Module 6: Kubernetes ConfigMaps & Secrets

DevOpsLaunchpad

In modern applications, separating configuration data and sensitive information from the application code is a best practice. Kubernetes provides two important resources for this: ConfigMaps and Secrets.

This module will cover:

  • What are ConfigMaps?

  • What are Secrets?

  • When to use ConfigMaps vs. Secrets

  • How to create & use them in pods

  • Real-world best practices


🔹 1. What is a ConfigMap?

  • A ConfigMap is an API object used to store non-confidential configuration data in key-value pairs.

  • Example: database connection string, app settings, feature flags.

  • ConfigMaps allow you to keep environment-specific configuration separate from container images.

👉 Benefits:

  • Reusable across pods.

  • Keeps code and configuration separate.

  • Easy updates without redeploying applications.


🔹 2. What is a Secret?

  • A Secret is similar to a ConfigMap but designed to hold sensitive information such as:

    • Passwords

    • API keys

    • TLS certificates

  • Data inside Secrets is base64 encoded (not encrypted by default, but can be encrypted at rest).

👉 Benefits:

  • Avoids exposing sensitive data in plain text in application code or pod definitions.

  • Can be mounted into pods as environment variables or files.

  • Kubernetes RBAC helps restrict access.


🔹 3. ConfigMap vs. Secret

| Feature | ConfigMap | Secret |
|---|---|---|
| Data Type | Non-sensitive (configs, flags) | Sensitive (passwords, keys) |
| Storage Format | Plaintext key-value | Base64 encoded key-value |
| Use Case | App settings, URLs, file paths | API keys, tokens, credentials |

🔹 4. Creating a ConfigMap

Example: YAML definition

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_MODE: "production"
  LOG_LEVEL: "debug"

Apply it:

kubectl apply -f configmap.yaml

Use it in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: configmap-pod
spec:
  containers:
    - name: myapp
      image: nginx
      envFrom:
        - configMapRef:
            name: app-config

🔹 5. Creating a Secret

Example: YAML definition

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  DB_USER: YWRtaW4=      # base64 for "admin"
  DB_PASSWORD: cGFzc3dvcmQ=   # base64 for "password"

Apply it:

kubectl apply -f secret.yaml

Use it in a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
    - name: myapp
      image: mysql:5.7
      env:
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: DB_USER
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: DB_PASSWORD

🔹 6. Best Practices

✅ Keep Secrets encrypted at rest using KMS (AWS KMS, GCP KMS, Vault).

✅ Do not commit Secrets to GitHub or version control.

✅ Use RBAC to limit access.

✅ Use ConfigMaps for environment configs, Secrets only for sensitive data.
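An added example, not part of the original post, that ties two points above together: base64 values in a Secret can be reversed without any key, and manifests holding credentials should be caught before they reach version control. The function names, the `SENSITIVE` key-name heuristic and the sample manifest are assumptions constructed for illustration, and the parser only handles simple `key: value` scalars under `data:`.

```python
import base64
import re

# Assumed heuristic: key names that usually hold credentials.
SENSITIVE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE", re.I)

def data_items(doc):
    """Yield (key, value) pairs under the top-level data: map (plain scalars only)."""
    in_map = False
    for line in doc.splitlines():
        if line.strip() and not line.startswith((" ", "#")):
            in_map = line.rstrip() == "data:"  # any other top-level key ends the map
        elif in_map and (m := re.match(r"\s+([\w.-]+):\s*(.*)", line)):
            yield m[1], m[2].split(" #")[0].strip().strip("\"'")

def decode_value(value):
    """base64 is an encoding, not encryption: no key is needed to reverse it."""
    return base64.b64decode(value, validate=True).decode("utf-8", "replace")

def scan_manifest(text):
    """Return (resource, key, reason) findings for a multi-document manifest."""
    findings = []
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        kind = re.search(r"^kind:\s*(\w+)", doc, flags=re.M)
        name = re.search(r"^\s+name:\s*(\S+)", doc, flags=re.M)
        resource = f"{kind[1] if kind else '?'}/{name[1] if name else '?'}"
        for key, value in data_items(doc):
            if resource.startswith("Secret/"):
                size = len(decode_value(value))  # malformed base64 raises ValueError
                findings.append((resource, key, f"plaintext recoverable ({size} chars)"))
            elif resource.startswith("ConfigMap/") and SENSITIVE.search(key):
                findings.append((resource, key, "credential-like key in ConfigMap"))
    return findings

# Constructed sample: the page's manifests, trimmed, plus one misplaced ConfigMap key.
SAMPLE = """\
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_MODE: "production"
  DB_PASSWORD: "password"
---
kind: Secret
metadata:
  name: db-secret
data:
  DB_USER: YWRtaW4=      # base64 for "admin"
  DB_PASSWORD: cGFzc3dvcmQ=
"""
```

Calling `scan_manifest(SAMPLE)` reports the ConfigMap's `DB_PASSWORD` key and both Secret values; findings carry only the decoded length so the check itself does not print credentials.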


✅ Conclusion

  • Use ConfigMaps for general application configuration.

  • Use Secrets for sensitive data.

  • Together, they make Kubernetes apps more secure, portable, and manageable.

