Module 7 Exercises: Secure Configuration

Lock it down. Practice building immutable configuration pipelines and delivering secrets via secure RAM-backed volumes.

In Module 7, we moved from basic usage to high-security configuration patterns. You learned how to protect your cluster from performance issues and data leaks. These exercises will guide you through implementing these patterns.


Exercise 1: The "Locked Box" Config

Create an Immutable ConfigMap for an AI Agent.

  • Labels: version: v1, app: ai-agent.
  • Data: Set AGENT_TYPE to researcher.
  • Goal: Once applied, try to use kubectl edit configmap to change the AGENT_TYPE to writer.
  • Verification: What error message does the API Server return? Why can't you change it?

Exercise 2: Secret Volume Mounting

  1. Creation: Create a Secret named api-keys containing a dummy OPENAI_API_KEY.
  2. Deployment: Create a Deployment that mounts this secret as a Volume at /etc/keys.
  3. Task:
    • kubectl exec into the pod and run ls /etc/keys.
    • cat /etc/keys/OPENAI_API_KEY.
  4. Analysis: Verify that the file content matches your secret value. Then run the env command. Is the secret visible in the environment variables? Why is this safer?

Exercise 3: Drafting an ExternalSecret

(Note: You don't need a real AWS account to write the YAML).

  1. Scenario: You have a secret in AWS Secrets Manager named prod/api/openai-key.
  2. Task: Write the YAML for an ExternalSecret resource that:
    • Connects to a SecretStore named aws-store.
    • Synchronizes that AWS key into a local K8s secret named openai-key-sync.
    • Refreshes the data every 1 hour.

Exercise 4: Atomic Rotation Strategy

  1. Thinking Task: You have 10 pods mounting a secret as a volume. You update the Secret value in Kubernetes.
  2. Question: Do the files inside the containers update immediately?
  3. Observation: If you update the secret, watch the file inside the pod using watch -n 1 cat /etc/keys/SECRET_KEY. How long does it take for the change to appear?
  4. Action: Once the file changes, does your application (e.g. FastAPI) automatically "Pick up" the change, or do you need to write specific Python code to handle it?

Solutions (Self-Check)

Exercise 1 Answer:

The API server rejects the edit with a validation error ending in "data: Forbidden: field is immutable when `immutable` is set" (the same rule covers binaryData, and the immutable flag itself cannot be switched back to false). kubectl edit prints the message and leaves the object unchanged. To change the value you must delete the ConfigMap and recreate it, or (better) create a new one named ai-agent-v2 and point the Deployment at it; the versioned name also gives you a clean rollback path.

Exercise 2 Solution:

The secret will NOT be visible in the env output, because a volume mount places it on a tmpfs filesystem that only code which deliberately opens /etc/keys/OPENAI_API_KEY can read. An environment variable, by contrast, is inherited by every child process the container starts, is readable from /proc/<pid>/environ by anything running as the same user, and is routinely captured by crash reporters, debug endpoints and verbose startup logging.
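The following check is an added example, not part of the course material: a small pre-deploy gate that walks a pod spec and flags the api-keys Secret being consumed through the environment (the unsafe pattern this exercise contrasts with), plus the one volume pattern that silently breaks rotation later in Exercise 4 (a subPath mount). The two pod specs are constructed for the example; only the names ai-agent, api-keys and /etc/keys come from the exercise.

```python
# Added example for Exercise 2 (not part of the course material): check that a
# pod spec consumes the api-keys Secret only through a volume mount, never as an
# environment variable, and that no secret mount uses subPath (the kubelet never
# refreshes subPath mounts). The pod specs below are constructed here; only the
# names ai-agent, api-keys and /etc/keys come from the exercise.


def secret_volume_names(pod_spec):
    """Names of volumes in the pod spec that are backed by a Secret, directly or
    as a source of a projected volume."""
    names = set()
    for v in pod_spec.get("volumes", []):
        if "secret" in v:
            names.add(v["name"])
        elif any("secret" in s for s in v.get("projected", {}).get("sources", [])):
            names.add(v["name"])
    return names


def check_secret_exposure(pod_spec):
    """Return a sorted list of (container, finding) pairs.

    env-secret / envfrom-secret: the Secret lands in the process environment,
        which every child process inherits and which is readable from
        /proc/<pid>/environ and by anything that dumps the environment.
    subpath-secret-mount: the kubelet does not update subPath mounts, so a
        rotated Secret never reaches this container without a restart.
    """
    findings = []
    secret_vols = secret_volume_names(pod_spec)
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        for e in c.get("env", []):
            if "secretKeyRef" in e.get("valueFrom", {}):
                findings.append((c["name"], "env-secret:" + e["name"]))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append((c["name"], "envfrom-secret:" + ef["secretRef"]["name"]))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols and m.get("subPath"):
                findings.append((c["name"], "subpath-secret-mount:" + m["mountPath"]))
    return sorted(findings)


# Constructed pod spec matching the exercise: Secret mounted as a volume at /etc/keys.
VOLUME_MOUNT_POD = {
    "containers": [{
        "name": "ai-agent",
        "image": "ai-agent:dev",  # placeholder image name
        "volumeMounts": [{"name": "keys", "mountPath": "/etc/keys", "readOnly": True}],
    }],
    "volumes": [{"name": "keys", "secret": {"secretName": "api-keys"}}],
}

# Constructed counter-example: the same Secret exposed three unsafe ways.
ENV_EXPOSED_POD = {
    "containers": [{
        "name": "ai-agent",
        "image": "ai-agent:dev",
        "env": [{"name": "OPENAI_API_KEY",
                 "valueFrom": {"secretKeyRef": {"name": "api-keys", "key": "OPENAI_API_KEY"}}}],
        "envFrom": [{"secretRef": {"name": "api-keys"}}],
        "volumeMounts": [{"name": "keys", "mountPath": "/etc/keys/OPENAI_API_KEY",
                          "subPath": "OPENAI_API_KEY"}],
    }],
    "volumes": [{"name": "keys", "secret": {"secretName": "api-keys"}}],
}


if __name__ == "__main__":
    for label, spec in (("volume-mount", VOLUME_MOUNT_POD), ("env-exposed", ENV_EXPOSED_POD)):
        print(label, check_secret_exposure(spec) or "OK")
```

Feed it the spec.template.spec of your Deployment (for example the output of kubectl get deploy -o json) and fail the pipeline on any finding; the readOnly flag on the good mount is defensive documentation here, since Secret volumes are mounted read-only by the kubelet anyway.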

Exercise 3 Hint:

Your remoteRef.key must match the secret's name in AWS Secrets Manager exactly (prod/api/openai-key); if that secret's value is a JSON document, add remoteRef.property to select one field. The resource is kind: ExternalSecret in the external-secrets.io API group, and the three requirements map onto spec.secretStoreRef (name: aws-store, kind: SecretStore), spec.target.name (openai-key-sync) and spec.refreshInterval (1h), with one spec.data entry whose secretKey names the key in the generated Kubernetes Secret and whose remoteRef.key points at the AWS secret. After applying it, kubectl get externalsecret reports in its status whether the last sync succeeded, and kubectl get secret openai-key-sync should exist once it has.

Exercise 4 Logic:

  • The file updates once the kubelet notices the change: the documented worst case is the kubelet sync period (default 60 seconds) plus its cache propagation delay, so expect anything from a few seconds to about a minute. Two cases never update at all: a Secret mounted with subPath, and a Secret injected as an environment variable; both need a pod restart.
  • Critical: Most apps do NOT automatically pick up the change, because they read the file once at startup. You must re-read the file when it changes (note that the kubelet rotates the volume by swapping a ..data symlink rather than rewriting the file in place, so an inotify watch on the file itself misses the rotation), or use a tool that restarts the pods whenever the Secret changes.
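The code below is an added example, not part of the course material: an application-side reader that notices a rotated Secret without a pod restart, written against the way Kubernetes actually lays out a Secret volume (a timestamped directory behind a ..data symlink, rotated by an atomic symlink swap). write_secret_volume is a constructed stand-in for that kubelet behaviour so the example runs offline; the scratch directory and the sk-constructed-* values are made up for the demo, and the per-request call secret.value is how you would use it from a FastAPI handler.

```python
# Added example for Exercise 4 (not part of the course material): pick up a
# rotated Secret without restarting. Kubernetes projects a Secret volume as a
# timestamped directory behind a `..data` symlink and rotates it by swapping
# that symlink atomically; write_secret_volume() is a constructed imitation of
# that kubelet behaviour so the example runs offline. The scratch directory and
# the sk-constructed-* values are made up for the demo.
import os
import shutil
import tempfile
import time
from pathlib import Path


def write_secret_volume(root, data):
    """Constructed imitation of the kubelet's atomic volume writer: write the
    new payload into a fresh directory, then point ..data at it with a single
    rename(2), so a reader sees either the complete old set or the complete
    new set, never a mix."""
    root = Path(root)
    data_link = root / "..data"
    old_dir = os.readlink(data_link) if data_link.is_symlink() else None
    new_dir = root / f"..{time.strftime('%Y_%m_%d_%H_%M_%S')}.{time.monotonic_ns()}"
    new_dir.mkdir()
    for name, value in data.items():
        (new_dir / name).write_text(value)
    tmp_link = root / "..data_tmp"
    tmp_link.symlink_to(new_dir.name)
    os.replace(tmp_link, data_link)          # atomic symlink swap
    for name in data:                        # stable, user-facing file names
        link = root / name
        if not link.is_symlink():
            link.symlink_to(Path("..data") / name)
    if old_dir:
        shutil.rmtree(root / old_dir)        # kubelet removes the old payload too
    return new_dir


class SecretFile:
    """Poll-on-read accessor for one key of a mounted Secret.

    An inotify watch on the file misses the rotation (the inode the watch was
    set on is never modified), so this compares the identity of whatever the
    symlink chain currently resolves to: after a swap the inode differs and
    the value is re-read. Reads go through ..data, which is replaced
    atomically, so a torn read is not possible.
    """

    def __init__(self, path, min_interval=1.0):
        self.path = Path(path)
        self.min_interval = min_interval     # rate-limit the stat() per read
        self._last_check = float("-inf")
        self._ident = None
        self._value = None
        self.reloads = 0

    def _refresh(self):
        now = time.monotonic()
        if now - self._last_check < self.min_interval:
            return
        self._last_check = now
        st = self.path.stat()                # follows the symlink chain
        ident = (st.st_dev, st.st_ino, st.st_mtime_ns)
        if ident != self._ident:
            self._ident = ident
            self._value = self.path.read_text().strip()
            self.reloads += 1

    @property
    def value(self):
        self._refresh()
        return self._value


def demo(root=None):
    """Mount, read, rotate, read again; return what the application saw."""
    created = root is None
    root = Path(root or tempfile.mkdtemp(prefix="keys-"))
    write_secret_volume(root, {"OPENAI_API_KEY": "sk-constructed-old"})
    secret = SecretFile(root / "OPENAI_API_KEY", min_interval=0)
    before = secret.value
    write_secret_volume(root, {"OPENAI_API_KEY": "sk-constructed-new"})
    after = secret.value
    if created:
        shutil.rmtree(root)
    return before, after, secret.reloads


if __name__ == "__main__":
    print(demo())   # ('sk-constructed-old', 'sk-constructed-new', 2)
```

In a real pod the path is /etc/keys/OPENAI_API_KEY from Exercise 2, the default min_interval keeps the stat() cost to one per second however many requests arrive, and the old key keeps working until the first read after the kubelet's swap. That is the application half of a rotation; the other half is rotating the value in the vault with an overlap window so pods still on the old key are not locked out.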

Summary of Module 7

Congratulations! You are now a Security-Focused Architect.

  • You can prevent "Configuration Drift" using Immutable objects.
  • You can reduce Control Plane load in large clusters.
  • You can deliver secrets via RAM-backed volumes for maximum security.
  • You understand how to bridge K8s to enterprise vaults via the External Secrets Operator.

In Module 8: Scaling and Autoscaling, we will look at how we automatically grow our cluster to handle the massive demand generated by these secure AI services.
