The two Kubernetes primitives that decouple configuration from container images. ConfigMaps hold non-sensitive settings; Secrets hold sensitive credentials. Both are namespace-scoped, stored in etcd, and consumed by Pods as environment variables or mounted volumes. A core Architecture & Workloads topic on the CKA exam. Synthesized from CKA Day 19 — Kubernetes ConfigMap and Secret Explained.
Why Decouple Configuration?
Baking environment-specific values (database URLs, API keys, feature flags) into container images violates the twelve-factor app methodology. It forces you to build a new image for every environment and makes rollbacks painful.
Kubernetes solves this with ConfigMaps and Secrets:
Benefit
How It Works
Environment parity
Same image runs in dev, staging, and prod — only the referenced ConfigMap/Secret changes
Dynamic updates
Volume-mounted ConfigMaps/Secrets update in-place without Pod restarts
Secret isolation
Sensitive data lives in Secrets with tighter RBAC and tmpfs mounting
Centralized config
One ConfigMap can feed dozens of Pods via label selectors
ConfigMap
What Is a ConfigMap?
A ConfigMap is an API object that stores plain-text configuration data as key-value pairs. It is not encrypted and should never hold passwords, tokens, or keys.
Creation Methods
ConfigMaps support four creation patterns — know them all for the exam:
Best for: GitOps, version control, reproducible environments.
Exam Trap: The data field only accepts UTF-8 strings. If you need binary data (e.g., a .p12 certificate), use binaryData instead. Source: CKA Day 19
Secret
What Is a Secret?
A Secret is structurally identical to a ConfigMap but designed for sensitive data. Key differences:
Aspect
ConfigMap
Secret
Data field
data (plain UTF-8 strings)
data (base64-encoded bytes)
Size limit
1 MiB
1 MiB
Default volume mount
Regular filesystem
In-memory tmpfs (never touches node disk)
RBAC sensitivity
Low
High — restrict get/list on Secrets
Etcd storage
Plain text
Base64-encoded (not encrypted by default)
Critical Warning: Secrets are base64-encoded, not encrypted. Anyone who can kubectl get secret can decode the values. For production, enable encryption at rest via EncryptionConfiguration. Source: CKA Day 19
Built-in Secret Types
Kubernetes recognizes several Secret types. The type is metadata, not enforcement — but some controllers behave differently based on it.
Type
Purpose
Opaque
Generic user-defined secrets (default)
kubernetes.io/service-account-token
Auto-generated bearer token for ServiceAccount authentication
kubernetes.io/dockercfg
Legacy Docker registry authentication
kubernetes.io/dockerconfigjson
Modern Docker registry authentication (.docker/config.json format)
Caution:envFrom imports every key as an env var. Key names must be valid environment variable names (no hyphens, must start with a letter or underscore). Source: CKA Day 11
Method 2: Volume Mounts
Project ConfigMap or Secret keys as files inside the container:
/etc/nginx/conf.d/
├── default.conf # Key from nginx-config ConfigMap
/etc/nginx/ssl/
├── tls.crt # Key from tls-secret Secret
└── tls.key # Key from tls-secret Secret
Live Updates with Volume Mounts
Object
Volume Mount Updates?
Env Var Updates?
ConfigMap
✅ Yes — kubelet re-syncs files every ~60s
❌ No — Pod must restart
Secret
✅ Yes — kubelet re-syncs files every ~60s
❌ No — Pod must restart
When mounted as a volume, the kubelet watches the referenced ConfigMap/Secret and updates the files in the container without restarting the Pod. The application must detect file changes itself (e.g., via inotify or a configuration reload mechanism).
Production Pattern: Use a sidecar or fsnotify in your app to reload configuration when mounted files change. Sidecar Pattern
ImagePullSecrets
A special Secret type (kubernetes.io/dockerconfigjson) used to authenticate with private container registries. Unlike other Secrets, it is referenced at the Pod spec level, not inside containers: