Hard-coding configuration values or credentials inside a container image is a bad practice: it ties the image to a specific environment and exposes sensitive data in your source repository. Kubernetes provides two resources for externalising configuration: ConfigMaps for non-sensitive data and Secrets for sensitive data.
A ConfigMap stores arbitrary key-value pairs that pods can consume as environment variables or mounted files.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
  MAX_CONNECTIONS: "100"
  config.yaml: |
    server:
      port: 8080
      timeout: 30s
```
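```yaml
# Pod spec excerpt: every key in app-config becomes an environment variable
spec:
  containers:
    - name: app
      image: my-app:1.0.0
      envFrom:
        - configMapRef:
            name: app-config
```

```yaml
# Pod spec excerpt: each key in app-config becomes a file under /etc/config
spec:
  containers:
    - name: app
      image: my-app:1.0.0
      volumeMounts:
        - name: config-vol
          mountPath: /etc/config
  volumes:
    - name: config-vol
      configMap:
        name: app-config
```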
The file config.yaml from the ConfigMap appears at /etc/config/config.yaml inside the container.
Secrets work like ConfigMaps but are intended for sensitive values such as passwords, API keys, and TLS certificates. By default, Kubernetes stores Secret values only base64-encoded in etcd; base64 is an encoding, not encryption, so anyone who can read the Secret object or the etcd data can recover the value. For stronger protection, enable encryption at rest and use an external secrets manager (Vault, AWS Secrets Manager) via a CSI driver or the External Secrets Operator.
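```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
# stringData takes plain text; the API server stores it base64-encoded under data
stringData:
  DB_PASSWORD: "supersecret"
  DB_USER: "appuser"
```

```yaml
# Pod spec excerpt: every key in db-secret becomes an environment variable
spec:
  containers:
    - name: app
      image: my-app:1.0.0
      envFrom:
        - secretRef:
            name: db-secret
```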
```bash
# Create a ConfigMap from literal values
kubectl create configmap app-config --from-literal=LOG_LEVEL=info

# Create a Secret from literal values
# (a literal typed on the command line is saved in shell history)
kubectl create secret generic db-secret --from-literal=DB_PASSWORD=supersecret

# List configmaps
kubectl get configmaps

# List secrets (values are not shown)
kubectl get secrets

# Describe a secret (shows key names and value sizes, not the values)
kubectl describe secret db-secret
```
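The split between ConfigMaps and Secrets, and the base64 point, as an added example that is not part of the original lesson: a Python audit over objects shaped like `kubectl get configmaps,secrets -o json` output that flags credential-like keys left in a ConfigMap and shows that Secret values decode without any key. The sample objects, the key-name regex and the function names are assumptions made for illustration.

```python
import base64
import re

# Constructed sample in the shape of `kubectl get configmaps,secrets -o json` items.
# The DB_PASSWORD entry in the ConfigMap is a deliberate mistake for the audit to catch.
SAMPLE_ITEMS = [
    {"kind": "ConfigMap", "metadata": {"name": "app-config"},
     "data": {"LOG_LEVEL": "info", "MAX_CONNECTIONS": "100",
              "DB_PASSWORD": "supersecret"}},
    {"kind": "Secret", "metadata": {"name": "db-secret"}, "type": "Opaque",
     "data": {"DB_PASSWORD": base64.b64encode(b"supersecret").decode(),
              "DB_USER": base64.b64encode(b"appuser").decode()}},
]

# Assumed heuristic: key names that usually hold credentials.
CREDENTIAL_KEY = re.compile(
    r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)


def misplaced_credentials(items):
    """Return (configmap_name, key) pairs whose key name looks like a credential."""
    return [(obj["metadata"]["name"], key)
            for obj in items if obj["kind"] == "ConfigMap"
            for key in (obj.get("data") or {})
            if CREDENTIAL_KEY.search(key)]


def decode_secret(obj):
    """Recover a Secret's plaintext values: base64 needs no key to reverse."""
    return {key: base64.b64decode(value).decode("utf-8", "replace")
            for key, value in (obj.get("data") or {}).items()}


if __name__ == "__main__":
    for name, key in misplaced_credentials(SAMPLE_ITEMS):
        print(f"ConfigMap/{name}: key {key!r} looks like a credential; "
              "move it to a Secret")
    secret = next(o for o in SAMPLE_ITEMS if o["kind"] == "Secret")
    # Report only key names and lengths so the audit output leaks no values.
    for key, value in decode_secret(secret).items():
        print(f"Secret/{secret['metadata']['name']}: "
              f"{key} decodes to {len(value)} characters")
```

Because the decode step needs nothing but read access, RBAC on Secret objects and encryption at rest for etcd are what actually protect the values.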
Setting immutable: true on a ConfigMap or Secret prevents any further changes and improves performance because the kubelet no longer needs to watch for updates. Use immutable resources for configuration that should never change after deployment.