Secrets Management: Encryption and External Stores

Run etcdctl get /registry/secrets/default/my-secret on a default Kubernetes cluster. What comes back is your "secret" data, sitting in etcd as plaintext. The base64 encoding Kubernetes applies is not encryption. It is a transport encoding that any terminal can reverse in under a second.

The CKS exam tests this directly. The "Minimize Microservice Vulnerabilities" domain (20% of the exam) includes configuring encryption at rest, verifying it works, and understanding external secret store integration. These are hands-on tasks on a real cluster, not multiple-choice questions about theory.
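
One way to check whether a stored Secret is actually encrypted, as an added example that is not part of the original lesson: when encryption at rest is active, the API server writes values with a k8s:enc:<provider>:<version>:<key name>: prefix, while unencrypted objects begin with the bytes "k8s" followed by a NUL. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Classify a raw etcd value saved to a file, for example with:
#   etcdctl get /registry/secrets/default/my-secret --print-value-only > value.bin
# (endpoint and TLS flags omitted; they depend on the cluster).

# Subshell body "( ... )" keeps the helper variables local to the function.
classify_etcd_value() (
    # First four bytes as hex: an unencrypted protobuf object starts with "k8s\0".
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    # Leading printable bytes, enough to hold an encryption prefix.
    lead=$(head -c 96 "$1" | LC_ALL=C tr -cd '[:print:]')
    case "$lead" in
        k8s:enc:*)
            # Prefix layout: k8s:enc:<provider>:<version>:<key or plugin name>:
            rest=${lead#k8s:enc:}
            provider=${rest%%:*}; rest=${rest#*:}
            version=${rest%%:*};  rest=${rest#*:}
            echo "encrypted provider=$provider version=$version key=${rest%%:*}"
            return 0 ;;
        '{'*) echo "plaintext json" ;;
        *)  if [ "$magic" = "6b387300" ]; then echo "plaintext protobuf"
            else echo "unknown"; fi ;;
    esac
    return 1   # anything that is not a recognised encrypted value fails the check
)

# Succeeds when a known secret value is readable in the stored bytes.
value_leaks() { LC_ALL=C grep -a -q -F -- "$2" "$1"; }

# Constructed sample values (not captured from a real cluster).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'k8s\000\n\014\n\002v1\022\006Secret\022\020password=hunter2' > "$demo_dir/plain.bin"
printf 'k8s:enc:aescbc:v1:key1:\237\001\366Zq\200' > "$demo_dir/enc.bin"

for f in plain.bin enc.bin; do
    printf '%s: ' "$f"
    classify_etcd_value "$demo_dir/$f" || true
    if value_leaks "$demo_dir/$f" "hunter2"; then
        echo "  known value is readable in etcd"
    else
        echo "  known value not found in stored bytes"
    fi
done
```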