Exam Professional Cloud Developer topic 1 question 171 discussion

D is correct.

Storing credentials as a Kubernetes secret + KMS for encryption and decryption of the DB credentials are the best answer.

Storing sensitive information such as database credentials in Kubernetes Secrets is a common and secure way to manage sensitive information in a cluster. The Cloud Key Management Service (KMS) can be used to further protect the secrets by encrypting and decrypting them, ensuring that they are protected both at rest and in transit. This combination of Kubernetes Secrets and Cloud KMS provides a secure way to manage and rotate credentials while following security best practices. Options A and B are not recommended, as they do not provide a secure and centralized way to manage and rotate credentials. Option C is not recommended because storing secrets in an encrypted volume mount is not as secure as using a Key Management Service, as the encryption keys must still be managed and protected within the cluster.

https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets#reencrypt-secrets Answer D

D is the answer. https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets By default, Google Kubernetes Engine (GKE) encrypts customer content stored at rest, including Secrets. GKE handles and manages this default encryption for you without any additional action on your part. Application-layer secrets encryption provides an additional layer of security for sensitive data, such as Secrets, stored in etcd. Using this functionality, you can use a key managed with Cloud KMS to encrypt data at the application layer. This encryption protects against attackers who gain access to an offline copy of etcd.