Configuration Management Quiz
Question 1
What is the maximum size limit for a single ConfigMap in Kubernetes?
ConfigMaps have a maximum size limit of 1MB per ConfigMap. For larger configuration files, external storage should be used.
Think about the documented size constraints for Kubernetes configuration objects.
Question 2
Kubernetes Secrets are encrypted by default when stored in etcd.
By default, Secrets are stored as base64-encoded (not encrypted) in etcd. Base64 encoding is trivially reversible. You must explicitly enable encryption at rest for etcd to secure secrets.
Base64 encoding and encryption are not the same thing.
Question 3
Which of the following are valid methods to consume ConfigMap data in a Pod?
ConfigMaps can be consumed via environment variables (using configMapKeyRef or envFrom), and volume mounts. While command-line arguments can reference environment variables that come from ConfigMaps, ConfigMaps aren’t directly consumed as command-line arguments.
Consider how Pods can reference external configuration sources.
Question 4
What field in a ConfigMap or Secret YAML makes it unchangeable after creation?
Setting immutable: true prevents modifications to a ConfigMap or Secret after creation. This improves performance (kubelet doesn’t watch for changes) and prevents accidental modifications.
It’s a boolean field that, when set to true, prevents changes.
Question 5
What happens when you run this command?
    echo "bXlzZWNyZXQ=" | base64 -d
The string bXlzZWNyZXQ= is the base64 encoding of mysecret. The -d flag decodes it, demonstrating that base64 encoding is trivially reversible and NOT a security measure.
Base64 is an encoding scheme, not encryption.
Question 6
Which Secret type should you use for storing Docker registry credentials?
The kubernetes.io/dockerconfigjson type is specifically designed for Docker registry credentials and is used with imagePullSecrets in Pod specs.
There’s a specific type for Docker configuration in JSON format.
Question 7
Arrange these configuration practices from LEAST secure to MOST secure:
- Hardcoded credentials in application code
- Secrets stored in ConfigMap
- Kubernetes Secrets with base64 encoding
- External secrets management (Vault, AWS Secrets Manager)
Hardcoded credentials are worst (in code/images). ConfigMaps store data as plain text. K8s Secrets use base64 (not true encryption). External secrets managers provide proper encryption, rotation, and access control.
Question 8
By default, Pods automatically reload when a mounted ConfigMap is updated.
By default, Pods do NOT automatically reload when a ConfigMap is updated. Applications need to implement their own configuration reloading logic, or you need to restart the Pod/Deployment.
Think about whether Kubernetes handles hot-reloading of configuration.
Question 9
What is the primary purpose of Configuration Management in Kubernetes?
Configuration Management decouples configuration from container images, enabling the same image to be deployed across different environments (dev, staging, production) with different configurations.
Think about the 12-factor app principles.
Question 10
Complete the Pod spec to mount a Secret as a read-only volume:
Fill in the missing boolean value
    volumeMounts:
    - name: db-credentials
      mountPath: /etc/secrets
      _____: true
The readOnly: true field ensures the mounted Secret cannot be modified by the container, which is a security best practice for sensitive data.
Question 11
Which of the following are valid Kubernetes Secret types?
TLS, SSH auth, and service-account-token are valid Secret types. There is no built-in kubernetes.io/api-key type; API keys would use the generic Opaque type.
Review the documented Secret types in Kubernetes.
Question 12
What is the key difference between ConfigMap data and stringData fields?
data - Values must be base64-encoded
stringData - Values are plain text; Kubernetes automatically base64-encodes them
stringData is more convenient for writing manifests, but both store data the same way internally.
Question 13
When using subPath in a volumeMount, what is the primary benefit?
Using subPath allows you to mount a specific key from a ConfigMap as a single file at a specific path, rather than mounting all keys as files in a directory.
Think about selective file mounting.
Question 14
What kubectl command decodes a secret value?
    kubectl get secret db-secret -o jsonpath='{.data.password}' | _____ -d
Since Secrets store values as base64-encoded strings, you need to pipe the output to base64 -d to decode and view the actual value.
Secrets are base64-encoded in Kubernetes.
Question 15
The envFrom field in a Pod spec can load all keys from a ConfigMap as environment variables at once.
Using envFrom with configMapRef loads all key-value pairs from a ConfigMap as environment variables, which is more convenient than defining each variable individually with valueFrom.
Think about bulk loading configuration.
Question 16
Given this ConfigMap, what files will be created when mounted at /etc/config?
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: app-config
    data:
      database.host: "db.example.com"
      app.properties: |
        timeout=30
        level=INFO
When a ConfigMap is mounted as a volume, each key becomes a separate file. So database.host becomes a file containing db.example.com, and app.properties becomes a file containing the multi-line content.
Each key in the ConfigMap data section becomes a file.
Question 17
Why should you use external secrets management systems like HashiCorp Vault instead of native Kubernetes Secrets?
Native K8s Secrets limitations:
- Only base64-encoded, not encrypted by default
- No automatic rotation
- Limited audit capabilities
External systems provide:
- True encryption at rest and in transit
- Automatic secret rotation
- Fine-grained access control
- Comprehensive audit logging
- Dynamic secret generation
Question 18
Which are benefits of making ConfigMaps immutable (immutable: true)?
Immutable ConfigMaps prevent accidents, improve performance by eliminating watch overhead, and clearly signal intent. Immutability has nothing to do with encryption.
Think about operational and performance benefits.
Question 19
What is the recommended approach when you have 50+ configuration values to pass to a container?
For large numbers of configuration values, volume mounting configuration files is cleaner and more maintainable than defining many individual environment variables. It also makes the Pod spec more readable.
Think about what’s more maintainable and readable.
Question 20
Arrange the steps to create and use a ConfigMap from a file:
- Create local config file (app.properties)
- Run kubectl create configmap --from-file
- Reference ConfigMap in Pod spec
- Verify with kubectl get configmap -o yaml
First create the config file, then create the ConfigMap from it, verify it was created correctly, and finally reference it in your Pod spec.