ITGSS Certified DevOps Engineer Practice Test

Question: 1 / 400

What is the recommended practice for handling sensitive data in containers?

Passing them as environment variables

Storing them in plain text

Mounting them into read-only volumes

Using them directly in code

The recommended practice for handling sensitive data in containers is to mount it into read-only volumes. This approach enhances security by allowing sensitive information, such as configuration files or secrets, to be stored outside of the container image. By mounting sensitive data as a read-only volume, you ensure that the application running in the container has access to the data it needs without the risk of modifying it during runtime.

Using read-only volumes also helps to minimize the attack surface, as it reduces the chances of exposing sensitive information through environment variables or other means that could be exploited. Additionally, this practice allows for better management of secrets, as they can be updated or rotated independently of the container's underlying image, promoting a more secure and flexible deployment process.

In contrast, passing sensitive data as environment variables may expose that data unnecessarily in logs, process listings, or other outputs. Storing sensitive data in plain text, as well as using it directly in code, poses significant security risks by embedding secrets within the application, increasing the likelihood of accidental exposure.
