ConfigMaps store non-sensitive configuration data and Secrets store sensitive information. Both hold key-value pairs that are mounted into a Pod, but Secret data is only Base64-encoded by default and needs additional protection. A ConfigMap can hold database connection strings, feature switches or whole configuration files; it can be created from literals, files or directories and mounted as environment variables or as files in a volume. A Secret suits passwords, API keys or TLS certificates and can be mounted the same way, but its data is not encrypted, so encryption at rest or an external secrets manager is recommended. In use, avoid hard-coding sensitive values in YAML, control who can read the objects, and remember that Pods consuming them as environment variables must be restarted to pick up changes.
In Kubernetes, ConfigMaps and Secrets are two core resources used to manage configuration data and sensitive information separately from application code. They help keep your deployments clean, secure, and easier to maintain.
What Are ConfigMaps?
ConfigMaps are used to store non-sensitive configuration data in key-value pairs. This can include things like feature flags, environment variables, or configuration files that your app needs to run but aren't tied directly to the container image.
For example:
- Database connection strings (if not sensitive)
- Feature toggle settings
- Application config files like app.conf or settings.json
You can create a ConfigMap from literal values, files, or even directories. Then, you can mount it into a Pod either as environment variables or as files in a volume.
Some ways to use ConfigMaps:
- Pass configuration as environment variables to containers
- Mount config files via volumes for apps that read from disk
This makes it easy to change configurations without rebuilding images.
What Are Secrets?
Secrets work similarly to ConfigMaps, but they're meant for sensitive data. Examples include:
- Passwords
- API keys
- TLS certificates
By default, Secret data is stored as base64-encoded strings. This is encoding, not encryption (so don't rely on it for protection in high-security environments), but it does separate sensitive values from application code and Pod specs.
Like ConfigMaps, you can mount Secrets into Pods as environment variables or files.
Important note:
Even though Secrets are encoded, they're not encrypted by default: anyone who can read the object from the API server, or read etcd directly, can decode the values. If you need stronger security, enable encryption at rest for Secrets in the API server, or use an external secret management tool such as HashiCorp Vault or AWS Secrets Manager.
How Do You Use Them in Practice?
Let's say you have a web app that connects to a database.
- The database host and port might go into a ConfigMap
- The username and password would go into a Secret
Then, when defining your Deployment or Pod spec, you reference those values:
```yaml
env:
  - name: DB_HOST
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: db_host
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: app-secrets
        key: db_password
```
Or if you're using volume mounts:
```yaml
# volumeMounts sits under the container; volumes sits at the Pod spec level
volumeMounts:
  - name: config
    mountPath: /etc/config
volumes:
  - name: config
    configMap:
      name: app-config
```
A Couple of Gotchas
- Don't hardcode secrets in YAML files. Always refer to them through the Secret object.
- Be careful with permissions. Anyone who can read Secrets in the namespace (get or list via RBAC) can decode them, and anyone who can exec into a Pod, or read logs and crash dumps where the process prints its environment, can see values injected as environment variables. Restrict those verbs and prefer file mounts for the most sensitive values.
- Base64 encoding ≠ encryption. Treat Secrets carefully and consider additional protections if needed.
- Update behavior. If you update a ConfigMap or Secret, values consumed as environment variables are fixed for the life of the container, so those Pods must be restarted. Values mounted as volume files are refreshed by the kubelet eventually (on its sync period, and not at all for subPath mounts), but the application still has to re-read them.
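The following script is an added example, not code from the original article. It ties together the creation step (literals and files, as `kubectl create configmap/secret` does), the "base64 is not encryption" caveat, and the first two gotchas: it builds the `app-config` ConfigMap and `app-secrets` Secret as JSON manifests (which `kubectl apply -f` accepts just like YAML), decodes the Secret back to plaintext to show how little the encoding protects, and lints a Pod spec for sensitive-looking env vars that carry an inline `value` instead of a `secretKeyRef`. Only the standard library is used; the `app.conf` content, the `hunter2` password and the `example/web:1.0` image are constructed placeholders, and the name-matching regex is this example's own heuristic, not a Kubernetes feature.

```python
"""Build ConfigMap/Secret manifests, show base64 is reversible, lint Pod specs.

Added example, not from the original article. Standard library only; the
manifests are JSON, which `kubectl apply -f` accepts exactly like YAML.
All object and key names follow the article's placeholders; file contents,
passwords and the image tag are constructed sample data.
"""
import base64
import json
import os
import re
import tempfile

# Heuristic for "this env var probably holds a secret" (example's own choice).
SENSITIVE_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

APP_CONF = "listen = 0.0.0.0:8080\nlog_level = info\n"  # constructed sample file


def build_configmap(name, literals=None, files=None):
    """Mimic `kubectl create configmap NAME --from-literal=k=v --from-file=PATH`.

    --from-file uses the file's basename as the key and its content as the value.
    """
    data = dict(literals or {})
    for path in files or []:
        with open(path, "r", encoding="utf-8") as fh:
            data[os.path.basename(path)] = fh.read()
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name}, "data": data}


def build_secret(name, string_data, secret_type="Opaque"):
    """Mimic `kubectl create secret generic`: values are base64-encoded into .data.

    The encoding only makes arbitrary bytes safe to carry in JSON/etcd;
    decode_secret() below reverses it with no key at all.
    """
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in string_data.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": name}, "data": data}


def decode_secret(manifest):
    """Recover plaintext from a Secret manifest, as anyone with `get secrets` can."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in manifest.get("data", {}).items()}


def find_hardcoded_secrets(pod_spec):
    """Return 'container/ENV' for env entries whose name looks sensitive but
    whose value is an inline literal rather than a secretKeyRef (gotcha #1)."""
    findings = []
    for c in pod_spec.get("containers", []):
        for env in c.get("env", []):
            if "value" in env and SENSITIVE_NAME.search(env["name"]):
                findings.append(f"{c['name']}/{env['name']}")
    return findings


# Pod spec with the password pasted inline: what the article warns against.
BAD_POD_SPEC = {"containers": [{"name": "web", "image": "example/web:1.0", "env": [
    {"name": "DB_HOST", "value": "db.internal"},
    {"name": "DB_PASSWORD", "value": "hunter2"},
]}]}

# Same Pod referencing the ConfigMap and Secret instead (the article's pattern).
GOOD_POD_SPEC = {"containers": [{"name": "web", "image": "example/web:1.0", "env": [
    {"name": "DB_HOST", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "db_host"}}},
    {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "app-secrets", "key": "db_password"}}},
], "volumeMounts": [{"name": "config", "mountPath": "/etc/config"}]}],
    "volumes": [{"name": "config", "configMap": {"name": "app-config"}}]}


def demo():
    """Build both objects from literals plus a sample app.conf and run the checks."""
    workdir = tempfile.mkdtemp()
    conf_path = os.path.join(workdir, "app.conf")
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write(APP_CONF)
    cm = build_configmap("app-config", {"db_host": "db.internal", "db_port": "5432"}, [conf_path])
    sec = build_secret("app-secrets", {"db_user": "app", "db_password": "hunter2"})
    # Only the ConfigMap is written to disk; the Secret should be piped straight
    # to `kubectl apply -f -`, never committed as a file (gotcha #1).
    with open(os.path.join(workdir, "app-config.json"), "w", encoding="utf-8") as fh:
        json.dump(cm, fh, indent=2)
    return {"dir": workdir, "configmap": cm, "secret": sec,
            "recovered": decode_secret(sec),
            "bad": find_hardcoded_secrets(BAD_POD_SPEC),
            "good": find_hardcoded_secrets(GOOD_POD_SPEC)}


if __name__ == "__main__":
    out = demo()
    print("ConfigMap written to", out["dir"], "-> kubectl apply -f", out["dir"])
    print("Secret .data (base64):", out["secret"]["data"])
    print("decoded back without any key:", out["recovered"])
    print("hard-coded secrets in BAD spec:", out["bad"], "| in GOOD spec:", out["good"])
    print("Secret manifest to pipe into `kubectl apply -f -`:")
    print(json.dumps(out["secret"], indent=2))
```

Run it as a script to see the round trip: the `.data` field of the Secret is unreadable at a glance, yet `decode_secret()` returns `hunter2` with nothing but `base64`, which is exactly why the article says to add encryption at rest or an external manager. `find_hardcoded_secrets()` is the kind of check you would run over manifests in CI before they reach a cluster; it flags `web/DB_PASSWORD` in the inline-value spec and nothing in the spec that uses `secretKeyRef`.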
Basically that's it. ConfigMaps and Secrets give you a clean way to manage both regular and sensitive configuration data in Kubernetes—just make sure you understand how they work and what their limitations are.
The above is the detailed content of What are ConfigMaps and Secrets in Kubernetes?. For more information, please follow other related articles on the PHP Chinese website!