ConfigMaps & Secrets: Externalizing Configuration and Securing Credentials

ConfigMaps store non-sensitive configuration; Secrets store sensitive data (passwords, API keys). Understanding mounting, versioning, and encryption is essential for secure, maintainable deployments.

🎯 Key Takeaways

  • ConfigMaps store non-sensitive config; Secrets store credentials but require encryption and RBAC to be truly secure
  • Secrets committed to Git cannot be revoked; use external secret management or encrypted templates
  • Base64 encoding is not encryption; enable etcd encryption at rest for production
  • Secret changes require Pod restarts if injected as env vars, but auto-update if mounted as files

Lesson outline

ConfigMaps: Non-Sensitive Configuration

A ConfigMap is a Kubernetes object that stores key-value pairs of configuration data. It can be injected into Pods as environment variables, as command-line arguments, or mounted as files.

Examples: database connection strings (non-password parts), feature flags, log levels, application settings.

ConfigMaps are NOT encrypted and should not store sensitive data.

Secrets: Sensitive Credentials

A Secret is like a ConfigMap but intended for sensitive data: passwords, API keys, tokens, certificates.

Secret types: `Opaque` (generic key-value), `kubernetes.io/service-account-token` (created automatically), `kubernetes.io/dockercfg` (Docker registry credentials), `kubernetes.io/tls` (TLS certificates).

WARNING: By default, Secrets are only base64-encoded (NOT encrypted) in etcd. You must enable etcd encryption at rest for production.

Mounting Methods

Environment variables: Pod spec references ConfigMap/Secret keys as env vars. Not ideal for large config (env has size limits).

Volume mount: ConfigMap/Secret is mounted as a directory with files. Changes to ConfigMap are automatically updated in the mount (with kubelet sync delay ~1 minute).

Command-line arguments: ConfigMap/Secret values can be injected into container commands, but this is less flexible.
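The three injection methods side by side, as an added example that is not part of the original lesson. The object names, the image and the placeholder password are assumptions; the comments carry the restart and subPath caveats a practitioner needs when choosing a method.

```yaml
# Added example, not from the lesson. Names (app-config, db-credentials, demo-app)
# and the image are placeholders. Shows all three injection methods side by side.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"             # non-sensitive: fine in a ConfigMap
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:                     # plain text here; the API server stores it base64-encoded in .data
  DB_PASSWORD: "change-me-placeholder"
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
spec:
  containers:
    - name: app
      image: example.com/demo-app:1.0
      # 1) ConfigMap key as an env var: read once at start, so a change needs a Pod restart.
      env:
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL
      # 2) Every key of the Secret as env vars (same restart caveat).
      envFrom:
        - secretRef:
            name: db-credentials
      # 3) Command-line argument: $(VAR) expands from the env vars above.
      args: ["--log-level=$(LOG_LEVEL)"]
      # 4) Files: the kubelet refreshes these after a Secret change (sync delay
      #    ~1 minute). Never use subPath here: subPath mounts are never refreshed.
      volumeMounts:
        - name: db-creds
          mountPath: /etc/secrets
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials
        defaultMode: 0400   # owner-read only; use 0440 plus securityContext.fsGroup for non-root apps
```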

Versioning and Rotation

ConfigMap changes create new revisions, but old revisions are kept (controlled by revisionHistoryLimit). This can bloat etcd if not managed.

Secret rotation: For managed secrets (API keys, certificates), implement a sidecar or operator that detects changes and reloads them.

Certificate rotation: Use cert-manager to automate TLS certificate renewal.
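An added example of the cert-manager automation mentioned above, not from the lesson. It assumes cert-manager is installed and that a ClusterIssuer named `internal-ca` exists (placeholder); the namespace and hostnames are also assumptions.

```yaml
# Added example, not from the lesson. Assumes cert-manager is installed and a
# ClusterIssuer named "internal-ca" exists (placeholder). cert-manager writes the
# keypair to a kubernetes.io/tls Secret and renews it before expiry, so the
# 90-day rotation is enforced by the operator rather than by a calendar reminder.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-tls
  namespace: team-a
spec:
  secretName: api-tls            # the kubernetes.io/tls Secret that is created and rotated
  duration: 2160h                # 90 days, matching the rotation interval in the lesson
  renewBefore: 360h              # renew 15 days before expiry
  commonName: api.team-a.svc
  dnsNames:
    - api.team-a.svc
    - api.team-a.svc.cluster.local
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always       # fresh private key on every renewal, not just a new certificate
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
# Pods that mount api-tls as files see the new cert within the kubelet sync delay;
# anything that read it into an env var or cached it at start must be restarted or reloaded.
```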

Best Practices

Never store secrets in ConfigMaps. Use dedicated Secret objects.

Never commit secrets to Git. Use a secrets vault (Vault, AWS Secrets Manager, Sealed Secrets).

Enable etcd encryption at rest to protect Secrets in storage.
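The weak setting beside the corrected one, covering both the etcd warning in the Secrets section and this best practice; this is an added example, not from the lesson. The key name, key value and file handling are assumptions.

```yaml
# Added example, not from the lesson. Two alternative files for the kube-apiserver's
# --encryption-provider-config flag, shown together; the key name and value are placeholders.
# Protect this file on the control-plane host (it holds the key), or use a kms
# provider so the key never lives on disk next to the data it protects.
#
# WEAK (the effective default): "identity" writes Secrets to etcd as plain base64,
# so anyone with etcd access or an etcd backup can read every credential.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - identity: {}
---
# CORRECTED: the first provider encrypts new writes. "identity" stays last so
# objects written before the change can still be read; rewrite them once with
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
# and then remove identity from the list.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - secretbox:
          keys:
            - name: key1
              # placeholder: a random 32-byte key, e.g. from
              #   head -c 32 /dev/urandom | base64
              secret: <BASE64_32_BYTE_KEY_PLACEHOLDER>
      - identity: {}
```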

Use RBAC to limit who can read Secrets: `kubectl get secrets` should be restricted.
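An added example of an RBAC Role that grants ConfigMap and Pod reads but deliberately nothing on Secrets; it is not from the lesson, and the namespace, group and role names are placeholders.

```yaml
# Added example, not from the lesson. Namespace, group and role names are placeholders.
# RBAC is deny-by-default, so the way to restrict `kubectl get secrets` is simply to
# grant no verbs on "secrets" here and bind Secret access only to the workload that
# needs it. Note that "list" and "watch" on secrets reveal the data, not just the names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["configmaps", "pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # No rule for "secrets". Also keep "create" on pods and "pods/exec" out of this
  # Role: anyone who can run or exec into a Pod can read the Secrets it mounts.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-binding
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-developers           # placeholder group from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the restriction with `kubectl auth can-i get secrets -n team-a --as=dev-user --as-group=team-a-developers`, which should answer `no`.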

Rotate secrets regularly: certificates every 90 days, API keys every 6 months.

🧠 Mental Model

💡 Analogy

A ConfigMap is like a public bulletin board in an office building (anyone can read it). A Secret is like a locked briefcase with a combination (access is controlled, but the contents are not encrypted by default). To truly secure the briefcase, you need to store it in a vault (encrypted etcd) and limit who knows the combination (RBAC).

⚡ Core Idea

ConfigMaps externalize non-sensitive config. Secrets store sensitive data but require encryption and RBAC to be truly secure. Both support dynamic updates via mounted files.

🎯 Why It Matters

Externalizing configuration from container images makes them reusable across environments. Separating secrets from code prevents accidental commits and credential exposure. Proper secret management is a critical security practice.
