
You want to rotate the encryption key used for Secrets encryption at rest without downtime. Which approach correctly achieves this?

Hard · Best Practice · Q15 of 15
Kubernetes - RBAC and Security
A. Add the new key as the first provider in the encryption config, keep the old key second, then restart the API server
B. Replace the old key with the new key in the config and restart the API server immediately
C. Delete all Secrets, update the key, then recreate Secrets encrypted with the new key
D. Update the key in etcd directly without changing the API server config
Step-by-Step Solution
Solution:
  1. Step 1: Understand key rotation in encryption config

    To rotate keys safely, add the new key first so new Secrets encrypt with it, and keep the old key to decrypt existing Secrets.
  2. Step 2: Apply config and restart API server

    Restarting the API server loads the new config. Existing Secrets remain decryptable with the old key, allowing smooth rotation.
  3. Final Answer:

    Add the new key as the first provider in the encryption config, keep the old key second, then restart the API server -> Option A
  4. Quick Check:

    New key first, old key second, restart API server [OK]
Quick Trick: New key first, old key second in config for smooth rotation [OK]
Common Mistakes:
  • Replacing the old key immediately, which causes decryption failures
  • Deleting Secrets instead of rotating keys
  • Modifying etcd data directly, which risks corruption
