
Secrets are not encrypted by default in Kubernetes - Practice Problems & Coding Challenges

🧠 Conceptual
intermediate
What is the default state of Kubernetes Secrets?
In Kubernetes, what is the default way Secrets are stored in etcd?
A. Secrets are stored as plain base64-encoded strings without encryption.
B. Secrets are encrypted using AES-256 by default.
C. Secrets are hashed with SHA-256 before storage.
D. Secrets are stored in an external vault by default.
💡 Hint
Think about how base64 encoding works and if it is a form of encryption.
💻 Command Output
intermediate
Output of viewing a Kubernetes Secret
What is the output of the command kubectl get secret mysecret -o yaml if the secret contains a password 'mypassword'?
kubectl get secret mysecret -o yaml
A
data:
  password: mypassword
metadata:
  name: mysecret
B
data:
  password: encrypted:mypassword
metadata:
  name: mysecret
C
data:
  password: bXlwYXNzd29yZA==
metadata:
  name: mysecret
D
data:
  password: SHA256:mypassword
metadata:
  name: mysecret
💡 Hint
Remember how base64 encoding looks for the string 'mypassword'.
Configuration
advanced
Enable encryption of Secrets at rest in Kubernetes
Which configuration snippet correctly enables encryption of Secrets at rest in Kubernetes using AES-CBC with a key named 'mykey'?
A
apiVersion: v1
kind: EncryptionConfig
resources:
- secrets
providers:
- aescbc:
    keys:
    - name: mykey
      secret: c2VjcmV0a2V5MTIzNDU2Nzg5MA==
B
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: mykey
        secret: c2VjcmV0a2V5MTIzNDU2Nzg5MA==
  - identity: {}
C
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- secrets
providers:
- aescbc:
    keys:
    - name: mykey
      secret: c2VjcmV0a2V5MTIzNDU2Nzg5MA==
D
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: mykey
        secret: c2VjcmV0a2V5MTIzNDU2Nzg5MA==
💡 Hint
Check the indentation and structure carefully; 'resources' is nested under the first list item.
Troubleshoot
advanced
Why are Secrets still visible in plain text after enabling encryption?
After configuring encryption at rest for Secrets, you still see base64-encoded Secrets in plain text when running kubectl get secret. Why?
A. Encryption only works for ConfigMaps, not Secrets.
B. Encryption configuration was not applied to the API server; it needs a restart.
C. Secrets are cached in the client and not refreshed after encryption is enabled.
D. kubectl shows Secrets decoded from etcd; encryption is only for storage, not for kubectl output.
💡 Hint
Think about where encryption applies and what kubectl displays.
Best Practice
expert
Best practice to secure Kubernetes Secrets beyond encryption at rest
Which approach is the best practice to enhance Kubernetes Secrets security beyond enabling encryption at rest?
A. Integrate an external secrets management system like HashiCorp Vault and use Kubernetes External Secrets.
B. Store Secrets as plain text in ConfigMaps for easier access.
C. Disable RBAC to allow all users to access Secrets freely.
D. Use base64 encoding with longer keys for Secrets.
💡 Hint
Think about centralized secret management and access control.