Managing secrets and config maps in Kubernetes involves using two distinct resource types to handle application configuration data. Secrets store sensitive information like passwords and API keys with base64 encoding, whilst config maps hold non-sensitive configuration data in plain text. Both resources can be mounted as volumes or environment variables in pods, enabling secure and flexible configuration management for containerised applications in your cloud infrastructure.
Understanding Kubernetes secrets and config maps fundamentals
Kubernetes provides two primary mechanisms for managing configuration data in container orchestration environments. Config maps handle non-sensitive configuration information, whilst secrets manage sensitive data that requires additional security measures.
These resources separate configuration from application code, following the twelve-factor app methodology. This separation enables you to modify configurations without rebuilding container images, making deployments more flexible and maintainable.
In cloud infrastructure deployments, proper configuration management prevents hardcoded values in applications and reduces security risks. Both resources support dynamic updates, allowing running applications to receive configuration changes without restarts in many cases.
What is the difference between secrets and config maps in Kubernetes?
The primary difference lies in their intended use cases and security handling. Config maps store non-sensitive data like application settings, feature flags, and configuration files in plain text format.
Secrets handle sensitive information including passwords, OAuth tokens, SSH keys, and TLS certificates. Kubernetes stores secrets with base64 encoding and provides additional security features like encryption at rest when properly configured.
| Feature | Config Maps | Secrets |
|---|---|---|
| Data Type | Non-sensitive configuration | Sensitive information |
| Storage Format | Plain text | Base64 encoded |
| Size Limit | 1MB | 1MB |
| Security Features | Basic access controls | Encryption at rest, restricted access |
How do you create and deploy secrets in Kubernetes?
You can create secrets using kubectl commands or YAML manifests. The command-line approach offers quick creation for simple use cases, whilst YAML provides better version control and repeatability.
Using kubectl, create a generic secret with this command:
kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=secretpass
For YAML-based creation, define the secret with base64-encoded values:
The secret becomes available to pods through environment variables or mounted volumes. Mount secrets as volumes when applications need to read certificate files or configuration files directly.
DevOps security practices require limiting secret access through role-based access control (RBAC) and using service accounts with minimal required permissions.
How do you manage config maps for application configuration?
Config maps support multiple creation methods including literal values, files, and directories. This flexibility accommodates various configuration scenarios in your Kubernetes configuration setup.
Create config maps from literal values:
kubectl create configmap app-config --from-literal=database_url=localhost:5432 --from-literal=debug_mode=true
You can also create config maps from entire configuration files, which proves useful for complex application settings. Applications consume config map data through environment variables or volume mounts.
Update config maps using kubectl apply with modified YAML files. Some applications automatically detect configuration changes when mounted as volumes, whilst others require pod restarts to pick up new values.
What are the best practices for Kubernetes secrets management?
Implement secrets management with multiple security layers. Enable encryption at rest in your Kubernetes cluster to protect stored secrets from unauthorised access at the storage level.
Use external secret management systems like HashiCorp Vault or cloud provider secret managers for production environments. These systems provide advanced features including automatic rotation, audit logging, and fine-grained access controls.
Rotate secrets regularly and avoid storing secrets in container images or version control systems. Implement the principle of least privilege by granting secret access only to pods and users that require it.
Monitor secret access through audit logs and set up alerts for unusual access patterns. Consider using sealed secrets or external secret operators for GitOps workflows whilst maintaining security.
Key takeaways for effective Kubernetes configuration management
Successful configuration management in container orchestration requires understanding when to use secrets versus config maps. Use secrets for any sensitive data and config maps for non-sensitive application settings.
Implement proper access controls and monitoring for both resource types. Regular rotation of secrets and systematic organisation of config maps improves security and maintainability.
Consider external secret management solutions for production workloads requiring advanced security features. These solutions integrate well with Kubernetes whilst providing enterprise-grade secret handling capabilities.
Document your configuration management practices and train your team on proper usage patterns. This ensures consistent implementation across your cloud infrastructure and reduces security risks.
At Falconcloud, we provide the robust cloud infrastructure foundation you need to implement secure Kubernetes deployments with proper secrets and configuration management across our global data centres.