# ConfigMaps vs Secrets in Kubernetes: Managing Configuration & Sensitive Data
## Introduction

Modern applications require configuration data such as database URLs, API endpoints, environment variables, usernames, and passwords. Hardcoding these values inside application code is not good practice, because changing a configuration value would require rebuilding and redeploying the application.

Kubernetes provides two resources to manage application data:

- ConfigMaps
- Secrets

ConfigMaps are used for non-sensitive configuration data, while Secrets are used for sensitive information such as passwords, API keys, and tokens.

In this guide, we will cover ConfigMaps, Secrets, their differences, architecture, real-world use cases, and interview questions.
## Why Do We Need ConfigMaps and Secrets?

Without ConfigMaps or Secrets, configuration and credentials end up hardcoded, for example:

```text
DATABASE_URL=mysql.example.com
USERNAME=admin
PASSWORD=admin123
```

Problems:

- Sensitive data exposed
- Difficult configuration management
- Frequent application rebuilds
- Security risks

Kubernetes solves this using ConfigMaps and Secrets.
## What is a ConfigMap?

A ConfigMap is a Kubernetes resource used to store non-confidential configuration data.

Examples:

- Application URLs
- Environment Names
- Port Numbers
- Feature Flags
- Configuration Files

### ConfigMap Architecture

```text
ConfigMap
   │
   ▼
Deployment
   │
   ▼
Pod
   │
   ▼
Container
```

The container reads configuration from the ConfigMap.
## Creating a ConfigMap

YAML example (`configmap.yaml`):

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: production
  APP_PORT: "8080"
  DATABASE_HOST: mysql-service
```

Apply the ConfigMap:

```bash
kubectl apply -f configmap.yaml
```

### Viewing ConfigMaps

```bash
kubectl get configmaps
```

Describe a ConfigMap:

```bash
kubectl describe configmap app-config
```
## Using a ConfigMap as Environment Variables

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          envFrom:
            - configMapRef:
                name: app-config
```

With `envFrom`, the container automatically receives every key in `app-config` as an environment variable of the same name.
## Using a ConfigMap as a Volume

Define the volume in the Pod spec:

```yaml
volumes:
  - name: config-volume
    configMap:
      name: app-config
```

Mount it inside the container:

```yaml
volumeMounts:
  - name: config-volume
    mountPath: /etc/config
```

The application can read the configuration files directly: each key in the ConfigMap becomes a file under `/etc/config`.
## What is a Secret?

A Secret is a Kubernetes resource used to store sensitive information securely.

Examples:

- Passwords
- API Keys
- Database Credentials
- OAuth Tokens
- SSH Keys
- TLS Certificates

### Secret Architecture

```text
Secret
   │
   ▼
Deployment
   │
   ▼
Pod
   │
   ▼
Container
```

Secrets provide sensitive data to applications securely.
## Creating a Secret

Using YAML (`secret.yaml`):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQ=
```

Note: values under `data` are Base64 encoded. Base64 is an encoding, not encryption; anyone who can read the Secret can decode the values.

Example:

```bash
echo -n "admin" | base64
```

Output:

```text
YWRtaW4=
```
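As an added example (not code from the original post), the following shell script shows what the Base64 step in a Secret manifest does and does not give you: `k8s_b64_encode` produces the `data:` values exactly as `echo -n ... | base64` does, `k8s_b64_decode` reverses it, and `encoded_with_newline` reproduces the common mistake of forgetting `-n`. The function names are this example's own, not kubectl subcommands.

```shell
#!/bin/sh
# Added example, not from the original post: shows what the Base64 step in a
# Secret manifest does (encoding) and does not do (encryption). Function
# names are this example's own, not kubectl subcommands.

# Encode a value the way `echo -n "$value" | base64` does. `tr -d '\n'`
# removes the line wrapping GNU base64 adds after 76 columns, so longer
# values stay on one line in the manifest.
k8s_b64_encode() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse operation: anyone who can read the Secret (`kubectl get secret
# db-secret -o yaml`) can do exactly this, so Base64 hides nothing.
k8s_b64_decode() {
  printf '%s' "$1" | base64 -d
}

# Common mistake: `echo "admin" | base64` (no -n) encodes a trailing
# newline as well. The value then ends in "K" instead of "=" and the
# credential handed to the application contains a newline.
encoded_with_newline() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Build an Opaque Secret manifest from plain values, encoding each one.
secret_manifest() {             # args: name username password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(k8s_b64_encode "$2")
  password: $(k8s_b64_encode "$3")
EOF
}

# Demo with the post's values: the manifest matches secret.yaml above, and
# the decode step shows how little the encoding hides.
secret_manifest db-secret admin password
printf 'decoded password: %s\n' "$(k8s_b64_decode cGFzc3dvcmQ=)"
printf 'with -n: %s   without -n: %s\n' "$(k8s_b64_encode admin)" "$(encoded_with_newline admin)"
```

The same decode applies to a value read from the cluster, e.g. `kubectl get secret db-secret -o jsonpath='{.data.password}' | base64 -d`. That is why RBAC on Secrets and encryption at rest (covered under Best Practices) matter: Base64 keeps a value from being read at a glance, not from anyone with read access to the object.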
Apply the Secret:

```bash
kubectl apply -f secret.yaml
```

### Viewing Secrets

```bash
kubectl get secrets
```

Describe a Secret:

```bash
kubectl describe secret db-secret
```
## Using Secrets as Environment Variables

```yaml
env:
  - name: DB_USERNAME
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: username
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: password
```

The application reads the credentials from `DB_USERNAME` and `DB_PASSWORD`; the values themselves never appear in the Deployment manifest.
## Using Secrets as Volumes

```yaml
volumes:
  - name: secret-volume
    secret:
      secretName: db-secret
```

Mount the Secret:

```yaml
volumeMounts:
  - name: secret-volume
    mountPath: /etc/secret
```
## Real-World Example

Consider a Node.js application.

### Configuration Data

```text
APP_ENV=production
APP_PORT=3000
DATABASE_HOST=mysql-service
```

Store in: ConfigMap

### Sensitive Data

```text
DB_USERNAME=admin
DB_PASSWORD=password123
API_KEY=xxxxxxxx
```

Store in: Secret

This separation improves security and maintainability.
## ConfigMaps vs Secrets

| Feature | ConfigMap | Secret |
|---|---|---|
| Purpose | Configuration Data | Sensitive Data |
| Stores Passwords | ❌ | ✅ |
| Stores API Keys | ❌ | ✅ |
| Environment Variables | ✅ | ✅ |
| Volume Mount Support | ✅ | ✅ |
| Security Focus | Low | High |
| Data Encoding | Plain Text | Base64 Encoded |
## Best Practices

### Use ConfigMaps for Non-Sensitive Data

Examples:

- URLs
- Ports
- Feature Flags

### Use Secrets for Credentials

Examples:

- Passwords
- Tokens
- API Keys

### Avoid Hardcoding Credentials

Bad:

```text
DB_PASSWORD=password123
```

Good: reference a Secret resource instead.

### Use RBAC

Restrict access to Secrets using Kubernetes RBAC policies.

### Encrypt Secrets

Enable encryption at rest for better security.
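The two hardening steps above can be written down as manifests. The following shell script (an added example, not from the original post) emits a Role and RoleBinding that grant one ServiceAccount `get` on the single `db-secret` Secret, plus an `EncryptionConfiguration` for the API server with a freshly generated AES key. The ServiceAccount name `payments-api` and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: manifests for the "Use RBAC"
# and "Encrypt Secrets" recommendations. Function names and the
# ServiceAccount name "payments-api" are constructed; "db-secret" is the
# Secret created earlier in the post.

# Role granting `get` on exactly one named Secret. `list` and `watch` are
# left out on purpose: a Role that grants them without a resourceNames
# restriction discloses the contents of every Secret in the namespace, and
# `get` on one name is all a workload that reads this Secret needs.
secret_reader_role() {          # args: namespace secret-name
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $2-reader
  namespace: $1
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["$2"]
    verbs: ["get"]
EOF
}

# Bind that Role to the ServiceAccount the workload runs as, nothing wider.
secret_reader_binding() {       # args: namespace secret-name serviceaccount
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $2-reader
  namespace: $1
subjects:
  - kind: ServiceAccount
    name: $3
    namespace: $1
roleRef:
  kind: Role
  name: $2-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# 32 random bytes, Base64-encoded: the key material the aescbc provider
# expects. Keep the generated file out of version control.
new_encryption_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# EncryptionConfiguration for the API server (--encryption-provider-config).
# Provider order matters: the first provider encrypts new writes; the
# trailing `identity` provider lets the server still read Secrets that were
# written before encryption was enabled, until they are rewritten.
encryption_config() {           # args: base64-encoded 32-byte key
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: $1
      - identity: {}
EOF
}

# Demo: print all three manifests for the post's db-secret.
secret_reader_role default db-secret
echo '---'
secret_reader_binding default db-secret payments-api
echo '---'
encryption_config "$(new_encryption_key)"
```

Pass the written configuration file to the API server with `--encryption-provider-config`. Secrets created before the change stay unencrypted in storage until they are rewritten (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`). `aescbc` is used here because it needs no external service; the Kubernetes documentation recommends a KMS provider for production clusters.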
## Common Mistakes

- ❌ Storing passwords in ConfigMaps
- ❌ Hardcoding credentials in Deployment YAML
- ❌ Sharing Secrets unnecessarily
- ❌ Committing Secrets to GitHub repositories
- ❌ Ignoring RBAC permissions
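A check that catches the first two mistakes before a manifest reaches the cluster, as an added example (not from the original post): `flag_configmap_credentials` lists keys under a ConfigMap's `data:` whose names look like credentials, and `flag_literal_env_credentials` lists `env` entries in a Deployment whose name looks like a credential but which carry a literal `value:` instead of a `secretKeyRef`. The sample manifests and function names are constructed for this example; the script is a text pattern match, not a YAML parser.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-commit style check for
# credential-looking keys in ConfigMaps and literal credential values in a
# Deployment's env list. Pattern matching over manifest text, not a YAML
# parser; function names and sample manifests are constructed.

# Key/variable names that usually hold credentials (matched uppercased).
CRED_NAME_PATTERN='PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY'

# Read a ConfigMap manifest on stdin; print each key under `data:` whose
# name matches the pattern. Exit 1 if any was found, 0 otherwise.
flag_configmap_credentials() {
  awk -v pat="$CRED_NAME_PATTERN" '
    BEGIN { bad = 0 }
    /^data:/        { indata = 1; next }   # start of the key/value block
    /^[^ \t]/       { indata = 0 }         # any other top-level key ends it
    indata && match($0, /^[ \t]+[^ \t:]+:/) {
      key = substr($0, RSTART, RLENGTH)
      gsub(/[ \t:]/, "", key)              # strip indentation and colon
      if (toupper(key) ~ pat) { print key; bad = 1 }
    }
    END { exit bad }'
}

# Read a Deployment (or Pod) manifest on stdin; print each env entry whose
# name matches the pattern and whose next line is a literal `value:` rather
# than `valueFrom:`. Exit 1 if any was found.
flag_literal_env_credentials() {
  awk -v pat="$CRED_NAME_PATTERN" '
    BEGIN { bad = 0 }
    /^[ \t]*-[ \t]*name:/ { n = $NF; next }   # remember the entry name
    /^[ \t]*value:/ { if (toupper(n) ~ pat) { print n; bad = 1 } }
    { n = "" }                                # anything else resets it
    END { exit bad }'
}

# Constructed sample manifests for the demo (APP_* lines mirror the post).
BAD_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: production
  APP_PORT: "3000"
  DB_PASSWORD: password123
  API_KEY: xxxxxxxx'

GOOD_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: production
  APP_PORT: "3000"
  DATABASE_HOST: mysql-service'

DEPLOYMENT_ENV='        env:
          - name: APP_PORT
            value: "3000"
          - name: DB_PASSWORD
            value: password123
          - name: DB_USERNAME
            valueFrom:
              secretKeyRef:
                name: db-secret
                key: username'

# Demo run: prints the offending names, or a clean message.
printf '%s\n' "$BAD_CONFIGMAP" | flag_configmap_credentials && echo "ConfigMap: clean"
printf '%s\n' "$GOOD_CONFIGMAP" | flag_configmap_credentials && echo "ConfigMap: clean"
printf '%s\n' "$DEPLOYMENT_ENV" | flag_literal_env_credentials && echo "Deployment env: clean"
```

Run either function over a manifest (`flag_configmap_credentials < configmap.yaml`) in a pre-commit hook or CI step and fail the build on a non-zero exit. It is a first line of defence for the two mistakes named above, not a substitute for a dedicated secrets scanner.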
## Real-World CI/CD Workflow

```text
Developer
   │
   ▼
GitHub
   │
   ▼
Jenkins
   │
   ▼
Docker Image
   │
   ▼
Kubernetes Deployment
   │
   ├── ConfigMap
   │
   └── Secret
   │
   ▼
Application Running
```

This architecture is commonly used in production Kubernetes environments.
## Kubernetes Interview Questions

**What is a ConfigMap?**

A ConfigMap stores non-sensitive configuration data used by Kubernetes applications.

**What is a Secret?**

A Secret stores sensitive information such as passwords, API keys, and tokens.

**What is the difference between a ConfigMap and a Secret?**

ConfigMaps store non-sensitive data, while Secrets store sensitive data.

**Can Secrets be mounted as volumes?**

Yes. Secrets can be mounted as volumes inside containers.

**Are Kubernetes Secrets encrypted?**

By default they are only Base64 encoded, which is not encryption. Encryption at rest should be enabled for stronger security.

**Can ConfigMaps be used as environment variables?**

Yes. ConfigMaps can provide environment variables to containers.
## Conclusion

ConfigMaps and Secrets are essential Kubernetes resources for managing application configuration and sensitive information. They help separate configuration from application code, improve security, and simplify application management.

- Use ConfigMaps for non-sensitive settings.
- Use Secrets for passwords, API keys, and credentials.
- Follow security best practices to protect sensitive data.

Mastering ConfigMaps and Secrets is critical before learning Ingress Controllers, Helm, Persistent Volumes, and advanced Kubernetes security concepts.