ConfigMaps and Secrets in Kubernetes: Complete Guide

Separating configuration from code is a best practice. Kubernetes provides ConfigMaps for non-sensitive data and Secrets for sensitive data.

ConfigMaps

Creating ConfigMaps

# From literal values
kubectl create configmap my-config --from-literal=KEY1=value1 --from-literal=KEY2=value2

# From file
kubectl create configmap my-config --from-file=config.properties

# From directory
kubectl create configmap my-config --from-file=./config-dir/

YAML Definition

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DATABASE_URL: "postgres://db:5432"
  LOG_LEVEL: "info"
  config.json: |
    {
      "feature": true,
      "timeout": 30
    }

Using ConfigMaps in Pods

As environment variables:

spec:
  containers:
  - name: app
    envFrom:
    - configMapRef:
        name: app-config

Specific keys:

env:
- name: DB_URL
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: DATABASE_URL

As volume mount:

volumes:
- name: config-volume
  configMap:
    name: app-config
containers:
- name: app
  volumeMounts:
  - name: config-volume
    mountPath: /etc/config

Secrets

Creating Secrets

# Generic secret (a --from-literal value is recorded in shell history; --from-file avoids that)
kubectl create secret generic my-secret --from-literal=password=mysecret

# TLS secret
kubectl create secret tls my-tls --cert=tls.crt --key=tls.key

# Docker registry secret
kubectl create secret docker-registry my-registry \
  --docker-server=registry.io \
  --docker-username=user \
  --docker-password=pass

Using Secrets

spec:
  containers:
  - name: app
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: password
    volumeMounts:
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: db-secret

Best Practices

  1. Never commit secrets to git
  2. Use RBAC to restrict secret access
  3. Enable encryption at rest (by default Secret values are only base64-encoded and are stored unencrypted in etcd)
  4. Consider external secret managers (Vault, AWS Secrets Manager)
  5. Set readOnly: true for secret mounts
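
An added example, not part of the original post, that checks a Pod manifest (as printed by kubectl get pod -o json) against practices 1 and 5 above: sensitive-looking env vars set as literals instead of secretKeyRef, and Secret volumes mounted without readOnly: true. The sample Pod, the SENSITIVE name pattern and the audit_pod function are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample: a Pod in the JSON form `kubectl get pod -o json` prints.
SAMPLE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "demo"},
 "spec": {
  "containers": [{
    "name": "app",
    "env": [
      {"name": "DB_PASSWORD", "value": "mysecret"},
      {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "token"}}},
      {"name": "LOG_LEVEL", "value": "info"}],
    "volumeMounts": [
      {"name": "secret-volume", "mountPath": "/etc/secrets"},
      {"name": "config-volume", "mountPath": "/etc/config"}]}],
  "volumes": [
    {"name": "secret-volume", "secret": {"secretName": "db-secret"}},
    {"name": "config-volume", "configMap": {"name": "app-config"}}]}}
""")

# Assumed heuristic for "this variable probably holds a credential".
SENSITIVE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)


def audit_pod(pod):
    """Return a sorted list of findings for one Pod manifest (a dict)."""
    spec = pod.get("spec", {})
    # Names of volumes backed by a Secret (ConfigMap volumes are ignored).
    secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            # A literal value lives in the manifest itself, and so in git.
            if SENSITIVE.search(e["name"]) and e.get("value"):
                findings.append(f"{c['name']}: env {e['name']} is a literal, use secretKeyRef")
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols and not m.get("readOnly", False):
                findings.append(f"{c['name']}: secret mount {m['mountPath']} lacks readOnly: true")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_pod(SAMPLE_POD):
        print(line)
```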

Common Exam Tasks

  • Create ConfigMap from file
  • Mount ConfigMap as volume
  • Inject Secret as environment variable
  • Update ConfigMap and observe pod behavior

Practice ConfigMaps and Secrets

These concepts appear frequently in CKAD exams. Practice at Sailor.sh with real scenarios.