A microservice running as a Deployment in a Kubernetes cluster needs to authenticate to a third-party API using a static API key. Which is the most secure way to store and inject this secret into the container?
Trap 1: Store the API key in a ConfigMap and expose it as an environment…
ConfigMaps are for non-sensitive configuration data, not secrets.
Trap 2: Hardcode the API key in the container image
Hardcoding secrets in images is insecure and makes rotation impossible without rebuilding.
Trap 3: Store the API key in a Kubernetes Secret and expose it as an…
Environment variables from Secrets can be leaked through process dumps or logs.
- A. Store the API key in a ConfigMap and expose it as an environment variable
  Why wrong: ConfigMaps are for non-sensitive configuration data, not secrets.
- B. Hardcode the API key in the container image
  Why wrong: Hardcoding secrets in images is insecure and makes rotation impossible without rebuilding.
- C. Store the API key in a Kubernetes Secret and mount it as a volume inside the container
  Secrets are designed for sensitive data; volume mounts avoid exposure in environment variable listings.
- D. Store the API key in a Kubernetes Secret and expose it as an environment variable
  Why wrong: Environment variables from Secrets can be leaked through process dumps or logs.