
Answer-first summary for fast verification
Answer: Store the credential in Secret Manager. Create a Google service account (GSA) to read the credential from Secret Manager. Create a Kubernetes service account (KSA) to run the container. Use Workload Identity to configure your KSA to act as a GSA.
The question asks for a secure approach to add a secret to an application running in GKE. Option D is the best choice because it uses Secret Manager (a dedicated service for secrets) and leverages Workload Identity to grant the Kubernetes service account (KSA) temporary access via a Google service account (GSA). This avoids storing secrets in Kubernetes Secrets (which are base64-encoded but not encrypted by default) and eliminates the need for static credentials like .json files (as in Option C). While Option B enhances cluster security by encrypting secrets in etcd, it does not directly address how the application securely accesses the secret. Option A uses environment variables with Kubernetes Secrets, which is less secure than dynamically retrieving secrets from Secret Manager. Thus, Option D follows best practices for secure secret management in GKE.
Author: LeetQuiz Editorial Team
To securely add a secret to your containerized application running in a Google Kubernetes Engine (GKE) cluster, what is the recommended approach?
A. Create a Kubernetes Secret, and pass the Secret as an environment variable to the container.
B. Enable Application-layer Secret Encryption on the cluster using a Cloud Key Management Service (KMS) key.
C. Store the credential in Cloud KMS. Create a Google service account (GSA) to read the credential from Cloud KMS. Export the GSA as a .json file, and pass the .json file to the container as a volume which can read the credential from Cloud KMS.
D. Store the credential in Secret Manager. Create a Google service account (GSA) to read the credential from Secret Manager. Create a Kubernetes service account (KSA) to run the container. Use Workload Identity to configure your KSA to act as a GSA.