Kubernetes / DevOps, ~20 mins

External secret management integration in Kubernetes - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1: Command Output (intermediate)
What is the output of this command?
You have installed the External Secrets Operator (ESO) in your Kubernetes cluster. You run the following command to check the ExternalSecret resource named db-credentials in the default namespace:

kubectl describe externalsecret db-credentials

What output will you see regarding the secret synchronization status?
A. Error: Secret not found in external provider
B. Status: Synced / Last Sync Time: 2024-06-01T12:00:00Z
C. Status: Pending / Last Sync Time: N/A
D. kubectl: error: the server doesn't have a resource type "externalsecret"
Hint: Check the Status section of the describe output; ESO reports the ExternalSecret's Ready condition (reason SecretSynced or SecretSyncedErr) and the last refresh time there.
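Added worked example (not part of the quiz page or the ESO project): the same status check done against the JSON form of the object, i.e. the data behind kubectl get externalsecret db-credentials -o json, which is what you would script in a CI gate or a readiness probe rather than eyeballing kubectl describe. SYNCED and FAILED are constructed samples shaped like ESO's status block; sync_state, describe and unsynced are this example's own names.

```python
# Added example: derive an ExternalSecret's sync state from its status block.
# SYNCED / FAILED are constructed samples, not captured cluster output.
import json
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a successfully synced ExternalSecret
SYNCED = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "db-credentials", "namespace": "default"},
    "status": {
        "conditions": [{
            "type": "Ready",
            "status": "True",
            "reason": "SecretSynced",
            "message": "Secret was synced",
            "lastTransitionTime": "2024-06-01T12:00:00Z",
        }],
        "refreshTime": "2024-06-01T12:00:00Z",
        "syncedResourceVersion": "1-5f3a",
    },
}

# Constructed sample: the provider rejected the read, so Ready is False
FAILED = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "db-credentials", "namespace": "default"},
    "status": {
        "conditions": [{
            "type": "Ready",
            "status": "False",
            "reason": "SecretSyncedErr",
            "message": "could not get secret data from provider",
            "lastTransitionTime": "2024-06-01T12:05:00Z",
        }]
    },
}


@dataclass
class SyncState:
    synced: bool
    reason: str               # ESO condition reason, or "Pending" if none yet
    message: str
    last_sync: Optional[str]  # status.refreshTime, None if never synced


def sync_state(es: dict) -> SyncState:
    """Read the Ready condition, the field ESO actually updates on each
    reconcile; no condition at all means the controller has not seen the
    object yet (freshly created, or the CRD/operator is missing)."""
    status = es.get("status") or {}
    ready = next((c for c in status.get("conditions", [])
                  if c.get("type") == "Ready"), None)
    if ready is None:
        return SyncState(False, "Pending", "not reconciled yet", None)
    return SyncState(
        synced=ready.get("status") == "True",
        reason=ready.get("reason", ""),
        message=ready.get("message", ""),
        last_sync=status.get("refreshTime"),
    )


def describe(es: dict) -> str:
    """Render the summary lines the quiz options paraphrase."""
    s = sync_state(es)
    if s.synced:
        label = "Synced"
    elif s.reason == "Pending":
        label = "Pending"
    else:
        label = "Failed"
    return (f"Status: {label}\n"
            f"Reason: {s.reason}\n"
            f"Last Sync Time: {s.last_sync or 'N/A'}\n"
            f"Message: {s.message}")


def unsynced(objects: list) -> list:
    """namespace/name of every ExternalSecret that is not currently synced;
    feed it the items of `kubectl get externalsecret -A -o json`."""
    return [f'{o["metadata"].get("namespace", "default")}/{o["metadata"]["name"]}'
            for o in objects if not sync_state(o).synced]


if __name__ == "__main__":
    # Usage: kubectl get externalsecret db-credentials -o json > es.json
    #        python3 es_status.py es.json
    obj = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SYNCED
    print(describe(obj))
```

The practical point: a Ready condition with status False still carries the provider's error in its message, so a failed sync never looks like option D (that error only appears when the CRDs are not installed) and a never-reconciled object has no condition at all, which is the real meaning of "Pending".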
Problem 2: Configuration (intermediate)
Which ExternalSecret YAML correctly references a secret from AWS Secrets Manager?
You want to create an ExternalSecret resource that fetches the password field of a secret named prod/db-password (stored as a JSON object) from AWS Secrets Manager and writes it to a Kubernetes secret named db-password. Which YAML snippet is correct?
A.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-password
spec:
  secretStoreRef:
    name: aws-secret-store
    kind: SecretStore
  target:
    name: db-password
  data:
  - secretKey: password
    remoteRef:
      key: prod/db-password
      property: password
B.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-password
spec:
  secretStoreRef:
    name: aws-secret-store
    kind: ClusterSecretStore
  target:
    name: db-password
  dataFrom:
  - key: prod/db-password
C.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-password
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secret-store
    kind: SecretStore
  target:
    name: db-password
  data:
  - secretKey: password
    remoteRef:
      key: prod/db-password
D.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-password
spec:
  secretStoreRef:
    name: aws-secret-store
    kind: SecretStore
  target:
    name: db-password
  data:
  - secretKey: password
    remoteRef:
      key: prod/db-password
      version: latest
Hint: Look for the correct use of property to select one field out of the JSON value stored in AWS Secrets Manager, and check that each snippet's dataFrom shape matches the API version it declares.
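Added worked example (not from the quiz page or the ESO project): a simplified Python model of how ESO maps each spec shape above onto Kubernetes Secret data, so the difference between a data entry with property, one without it, and a dataFrom entry is visible in the resulting keys. REMOTE_STORE is a constructed in-memory stand-in for AWS Secrets Manager; SyncError, resolve_secret_data, to_secret_manifest and quiz_spec are this example's own names. Real ESO also accepts gjson paths in property and find/rewrite in dataFrom, and the version field of option D is passed to the provider; none of that is modelled here.

```python
# Added example: simplified model of ESO's data / dataFrom resolution.
# REMOTE_STORE is a constructed stand-in for AWS Secrets Manager.
import base64
import json

# secret name -> SecretString. prod/db-password is a JSON object, the usual
# shape for DB credentials; prod/api-token is a plain string.
REMOTE_STORE = {
    "prod/db-password": json.dumps({"username": "app", "password": "s3cr3t"}),
    "prod/api-token": "tok-plain-string",
}


class SyncError(Exception):
    """Stands in for a Ready=False condition with reason SecretSyncedErr."""


def _fetch(key: str) -> str:
    if key not in REMOTE_STORE:
        raise SyncError(f"ResourceNotFoundException: {key}")
    return REMOTE_STORE[key]


def _as_object(raw: str, what: str) -> dict:
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        raise SyncError(f"{what}: remote value is not a JSON object") from None
    if not isinstance(obj, dict):
        raise SyncError(f"{what}: remote value is not a JSON object")
    return obj


def resolve_secret_data(spec: dict) -> dict:
    """Plain-text key/value pairs that would land in the target Secret.
    `data` maps one remote value (or one property of it) to one key;
    v1beta1 `dataFrom` entries must use `extract` and fan every property of
    a JSON value out to its own key."""
    out = {}
    for entry in spec.get("data", []):
        ref = entry["remoteRef"]
        raw = _fetch(ref["key"])
        if "property" in ref:
            obj = _as_object(raw, f"property {ref['property']!r}")
            if ref["property"] not in obj:
                raise SyncError(f"property {ref['property']!r} not found in {ref['key']}")
            out[entry["secretKey"]] = str(obj[ref["property"]])
        else:
            out[entry["secretKey"]] = raw  # whole value, JSON blob included
    for entry in spec.get("dataFrom", []):
        if "extract" not in entry:
            raise SyncError("v1beta1 dataFrom entries need an 'extract' block "
                            "(the bare 'key' form belongs to v1alpha1)")
        obj = _as_object(_fetch(entry["extract"]["key"]), "dataFrom.extract")
        out.update({k: str(v) for k, v in obj.items()})
    return out


def to_secret_manifest(name: str, data: dict) -> dict:
    """The Opaque Secret ESO would write (values base64-encoded)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def quiz_spec(**fields) -> dict:
    """spec block shared by the four options, plus the fields that differ."""
    base = {"secretStoreRef": {"name": "aws-secret-store", "kind": "SecretStore"},
            "target": {"name": "db-password"}}
    base.update(fields)
    return base


# The spec blocks of options A, B and C as dicts (D differs from A only by `version`)
SPEC_A = quiz_spec(data=[{"secretKey": "password",
                          "remoteRef": {"key": "prod/db-password", "property": "password"}}])
SPEC_B = quiz_spec(dataFrom=[{"key": "prod/db-password"}])              # v1alpha1 shape
SPEC_C = quiz_spec(refreshInterval="1h",
                   data=[{"secretKey": "password",
                          "remoteRef": {"key": "prod/db-password"}}])
SPEC_B_FIXED = quiz_spec(dataFrom=[{"extract": {"key": "prod/db-password"}}])

if __name__ == "__main__":
    for label, spec in [("A", SPEC_A), ("B", SPEC_B), ("C", SPEC_C), ("B fixed", SPEC_B_FIXED)]:
        try:
            print(label, json.dumps(to_secret_manifest("db-password", resolve_secret_data(spec))))
        except SyncError as e:
            print(label, "SyncError:", e)
```

Running it shows why option C is not equivalent to A even though both are valid manifests: without property the whole JSON document becomes the value of the password key, so a pod reading DB_PASSWORD from that Secret gets a JSON string instead of the password, and option B is rejected outright because v1beta1 expects dataFrom entries to carry an extract block.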
Problem 3: Troubleshoot (advanced)
Why does the ExternalSecret fail to sync with this error?
You see this error in the External Secrets Operator logs:

failed to get secret from provider: AccessDeniedException: User is not authorized to perform: secretsmanager:GetSecretValue

What is the most likely cause?
A. The ExternalSecret resource YAML is missing the refreshInterval field
B. The Kubernetes service account does not have permission to read secrets in the cluster
C. The AWS IAM role or user used by the External Secrets Operator lacks permission to access the secret in AWS Secrets Manager
D. The secret name in the ExternalSecret does not match the Kubernetes secret name
Hint: Check the permissions granted to the AWS identity the operator uses against Secrets Manager; the error comes from AWS, so Kubernetes RBAC is not involved.
Problem 4: Workflow (advanced)
What is the correct order of steps to integrate External Secrets Operator with HashiCorp Vault?
Arrange the steps in the correct order to set up External Secrets Operator to fetch secrets from HashiCorp Vault.
A. 2, 4, 1, 3
B. 4, 2, 1, 3
C. 2, 1, 4, 3
D. 4, 1, 2, 3
Hint: Think about deploying the operator first, then granting Vault permissions, then configuring the Kubernetes resources.
Problem 5: Best Practice (expert)
Which practice is best for securely managing external secret access in Kubernetes?
You want to ensure the External Secrets Operator accesses external secrets securely and with least privilege. Which practice is best?
A. Use a single AWS IAM user with full Secrets Manager access for all namespaces and workloads.
B. Disable authentication in External Secrets Operator to simplify access.
C. Store AWS credentials as plain text in Kubernetes secrets and mount them to pods.
D. Create separate IAM roles with minimal permissions per namespace and use Kubernetes service account annotations for role assumption.
Hint: Consider the principle of least privilege and Kubernetes-native authentication methods.
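Added worked example (not from the quiz page, the ESO project or AWS documentation) serving both the troubleshooting problem and this best-practice problem: the two IAM documents a per-namespace, IRSA-based ESO setup needs, the ServiceAccount annotation that ties them together, and a small policy evaluator that reproduces the AccessDeniedException above when secretsmanager:GetSecretValue is missing from the permission policy. ACCOUNT_ID, REGION, OIDC_PROVIDER and the role, namespace, service account and secret names are placeholders chosen for this example; is_allowed is a deliberately simplified evaluator (no conditions, no case folding), not the IAM engine.

```python
# Added example: least-privilege IAM for ESO with IRSA, plus a simplified
# policy evaluator. All identifiers below are placeholders for this example.
import fnmatch
import json

ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACTIONS_READ = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def secret_arn_pattern(name: str) -> str:
    # Secrets Manager appends a random 6-character suffix to each secret ARN,
    # so a least-privilege Resource entry needs the trailing wildcard.
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{name}-*"


def permission_policy(secret_names, actions=ACTIONS_READ) -> dict:
    """Allow only read actions, only on the named secrets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadNamedSecrets",
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": [secret_arn_pattern(n) for n in secret_names],
    }]}


def trust_policy(namespace: str, service_account: str) -> dict:
    """Let exactly one Kubernetes service account assume the role through the
    cluster's OIDC provider (IRSA); the :sub condition is what scopes it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
        }},
    }]}


def service_account_manifest(namespace: str, name: str, role_name: str) -> dict:
    """The annotation the EKS pod identity webhook reads to inject role credentials."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn":
                                         f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"}}}


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow; Condition blocks and case-insensitive action matching are not modelled."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# A policy that forgot GetSecretValue: ESO can describe the secret but every
# sync fails with the AccessDeniedException from the troubleshooting problem.
DESCRIBE_ONLY = permission_policy(["prod/db-password"], ["secretsmanager:DescribeSecret"])
# The per-namespace role the best-practice answer describes.
PAYMENTS_POLICY = permission_policy(["prod/db-password"])
PAYMENTS_TRUST = trust_policy("payments", "external-secrets")
DB_SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:prod/db-password-Ab12Cd"

if __name__ == "__main__":
    print(json.dumps(PAYMENTS_POLICY, indent=2))
    print(json.dumps(PAYMENTS_TRUST, indent=2))
    print(json.dumps(service_account_manifest("payments", "external-secrets", "eso-payments")))
    print("GetSecretValue under describe-only policy:",
          is_allowed(DESCRIBE_ONLY, "secretsmanager:GetSecretValue", DB_SECRET_ARN))
```

Wire-up note: the SecretStore in the payments namespace points at this service account via spec.provider.aws.auth.jwt.serviceAccountRef, so no AWS access key ever lands in a Kubernetes Secret (the failure mode of option C), and a second namespace gets its own role and trust policy rather than a share of one broad identity (the failure mode of option A). When the AccessDeniedException appears, compare the exact action in the message with the Action list of the role's permission policy and the requested secret's ARN with its Resource list, which is precisely what is_allowed does here.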