导航矩阵

在这里插入图片描述

🐳 Jenkins + Docker：重塑构建环境的DNA

🔬 技术架构解析

在传统模式下，构建环境的配置往往是DevOps团队的噩梦。Docker的引入彻底改变了这一局面，让"Build Once, Run Anywhere"成为现实。

🏗️ 容器化构建环境搭建

核心架构设计：

# docker-compose.yml - Jenkins容器化部署
version: '3.8'
services:jenkins-master:image: jenkins/jenkins:lts-alpinecontainer_name: jenkins-nexusports:- "8080:8080"- "50000:50000"volumes:- jenkins_home:/var/jenkins_home- /var/run/docker.sock:/var/run/docker.sock- ./jenkins-config:/usr/share/jenkins/refenvironment:- JENKINS_OPTS=--httpPort=8080- JAVA_OPTS=-Xmx2048m -Xms1024mnetworks:- jenkins-networkjenkins-agent:image: jenkins/inbound-agent:alpinecontainer_name: jenkins-agent-01environment:- JENKINS_URL=http://jenkins-master:8080- JENKINS_SECRET=${AGENT_SECRET}- JENKINS_AGENT_NAME=docker-agent-01volumes:- /var/run/docker.sock:/var/run/docker.socknetworks:- jenkins-networkdepends_on:- jenkins-mastervolumes:jenkins_home:driver: localnetworks:jenkins-network:driver: bridge

🔥 高级Pipeline配置：

// Jenkinsfile - 多阶段容器化构建
pipeline {agent noneenvironment {DOCKER_REGISTRY = 'harbor.company.com'IMAGE_NAME = 'microservice-app'BUILD_VERSION = "${env.BUILD_NUMBER}-${env.GIT_COMMIT.take(8)}"}stages {stage('🔍 Code Analysis') {agent {docker {image 'sonarqube/sonar-scanner-cli:latest'args '-v /var/run/docker.sock:/var/run/docker.sock'}}steps {script {sh '''sonar-scanner \-Dsonar.projectKey=${JOB_NAME} \-Dsonar.sources=src \-Dsonar.host.url=${SONAR_HOST_URL} \-Dsonar.login=${SONAR_TOKEN}'''}}}stage('🏗️ Multi-Stage Build') {parallel {stage('Frontend Build') {agent {docker {image 'node:18-alpine'args '-v npm-cache:/root/.npm'}}steps {sh '''npm ci --cache /root/.npmnpm run build:prodnpm run test:coverage'''publishHTML([allowMissing: false,alwaysLinkToLastBuild: true,keepAll: true,reportDir: 'coverage',reportFiles: 'index.html',reportName: 'Coverage Report'])}}stage('Backend Build') {agent {docker {image 'maven:3.8-openjdk-17-slim'args '-v maven-cache:/root/.m2'}}steps {sh '''mvn clean compile test package \-Dmaven.repo.local=/root/.m2/repository \-DskipTests=false'''junit 'target/surefire-reports/*.xml'archiveArtifacts artifacts: 'target/*.jar', fingerprint: true}}}}stage('🐳 Container Image Build') {agent anysteps {script {def customImage = docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_VERSION}","--build-arg BUILD_VERSION=${BUILD_VERSION} " +"--build-arg GIT_COMMIT=${env.GIT_COMMIT} " +"--target production .")// 安全扫描sh "trivy image --exit-code 1 --severity HIGH,CRITICAL ${customImage.id}"// 推送到镜像仓库docker.withRegistry("https://${DOCKER_REGISTRY}", 'harbor-credentials') {customImage.push()customImage.push('latest')}}}}}post {always {cleanWs()sh 'docker system prune -f'}success {slackSend(channel: '#devops',color: 'good',message: "✅ Build Success: ${env.JOB_NAME} #${env.BUILD_NUMBER}")}failure {slackSend(channel: '#devops',color: 'danger',message: "❌ Build Failed: ${env.JOB_NAME} #${env.BUILD_NUMBER}")}}
}

🎨 多阶段Dockerfile优化

# Dockerfile - 生产级多阶段构建
FROM node:18-alpine AS frontend-builder
WORKDIR /app/frontend
COPY frontend/package*.json ./
RUN npm ci --only=production && npm cache clean --force
COPY frontend/ .
RUN npm run build:prodFROM maven:3.8-openjdk-17-slim AS backend-builder
WORKDIR /app/backend
COPY backend/pom.xml .
RUN mvn dependency:go-offline -B
COPY backend/src ./src
RUN mvn clean package -DskipTests=trueFROM openjdk:17-jre-slim AS production
LABEL maintainer="DevOps Team <devops@company.com>"
LABEL version="${BUILD_VERSION}"
LABEL git-commit="${GIT_COMMIT}"# 安全优化
RUN groupadd -r appuser && useradd -r -g appuser appuser
RUN apt-get update && apt-get install -y --no-install-recommends \curl \&& rm -rf /var/lib/apt/lists/*WORKDIR /app# 复制构建产物
COPY --from=frontend-builder /app/frontend/dist ./static
COPY --from=backend-builder /app/backend/target/*.jar ./app.jar# 健康检查
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \CMD curl -f http://localhost:8080/actuator/health || exit 1USER appuser
EXPOSE 8080ENTRYPOINT ["java", "-XX:+UseContainerSupport", "-XX:MaxRAMPercentage=75.0", "-jar", "app.jar"]

☸️ Jenkins + Kubernetes：云原生时代的资源编排大师

🌐 动态资源调度架构

Kubernetes的引入将Jenkins的可扩展性提升到了一个全新的维度。通过Kubernetes Plugin，Jenkins可以根据构建负载动态创建和销毁Pod，实现真正的弹性扩展。

🚀 Kubernetes集群配置

# jenkins-k8s-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:name: jenkins-masternamespace: jenkinslabels:app: jenkinstier: master
spec:replicas: 1selector:matchLabels:app: jenkinstier: mastertemplate:metadata:labels:app: jenkinstier: masterspec:serviceAccountName: jenkinscontainers:- name: jenkinsimage: jenkins/jenkins:ltsports:- containerPort: 8080- containerPort: 50000resources:requests:memory: "2Gi"cpu: "1000m"limits:memory: "4Gi"cpu: "2000m"env:- name: JAVA_OPTSvalue: "-Xmx3072m -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85"volumeMounts:- name: jenkins-homemountPath: /var/jenkins_home- name: docker-sockmountPath: /var/run/docker.socklivenessProbe:httpGet:path: /loginport: 8080initialDelaySeconds: 60timeoutSeconds: 5readinessProbe:httpGet:path: /loginport: 8080initialDelaySeconds: 60timeoutSeconds: 5volumes:- name: jenkins-homepersistentVolumeClaim:claimName: jenkins-pvc- name: docker-sockhostPath:path: /var/run/docker.sock
---
apiVersion: v1
kind: Service
metadata:name: jenkins-servicenamespace: jenkins
spec:selector:app: jenkinstier: mastertype: LoadBalancerports:- name: httpport: 80targetPort: 8080- name: jnlpport: 50000targetPort: 50000

🎯 动态Agent Pod模板

# jenkins-agent-pod-template.yaml
apiVersion: v1
kind: Pod
metadata:name: jenkins-agentlabels:jenkins: agent
spec:serviceAccountName: jenkins-agentcontainers:- name: jnlpimage: jenkins/inbound-agent:alpineresources:requests:memory: "512Mi"cpu: "500m"limits:memory: "1Gi"cpu: "1000m"env:- name: JENKINS_URLvalue: "http://jenkins-service.jenkins.svc.cluster.local"- name: dockerimage: docker:dindsecurityContext:privileged: trueresources:requests:memory: "1Gi"cpu: "500m"limits:memory: "2Gi"cpu: "1000m"volumeMounts:- name: docker-sockmountPath: /var/run/docker.sock- name: kubectlimage: bitnami/kubectl:latestcommand:- cattty: trueresources:requests:memory: "256Mi"cpu: "100m"limits:memory: "512Mi"cpu: "200m"volumes:- name: docker-sockhostPath:path: /var/run/docker.socknodeSelector:kubernetes.io/os: linuxtolerations:- key: "jenkins-agent"operator: "Equal"value: "true"effect: "NoSchedule"

🔧 Jenkins Kubernetes Plugin配置

// Pipeline with Kubernetes Pod Template
pipeline {agent {kubernetes {yaml """apiVersion: v1kind: Podspec:containers:- name: mavenimage: maven:3.8-openjdk-17command:- cattty: trueresources:requests:memory: "1Gi"cpu: "500m"limits:memory: "2Gi"cpu: "1000m"- name: dockerimage: docker:latestcommand:- cattty: truevolumeMounts:- mountPath: /var/run/docker.sockname: docker-sock- name: kubectlimage: bitnami/kubectl:latestcommand:- cattty: truevolumes:- name: docker-sockhostPath:path: /var/run/docker.sock"""}}environment {KUBECONFIG = credentials('k8s-config')DOCKER_REGISTRY = 'harbor.company.com'NAMESPACE = 'production'}stages {stage('🔨 Build & Test') {steps {container('maven') {sh '''mvn clean compile test packagemvn sonar:sonar -Dsonar.host.url=${SONAR_URL}'''}}}stage('🐳 Container Build') {steps {container('docker') {script {def image = docker.build("${DOCKER_REGISTRY}/app:${BUILD_NUMBER}")docker.withRegistry("https://${DOCKER_REGISTRY}", 'harbor-creds') {image.push()image.push('latest')}}}}}stage('🚀 Deploy to K8s') {steps {container('kubectl') {sh '''kubectl set image deployment/app \app=${DOCKER_REGISTRY}/app:${BUILD_NUMBER} \-n ${NAMESPACE}kubectl rollout status deployment/app -n ${NAMESPACE}# 健康检查kubectl wait --for=condition=available \--timeout=300s deployment/app -n ${NAMESPACE}'''}}}}post {always {// 清理资源sh 'kubectl delete pod --field-selector=status.phase==Succeeded -n jenkins'}}
}

🤖 容器化Agent实践：分布式构建的艺术

🎭 多样化Agent生态系统

在容器化环境中，Jenkins Agent不再是单一的构建节点，而是一个可以根据需求动态调整的智能构建集群。

🏭 专业化Agent镜像构建

# Dockerfile.jenkins-agent-nodejs
FROM jenkins/inbound-agent:alpineUSER root# 安装Node.js和构建工具
RUN apk add --no-cache \nodejs \npm \yarn \python3 \make \g++ \git \curl# 安装全局工具
RUN npm install -g \@angular/cli \@vue/cli \create-react-app \typescript \eslint \prettier# 配置缓存目录
RUN mkdir -p /home/jenkins/.npm && \mkdir -p /home/jenkins/.yarn && \chown -R jenkins:jenkins /home/jenkinsUSER jenkins# 预热缓存
RUN npm config set cache /home/jenkins/.npm
RUN yarn config set cache-folder /home/jenkins/.yarnWORKDIR /home/jenkins/agent

# Dockerfile.jenkins-agent-python
FROM jenkins/inbound-agent:alpineUSER root# 安装Python和数据科学工具
RUN apk add --no-cache \python3 \python3-dev \py3-pip \gcc \musl-dev \linux-headers \postgresql-dev# 安装Python包管理工具
RUN pip3 install --upgrade pip setuptools wheel# 安装常用数据科学库
RUN pip3 install \pandas \numpy \scikit-learn \matplotlib \seaborn \jupyter \pytest \black \flake8USER jenkins
WORKDIR /home/jenkins/agent

🎪 智能Agent调度策略

// 智能Agent选择Pipeline
pipeline {agent nonestages {stage('🔍 Project Analysis') {agent anysteps {script {// 分析项目类型def projectType = detectProjectType()env.PROJECT_TYPE = projectTypeenv.AGENT_LABEL = getOptimalAgent(projectType)echo "检测到项目类型: ${projectType}"echo "选择Agent标签: ${env.AGENT_LABEL}"}}}stage('🏗️ Dynamic Build') {agent {kubernetes {label "${env.AGENT_LABEL}"yaml getAgentPodTemplate(env.PROJECT_TYPE)}}steps {script {switch(env.PROJECT_TYPE) {case 'nodejs':buildNodejsProject()breakcase 'python':buildPythonProject()breakcase 'java':buildJavaProject()breakcase 'golang':buildGolangProject()breakdefault:error "不支持的项目类型: ${env.PROJECT_TYPE}"}}}}}
}// 项目类型检测函数
def detectProjectType() {if (fileExists('package.json')) {return 'nodejs'} else if (fileExists('requirements.txt') || fileExists('setup.py')) {return 'python'} else if (fileExists('pom.xml') || fileExists('build.gradle')) {return 'java'} else if (fileExists('go.mod')) {return 'golang'} else {return 'generic'}
}// 获取最优Agent
def getOptimalAgent(projectType) {def agentMap = ['nodejs': 'nodejs-agent','python': 'python-agent','java': 'java-agent','golang': 'golang-agent','generic': 'generic-agent']return agentMap[projectType] ?: 'generic-agent'
}// 获取Agent Pod模板
def getAgentPodTemplate(projectType) {def templates = ['nodejs': '''apiVersion: v1kind: Podspec:containers:- name: nodejsimage: jenkins-agent-nodejs:latestresources:requests:memory: "1Gi"cpu: "500m"limits:memory: "2Gi"cpu: "1000m"''','python': '''apiVersion: v1kind: Podspec:containers:- name: pythonimage: jenkins-agent-python:latestresources:requests:memory: "2Gi"cpu: "1000m"limits:memory: "4Gi"cpu: "2000m"''']return templates[projectType] ?: templates['nodejs']
}

⚡ CI/CD流程优化：容器化部署的终极进化

🎯 零停机部署策略

在容器化环境中，CI/CD流程的优化不仅仅是速度的提升，更是可靠性和用户体验的革命性改进。

🔄 蓝绿部署自动化

// 蓝绿部署Pipeline
pipeline {agent {kubernetes {yaml '''apiVersion: v1kind: Podspec:containers:- name: kubectlimage: bitnami/kubectl:latestcommand: ["cat"]tty: true- name: helmimage: alpine/helm:latestcommand: ["cat"]tty: true'''}}environment {APP_NAME = 'microservice-app'NAMESPACE = 'production'BLUE_GREEN_TIMEOUT = '300'}stages {stage('🔍 Pre-deployment Check') {steps {container('kubectl') {script {// 检查当前活跃环境def currentEnv = sh(script: "kubectl get service ${APP_NAME} -n ${NAMESPACE} -o jsonpath='{.spec.selector.version}'",returnStdout: true).trim()env.CURRENT_ENV = currentEnv ?: 'blue'env.TARGET_ENV = (currentEnv == 'blue') ? 'green' : 'blue'echo "当前环境: ${env.CURRENT_ENV}"echo "目标环境: ${env.TARGET_ENV}"}}}}stage('🚀 Deploy to Target Environment') {steps {container('helm') {sh '''helm upgrade --install ${APP_NAME}-${TARGET_ENV} ./helm-chart \--namespace ${NAMESPACE} \--set image.tag=${BUILD_NUMBER} \--set environment=${TARGET_ENV} \--set replicaCount=3 \--wait --timeout=${BLUE_GREEN_TIMEOUT}s'''}}}stage('🧪 Health Check & Smoke Tests') {steps {container('kubectl') {script {// 等待Pod就绪sh '''kubectl wait --for=condition=ready pod \-l app=${APP_NAME},version=${TARGET_ENV} \-n ${NAMESPACE} --timeout=${BLUE_GREEN_TIMEOUT}s'''// 执行健康检查def healthCheck = sh(script: '''kubectl run health-check-${BUILD_NUMBER} \--image=curlimages/curl:latest \--rm -i --restart=Never \--namespace=${NAMESPACE} \-- curl -f http://${APP_NAME}-${TARGET_ENV}:8080/actuator/health''',returnStatus: true)if (healthCheck != 0) {error "健康检查失败，停止部署"}// 执行烟雾测试sh '''kubectl apply -f - <<EOF
apiVersion: batch/v1
kind: Job
metadata:name: smoke-test-${BUILD_NUMBER}namespace: ${NAMESPACE}
spec:template:spec:containers:- name: smoke-testimage: postman/newman:alpinecommand: ["newman"]args: ["run", "/tests/smoke-tests.json", "--env-var", "baseUrl=http://${APP_NAME}-${TARGET_ENV}:8080"]volumeMounts:- name: test-scriptsmountPath: /testsvolumes:- name: test-scriptsconfigMap:name: smoke-test-scriptsrestartPolicy: Never
EOFkubectl wait --for=condition=complete job/smoke-test-${BUILD_NUMBER} \-n ${NAMESPACE} --timeout=120s'''}}}}stage('🔄 Traffic Switch') {steps {container('kubectl') {script {// 切换流量sh '''kubectl patch service ${APP_NAME} -n ${NAMESPACE} \-p '{"spec":{"selector":{"version":"${TARGET_ENV}"}}}''''echo "流量已切换到 ${env.TARGET_ENV} 环境"// 等待一段时间观察sleep(30)// 验证新环境def finalCheck = sh(script: '''kubectl run final-check-${BUILD_NUMBER} \--image=curlimages/curl:latest \--rm -i --restart=Never \--namespace=${NAMESPACE} \-- curl -f http://${APP_NAME}:8080/actuator/info''',returnStatus: true)if (finalCheck != 0) {error "最终验证失败，需要回滚"}}}}}stage('🧹 Cleanup Old Environment') {steps {container('helm') {sh '''# 保留旧环境一段时间以备回滚echo "旧环境 ${CURRENT_ENV} 将在30分钟后自动清理"# 可以设置定时任务或使用TTL控制器kubectl annotate deployment ${APP_NAME}-${CURRENT_ENV} \-n ${NAMESPACE} \cleanup.time="$(date -d '+30 minutes' -Iseconds)"'''}}}}post {failure {container('kubectl') {script {// 自动回滚echo "部署失败，执行自动回滚"sh '''kubectl patch service ${APP_NAME} -n ${NAMESPACE} \-p '{"spec":{"selector":{"version":"${CURRENT_ENV}"}}}'helm uninstall ${APP_NAME}-${TARGET_ENV} -n ${NAMESPACE}'''}}}success {slackSend(channel: '#deployments',color: 'good',message: "✅ 蓝绿部署成功: ${env.APP_NAME} 已切换到 ${env.TARGET_ENV} 环境")}}
}

🎢 金丝雀发布策略

# canary-deployment.yaml
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:name: microservice-appnamespace: production
spec:replicas: 10strategy:canary:steps:- setWeight: 10- pause: {duration: 2m}- setWeight: 20- pause: {duration: 2m}- setWeight: 50- pause: {duration: 5m}- setWeight: 80- pause: {duration: 2m}analysis:templates:- templateName: success-rateargs:- name: service-namevalue: microservice-app- name: namespacevalue: productiontrafficRouting:istio:virtualService:name: microservice-appdestinationRule:name: microservice-appcanarySubsetName: canarystableSubsetName: stableselector:matchLabels:app: microservice-apptemplate:metadata:labels:app: microservice-appspec:containers:- name: appimage: harbor.company.com/microservice-app:latestports:- containerPort: 8080resources:requests:memory: "512Mi"cpu: "250m"limits:memory: "1Gi"cpu: "500m"livenessProbe:httpGet:path: /actuator/healthport: 8080initialDelaySeconds: 30periodSeconds: 10readinessProbe:httpGet:path: /actuator/healthport: 8080initialDelaySeconds: 5periodSeconds: 5

📊 性能监控与自动化回滚

// 集成监控的部署Pipeline
pipeline {agent anyenvironment {PROMETHEUS_URL = 'http://prometheus.monitoring.svc.cluster.local:9090'GRAFANA_URL = 'http://grafana.monitoring.svc.cluster.local:3000'ALERT_MANAGER_URL = 'http://alertmanager.monitoring.svc.cluster.local:9093'}stages {stage('📊 Pre-deployment Metrics') {steps {script {// 记录部署前的基线指标def baselineMetrics = sh(script: '''curl -s "${PROMETHEUS_URL}/api/v1/query?query=rate(http_requests_total[5m])" | \jq -r '.data.result[0].value[1]'''',returnStdout: true).trim()env.BASELINE_REQUEST_RATE = baselineMetricsecho "部署前请求率基线: ${baselineMetrics} req/s"}}}stage('🚀 Deploy with Monitoring') {steps {// 部署应用sh 'kubectl apply -f k8s-manifests/'// 等待部署完成sh '''kubectl rollout status deployment/microservice-app \-n production --timeout=300s'''// 启动监控script {env.DEPLOYMENT_START_TIME = sh(script: 'date +%s',returnStdout: true).trim()}}}stage('🔍 Post-deployment Validation') {steps {script {// 监控关键指标def monitoringDuration = 300 // 5分钟def checkInterval = 30 // 30秒def maxIterations = monitoringDuration / checkIntervalfor (int i = 0; i < maxIterations; i++) {sleep(checkInterval)// 检查错误率def errorRate = sh(script: '''curl -s "${PROMETHEUS_URL}/api/v1/query?query=rate(http_requests_total{status=~\"5..\"}[2m])" | \jq -r '.data.result[0].value[1] // "0"'''',returnStdout: true).trim() as Double// 检查响应时间def responseTime = sh(script: '''curl -s "${PROMETHEUS_URL}/api/v1/query?query=histogram_quantile(0.95,rate(http_request_duration_seconds_bucket[2m]))" | \jq -r '.data.result[0].value[1] // "0"'''',returnStdout: true).trim() as Doubleecho "第${i+1}次检查 - 错误率: ${errorRate}, 响应时间: ${responseTime}s"// 设置阈值if (errorRate > 0.01) { // 错误率超过1%error "错误率过高: ${errorRate}, 触发自动回滚"}if (responseTime > 2.0) { // 响应时间超过2秒error "响应时间过长: ${responseTime}s, 触发自动回滚"}}echo "✅ 监控验证通过，部署成功"}}}}post {failure {script {echo "🔄 执行自动回滚"// 回滚到上一个版本sh '''kubectl rollout undo deployment/microservice-app -n productionkubectl rollout status deployment/microservice-app -n production'''// 发送告警sh '''curl -X POST ${ALERT_MANAGER_URL}/api/v1/alerts \-H "Content-Type: application/json" \-d '[{"labels": {"alertname": "DeploymentFailed","service": "microservice-app","severity": "critical"},"annotations": {"summary": "部署失败，已自动回滚","description": "构建 #${BUILD_NUMBER} 部署失败，系统已自动回滚到上一个稳定版本"}}]''''}}success {// 创建Grafana快照sh '''curl -X POST "${GRAFANA_URL}/api/snapshots" \-H "Content-Type: application/json" \-d '{"name": "Deployment Success - Build #${BUILD_NUMBER}","expires": 86400}''''}}
}

🎯 未来展望：下一代DevOps生态

🧠 AI驱动的智能运维

随着人工智能技术的发展，Jenkins与容器技术的结合正在向更加智能化的方向演进：

🤖 智能故障预测：基于历史数据和实时监控，预测潜在的部署风险
🔮 自适应资源调度：根据负载模式自动调整容器资源分配
🧬 代码质量AI分析：深度学习模型分析代码质量和安全漏洞
⚡ 零配置部署：AI自动生成最优的部署策略和配置

🌐 边缘计算与IoT集成

# edge-deployment-pipeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:name: edge-deployment-config
data:edge-locations: |- name: "asia-east"endpoint: "https://k8s-asia.edge.company.com"capacity: "high"- name: "europe-west"endpoint: "https://k8s-eu.edge.company.com"capacity: "medium"- name: "americas-central"endpoint: "https://k8s-us.edge.company.com"capacity: "high"

🔐 零信任安全架构

// 零信任安全Pipeline
stage('🔒 Zero Trust Security Scan') {parallel {stage('容器镜像安全扫描') {steps {sh '''# Trivy安全扫描trivy image --format json --output trivy-report.json ${IMAGE_NAME}# Clair扫描clair-scanner --ip $(hostname -i) ${IMAGE_NAME}# 自定义安全策略检查opa eval -d security-policies/ \-i trivy-report.json \"data.security.allow"'''}}stage('运行时安全策略') {steps {sh '''# Falco规则验证kubectl apply -f falco-rules/# OPA Gatekeeper策略kubectl apply -f opa-policies/# 网络策略验证kubectl apply -f network-policies/'''}}}
}