How to manage configuration with Kubernetes ConfigMaps and Secrets
ConfigMaps hold plain settings and Secrets hold sensitive values, both injectable as env vars or mounted files so one image runs everywhere. Roll pods to pick up env changes and lock down Secret access with RBAC.
Configuration with ConfigMaps and Secrets
Kubernetes separates configuration from images. A ConfigMap holds non-sensitive key-value settings; a Secret holds sensitive values, base64-encoded and access-controlled. Both can be injected as environment variables or mounted as files, so the same image runs in any environment.
Prerequisites
- A Deployment to configure.
- kubectl access to the target namespace.
Steps
1. Create a ConfigMap
kubectl create configmap app-config \
--from-literal=LOG_LEVEL=info \
--from-literal=FEATURE_X=true
You can also build one from a file with --from-file=app.conf.
2. Create a Secret
kubectl create secret generic app-secret \
--from-literal=DB_PASSWORD=s3cr3t
Secrets are base64-encoded, not encrypted at rest unless you enable encryption providers.
3. Inject as environment variables
envFrom:
- configMapRef:
name: app-config
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: app-secret
key: DB_PASSWORD
4. Mount as files
For config files or certificates, mount as a volume:
volumes:
- name: config
configMap:
name: app-config
containers:
- volumeMounts:
- name: config
mountPath: /etc/app
5. Roll pods on change
Updating a ConfigMap does not restart pods that consume it via env vars. Trigger a rollout:
kubectl rollout restart deployment myapp
Mounted volumes update in place but the app must reload them.
6. Secure Secret access
Limit who can read Secrets with RBAC, enable encryption at rest, and avoid logging secret values. Prefer an external secret manager for production.
Verification
Apply the manifests and confirm the values reach the container: kubectl exec deploy/myapp -- env | grep LOG_LEVEL. For mounted files, kubectl exec deploy/myapp -- cat /etc/app/.... Confirm a rollout restart picks up changed env values.
Next Steps
Integrate an external secret store such as Vault or a cloud secret manager via the External Secrets Operator, enable encryption at rest for the etcd-backed Secrets, and apply RBAC to restrict Secret access.
Prerequisites
- A Deployment running in the cluster
- kubectl access
Steps
- 1Create a ConfigMap
- 2Create a Secret
- 3Inject as environment variables
- 4Mount as files
- 5Roll pods on change
- 6Secure Secret access