Which THREE options are valid methods to secure etcd in a Kubernetes cluster?
Encrypts communication and authenticates clients.
Why this answer
Option B is correct because enabling TLS with peer and client certificates encrypts all communication between etcd members and between etcd and the Kubernetes API server, preventing man-in-the-middle attacks and unauthorized access. This is a fundamental security requirement for etcd in production clusters, as etcd stores all cluster state and secrets.
Exam trap
The trap here is that candidates may confuse etcd's maintenance features (like compaction) with security controls, or assume that Kubernetes RBAC extends to etcd, when in fact etcd has its own separate access control mechanisms.