CKA Day 19 — Kubernetes ConfigMap and Secret Explained
Day 19 of the 40-day CKA course by Tech Tutorials with Piyush.
Core Synthesis
This lesson is the dedicated deep-dive into Kubernetes’ two configuration primitives: ConfigMap for non-sensitive data and Secret for sensitive data. These objects decouple configuration from container images, enabling the same image to run across dev, staging, and production without rebuilds.
ConfigMap: Non-Sensitive Configuration
A ConfigMap is a Kubernetes API object that stores key-value pairs of configuration data. It is namespace-scoped and can be consumed by Pods in three ways:
- Environment variables — inject specific keys, or all keys via `envFrom`
- Volume mounts — project ConfigMap keys as files inside the container filesystem
- Command-line arguments — reference ConfigMap values in Pod `args`
ConfigMaps support multiple creation methods:
| Method | Command | Best For |
|---|---|---|
| Literal | kubectl create configmap app-config --from-literal=key=value | Quick exam tasks |
| File | kubectl create configmap app-config --from-file=app.conf | Large configuration files |
| Directory | kubectl create configmap app-config --from-file=config/ | Bundling multiple config files |
| YAML | kubectl apply -f configmap.yaml | GitOps, version-controlled config |
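The three consumption methods side by side, as an added example that is not from the lesson: one ConfigMap read as a single env var (`configMapKeyRef`), as all keys at once (`envFrom`), as a projected file, and as a `$(VAR)` reference in `args`. The names `app-config`, `demo-app` and the keys are made up for illustration.

```yaml
# Added example (not from the lesson): one ConfigMap consumed three ways.
# Object names and keys are constructed for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"          # single key, injected below via configMapKeyRef
  FEATURE_FLAGS: "beta-ui"   # picked up by envFrom together with LOG_LEVEL
  app.conf: |                # multi-line key, projected as a file by the volume
    listen = 0.0.0.0:8080
    workers = 4
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
spec:
  containers:
  - name: app
    image: busybox:1.36
    # 3) command-line argument: kubelet expands $(LOG_LEVEL) from the
    #    container's own environment before the process starts
    command: ["sh", "-c"]
    args: ["echo level=$(LOG_LEVEL); cat /etc/app/app.conf; sleep 3600"]
    env:
    # 1a) one specific key -> one variable
    - name: LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: LOG_LEVEL
    # 1b) every key of the ConfigMap becomes a variable named after the key
    envFrom:
    - configMapRef:
        name: app-config
    volumeMounts:
    # 2) keys projected as files; `items` limits the projection to app.conf
    - name: config-vol
      mountPath: /etc/app
      readOnly: true
  volumes:
  - name: config-vol
    configMap:
      name: app-config
      items:
      - key: app.conf
        path: app.conf
```

Apply with `kubectl apply -f` and check `kubectl logs demo-app`: the env-var path prints the value once at start-up, while the mounted `/etc/app/app.conf` is re-synced by kubelet when the ConfigMap is edited (the `readOnly: true` mount does not stop that; it only stops the container from writing to it).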
Size Limit: A ConfigMap cannot exceed 1 MiB (etcd limit). For larger configuration, use volumes or external configuration stores.
Secret: Sensitive Configuration
Secrets are structurally identical to ConfigMaps but designed for sensitive data (passwords, tokens, keys). The main differences:
| Aspect | ConfigMap | Secret |
|---|---|---|
| Data encoding | Plain text (UTF-8 strings) | Base64-encoded bytes |
| Default mounting | Readable files | In-memory tmpfs (not on node disk) |
| Etcd storage | Plain text | Base64 (not encrypted by default) |
| Typical use | App settings, feature flags | DB passwords, TLS certs, API tokens |
Built-in Secret Types:
| Type | Purpose |
|---|---|
| Opaque | Generic user-defined secrets (default) |
| kubernetes.io/service-account-token | Service account authentication tokens |
| kubernetes.io/dockercfg | Docker registry authentication (legacy) |
| kubernetes.io/dockerconfigjson | Docker registry authentication (modern) |
| kubernetes.io/basic-auth | Username/password pairs |
| kubernetes.io/ssh-auth | SSH private keys |
| kubernetes.io/tls | TLS certificate and key pairs |
| bootstrap.kubernetes.io/token | kubeadm bootstrap tokens |
Security Warning: Secrets are base64-encoded, not encrypted, by default. Anyone with read access to the Secret object can decode the values. Enable encryption at rest (EncryptionConfiguration) for production clusters.
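The EncryptionConfiguration the warning refers to, as an added example that is not from the lesson. The key value is a placeholder; the provider order and the `identity` fallback are the parts that matter for a safe rollout.

```yaml
# Added example (not from the lesson): encryption-at-rest config for Secrets.
# The key value is a placeholder. Generate a real one on the control-plane node
# (e.g. `head -c 32 /dev/urandom | base64`) and keep this file out of git.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets            # only Secrets here; configmaps could be listed as well
    providers:
      # The first provider is used for writes; every listed provider is tried
      # on reads, so order matters.
      - aescbc:
          keys:
            - name: key1
              secret: "<BASE64_ENCODED_32_BYTE_KEY>"   # placeholder, not a real key
      # identity = plain text. Kept last so Secrets written before encryption
      # was enabled can still be read; drop it once everything is re-encrypted.
      - identity: {}
```

The file is read by kube-apiserver via `--encryption-provider-config=/path/to/file` (for kubeadm clusters, edit the static Pod manifest under `/etc/kubernetes/manifests/` and mount the file into it). Existing Secrets stay plaintext in etcd until they are rewritten, so after the API server restarts run `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; a Secret read straight from etcd with `etcdctl` should then begin with `k8s:enc:aescbc:v1:` instead of readable JSON. Encryption at rest does not change what `kubectl get secret -o yaml` shows: RBAC on the Secret object is still what limits who can decode the values.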
Volume Mounting vs Environment Variables
| Injection Method | Updates Live? | Use Case |
|---|---|---|
| env / envFrom | ❌ No — Pod must restart to see changes | Simple key-value injection, exam speed |
| Volume mount | ✅ Yes — kubelet re-syncs mounted files | Hot-reloading config, large files, templates |
When a ConfigMap or Secret is mounted as a volume, kubelet watches for changes and updates the mounted files in the container without restarting the Pod. The application must detect file changes itself (e.g., via inotify or periodic reload).
ImagePullSecrets
A special Secret type (kubernetes.io/dockerconfigjson) used to authenticate with private container registries. It is referenced in the Pod spec, not in containers:
```yaml
spec:
  imagePullSecrets:
  - name: regcred
```

This tells kubelet to use the Docker registry credentials stored in the regcred Secret when pulling images.
CKA Exam Patterns
- Create ConfigMaps and Secrets imperatively with `--from-literal` and `--from-file`
- Mount them as volumes in Pod/Deployment YAML
- Inject them as environment variables with `configMapKeyRef` and `secretKeyRef`
- Use `envFrom` with `configMapRef` to inject all keys at once
- Remember: `kubectl create secret` auto base64-encodes; manual YAML requires pre-encoding
- Secrets mounted as volumes appear as files under the mount path; file names are the keys
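The base64 point and the two injection patterns in one manifest, as an added example that is not from the lesson. It goes one step beyond the list above by also showing `stringData`, the field that lets a hand-written Secret skip the pre-encoding step. The Secret name `db-creds`, the keys and the credential values are constructed for illustration.

```yaml
# Added example (not from the lesson): the same kind of credential written two
# ways, then consumed as an env var and as files. All values are constructed.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
# `data` takes base64 pre-encoded values (what `kubectl create secret` does for you):
data:
  username: YWRtaW4=     # echo -n admin | base64   (-n: no trailing newline)
  password: czNjcjN0     # echo -n s3cr3t | base64
# `stringData` takes plain strings; the API server base64-encodes them on write.
# If a key appears in both, stringData wins. Either way the stored value is only
# base64, so anyone with `get` on this Secret can `base64 -d` it.
stringData:
  jdbc-url: "jdbc:postgresql://db.internal:5432/app"
---
apiVersion: v1
kind: Pod
metadata:
  name: db-client
spec:
  containers:
  - name: app
    image: busybox:1.36
    # Lists the projected files and confirms the env var is set, without
    # echoing secret values into the container log.
    command: ["sh", "-c", "ls -l /etc/db; test -n \"$DB_USER\" && echo DB_USER-set; sleep 3600"]
    env:
    # single key -> single variable; restart required to pick up changes
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: db-creds
          key: username
    volumeMounts:
    # files: /etc/db/username, /etc/db/password, /etc/db/jdbc-url (one per key)
    - name: creds
      mountPath: /etc/db
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-creds
      defaultMode: 0400    # owner-read only; backed by tmpfs, not node disk
```

After `kubectl apply -f`, `kubectl get secret db-creds -o yaml` shows all three keys under `data` in base64, which is the decoding the security warning above is about. The volume files are updated by kubelet when the Secret changes; `DB_USER` is not, which is why exam answers that need hot reload use the mount. The `defaultMode: 0400` assumes the process runs as the file owner (root here); for a non-root container pair it with `fsGroup` or a mode such as `0440`.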
See Also
Wiki Concepts
- Kubernetes ConfigMaps and Secrets — Deep-dive page with creation methods, volume mounting, built-in types, and security best practices
- Kubernetes Environment Variables — Injection patterns: env, envFrom, configMapKeyRef, secretKeyRef
- Pod Fundamentals — Where ConfigMaps and Secrets are referenced in the Pod spec
- Deployment, ReplicaSet & Replication Controller — Propagating config across replicas
- Kubernetes Namespaces — ConfigMaps and Secrets are namespace-scoped
- Kubernetes Architecture — etcd stores ConfigMaps and Secrets; API server serves them
- Kubernetes Health Probes — Apps may need config loaded before probes should pass
- Kubernetes Labels and Selectors — Labeling ConfigMaps for organization
- Kubernetes Services — Service discovery complements configuration injection
- CKA Certification — Exam structure where ConfigMaps and Secrets appear
- CKA Study Roadmap — 40-day plan: Day 19 covers ConfigMaps and Secrets
Related Sources
- CKA Day 18 — Kubernetes Health Probes Explained — Preceding day in the series
- CKA Day 11 — Multi Container Pod Kubernetes — Earlier coverage of env var injection from ConfigMap/Secret
Creator / Entity
- Tech Tutorials with Piyush — Creator of the 40-day CKA course
Tags: cka kubernetes configmap secret configuration devops security