
Secrets encryption at rest in Kubernetes - Practice Problems & Coding Challenges

🧠 Conceptual
intermediate
What is the primary purpose of enabling secrets encryption at rest in Kubernetes?

Why do Kubernetes clusters use encryption at rest for secrets?

A. To automatically rotate secrets without user intervention
B. To speed up the retrieval of secrets from the API server
C. To allow secrets to be shared publicly without risk
D. To protect secret data stored on disk from unauthorized access if the storage medium is compromised
💡 Hint

Think about what happens if someone gets physical access to the storage where secrets are saved.

💻 Command Output
intermediate
What is the output of enabling encryption providers in Kubernetes API server config?

Given the following snippet in the EncryptionConfiguration file, what will be the effect on stored secrets?

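apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # Providers are listed in order; the first one is used to encrypt on write.
      - aescbc:
          keys:
            - name: key1
              # Base64-encoded key; a real aescbc key must decode to 16, 24 or 32 bytes.
              secret: c2VjcmV0a2V5MTIzNDU2Nzg5MA==
      # identity stores data as-is; listed last, it only lets existing plaintext be read.
      - identity: {}
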
A. Secrets will be deleted automatically after encryption
B. Secrets will be stored unencrypted because identity provider is last
C. Secrets will be encrypted using AES-CBC with the provided key before storage
D. Secrets will be encrypted using a random key each time
💡 Hint

The order of providers matters. The first provider that can encrypt is used.

Troubleshoot
advanced
Why might secrets appear unencrypted in etcd after enabling encryption at rest?

You enabled encryption at rest for secrets in Kubernetes, but when you check etcd data, secrets appear in plain text. What could be the cause?

A. The API server was not restarted after updating the encryption config
B. The encryption key is too short and was rejected silently
C. Secrets are always stored unencrypted in etcd regardless of config
D. The kubelet is caching old secrets and showing unencrypted data
💡 Hint

Think about what is required for the API server to apply new config changes.

🔀 Workflow
advanced
What is the correct order of steps to enable secrets encryption at rest in Kubernetes?

Arrange the following steps in the correct order to enable encryption at rest for secrets in a Kubernetes cluster.

A. 4, 1, 2, 3
B. 1, 4, 2, 3
C. 4, 2, 1, 3
D. 1, 2, 4, 3
💡 Hint

Think about safety first, then config, then restart, then verify.

Best Practice
expert
Which practice improves security when rotating encryption keys for Kubernetes secrets at rest?

You need to rotate the encryption keys used for secrets at rest. Which practice ensures minimal downtime and data safety?

A. Rotate keys by changing the key name but keeping the same secret value
B. Add the new key as the first provider in the EncryptionConfiguration, keep the old key as second, then restart API server
C. Rotate keys by deleting all secrets and recreating them with new keys
D. Remove the old key immediately and add the new key only, then restart API server
💡 Hint

Consider how Kubernetes decrypts and re-encrypts secrets during key rotation.