KubeDojo

Sensitive Data Access and Secret Exposure

by Alexis Kinsella · 14 min read

Kubernetes Secrets are base64-encoded and stored unencrypted in etcd by default. That single fact creates a cascade of exposure risks that most clusters never fully address. A compromised etcd backup, an overly broad RBAC role, or a debug log that dumps environment variables can all turn your "secret" data into plaintext that an attacker reads in seconds.

The KCSA exam maps this directly to the MITRE ATT&CK Credential Access tactic. You need to know not just that secrets are at risk, but exactly how they get exposed and which Kubernetes-native controls block each path.
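The opening point, that base64 is an encoding rather than encryption and that Secrets sit unencrypted in etcd by default, shown as an added audit example (not code from the lesson). The Secret object and the raw etcd byte strings are constructed samples and the function names are hypothetical; the `k8s:enc:` prefix is what the API server writes in front of values once encryption at rest is configured.

```python
import base64
import json

# Constructed sample: the shape of `kubectl get secret db-creds -o json` (trimmed).
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "demo"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"app_user").decode(),
        "password": base64.b64encode(b"constructed-example-value").decode(),
    },
})


def decode_secret_data(secret_json: str) -> dict:
    """Decode every data field of a Secret. No key is involved: base64 is reversible by anyone."""
    obj = json.loads(secret_json)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret object")
    return {
        name: base64.b64decode(value, validate=True).decode("utf-8", "replace")
        for name, value in (obj.get("data") or {}).items()
    }


def classify_etcd_value(raw: bytes) -> str:
    """Classify a raw value stored under /registry/secrets/... by its leading bytes."""
    if raw.startswith(b"k8s:enc:"):
        # Layout: k8s:enc:<provider>:<version>:<key name>:<ciphertext>
        parts = raw.split(b":", 5)
        provider = parts[2].decode() if len(parts) > 2 else "unknown"
        return f"encrypted ({provider})"
    if raw.startswith(b"k8s\x00"):
        # Default storage: protobuf envelope, readable by anyone holding the backup.
        return "plaintext (protobuf)"
    if raw.lstrip().startswith(b"{"):
        return "plaintext (json)"
    return "unknown"


if __name__ == "__main__":
    print(decode_secret_data(SAMPLE_SECRET_JSON))
    print(classify_etcd_value(b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret"))
    print(classify_etcd_value(b"k8s:enc:aescbc:v1:key1:\x01\x02\x03"))
```

Running the classifier over values pulled from an etcd snapshot shows whether a backup would hand over Secrets in readable form.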
