Question 8
Domain 2: Workloads & SchedulingWhich Kubernetes approach best mounts database credentials from a Secret into a Pod as environment variables rather than files?
Correct answer: A
Explanation
Kubernetes Secrets can be injected into a container as environment variables using the Pod or Deployment spec with `env` or `envFrom`, instead of mounting them as files. This matches the goal of populating the container environment from a Secret while keeping the credentials out of the filesystem.
Why each option is right or wrong
A. Create a Secret and use env or envFrom in the Pod/Deployment spec to populate the container environment variables
Kubernetes supports projecting Secret data into a container’s process environment via the Pod/Deployment spec, using `env` with `valueFrom.secretKeyRef` for individual keys or `envFrom` with `secretRef` for all keys in the Secret. This is the correct mechanism when the requirement is to expose database credentials as environment variables rather than as a mounted volume, which would place them on the filesystem instead.
B. Mount the Secret as a volume and read the credentials from files under /etc/secret
C. Store the credentials in a ConfigMap and use valueFrom.configMapKeyRef for sensitive data
D. Pass the credentials as plain-text arguments in the container command so they are available in the shell