Certified Kubernetes Application Developer (CKAD) Practice Test

The correct answer is that secrets in Kubernetes are encrypted at rest primarily using etcd.

Kubernetes stores its configuration data, including secrets, in etcd, which is a key-value store. While etcd alone does not inherently encrypt the data it holds, Kubernetes allows you to enable encryption of secrets before they are stored in etcd. This is done through configuring encryption at rest in the Kubernetes API server. When this feature is enabled, any secrets created or modified in the cluster are encrypted using specified encryption providers and then stored in etcd. This ensures that sensitive data remains secure, even if an unauthorized party gains access to the etcd data store.

Using Docker, config maps, or external storage does not directly relate to the encryption of secrets at rest within the Kubernetes ecosystem. Docker is primarily concerned with containerization and does not handle secrets management specifically. Config maps are used for storing non-sensitive configuration data, while external storage systems could be used for persistent storage, but they do not directly facilitate the encryption of Kubernetes secrets by themselves. Thus, etcd is the fundamental component related to the storage and encryption of secrets in Kubernetes.