Scanning k8s Manifests and Helm Charts

Published 2023-07-19 16:58:23 Author: 北方姆Q

Just as with Dockerfiles, the various k8s runtime resource templates also need security scanning.

Installing Checkov

Install it the same way as in the Dockerfile static scanning walkthrough.

Scanning a Manifest file

# A very simple manifest that defines a svc and a deploy resource
[root@jenkins-bj-ali-ql1 tmp]# cat nginx.yaml
apiVersion: v1
kind: Service
metadata:
   name: nginx
   labels:
     app: nginx
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
   - port: 80
     protocol: TCP
     targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
     matchLabels:
       app: nginx
  template:
    metadata:
      labels:
         app: nginx
    spec:
     containers:
     - name: nginx
       image: nginx:latest
       imagePullPolicy: IfNotPresent
       ports:
       - containerPort: 80
[root@jenkins-bj-ali-ql1 tmp]# checkov -f nginx.yaml --quiet --compact --skip-results-upload --framework kubernetes
kubernetes scan results:

Passed checks: 67, Failed checks: 22, Skipped checks: 0

Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Service.default.nginx
	File: /nginx.yaml:1-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_13: "Memory limits should be set"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_11: "CPU limits should be set"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Check: CKV_K8S_30: "Apply security context to your containers"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_10: "CPU requests should be set"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_43: "Image should use digest"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
	FAILED for resource: Deployment.default.nginx
	File: /nginx.yaml:16-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
	FAILED for resource: Pod.default.nginx.app-nginx
	File: /nginx.yaml:16-37

There are far too many issues to list one by one. It shows just how fragile the resource files we casually use day to day are, but that is exactly the point of tightening security.
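The 22 findings above all map onto a handful of manifest fields. As an added example that is not part of the original post, the script below emits a hardened rewrite of nginx.yaml from a shell function (so it can be written to a file or piped straight into checkov) and, when given the `scan` argument, runs the same checkov command on it. The following are my assumptions, not the author's: the namespace `web` already exists, the image is switched to `nginxinc/nginx-unprivileged` (which listens on 8080 and runs as an arbitrary non-root UID, something `nginx:latest` cannot do), and the `@sha256:` digest is a placeholder that must be replaced with a digest you verified. Rerun checkov after applying it; the exact set of passing checks depends on the checkov version, and replace the placeholder digest before relying on the CKV_K8S_43 result.

```shell
#!/bin/sh
# Constructed example (not from the original post): a hardened rewrite of
# nginx.yaml that answers each finding checkov reported above. Assumed, not
# from the post: namespace "web" already exists, the image is switched to
# nginxinc/nginx-unprivileged (port 8080, arbitrary non-root UID), and the
# sha256 digest is a placeholder you must replace with a digest you verified.
set -eu

# Prints the hardened manifest; each comment names the check it addresses.
hardened_nginx_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: web                      # CKV_K8S_21: not the default namespace
  labels: {app: nginx}
spec:
  type: ClusterIP
  selector: {app: nginx}
  ports:
  - {port: 80, targetPort: 8080, protocol: TCP}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: web                      # CKV_K8S_21
  labels: {app: nginx}
spec:
  replicas: 1
  selector:
    matchLabels: {app: nginx}
  template:
    metadata:
      labels: {app: nginx}
    spec:
      automountServiceAccountToken: false       # CKV_K8S_38
      securityContext:                          # CKV_K8S_29
        runAsNonRoot: true
        seccompProfile: {type: RuntimeDefault}  # CKV_K8S_31
      containers:
      - name: nginx
        # CKV_K8S_14/43: fixed tag plus digest (placeholder digest, replace it)
        image: nginxinc/nginx-unprivileged:1.25@sha256:REPLACE_WITH_VERIFIED_DIGEST
        imagePullPolicy: Always                 # CKV_K8S_15
        ports:
        - containerPort: 8080
        resources:                              # CKV_K8S_10/11/12/13
          requests: {cpu: 100m, memory: 64Mi}
          limits: {cpu: 500m, memory: 128Mi}
        securityContext:                        # CKV_K8S_30
          runAsNonRoot: true                    # CKV_K8S_23
          runAsUser: 10001                      # CKV_K8S_40: high UID
          allowPrivilegeEscalation: false       # CKV_K8S_20
          readOnlyRootFilesystem: true          # CKV_K8S_22
          capabilities: {drop: ["ALL"]}         # CKV_K8S_28/37
        livenessProbe:                          # CKV_K8S_8
          httpGet: {path: /, port: 8080}
        readinessProbe:                         # CKV_K8S_9
          httpGet: {path: /, port: 8080}
        # nginx still needs somewhere writable once the root fs is read-only
        volumeMounts:
        - {name: cache, mountPath: /var/cache/nginx}
        - {name: tmp, mountPath: /tmp}
      volumes:
      - {name: cache, emptyDir: {}}
      - {name: tmp, emptyDir: {}}
---
apiVersion: networking.k8s.io/v1                # CKV2_K8S_6: pod has a NetworkPolicy
kind: NetworkPolicy
metadata:
  name: nginx
  namespace: web
spec:
  podSelector:
    matchLabels: {app: nginx}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {}                           # only pods in namespace "web"
    ports:
    - {port: 8080, protocol: TCP}
EOF
}

# Writes the manifest to a temp file and runs the same checkov command as
# the post (checkov must be installed).
scan_hardened() {
  tmp=$(mktemp)
  hardened_nginx_manifest > "$tmp"
  checkov -f "$tmp" --quiet --compact --skip-results-upload --framework kubernetes
}

case "${1:-}" in
  scan) scan_hardened ;;
  *)    hardened_nginx_manifest ;;   # no argument: just print the manifest
esac
```

Saved as, say, hardened-nginx.sh (a hypothetical file name), `sh hardened-nginx.sh > nginx.yaml` produces the manifest and `sh hardened-nginx.sh scan` runs checkov against it. The two emptyDir mounts are what make `readOnlyRootFilesystem: true` workable for nginx in practice: the scanner only sees the flag, so it is worth checking that the container still starts after the change.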

Scanning a Helm chart

Helm's documentation is quite good, and it covers many patterns that meet all kinds of needs; I strongly recommend reading it through once:
https://helm.sh/zh/docs/chart_template_guide/getting_started/

# Initialize a new chart directly with the helm command
[root@jenkins-bj-ali-ql1 tmp]# helm create ikun
Creating ikun
[root@jenkins-bj-ali-ql1 tmp]# ll ikun/
total 16
drwxr-xr-x 2 root root 4096 Jul 19 16:42 charts
-rw-r--r-- 1 root root 1140 Jul 19 16:42 Chart.yaml
drwxr-xr-x 3 root root 4096 Jul 19 16:42 templates
-rw-r--r-- 1 root root 1871 Jul 19 16:42 values.yaml
[root@jenkins-bj-ali-ql1 tmp]# checkov -d ikun --quiet --compact --skip-results-upload --framework helm
helm scan results:

Passed checks: 141, Failed checks: 34, Skipped checks: 0

Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Service.default.release-name-ikun
	File: /ikun/templates/service.yaml:3-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: ServiceAccount.default.release-name-ikun
	File: /ikun/templates/serviceaccount.yaml:3-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_13: "Memory limits should be set"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_11: "CPU limits should be set"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_43: "Image should use digest"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
	FAILED for resource: Deployment.default.release-name-ikun
	File: /ikun/templates/deployment.yaml:3-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_13: "Memory limits should be set"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_11: "CPU limits should be set"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Check: CKV_K8S_30: "Apply security context to your containers"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_10: "CPU requests should be set"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_43: "Image should use digest"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
	FAILED for resource: Pod.default.release-name-ikun-test-connection
	File: /ikun/templates/tests/test-connection.yaml:3-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html

The problems just flood the screen; evidently the default chart isn't good enough, and it is still a long way from something we could actually use in production.

Integrating with the Jenkins pipeline

As with Dockerfiles, we don't need to scan these fixed base resources on every pipeline run; scanning after each change to make sure nothing is wrong is enough.

Other Kubernetes scanning tools
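One way to wire that "scan only what changed" rule into a Jenkins `sh` step, as an added example that is not part of the original post: the script below lists the files changed since the last successful build, reduces them to scan targets (the enclosing chart directory for anything under a `Chart.yaml`, the file itself for a plain manifest) and runs checkov only on those, so unchanged base resources are not rescanned on every build. `GIT_PREVIOUS_SUCCESSFUL_COMMIT` and `GIT_COMMIT` are set by the Jenkins git plugin; the fallbacks, the layout rules and the file name are my assumptions.

```shell
#!/bin/sh
# Constructed example (not from the original post): run checkov from a Jenkins
# "sh" step only against the manifests and charts that changed since the last
# successful build. GIT_PREVIOUS_SUCCESSFUL_COMMIT and GIT_COMMIT are set by
# the Jenkins git plugin; the fallbacks and the layout rules are assumptions.
set -eu

# Climb from a file towards the repo root; print the first directory that
# contains Chart.yaml, or fail if the file is not inside a Helm chart.
chart_root() {
  dir=$(dirname "$1")
  while [ "$dir" != "." ] && [ "$dir" != "/" ]; do
    if [ -f "$dir/Chart.yaml" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    dir=$(dirname "$dir")
  done
  return 1
}

# Reads changed paths (one per line) on stdin and prints de-duplicated scan
# targets as "<framework> <path>": the chart directory for anything under a
# chart, the file itself for a plain manifest. Deleted files, non-YAML files
# and templates outside any chart are dropped.
scan_targets() {
  while IFS= read -r path; do
    case "$path" in *.yaml|*.yml|*.tpl) ;; *) continue ;; esac
    if root=$(chart_root "$path"); then
      printf 'helm %s\n' "$root"
    else
      case "$path" in *.tpl) continue ;; esac
      if [ -f "$path" ]; then printf 'kubernetes %s\n' "$path"; fi
    fi
  done | sort -u
}

# Scans every target; returns non-zero (failing the Jenkins stage) if any scan
# reports findings, but keeps going so every target is reported.
run_scan() {
  base=${GIT_PREVIOUS_SUCCESSFUL_COMMIT:-HEAD~1}
  tip=${GIT_COMMIT:-HEAD}
  list=$(mktemp)
  git diff --name-only "$base" "$tip" | scan_targets > "$list"
  if [ ! -s "$list" ]; then
    echo "no manifest or chart changed since $base; skipping checkov"
    rm -f "$list"
    return 0
  fi
  rc=0
  while read -r framework target; do
    case "$framework" in
      helm)       checkov -d "$target" --framework helm --quiet --compact --skip-results-upload || rc=1 ;;
      kubernetes) checkov -f "$target" --framework kubernetes --quiet --compact --skip-results-upload || rc=1 ;;
    esac
  done < "$list"
  rm -f "$list"
  return "$rc"
}

if [ "${1:-}" = run ]; then run_scan; fi
```

Called as `sh ci/scan-k8s.sh run` (hypothetical path) from a pipeline stage, the script's exit code is the gate: a non-zero status fails the stage when any changed manifest or chart has findings, and a build that touched no YAML skips checkov entirely. Targets are written to a temp file rather than piped into the loop so that the `rc` flag survives across all scans.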
Checkov
Terrascan
KubeLinter
Kyverno
Kubewarden
Gatekeeper