Google Associate Cloud Engineer

Google Associate Cloud Engineer

Get started today

Ultimate access to all questions.

In a Kubernetes Engine deployment, your engineers have hardcoded database credentials in the YAML configuration as shown below. What is Google's recommended best practice for handling sensitive information like this in Kubernetes?

apiVersion: "extensions/v1beta1"
kind: "Deployment"
metadata:
  name: "products-service"
  namespace: "default"
  labels:
    app: "products-service"
spec:
  replicas: 3
  selector:
    matchLabels:
      app: "products-service"
  template:
    metadata:
      labels:
        app: "products-service"
    spec:
      containers:
      - name: "products"
        image: "gcr.io/find-seller-app-dev/products:latest"
        env:
        - name: "database_user"
          value: "admin"
        - name: "database_password"
          value: "TheB3stP@ssW0rd"

Explanation:

The correct answer is D because Kubernetes provides the Secret resource type specifically for storing and managing sensitive information, such as passwords and OAuth tokens, in a secure manner. This approach is safer and more flexible than hardcoding credentials in Pod definitions or container images.

  • Option A is incorrect because mounting credentials in a volume is not a recommended practice for handling sensitive information.
  • Option B is incorrect because ConfigMaps are intended for non-sensitive configuration data and not for securing credentials.
  • Option C is incorrect because environment variables do not provide a secure method for storing sensitive information.
Powered ByGPT-5