ConfigMaps & Secrets

Kubernetes lets you decouple application configuration from container images using two key resources:

  • ConfigMaps for non-sensitive data (settings, URLs, etc.)
  • Secrets for sensitive data (passwords, tokens, certificates)

These resources allow you to define environment-specific values once and reuse them across multiple workloads — improving security, consistency, and portability.


ConfigMaps (Non-Sensitive Configuration)

A ConfigMap is a key-value store for plain-text configuration. Use it for:

  • Environment-specific settings (LOG_LEVEL, API_BASE_URL)
  • Hostnames, ports, feature flags
  • Complete config files or CLI arguments

Example

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: debug
  DB_HOST: db.default.svc.cluster.local

Secrets (Sensitive Data)

Secrets are also key-value stores — but intended for private data such as:

  • Passwords, tokens, and API keys
  • SSH keys or TLS certs
  • Docker registry credentials

Kubernetes encodes all Secret values in base64. Note: this is for transport, not security.

Example

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  DB_PASSWORD: c3VwZXJzZWNyZXQ=

ⓘ Decode with: echo c3VwZXJzZWNyZXQ= | base64 -d
Use stringData: if you want Kubernetes to handle the encoding automatically.


Ways to Use ConfigMaps and Secrets

There are three main ways to expose values inside your Pods:


1. Environment Variables

Inject all key-value pairs from a ConfigMap or Secret:

envFrom:
  - configMapRef:
      name: app-config
  - secretRef:
      name: db-secret

Or reference individual keys:

env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: DB_PASSWORD

2. Mounted Volumes

Map each key to a file inside the container:

volumes:
  - name: config-vol
    configMap:
      name: app-config
containers:
  - name: app
    volumeMounts:
      - name: config-vol
        mountPath: /etc/config

In the container, this results in:

/etc/config/LOG_LEVEL
/etc/config/DB_HOST

You can do the same for Secrets:

volumes:
  - name: creds
    secret:
      secretName: db-secret

⚠️ Secrets mounted as files on disk are only base64-decoded. They are not encrypted unless you've enabled encryption at rest.


3. CLI Arguments or Command Overrides

containers:
  - name: app
    image: myapp
    args:
      - "--log-level=$(LOG_LEVEL)"
    env:
      - name: LOG_LEVEL
        valueFrom:
          configMapKeyRef:
            name: app-config
            key: LOG_LEVEL

Best Practices

  • Use ConfigMaps for plain-text configuration and Secrets for anything private.
  • Use RBAC to control access to Secrets.
  • Enable encryption at rest for Secret resources (EncryptionConfiguration).
  • Avoid committing secrets to Git — even in base64 form.
  • Use tools like Sealed Secrets, Vault, or external-secrets to integrate with cloud-native secrets managers.

Summary

  • ConfigMaps store non-sensitive values like app settings and hostnames.
  • Secrets store sensitive data like passwords and certificates — encoded, but not encrypted by default.
  • Both can be used via environment variables, mounted volumes, or command overrides.
  • Combine with proper RBAC and encryption settings for production use.