Interactive Lab · CKA · Beginner

CONFIGMAPS & SECRETS

$ kubectl create configmap app-config --from-literal=ENV=production
📋 What is a ConfigMap?
  1. A ConfigMap stores non-sensitive configuration as key-value pairs. App name, environment, log level, feature flags: anything that changes between environments but is not secret.
  2. ConfigMaps decouple configuration from container images. You build one image and configure it differently per environment using ConfigMaps.
  3. They can be injected as environment variables, mounted as files in a volume, or used as command-line arguments.
💡 ConfigMaps are not encrypted. Never store passwords, API keys, or tokens in a ConfigMap. Use Secrets for that.
Create a ConfigMap
    # Imperative (fastest on the exam)
    kubectl create configmap app-config \
      --from-literal=ENV=production \
      --from-literal=LOG_LEVEL=info \
      --from-literal=PORT=8080

    # From a file
    kubectl create configmap nginx-config --from-file=nginx.conf

    # Verify
    kubectl get configmap app-config -o yaml
๐Ÿ” What is a Secret?
  • 1A Secret stores sensitive data: passwords, API keys, TLS certificates, SSH keys. Kubernetes stores them base64-encoded and can restrict access via RBAC.
  • 2Base64 is encoding, not encryption. Anyone with cluster access can decode a Secret. Enable etcd encryption at rest for true security.
  • 3Common Secret types: Opaque (generic), kubernetes.io/tls (TLS certs), kubernetes.io/dockerconfigjson (registry credentials).
โš  Never commit Secrets to git. Use Sealed Secrets, HashiCorp Vault, or External Secrets Operator for production.
Create a Secret
    # Imperative
    kubectl create secret generic db-secret \
      --from-literal=DB_PASSWORD=s3cur3pass \
      --from-literal=DB_USER=admin

    # TLS secret from cert files
    kubectl create secret tls my-tls \
      --cert=tls.crt --key=tls.key

    # Decode a secret value
    kubectl get secret db-secret -o jsonpath='{.data.DB_PASSWORD}' | base64 -d
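
The two warnings above (no credentials in ConfigMaps, and base64 is not encryption) can be checked mechanically. The following is an added example, not part of the original lab: it audits JSON shaped like `kubectl get configmap,secret -o json` output for ConfigMap keys that look like credentials, and shows that Secret data decodes with nothing but read access. The key-name heuristic, the function names and the sample objects are assumptions constructed for this illustration.

```python
import base64
import json
import re

# Heuristic for credential-like key names (an assumption of this example).
SENSITIVE = re.compile(r"pass|secret|token|api[_-]?key|private[_-]?key", re.I)

# Constructed sample shaped like `kubectl get configmap,secret -o json` output.
# The ConfigMap deliberately carries a DB_PASSWORD key it should not have.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ConfigMap",
     "metadata": {"name": "app-config", "namespace": "default"},
     "data": {"ENV": "production", "LOG_LEVEL": "info",
              "DB_PASSWORD": "s3cur3pass"}},
    {"kind": "Secret", "type": "Opaque",
     "metadata": {"name": "db-secret", "namespace": "default"},
     "data": {"DB_USER": base64.b64encode(b"admin").decode(),
              "DB_PASSWORD": base64.b64encode(b"s3cur3pass").decode()}},
]})


def load_items(doc):
    """Accept a single object or a kubectl List and return the objects."""
    obj = json.loads(doc)
    return obj.get("items", []) if obj.get("kind") == "List" else [obj]


def audit_configmaps(doc):
    """Return (namespace, name, key) for ConfigMap keys that look secret."""
    findings = []
    for item in load_items(doc):
        if item.get("kind") != "ConfigMap":
            continue
        meta = item.get("metadata", {})
        for key in item.get("data") or {}:
            if SENSITIVE.search(key):
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), key))
    return findings


def decode_secret(item):
    """Base64-decode Secret data: no key is needed, only read access."""
    return {k: base64.b64decode(v).decode("utf-8", "replace")
            for k, v in (item.get("data") or {}).items()}


if __name__ == "__main__":
    for ns, name, key in audit_configmaps(SAMPLE):
        print(f"configmap {ns}/{name}: key {key} belongs in a Secret")
    for item in load_items(SAMPLE):
        if item.get("kind") == "Secret":
            print(item["metadata"]["name"], decode_secret(item))
```

Against a real cluster, the same functions accept the saved output of `kubectl get configmap,secret -o json` in place of the constructed sample.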
💉 Three ways to inject config into a Pod
  1. envFrom: inject all keys from a ConfigMap or Secret as env vars at once. Fastest and cleanest.
  2. env.valueFrom: inject specific keys individually. Gives you control over the env var name.
  3. volumeMount: mount a ConfigMap or Secret as files. Each key becomes a file. Used for config files like nginx.conf or certificates.
All three injection patterns
    spec:
      containers:
      - name: app
        image: nginx:1.25
        # Pattern 1: inject ALL keys as env vars
        envFrom:
        - configMapRef:
            name: app-config
        - secretRef:
            name: db-secret
        # Pattern 2: inject specific keys
        # (the referenced key must exist in the ConfigMap)
        env:
        - name: DB_HOST
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DB_HOST
        # Pattern 3: mount as files
        volumeMounts:
        - name: config-vol
          mountPath: /etc/config
      volumes:
      - name: config-vol
        configMap:
          name: app-config
ConfigMap commands
  create configmap --from-literal     Create from key=value pairs
  create configmap --from-file        Create from a file, key=filename
  get configmap -o yaml               See all keys and values
  envFrom.configMapRef                Inject all keys as env vars
  env.valueFrom.configMapKeyRef       Inject specific key
Secret commands
  create secret generic               Create opaque secret
  create secret tls                   Create TLS secret from cert+key
  get secret -o yaml                  Values are base64 encoded
  base64 -d                           Decode a secret value on CLI
  envFrom.secretRef                   Inject all secret keys as env vars