Complete the code to enable encryption of Kubernetes secrets at rest by specifying the encryption provider.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - [1]:
          keys:
            - name: key1
              secret: <base64-encoded-secret>
The aescbc provider enables AES-CBC encryption for secrets at rest in Kubernetes. Other options like plaintext or identity do not encrypt data.
Complete the command to restart the Kubernetes API server to apply the encryption configuration.
kubectl -n kube-system delete pod -l component=[1]
The Kubernetes API server pod must be restarted to apply the encryption configuration. The label component=kube-apiserver targets the API server pods.
Fix the error in the encryption configuration by choosing the correct key format for the secret.
providers:
  - aescbc:
      keys:
        - name: key1
          secret: [1]
The secret key must be base64 encoded. Option D is a valid base64 string, while others are plain text or invalid formats.
Fill both blanks to complete the command that checks if secrets are encrypted in etcd by querying etcd directly.
ETCDCTL_API=3 etcdctl --endpoints=[1] get /registry/secrets --prefix --keys-only | grep [2]
The etcd endpoint is usually at https://127.0.0.1:2379. To filter secret keys, grep for secrets in the keys output.
Fill all three blanks to create a Kubernetes manifest snippet that enables encryption at rest with the 'aescbc' provider and a base64 key.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - [1]:
          keys:
            - name: [2]
              secret: [3]
This manifest enables AES-CBC encryption for secrets using a key named 'key1' with a base64 encoded secret key.