Configuration | beginner | 20 minutes | K8s 1.28+

How to Manage ConfigMaps and Secrets Effectively

Master Kubernetes ConfigMaps and Secrets for application configuration. Learn creation methods, mounting strategies, and security best practices.

By Luca Berton

The Problem

You need to manage application configuration and sensitive data separately from your container images.

The Solution

Use ConfigMaps for non-sensitive configuration and Secrets for sensitive data like passwords, API keys, and certificates.

ConfigMaps

Creating ConfigMaps

From literal values:

kubectl create configmap app-config \
  --from-literal=APP_ENV=production \
  --from-literal=LOG_LEVEL=info \
  --from-literal=MAX_CONNECTIONS=100

From a file:

kubectl create configmap nginx-config --from-file=nginx.conf

From YAML manifest:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: "production"
  LOG_LEVEL: "info"
  MAX_CONNECTIONS: "100"
  config.yaml: |
    database:
      host: postgres.default.svc
      port: 5432
    cache:
      enabled: true
      ttl: 3600

Using ConfigMaps in Pods

As environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: myapp
    image: myapp:latest
    envFrom:
    - configMapRef:
        name: app-config

Individual keys as environment variables:

env:
- name: DATABASE_MAX_CONNECTIONS   # name of the variable inside the container
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: MAX_CONNECTIONS         # must exist in app-config (or set optional: true), otherwise the container fails with CreateContainerConfigError

As a volume mount:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: myapp
    image: myapp:latest
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: app-config

Secrets

Creating Secrets

From literal values:

kubectl create secret generic db-credentials \
  --from-literal=username=admin \
  --from-literal=password='S3cur3P@ss!'

From YAML (values must be base64 encoded):

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=      # base64 encoded
  password: UzNjdXIzUEBzcyE=

Using stringData (auto-encodes):

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:
  username: admin
  password: S3cur3P@ss!
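All three creation forms above end up storing the same bytes. This added example (mine, not part of the recipe) builds the `data` form in Python the way `--from-literal` does and decodes it back, including the rule that `stringData` is merged into `data` on write and wins for a key present in both; the function names are my own.

```python
import base64
import json

# Added example, not from the recipe: emulate what the API server stores for
# an Opaque Secret and show that the stored form is reversible encoding.

def secret_manifest(name, values):
    """Return an Opaque Secret with every value base64-encoded under .data,
    which is what `kubectl create secret generic --from-literal` produces."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {
            key: base64.b64encode(val.encode()).decode("ascii")
            for key, val in values.items()
        },
    }

def decode_secret(manifest):
    """Plaintext view of a Secret manifest.
    base64 is reversible: anyone allowed to `get` the object can do this,
    so it is encoding, not encryption. stringData is write-only input that
    the API server merges into data; for a key in both, stringData wins."""
    plain = {
        key: base64.b64decode(val).decode()
        for key, val in manifest.get("data", {}).items()
    }
    plain.update(manifest.get("stringData", {}))
    return plain

if __name__ == "__main__":
    m = secret_manifest("db-credentials",
                        {"username": "admin", "password": "S3cur3P@ss!"})
    print(json.dumps(m, indent=2))   # data values match the recipe's manifest
    print(decode_secret(m))          # and decode straight back to plaintext
```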

TLS Secrets

kubectl create secret tls my-tls-secret \
  --cert=path/to/cert.pem \
  --key=path/to/key.pem

Docker Registry Secrets

kubectl create secret docker-registry regcred \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=myuser \
  --docker-password=mypassword \
  --docker-email=myemail@example.com

Using Secrets in Pods

As environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: myapp
    image: myapp:latest
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password

As a volume mount:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: myapp
    image: myapp:latest
    volumeMounts:
    - name: secrets-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secrets-volume
    secret:
      secretName: db-credentials
      defaultMode: 0400

Auto-Reloading Configuration

Using Reloader

Install Reloader to automatically perform a rolling restart of annotated workloads when a ConfigMap or Secret they use changes:

helm repo add stakater https://stakater.github.io/stakater-charts
helm install reloader stakater/reloader

Annotate your deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  annotations:
    reloader.stakater.com/auto: "true"
spec:
  # ...

Manual Rollout

Trigger a rollout after ConfigMap update:

kubectl rollout restart deployment/myapp

Best Practices

1. Never Store Secrets in Git

Use tools like:

  • Sealed Secrets
  • External Secrets Operator
  • SOPS
  • Vault

2. Set Proper File Permissions

volumes:
- name: secrets-volume
  secret:
    secretName: db-credentials
    defaultMode: 0400  # Read-only for owner
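The wiring mistakes covered so far (an env var pointing at a key the ConfigMap does not hold, a Secret injected into the process environment, a Secret volume left at the default mode) can be caught before deployment. This added example (mine, not from the recipe) runs such a check over a Pod object as a dict, for instance `json.load` of `kubectl get pod myapp -o json`; `KNOWN_KEYS`, `SAMPLE_POD` and `check_pod_config` are constructed names, and the key inventory is a made-up input the cluster does not hand you.

```python
# Added example, not from the recipe: static check of ConfigMap/Secret wiring
# in a Pod spec. Assumes the caller supplies the keys each object really holds.

KNOWN_KEYS = {  # constructed inventory matching the recipe's objects
    "configmap/app-config": {"APP_ENV", "LOG_LEVEL", "MAX_CONNECTIONS", "config.yaml"},
    "secret/db-credentials": {"username", "password"},
}

# Constructed sample: references a key app-config does not contain, and leaves
# the Secret volume at the Kubernetes default mode (0644) instead of 0400.
SAMPLE_POD = {"spec": {
    "containers": [{"name": "myapp", "env": [
        {"name": "DATABASE_HOST",
         "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "DB_HOST"}}},
        {"name": "DB_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "password"}}},
    ]}],
    "volumes": [{"name": "secrets-volume", "secret": {"secretName": "db-credentials"}}],
}}

def check_pod_config(pod, known_keys=KNOWN_KEYS):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        for env in c.get("env", []):
            for kind, field in (("configmap", "configMapKeyRef"), ("secret", "secretKeyRef")):
                ref = env.get("valueFrom", {}).get(field)
                if not ref:
                    continue
                target = f"{kind}/{ref['name']}"
                # Missing key with optional unset: CreateContainerConfigError at start.
                if ref["key"] not in known_keys.get(target, set()) and not ref.get("optional"):
                    findings.append(("error", f"{c['name']}: env {env['name']} needs missing key {target}/{ref['key']}"))
                if kind == "secret":
                    findings.append(("info", f"{c['name']}: {target}/{ref['key']} exposed as env var {env['name']}; prefer a volume mount"))
    for vol in spec.get("volumes", []):
        if "secret" not in vol:
            continue
        # defaultMode is an int: 0o400 from YAML `0400`, 256 when read back with -o json.
        mode = vol["secret"].get("defaultMode", 0o644)
        if mode & 0o077:
            findings.append(("warn", f"volume {vol['name']}: defaultMode {mode:04o} is group/world readable; set 0400"))
    return findings

if __name__ == "__main__":
    for severity, msg in check_pod_config(SAMPLE_POD):
        print(f"[{severity}] {msg}")
```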

3. Use Immutable ConfigMaps/Secrets

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config-v1
immutable: true
data:
  APP_ENV: "production"

4. Namespace Isolation

Secrets are namespace-scoped. Use RBAC to restrict access:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader        # bind it to the ServiceAccount that needs it with a RoleBinding in the same namespace
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-credentials"]  # resourceNames only narrows get/update/delete; list and watch would still return every Secret in the namespace, so leave them out
  verbs: ["get"]

Viewing ConfigMaps and Secrets

# List ConfigMaps
kubectl get configmaps

# View ConfigMap content
kubectl describe configmap app-config

# View Secret (base64 encoded)
kubectl get secret db-credentials -o yaml

# Decode Secret value
kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 -d

Key Takeaways

  • Use ConfigMaps for non-sensitive configuration
  • Use Secrets for sensitive data (still base64, not encrypted!)
  • Mount as volumes for file-based config
  • Use envFrom for environment variables
  • Consider external secret management for production


Want More Kubernetes Recipes?

This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.