Jenkins pipeline on Kubernetes

Jenkins is fundamentally architected as a distributed system, with a master that coordinates the builds and agents that do the work. The Kubernetes plugin enables deploying a distributed Jenkins build system to a Kubernetes cluster. Everything required to deploy Jenkins to a Kubernetes cluster is nicely packaged in the Jenkins Helm chart. This article explains how to integrate the Prisma Cloud scanner into a pipeline build running in a Kubernetes cluster.

Key concepts

A pipeline is a script that tells Jenkins what to do when your pipeline is run. The Kubernetes Plugin for Jenkins lets you control the creation of the Jenkins slave pod from the pipeline, and add one or more build containers to the slave pod to accommodate build requirements and dependencies.
When the Jenkins master schedules the new build, it creates a new slave pod. Each stage of the build is run in a container in the slave pod. By default, each stage runs in the Jenkins slave (jnlp) container, unless otherwise specified. The following diagram shows a slave pod being launched on a worker node using the Java Network Launch Protocol (JNLP):
A slave pod is composed of at least one container, which must be the Jenkins jnlp container. Your pipeline defines a podTemplate, which specifies all the containers that make up the Jenkins slave pod. You’ll want your podTemplate to include any images that provide the tools required to execute the build. For example, if one part of your app consists of a C library, then your podTemplate should include a container that provides the GCC toolchain, and the build stage for the library should execute within the context of the GCC container.
The Prisma Cloud Jenkins plugin lets you scan images generated in your pipeline.
The Prisma Cloud scanner can run inside the default Jenkins jnlp slave container only. It cannot be run within the context of a different container (i.e. from within the container statement block).

Scripted Pipeline

This section provides a pipeline script that you can use as a starting point for your own script.
You cannot run the Prisma Cloud scanner inside a container() step block. The following example snippet will NOT work (note that when the snippet is collapsed onto one line, the // comment also swallows the scan step, so the block is shown here across several lines):

    stage('Prisma Cloud Scan') {
        container('jenkins-slave-twistlock') {
            // THIS DOES NOT WORK: the step is executed inside a non-jnlp container
            prismaCloudScanImage ca: '', cert: '', ...
        }
    }

Instead, run the Prisma Cloud scanner in the normal context, i.e. directly in the stage so that it executes in the jnlp container:

    stage('Prisma Cloud Scan') {
        // THIS WILL WORK: no container() block, so the step runs in the jnlp container
        prismaCloudScanImage ca: '', cert: '', ...
    }
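The following scripted pipeline puts the two points above together: the podTemplate from the Key concepts section (a build-tool container alongside the default jnlp container) and the rule that the scan step must stay outside any container() block. It is an added example written for this article, not the page's own template and not code shipped by the Kubernetes plugin or the Prisma Cloud plugin. The pod label, the gcc and docker image tags, the Docker socket mount, and every prismaCloudScanImage parameter other than ca and cert (key, dockerAddress, image, logLevel, resultsFile) as well as the prismaCloudPublish step are assumptions about the plugin's step signatures; check them against the Snippet Generator of your Jenkins instance.

```groovy
// Added example (not from the original page). Assumed: pod label
// 'prisma-scan-pod', images gcc:12 and docker:cli, and the scan step
// parameters beyond ca/cert.
podTemplate(
    label: 'prisma-scan-pod',
    containers: [
        // Build-tool container for the C library stage. The Kubernetes plugin
        // adds the jnlp container to the pod automatically, so it is not listed.
        containerTemplate(name: 'gcc', image: 'gcc:12', ttyEnabled: true, command: 'cat'),
        // Docker CLI container used only to pull the image that will be scanned.
        containerTemplate(name: 'docker', image: 'docker:cli', ttyEnabled: true, command: 'cat')
    ],
    volumes: [
        // The scanner and the docker CLI talk to the worker node's daemon
        // through this socket, which is shared with every container in the pod.
        hostPathVolume(hostPath: '/var/run/docker.sock', mountPath: '/var/run/docker.sock')
    ]
) {
    node('prisma-scan-pod') {
        // Image the article's template scans; constructed for this example.
        def imageToScan = 'nginx:stable-alpine'

        stage('Build C library') {
            // Runs in the gcc container, as described for the C library case.
            container('gcc') {
                writeFile file: 'lib.c', text: 'int add(int a, int b) { return a + b; }\n'
                sh 'gcc -c lib.c -o lib.o && ar rcs libadd.a lib.o'
            }
        }

        stage('Pull image') {
            // Runs in the docker container so that the docker CLI is available.
            container('docker') {
                sh "docker pull ${imageToScan}"
            }
        }

        stage('Prisma Cloud Scan') {
            // Deliberately no container() block: the step must run in the
            // default jnlp container of the slave pod.
            prismaCloudScanImage ca: '',
                cert: '',
                key: '',
                dockerAddress: 'unix:///var/run/docker.sock',   // assumed parameter
                image: imageToScan,                               // assumed parameter
                logLevel: 'info',                                 // assumed parameter
                resultsFile: 'prisma-cloud-scan-results.json'     // assumed parameter
        }

        stage('Publish results') {
            // Also in the jnlp context; assumed step name and parameter.
            prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
        }
    }
}
```

Two design points are worth keeping in mind when adapting this. First, only the stages that need a tool image wrap their steps in container(); everything else, including the scan and publish steps, is left at stage level so it lands in jnlp. Second, mounting the node's Docker socket into the pod hands every container in that pod control of the node's Docker daemon, so restrict which pipelines may use this podTemplate and which nodes such pods are scheduled on.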

Pipeline template

The following template can be used as a starting point for your own scripted pipeline. This template is a fully functional pipeline that pulls the nginx:stable-alpine image from Docker Hub, and then scans it with the Prisma Cloud scanner.
While this example shows how to scan cont