CKA Day 19 — Kubernetes ConfigMap and Secret Explained

Day 19 of the 40-day CKA course by Tech Tutorials with Piyush.

Core Synthesis

This lesson is the dedicated deep-dive into Kubernetes’ two configuration primitives: ConfigMap for non-sensitive data and Secret for sensitive data. These objects decouple configuration from container images, enabling the same image to run across dev, staging, and production without rebuilds.

ConfigMap: Non-Sensitive Configuration

A ConfigMap is a Kubernetes API object that stores key-value pairs of configuration data (string values under data, raw bytes under binaryData). It is namespace-scoped, so a Pod can only reference ConfigMaps in its own namespace, and it can be consumed by Pods in three ways:

  1. Environment variables — inject a single key with configMapKeyRef, or every key with envFrom (keys that are not valid environment-variable names are skipped and kubelet records an event)
  2. Volume mounts — project ConfigMap keys as files inside the container filesystem, optionally selecting a subset with items
  3. Command-line arguments — reference values already injected as environment variables from the container's command or args using $(VAR_NAME) expansion

ConfigMaps support multiple creation methods:

Method    | Command                                                      | Best For
Literal   | kubectl create configmap app-config --from-literal=key=value | Quick exam tasks
File      | kubectl create configmap app-config --from-file=app.conf     | Large configuration files (file name becomes the key)
Directory | kubectl create configmap app-config --from-file=config/      | Bundling multiple config files (one key per regular file)
YAML      | kubectl apply -f configmap.yaml                              | GitOps, version-controlled config

Size Limit: The data in a single ConfigMap cannot exceed 1 MiB; the API server rejects larger objects because of etcd's per-object size constraints. For larger configuration, split it across several ConfigMaps, mount a volume, or use an external configuration store.
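The three consumption methods listed above, in one manifest. This is an added example, not from the course: the object names (app-env, app-files, config-demo) and the busybox image are assumed for illustration. It uses two ConfigMaps on purpose: envFrom skips keys such as app.conf that are not valid environment-variable names, so file-style content is kept in its own object.

```yaml
# Added example, not from the course. Object names and the busybox image
# are assumed for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-env
data:
  LOG_LEVEL: "info"
  MAX_CONNECTIONS: "100"
---
# Keys containing dots are fine as file names but are not valid
# environment-variable names (envFrom skips them and records an event),
# so file-style content lives in a separate ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-files
data:
  app.conf: |
    listen = 0.0.0.0:8080
    log_level = info
---
apiVersion: v1
kind: Pod
metadata:
  name: config-demo
spec:
  containers:
  - name: app
    image: busybox:1.36
    # 3. Command-line arguments: Kubernetes expands $(NAME) from the
    #    container's own environment before the process starts, so the
    #    key must be injected as an env var first. An undefined reference
    #    is left as literal text rather than failing.
    command: ["sh", "-c"]
    args:
    - "echo level=$(APP_LOG_LEVEL) max=$(MAX_CONNECTIONS); cat /etc/app/app.conf; sleep 3600"
    env:
    # 1a. One key, renamed on the way in (env entries win over envFrom
    #     if the same variable name appears in both).
    - name: APP_LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: app-env
          key: LOG_LEVEL
    # 1b. Every key of the ConfigMap; key names become variable names.
    envFrom:
    - configMapRef:
        name: app-env
    volumeMounts:
    # 2. Keys projected as files under /etc/app; readOnly stops the
    #    application from editing its own configuration.
    - name: files
      mountPath: /etc/app
      readOnly: true
  volumes:
  - name: files
    configMap:
      name: app-files
      items:            # project only the listed keys
      - key: app.conf
        path: app.conf
```

Apply it with kubectl apply -f and read the result with kubectl logs config-demo; the first line shows the values that reached the command line, the rest is the mounted file. Marking the mount readOnly is cheap hardening: a compromised process can still read its configuration, but it cannot rewrite the copy the container sees.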

Secret: Sensitive Configuration

Secrets are structurally identical to ConfigMaps but designed for sensitive data (passwords, tokens, keys). The main differences:

Aspect           | ConfigMap                                                  | Secret
Data encoding    | Plain text under data (raw bytes under binaryData)         | Base64 under data; stringData accepts plain text and is encoded by the API server
Default mounting | Files written to node disk under the kubelet's Pod directory | Files on a tmpfs (in memory, never written to node disk)
etcd storage     | Unencrypted by default                                     | Unencrypted by default; base64 is an encoding, not encryption
Typical use      | App settings, feature flags                                | DB passwords, TLS certs, API tokens

Built-in Secret Types:

Type                                 | Purpose                                        | Required keys
Opaque                               | Generic user-defined secrets (default)         | Any
kubernetes.io/service-account-token  | Service account authentication tokens          | token (plus ca.crt and namespace, filled in by the token controller)
kubernetes.io/dockercfg              | Docker registry authentication (legacy ~/.dockercfg format) | .dockercfg
kubernetes.io/dockerconfigjson       | Docker registry authentication (modern ~/.docker/config.json format) | .dockerconfigjson
kubernetes.io/basic-auth             | Username/password pairs                        | username, password
kubernetes.io/ssh-auth               | SSH private keys                               | ssh-privatekey
kubernetes.io/tls                    | TLS certificate and key pairs                  | tls.crt, tls.key
bootstrap.kubernetes.io/token        | kubeadm bootstrap tokens (live in kube-system) | token-id, token-secret

The API server validates that the required keys are present for the typed Secrets; a kubernetes.io/tls Secret without tls.key is rejected at creation time.

Security Warning: Secrets are base64-encoded, not encrypted, by default. Anyone with get, list or watch on the Secret object, anyone who can exec into a Pod that mounts it, and anyone who can create a Pod in the namespace (and simply mount it) can read the values. Treat RBAC on Secrets as the primary control, and enable encryption at rest for production clusters by passing an EncryptionConfiguration to the API server, preferably with a KMS provider so the data-encryption key does not sit in plain text on the control-plane disk.
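An EncryptionConfiguration that encrypts Secrets in etcd, as an added example that is not part of the course material. The file path and key name are assumed, and REPLACE_ME stands for a 32-byte key you generate yourself (for instance head -c 32 /dev/urandom | base64); never commit a real key alongside the manifest.

```yaml
# Added example, not from the course. The key name is assumed; REPLACE_ME
# must be replaced with a base64-encoded 32-byte random key, e.g.
#   head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets            # add configmaps here too if they hold anything sensitive
    providers:
      # The first provider encrypts every write. On read, providers are
      # tried in order, so key rotation is: add the new key at the top,
      # restart the API server, rewrite all Secrets, then remove the old key.
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_ME
      # identity (no encryption) lets the API server still read objects
      # stored before encryption was turned on. Keep it last and remove
      # it once every Secret has been rewritten.
      - identity: {}
```

Point kube-apiserver at the file with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml (on a kubeadm cluster that means editing the static Pod manifest and adding a hostPath mount for the directory), then force every existing Secret through the new provider with kubectl get secrets --all-namespaces -o json | kubectl replace -f -. To verify, read one Secret directly from etcd with etcdctl: an encrypted value starts with the prefix k8s:enc:aescbc:v1:key1: instead of readable protobuf. Note what this does and does not buy you: it protects etcd backups and the etcd data directory, but the aescbc key is itself a file on the control-plane host, and anyone who can get a Secret through the API still receives the plaintext. For that reason the kms provider, which keeps the key-encryption key in an external KMS, is the stronger choice.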

Volume Mounting vs Environment Variables

Injection Method | Updates Live?                                                                 | Use Case
env / envFrom    | No; the container must be restarted to see new values                         | Simple key-value injection, exam speed
Volume mount     | Yes; kubelet refreshes the files (not for subPath mounts or immutable objects) | Hot-reloading config, large files, templates

When a ConfigMap or Secret is mounted as a volume, kubelet watches the object and updates the mounted files in the container without restarting the Pod, atomically swapping a symlink so the application never sees a half-written file. Propagation is not instant: it can take up to the kubelet sync period (one minute by default) plus the kubelet's cache propagation delay. Two cases never update: a volumeMount that uses subPath (a plain bind of a single file, so the symlink swap is invisible to it), and an object marked immutable: true, which kubelet stops watching altogether. The application must also detect file changes itself (e.g., via inotify or periodic reload); Kubernetes only changes the bytes on disk.
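A Secret consumed both ways, as an added example that is not part of the course: the names (db-creds, api), the busybox image and the credentials are all made-up placeholders. It shows stringData for plain-text input, a restrictive defaultMode on the mount, and the same Secret mounted once as a directory (updates propagate) and once through subPath (updates do not).

```yaml
# Added example, not from the course. All names and credential values are
# constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: kubernetes.io/basic-auth
# stringData takes plain text; the API server base64-encodes it into data.
# Typed Secrets are validated: basic-auth requires username and password.
stringData:
  username: app
  password: not-a-real-password
# immutable: true   # would freeze the object and stop kubelet watching it;
#                   # change it by creating a new Secret and rolling the workload
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 1
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      containers:
      - name: api
        image: busybox:1.36
        # Print the directory-mounted file every 30 s so a kubectl edit
        # of the Secret can be watched arriving in kubectl logs.
        command: ["sh", "-c", "while true; do cat /etc/creds/password; echo; sleep 30; done"]
        env:
        # Env injection: fixed at container start, visible in
        # kubectl describe pod and in /proc/<pid>/environ, so keep only
        # low-value keys here.
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: username
        volumeMounts:
        # Directory mount: kubelet refreshes the files by swapping a symlink.
        - name: creds
          mountPath: /etc/creds
          readOnly: true
        # subPath mount: a bind of one file; it is NOT updated on change.
        - name: creds
          mountPath: /etc/legacy/password
          subPath: password
          readOnly: true
      volumes:
      - name: creds
        secret:
          secretName: db-creds
          defaultMode: 0400   # owner-only; files are on tmpfs, never node disk
```

After kubectl apply -f, edit the password with kubectl edit secret db-creds and watch kubectl logs deploy/api: within about a minute /etc/creds/password changes, while /etc/legacy/password and $DB_USER keep their original values until you run kubectl rollout restart deployment/api. The projected files are owned by root, so a container running as a non-root user needs securityContext.fsGroup together with a group-readable mode such as 0440 to read them.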

ImagePullSecrets

A Secret of type kubernetes.io/dockerconfigjson (normally created with kubectl create secret docker-registry) used to authenticate with private container registries. It is referenced at the Pod spec level, not inside an individual container, because it is kubelet, not the container, that pulls the image:

spec:
  imagePullSecrets:
  - name: regcred

This tells kubelet to use the registry credentials stored in the regcred Secret when pulling images for every container in the Pod. The same field exists on a ServiceAccount; a Secret listed there is added automatically to every Pod that uses that ServiceAccount, which avoids repeating it in each manifest.

CKA Exam Patterns

  • Create ConfigMaps and Secrets imperatively with --from-literal and --from-file
  • Mount them as volumes in Pod/Deployment YAML
  • Inject them as environment variables with configMapKeyRef and secretKeyRef
  • Use envFrom with configMapRef to inject all keys at once
  • Remember: kubectl create secret base64-encodes values for you; in hand-written YAML either pre-encode the values under data (with echo -n, so no trailing newline sneaks in) or write plain text under stringData
  • Secrets mounted as volumes appear as files under the mount path; file names are the keys

Tags: cka kubernetes configmap secret configuration devops security