A cluster administrator has configured EncryptionConfiguration to encrypt secrets at rest using a local key. After applying the configuration, the administrator creates a new secret. How can they verify that the secret is encrypted at rest?
Directly reading from etcd shows the encrypted value, verifying encryption at rest.
Why this answer
The encryption is transparent to clients; you can verify by reading the raw data from etcd or enabling audit logging. Option A is correct: direct etcd access shows encrypted data.