Skip to main content

How to manage configuration with Kubernetes ConfigMaps and Secrets

ConfigMaps hold plain settings and Secrets hold sensitive values, both injectable as env vars or mounted files so one image runs everywhere. Roll pods to pick up env changes and lock down Secret access with RBAC.

Difficulty
Beginner
Duration
35 minutes
Steps
6

Configuration with ConfigMaps and Secrets

Kubernetes separates configuration from images. A ConfigMap holds non-sensitive key-value settings; a Secret holds sensitive values, base64-encoded and access-controlled. Both can be injected as environment variables or mounted as files, so the same image runs in any environment.

Prerequisites

  • A Deployment to configure.
  • kubectl access to the target namespace.

Steps

1. Create a ConfigMap

kubectl create configmap app-config \
  --from-literal=LOG_LEVEL=info \
  --from-literal=FEATURE_X=true

You can also build one from a file with --from-file=app.conf.

2. Create a Secret

kubectl create secret generic app-secret \
  --from-literal=DB_PASSWORD=s3cr3t

Secrets are base64-encoded, not encrypted at rest unless you enable encryption providers.

3. Inject as environment variables

envFrom:
  - configMapRef:
      name: app-config
env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: app-secret
        key: DB_PASSWORD

4. Mount as files

For config files or certificates, mount as a volume:

volumes:
  - name: config
    configMap:
      name: app-config
containers:
  - volumeMounts:
      - name: config
        mountPath: /etc/app

5. Roll pods on change

Updating a ConfigMap does not restart pods that consume it via env vars. Trigger a rollout:

kubectl rollout restart deployment myapp

Mounted volumes update in place but the app must reload them.

6. Secure Secret access

Limit who can read Secrets with RBAC, enable encryption at rest, and avoid logging secret values. Prefer an external secret manager for production.

Verification

Apply the manifests and confirm the values reach the container: kubectl exec deploy/myapp -- env | grep LOG_LEVEL. For mounted files, kubectl exec deploy/myapp -- cat /etc/app/.... Confirm a rollout restart picks up changed env values.

Next Steps

Integrate an external secret store such as Vault or a cloud secret manager via the External Secrets Operator, enable encryption at rest for the etcd-backed Secrets, and apply RBAC to restrict Secret access.

Prerequisites

  • A Deployment running in the cluster
  • kubectl access

Steps

  • 1
    Create a ConfigMap
  • 2
    Create a Secret
  • 3
    Inject as environment variables
  • 4
    Mount as files
  • 5
    Roll pods on change
  • 6
    Secure Secret access

Category

Containers