diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 54c859d..8fd5021 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -51,26 +51,26 @@ jobs:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Login to HUAWEICLOUD
- uses: docker/login-action@v3
- with:
- registry: swr.cn-southwest-2.myhuaweicloud.com
- username: ${{ secrets.HUAWEICLOUD_USERNAME }}
- password: ${{ secrets.HUAWEICLOUD_PASSWORD }}
+ # - name: Login to HUAWEICLOUD
+ # uses: docker/login-action@v3
+ # with:
+ # registry: swr.cn-southwest-2.myhuaweicloud.com
+ # username: ${{ secrets.HUAWEICLOUD_USERNAME }}
+ # password: ${{ secrets.HUAWEICLOUD_PASSWORD }}
 - name: Build and push Docker images
 uses: docker/build-push-action@v3
 with:
 tags: |
- kubesphere/kubectl:${{ steps.prepare.outputs.version }}
+ docker.io/kubesphere/kubectl:${{ steps.prepare.outputs.version }}
 registry.cn-beijing.aliyuncs.com/kubesphereio/kubectl:${{ steps.prepare.outputs.version }}
 push: true
 platforms: linux/amd64,linux/arm64
- - name: Sync images to HUAWEICLOUD
- if: steps.chose_registry.outputs.env == 'prod'
- run: |
- docker pull kubesphere/kubectl:${{ steps.prepare.outputs.version }}
- docker tag kubesphere/kubectl:${{ steps.prepare.outputs.version }} swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:${{ steps.prepare.outputs.version }}
- docker push swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:${{ steps.prepare.outputs.version }}
+ # - name: Sync images to HUAWEICLOUD
+ # if: steps.chose_registry.outputs.env == 'prod'
+ # run: |
+ # docker pull kubesphere/kubectl:${{ steps.prepare.outputs.version }}
+ # docker tag kubesphere/kubectl:${{ steps.prepare.outputs.version }} swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:${{ steps.prepare.outputs.version }}
+ # docker push swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:${{ steps.prepare.outputs.version }}
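Review bot: The Huawei Cloud login and sync steps are commented out rather than deleted, which leaves dead configuration that still names `secrets.HUAWEICLOUD_USERNAME` and `secrets.HUAWEICLOUD_PASSWORD` in the workflow. If the mirror is retired, delete both blocks (git history keeps them) and remove or rotate the two repository secrets, assuming they are still defined, because an unused long-lived registry credential stays available to every job in the repository. If the disablement is only temporary, a single line such as `# HUAWEICLOUD sync disabled: <reason / tracking issue>` above the first block would tell the next maintainer why it is off.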
diff --git a/Dockerfile b/Dockerfile
index e376da6..3417f1c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,46 +1,68 @@
-FROM alpine:3.21.3
-
-ARG KUBECTL_VERSION=v1.33.1
-ARG HELM_VERSION=v3.18.1
-ARG KUSTOMIZE_VERSION=v5.6.0
-ARG TARGETOS
-ARG TARGETARCH
-
-RUN apk update && apk add \
- bash \
- bash-completion \
- busybox-extras \
- net-tools \
- vim \
- curl \
- jq \
- yq \
- grep \
- wget \
- tcpdump \
- git \
- ca-certificates && \
- update-ca-certificates && \
- rm -rf /var/cache/apk/* && \
- curl -SsLO https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz && \
- tar xf helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz -C /usr/local/bin && \
- mv /usr/local/bin/${TARGETOS}-${TARGETARCH}/helm /usr/local/bin && \
- rm helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz && \
- rm -rf /usr/local/bin/${TARGETOS}-${TARGETARCH} && \
- helm plugin install https://github.com/helm/helm-mapkubeapis
-
-RUN curl -LO https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \
- chmod +x ./kubectl && \
- mv ./kubectl /usr/local/bin/kubectl && \
- echo -e 'source /usr/share/bash-completion/bash_completion\nsource <(kubectl completion bash)' >>~/.bashrc
-
-RUN curl -SsLO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz && \
- tar xvzf kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz && \
- mv kustomize /usr/local/bin/ && \
- rm kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
+# ---------- Build stage ----------
+FROM alpine:3.22.1 AS builder
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+ARG KUBECTL_VERSION=v1.33.4
+ARG HELM_VERSION=v3.18.5
+ARG KUSTOMIZE_VERSION=v5.7.1
+
+RUN apk add --no-cache curl tar gzip coreutils grep
+
+WORKDIR /tmp
+
+# ----- Download and verify Helm -----
+RUN curl -fsSLO https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz && \
+ curl -fsSLO https://get.helm.sh/helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz.sha256 && \
+ echo "$(cat helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz.sha256) helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz" | sha256sum -c - && \
+ tar xf helm-${HELM_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz && \
+ mv ${TARGETOS}-${TARGETARCH}/helm /tmp/helm
+
+# ----- Download and verify kubectl -----
+RUN curl -fsSLo /tmp/kubectl https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \
+ curl -fsSLo /tmp/kubectl.sha256 https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl.sha256 && \
+ echo "$(cat /tmp/kubectl.sha256) /tmp/kubectl" | sha256sum -c - && \
+ chmod +x /tmp/kubectl
+
+# ----- Download and verify kustomize -----
+# GitHub release tag: kustomize/vX.Y.Z
+# File name: kustomize_X.Y.Z_linux_amd64.tar.gz
+RUN curl -fsSLO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz && \
+ curl -fsSLO https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${KUSTOMIZE_VERSION}/checksums.txt && \
+ grep "kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz" checksums.txt | sha256sum -c - && \
+ tar xzf kustomize_${KUSTOMIZE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz
-ENTRYPOINT ["entrypoint.sh"]
+# ---------- Runtime stage ----------
+FROM alpine:3.22.1
+RUN apk add --no-cache \
+ bash \
+ bash-completion \
+ busybox-extras \
+ net-tools \
+ vim \
+ curl \
+ jq \
+ yq \
+ grep \
+ wget \
+ tcpdump \
+ git \
+ ca-certificates && \
+ update-ca-certificates
+
+# Copy verified binaries
+COPY --from=builder /tmp/helm /usr/local/bin/helm
+COPY --from=builder /tmp/kubectl /usr/local/bin/kubectl
+COPY --from=builder /tmp/kustomize /usr/local/bin/kustomize
+
+# Enable kubectl bash completion globally
+RUN echo -e 'source /usr/share/bash-completion/bash_completion\nsource <(kubectl completion bash)' >> /etc/bash.bashrc
+
+# Install Helm plugin
+RUN helm plugin install https://github.com/helm/helm-mapkubeapis
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["entrypoint.sh"]
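Review bot: The runtime stage's `RUN helm plugin install https://github.com/helm/helm-mapkubeapis` is still unpinned and unverified, so the plugin (and presumably anything its install hook downloads) is whatever the repository serves at build time, which bypasses the checksum verification this change adds for helm, kubectl and kustomize. Pin it to a reviewed release, e.g. `RUN helm plugin install https://github.com/helm/helm-mapkubeapis --version <PINNED_PLUGIN_VERSION>` (placeholder value). Separately, each `.sha256` / `checksums.txt` file is fetched from the same host as the artifact it checks, so the `sha256sum -c` steps detect corruption but not a tampered origin; recording the expected digests as `ARG`s next to the version pins would close that gap. It is also worth confirming that bash on Alpine actually reads `/etc/bash.bashrc`, since the completion line moved there from `~/.bashrc`.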