Kubernetes Environment Variables
How to inject configuration into Kubernetes containers — from literal values to ConfigMap and Secret references. Synthesized from CKA Day 11 — Multi Container Pod Kubernetes: Sidecar vs Init Container.
Why Environment Variables?
Environment variables are the twelve-factor app standard for configuration. In Kubernetes, they allow you to:
- Keep images environment-agnostic (same image for dev/staging/prod)
- Inject dynamic values (Pod IP, node name, namespace)
- Reference centralized configuration stored in ConfigMaps and Secrets
- Pass sensitive data without baking it into container images
Security note: Environment variables are visible in `kubectl describe pod`, `docker inspect`, and `/proc/<pid>/environ`. For highly sensitive secrets, consider using a secrets manager sidecar or volume-mounted secret files instead of env vars. Source: CKA Day 11
Literal Values
The simplest form — hardcoded in the Pod spec:

```yaml
spec:
  containers:
  - name: my-app
    image: nginx
    env:
    - name: ENVIRONMENT
      value: "production"
    - name: LOG_LEVEL
      value: "info"
```

From ConfigMap
Reference a key from an existing ConfigMap:

```yaml
env:
- name: DATABASE_HOST
  valueFrom:
    configMapKeyRef:
      name: app-config   # ConfigMap name
      key: db_host       # Key inside the ConfigMap
```

ConfigMap definition:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  db_host: "postgres.default.svc.cluster.local"
  db_port: "5432"
```

Exam Trap: `configMapKeyRef.name` refers to the ConfigMap object name, not the file name. The key must exist in the ConfigMap or the Pod will fail to start. Source: CKA Day 11
From Secret
Reference a key from an existing Secret:

```yaml
env:
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: password
```

Secret definition:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  password: c2VjcmV0MTIz   # base64-encoded value
```

Encode/decode helper:

```bash
echo -n "secret123" | base64        # Encode
echo "c2VjcmV0MTIz" | base64 -d     # Decode
```

Warning: Secrets are base64-encoded, not encrypted, by default. Anyone with read access to the Secret object can decode the values. Enable encryption at rest for production clusters. Source: CKA Day 11
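
To act on the security note and the warning above, the following added example (not part of the original page) audits a Pod object for credentials exposed through environment variables. The name heuristic, the finding labels and the sample Pod are assumptions made for illustration; the input has the shape of `kubectl get pod <name> -o json`.

```python
import json
import re

# Name patterns that suggest a credential (assumed heuristic, tune per codebase).
SENSITIVE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

def audit_pod_env(pod):
    """Return (container, variable, finding) tuples for a Pod object (dict)."""
    findings = []
    spec = pod["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for var in c.get("env", []):
            source = var.get("valueFrom", {})
            if "secretKeyRef" in source:
                # Kept out of the manifest, but still readable in /proc/<pid>/environ.
                findings.append((c["name"], var["name"], "secret-in-env"))
            elif SENSITIVE.search(var["name"]):
                if "configMapKeyRef" in source:
                    findings.append((c["name"], var["name"], "credential-in-configmap"))
                elif var.get("value"):
                    findings.append((c["name"], var["name"], "literal-credential"))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                # Every key of the Secret becomes an environment variable.
                findings.append((c["name"], src["secretRef"]["name"], "whole-secret-in-env"))
    return findings

# Constructed sample, shaped like `kubectl get pod my-app -o json`.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "my-app"},
 "spec": {"containers": [{
   "name": "my-app", "image": "nginx",
   "env": [
     {"name": "LOG_LEVEL", "value": "info"},
     {"name": "API_TOKEN", "value": "constructed-example-value"},
     {"name": "DB_PASSWORD",
      "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}},
     {"name": "SMTP_PASSWORD",
      "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "smtp_pw"}}}
   ],
   "envFrom": [{"configMapRef": {"name": "app-config"}},
               {"secretRef": {"name": "db-secret"}}]}]}}
""")

if __name__ == "__main__":
    for container, name, finding in audit_pod_env(SAMPLE_POD):
        print(f"{container}: {name}: {finding}")
```

`literal-credential` and `credential-in-configmap` are the findings to fix first, since the value sits in plain text in the Pod spec or ConfigMap; the `secret-in-env` findings are candidates for volume-mounted secret files.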
Downward API: Pod-Generated Values
Kubernetes can inject metadata about the Pod itself as environment variables:

```yaml
env:
- name: POD_NAME
  valueFrom:
    fieldRef:
      fieldPath: metadata.name
- name: POD_NAMESPACE
  valueFrom:
    fieldRef:
      fieldPath: metadata.namespace
- name: NODE_NAME
  valueFrom:
    fieldRef:
      fieldPath: spec.nodeName
- name: POD_IP
  valueFrom:
    fieldRef:
      fieldPath: status.podIP
```

| fieldPath | Value Injected |
|---|---|
| `metadata.name` | Pod name |
| `metadata.namespace` | Pod namespace |
| `metadata.uid` | Pod unique ID |
| `spec.nodeName` | Node the Pod is running on |
| `status.podIP` | Pod’s internal IP address |
| `status.hostIP` | Node’s IP address |

Injecting All ConfigMap Keys
Instead of referencing keys one by one, you can inject all key-value pairs from a ConfigMap as environment variables:

```yaml
spec:
  containers:
  - name: my-app
    image: nginx
    envFrom:
    - configMapRef:
        name: app-config
```

This creates one environment variable per key in the ConfigMap. Caution: Key names must be valid environment variable names (no hyphens, must start with a letter or underscore).
Troubleshooting Environment Variables

```bash
# List env vars inside a running container
kubectl exec my-pod -- env | sort
# Check if a specific variable is set
kubectl exec my-pod -- sh -c 'echo $DB_PASSWORD'
# Verify ConfigMap contents
kubectl get configmap app-config -o yaml
# Verify Secret contents (base64 decoded)
kubectl get secret db-secret -o jsonpath='{.data.password}' | base64 -d
```

| Issue | Cause | Fix |
|---|---|---|
| Variable not set | Typo in name or missing valueFrom | Check YAML spelling and indentation |
| Invalid value | ConfigMap/Secret key doesn’t exist | Verify the referenced object and key |
| CreateContainerConfigError | Secret or ConfigMap missing | Create the referenced object first |
| Base64 garbage | Forgot to encode value in Secret | Use `echo -n "value" \| base64` |

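
The failure modes in the table, the Exam Trap about missing keys and the `envFrom` naming caution can all be checked before a Pod is applied. The following added example (not from the original page or from Kubernetes itself) resolves a container's `env` and `envFrom` entries against ConfigMap and Secret data and reports what would not resolve; `resolve_env`, the message wording and the sample objects are assumptions for illustration.

```python
import base64
import re

# Rule as stated on this page: letter or underscore first, no hyphens.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def resolve_env(container, configmaps, secrets):
    """Return (env, problems); configmaps/secrets map object name -> data dict."""
    env, problems = {}, []
    # envFrom is applied first; explicit env entries override it afterwards.
    for src in container.get("envFrom", []):
        name = src.get("configMapRef", {}).get("name")
        if name is None:
            continue  # this example only handles configMapRef sources
        if name not in configmaps:
            problems.append(f"envFrom: ConfigMap {name!r} not found")
            continue
        for key, value in configmaps[name].items():
            if ENV_NAME.match(key):
                env[key] = value
            else:
                problems.append(f"envFrom: key {key!r} is not a valid variable name")
    for var in container.get("env", []):
        if "value" in var:
            env[var["name"]] = var["value"]
            continue
        ref = var.get("valueFrom", {})
        for kind, store in (("configMapKeyRef", configmaps), ("secretKeyRef", secrets)):
            if kind not in ref:
                continue
            obj, key = ref[kind]["name"], ref[kind]["key"]
            if obj not in store:
                problems.append(f"{var['name']}: {kind} object {obj!r} not found")
            elif key not in store[obj]:
                problems.append(f"{var['name']}: key {key!r} missing in {obj!r}")
            elif kind == "secretKeyRef":  # Secret data is base64 in the object
                env[var["name"]] = base64.b64decode(store[obj][key]).decode()
            else:
                env[var["name"]] = store[obj][key]
    return env, problems

# Constructed sample objects reusing the names from this page.
CONFIGMAPS = {"app-config": {"db_host": "postgres", "db_port": "5432", "log-level": "info"}}
SECRETS = {"db-secret": {"password": "c2VjcmV0MTIz"}}
CONTAINER = {"name": "my-app", "envFrom": [{"configMapRef": {"name": "app-config"}}], "env": [
    {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}},
    {"name": "CACHE_HOST", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "cache_host"}}},
    {"name": "DB_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-secret", "key": "token"}}}]}
```

Calling `resolve_env(CONTAINER, CONFIGMAPS, SECRETS)` on the sample reports the hyphenated key, the missing ConfigMap key and the missing Secret object, and shows that the Secret value arrives in the container already decoded.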
CKA Exam Patterns

```bash
# Quickly create a Pod with an env var
kubectl run debug --image=busybox --env="KEY=VALUE" --restart=Never -- sleep 3600
# Create a ConfigMap from literal values
kubectl create configmap app-config --from-literal=db_host=postgres --from-literal=db_port=5432
# Create a Secret from literal values (auto base64 encodes)
kubectl create secret generic db-secret --from-literal=password=secret123
```

Exam Tip: `kubectl create secret` automatically base64-encodes the value for you. You don’t need to encode manually when using the CLI. Source: CKA Day 11
Related Pages
- Pod Fundamentals — where env vars fit in the Pod spec
- Multi-Container Pods — injecting different env vars per container
- Init Containers — passing config to setup scripts
- Sidecar Pattern — configuring sidecars via env vars
- Deployment, ReplicaSet & Replication Controller — propagating env vars across replicas
- Kubernetes Namespaces — scope of ConfigMaps and Secrets
- Kubernetes Labels and Selectors — labeling Pods for env var injection patterns
- CKA Certification — exam domains where configuration appears
- CKA Study Roadmap — Day 11 in the 40-day plan
Tags: kubernetes environment-variables configmap secret downward-api cka devops configuration