Day 6: ConfigMaps & Secrets — Managing App Settings and Sensitive Data in Kubernetes
Let’s Begin With What You Might Know
In traditional apps — whether Node.js, Python, Java, or others — you’ve probably done this before:
DB_USERNAME=admin
DB_PASSWORD=1234
APP_ENV=production
- .env files
- Docker run commands
- Cloud config panels
And sometimes… you (accidentally or lazily) hardcode passwords into the code itself. 😬
But in Kubernetes, there’s a better and safer way to do this.
Enter: ConfigMaps and Secrets
What’s a ConfigMap?
A ConfigMap is used to store non-sensitive configuration data like:
- Environment variables
- App settings
- File paths
- Feature flags
It keeps your app configs separate from your app code and container image — which is great for flexibility and security.
What’s a Secret?
A Secret is like a ConfigMap — but for sensitive data:
- Passwords
- API tokens
- TLS certificates
- Private keys
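Secret values are base64-encoded, which is an encoding and not encryption: anyone who can read the Secret object can decode it. The protection comes from the tighter access controls (RBAC) that Kubernetes lets you apply to Secrets.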
Why Use Them?
Without ConfigMaps/Secrets | With ConfigMaps/Secrets |
---|---|
Hardcoded values | Clean separation of config from code |
Rebuilding images for every config change | Update values without touching the image |
Risk of exposing sensitive data | Secrets are encoded, kept out of code and images, and can be access-controlled |
Poor reusability | Reuse configs across multiple apps easily |
How It Works
You:
- Create a ConfigMap or Secret
- Attach it to your Pod using:
- Environment variables
- Mounted volumes
- Your app reads the values from the injected location
Example: Creating a ConfigMap
kubectl create configmap app-config \
  --from-literal=APP_ENV=production \
  --from-literal=FEATURE_X=true
And a Secret:
kubectl create secret generic db-secret \
  --from-literal=DB_USER=admin \
  --from-literal=DB_PASS=1234
Then, in your Pod spec (simplified YAML):
env:
  - name: APP_ENV
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: APP_ENV
  - name: DB_USER
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: DB_USER
Try It Yourself
👉 Use the KodeKloud Kubernetes Playground
1 - Create a Secret:
kubectl create secret generic mysecret \
  --from-literal=password=mypass123
2 - Create a Pod using that secret:
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  containers:
    - name: busybox
      image: busybox
      command: ["sleep", "3600"]
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
Save it as pod.yaml, apply it, and print the injected variable:
kubectl apply -f pod.yaml
kubectl exec -it secret-demo -- printenv DB_PASSWORD
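The command prints the password in plain text, confirming that it was injected from the Secret; anyone allowed to exec into the Pod can read it the same way.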
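Because Secret values are only base64-encoded, read access to the Secret object is equivalent to knowing the password. The following added example (not part of the original post) decodes the data map of a constructed manifest shaped like the output of kubectl get secret mysecret -o yaml; the helper names sample_secret and decode_secret_data are hypothetical.

```shell
# Added example: Secret "data" values are base64, which is reversible by
# anyone who is allowed to read the object. Use this to review what a
# Secret really exposes before deciding who gets "get secrets" in RBAC.

# Constructed sample: roughly what `kubectl get secret mysecret -o yaml`
# returns for the Secret created in step 1 (metadata trimmed).
sample_secret() {
  cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: bXlwYXNzMTIz
EOF
}

# decode_secret_data: read a Secret manifest on stdin and print "key=value"
# for every entry under the top-level data: map, base64-decoded.
decode_secret_data() {
  awk '
    /^data:[[:space:]]*$/ { in_data = 1; next }  # start of the data map
    /^[^[:space:]]/       { in_data = 0 }        # another top-level key ends it
    in_data && NF == 2    { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$b64" | base64 -d)"
  done
}

# On a live cluster the equivalent check for a single key is:
#   kubectl get secret mysecret -o jsonpath='{.data.password}' | base64 -d
sample_secret | decode_secret_data
```

The output is the original literal from step 1, which is why access to Secrets should be granted per namespace and per workload rather than cluster-wide.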
Real-World Analogy
Imagine you’re deploying an app on a shared team server.
- Hardcoding passwords in the app = leaving your house key in plain sight
- Using ConfigMaps and Secrets = storing your keys in a locked drawer with access logs
Quick Summary
- ConfigMaps store general config data (non-sensitive)
- Secrets store sensitive info (passwords, tokens)
- Both can be injected into Pods via env vars or mounted files
- They help decouple config from code, enable reuse, and improve security
Coming Up...
📅 Day 7: Your Kubernetes Learning Roadmap — What’s Next After the Basics?
You’ll get:
- A printable roadmap for beginners → advanced
- Tips on real-world practice
- Recommended projects, labs, and courses to continue your journey