You are responsible for securing a multi-tenant Kubernetes cluster that uses kubeadm for bootstrapping. The cluster has three control plane nodes and five worker nodes, all running Ubuntu 22.04. A recent security scan discovered that the etcd data directory is not encrypted at rest. The cluster stores sensitive customer data in secrets. You plan to enable encryption at rest for etcd. You have already created an encryption configuration file and placed it at /etc/kubernetes/encryption-config.yaml. The cluster is currently running Kubernetes v1.28.0 with etcd v3.5.9. You need to ensure that all existing and new secrets are encrypted. You also want to minimize downtime. Which of the following steps should you take?
Correct flag and automatic restart by kubelet.
Why this answer
Option D is correct because in Kubernetes v1.28, the `--experimental-encryption-provider-config` flag has been graduated to stable and renamed to `--encryption-provider-config`. Adding this flag to the kube-apiserver manifest (static pod YAML) causes the kubelet to automatically restart the static pod when the manifest file changes, minimizing downtime. This ensures both existing and new secrets are encrypted using the configured provider (e.g., AES-CBC or secretbox) as the apiserver rewrites existing secrets on startup.
Exam trap
The trap here is that candidates may confuse the deprecated `--experimental-encryption-provider-config` flag with the stable `--encryption-provider-config` flag, or think they need to manually restart the kubelet or modify etcd directly, when in fact the kubelet auto-restarts static pods and the apiserver handles encryption transparently.
How to eliminate wrong answers
Option A is wrong because etcd does not directly consume the encryption configuration file; the kube-apiserver is the component that encrypts/decrypts data before storing it in etcd. Option B is wrong because `--experimental-encryption-provider-config` is deprecated in Kubernetes v1.28 and the correct flag is `--encryption-provider-config`; additionally, restarting the kubelet is unnecessary as the kubelet automatically restarts static pods when their manifest changes. Option C is wrong because moving the etcd data directory to an encrypted filesystem (e.g., LUKS) encrypts data at the filesystem level, not at the Kubernetes API level, and does not satisfy the requirement to encrypt secrets at rest via the encryption configuration; it also requires etcd downtime and does not leverage the native Kubernetes encryption provider mechanism.