A Linux administrator is writing a Deployment manifest for the company's internal CRM application. The container image reads the database user name and password from the environment variables DB_USER and DB_PASS. Security policy states that these credentials must not appear in plaintext in the YAML file and must not be written to persistent storage on any node. Which Kubernetes-native solution meets the requirement while still injecting the variables into every pod at startup?
Add the DB_USER and DB_PASS values directly under the env: section of the Deployment YAML.
Mount a read-only hostPath volume from /etc/secure on every node and read the credentials from that directory.
Store the credentials in a Secret object and reference that Secret with an envFrom section in the Pod template.
Create a ConfigMap that contains the credentials and mount it as a volume at /etc/creds inside each container.
The most secure Kubernetes-native way to inject sensitive values as environment variables is to create a Secret and reference it with the envFrom (or env/secretKeyRef) stanza inside the Pod template. When a Secret is consumed this way:
The secret data is omitted from the Deployment YAML (only the Secret's name is referenced), so the credentials never appear in plaintext in the manifest.
Kubernetes stores the secret material in an in-memory tmpfs on each node, meaning it is not written to non-volatile disk storage.
ConfigMaps are designed for non-confidential data and store values in plaintext, so they do not satisfy the security requirement. Declaring literal env variables in the manifest would expose the credentials directly in the YAML. A hostPath volume requires placing the credentials on every node's filesystem, which violates the "no persistent storage" rule. Therefore, using a Secret with envFrom is the correct choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Kubernetes Secret object and why is it secure?
Open an interactive chat with Bash
How does the `envFrom` section in a Pod template work with Secrets?
Open an interactive chat with Bash
Why is a ConfigMap not suitable for storing secrets in Kubernetes?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Automation, Orchestration, and Scripting
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access