Secrets Management Quiz
This quiz tests your understanding of Kubernetes Secrets, AWS Secrets Manager, External Secrets Operator, and encryption.
Quiz Questions
1. What is the default encoding method for Kubernetes Secrets?
A. AES-256 encryption B. Base64 encoding C. SHA-256 hash D. RSA encryption
Show Answer
Answer: B. Base64 encoding
Explanation: Kubernetes Secrets are Base64 encoded by default. Base64 is simple encoding, not encryption, so you should enable etcd encryption or use an external secrets management system.
2. Which AWS service is used for etcd encryption in EKS?
A. AWS Secrets Manager B. AWS KMS (Key Management Service) C. AWS Certificate Manager D. AWS CloudHSM
Show Answer
Answer: B. AWS KMS (Key Management Service)
Explanation: EKS uses AWS KMS to encrypt Kubernetes Secrets stored in etcd. Envelope encryption can be enabled during cluster creation or afterwards:
aws eks associate-encryption-config \
--cluster-name my-cluster \
--encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"arn:aws:kms:..."}}]'3. Which resources reference AWS Secrets Manager secrets in External Secrets Operator?
A. SecretStore B. ExternalSecret C. ClusterSecretStore D. A and B or C and B
Show Answer
Answer: D. A and B or C and B
Explanation: External Secrets Operator components:
- SecretStore/ClusterSecretStore: External secret store connection settings
- ExternalSecret: Actual secret reference and Kubernetes Secret creation
SecretStore is namespace-scoped, ClusterSecretStore is cluster-scoped.
4. Which is NOT a way to use Secrets in a Pod?
A. Inject as environment variables B. Mount as volumes C. Image pull secrets D. Convert to ConfigMap
Show Answer
Answer: D. Convert to ConfigMap
Explanation: Ways to use Secrets in a Pod:
- Environment variables:
envFrom.secretReforenv.valueFrom.secretKeyRef - Volume mount: Mount as files
- Image pull secrets:
imagePullSecrets
Secrets are not automatically converted to ConfigMaps. They are separate resources.
5. Which AWS service is used to configure automatic rotation in AWS Secrets Manager?
A. AWS EventBridge B. AWS Lambda C. AWS Step Functions D. AWS SNS
Show Answer
Answer: B. AWS Lambda
Explanation: AWS Secrets Manager automatic rotation uses Lambda functions. AWS provides pre-built rotation functions for RDS, Redshift, etc., and custom rotation can be implemented with Lambda.
6. What is the main feature of Sealed Secrets?
A. Encryption in etcd B. Safe to store in Git C. AWS only D. Automatic rotation support
Show Answer
Answer: B. Safe to store in Git
Explanation: Sealed Secrets encrypts secrets with a public key so they can be safely stored in Git repositories. Only the Sealed Secrets controller in the cluster can decrypt with the private key. It's suitable for GitOps workflows.
7. What is the role of ExternalSecret's refreshInterval field?
A. Set secret expiration time B. Set synchronization interval with external secret C. Set cache retention time D. Set retry interval
Show Answer
Answer: B. Set synchronization interval with external secret
Explanation:refreshInterval defines how often External Secrets Operator synchronizes with the external secret store:
spec:
refreshInterval: 1h # Sync every 1 hourWhen secrets change externally, the Kubernetes Secret is updated according to this interval.
8. What happens when Kubernetes Secret's immutable field is set to true?
A. Secret cannot be deleted B. Secret cannot be modified C. Secret cannot be read D. Secret cannot be copied
Show Answer
Answer: B. Secret cannot be modified
Explanation:immutable: true setting prevents modification after the Secret is created:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
immutable: true
data:
password: cGFzc3dvcmQ=To change it, you must delete and recreate the Secret. This prevents accidental changes and improves performance.
9. What is the main function of CSI Secrets Store Driver?
A. Encrypt secrets in etcd B. Mount external secrets as volumes C. Auto-generate secrets D. Backup secrets
Show Answer
Answer: B. Mount external secrets as volumes
Explanation: Secrets Store CSI Driver mounts external secrets from AWS Secrets Manager, Azure Key Vault, etc. directly as CSI volumes. Pods can use secrets without creating Kubernetes Secrets.
10. What is the advantage of using External Secrets with IRSA (IAM Roles for Service Accounts)?
A. Faster secret access B. No need to hardcode IAM credentials in Pods C. Automatic secret rotation D. Free usage
Show Answer
Answer: B. No need to hardcode IAM credentials in Pods
Explanation: IRSA allows attaching IAM roles to Service Accounts. External Secrets Operator Pods can securely access AWS Secrets Manager without AWS credentials. This is a security best practice.
11. What is the characteristic of defining Secret data with stringData?
A. Encrypted B. No Base64 encoding required C. More secure D. Compressed
Show Answer
Answer: B. No Base64 encoding required
Explanation: The stringData field allows specifying values in plain text:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
stringData:
password: mypassword # Plain text, auto Base64 encodedKubernetes automatically handles Base64 encoding. However, when queried, it appears as Base64 in the data field.
12. Which is NOT a secrets management best practice?
A. Enable etcd encryption B. Restrict Secret access with RBAC C. Commit secrets to source code D. Use external secrets management system
Show Answer
Answer: C. Commit secrets to source code
Explanation: Secrets management best practices:
- Enable etcd encryption
- Restrict Secret access with RBAC
- Use external secrets management systems (AWS Secrets Manager, HashiCorp Vault, etc.)
- Enable audit logging
- Regular secret rotation
Never commit secrets to source code. Plain text secrets would be exposed in version control systems.