CKS Question #16: Real Exam Question with Answer & Explanation

Question

a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace. Store the value of the token in the token.txt. b. Create a new secret named test-db-secret in the DB namespace with the following content: username: mysql password: password@123 Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

Explanation

This question tests your ability to manage Kubernetes Secrets: retrieving and decoding an existing secret, creating a new generic secret imperatively, and mounting that secret into a Pod as a volume.

Approach. Part (a): Secret values are stored base64-encoded in etcd. You must decode on extraction: kubectl get secret default-token-xxxxx -n testing -o jsonpath='{.data.token}' | base64 --decode > token.txt. Part (b): Create the secret imperatively with kubectl create secret generic test-db-secret -n db --from-literal=username=mysql --from-literal=password=password@123, then define the Pod manifest with a volumes block referencing the secret and a volumeMounts block on the nginx container pointing to /etc/mysql-credentials. The key distinction is that a volume-mounted secret exposes each key as a separate file inside the mount path, unlike environment variable injection which exposes them as env vars.

Concept tested. Kubernetes Secrets lifecycle: reading/decoding existing secrets with kubectl and jsonpath, imperatively creating generic secrets with --from-literal flags, and consuming secrets in Pods via volume mounts (secretVolumeSource) rather than environment variables - a common exam scenario testing both the CLI and Pod spec authoring skills.

Reference. https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

No community discussion yet for this question.