Kubernetes

Secrets and ConfigMaps in Kubernetes using YAML File Configuration

shoomer
By shoomer

Managing application configuration and sensitive data securely is critical when deploying containerized workloads. Kubernetes provides Secrets and ConfigMaps as core resources for managing configuration and sensitive information seamlessly. Both are designed to streamline application deployments, but they serve distinct purposes.

Contents
Table of ContentsWhat are Secrets and ConfigMaps?SecretsConfigMapsWhen to Use EachMounting Secrets and ConfigMapsMounting as Environment VariablesStep 1 – Creating a SecretStep 2 – Creating a ConfigMapStep 3 – Mounting ThemMounting as VolumesMounting Secrets as FilesMounting ConfigMaps as FilesEncrypting Kubernetes SecretsEnable Encryption at RestUsing Third-Party ToolsBest Practices for Secrets and ConfigMapsSecurity Best PracticesConfig Management Best PracticesFinal Thoughts

This guide helps you understand the differences between Secrets and ConfigMaps, how to use them effectively, methods for mounting them, encrypting secrets, and best practices to enhance security and usability.

Table of Contents

  1. What are Secrets and ConfigMaps?
  2. Mounting Secrets and ConfigMaps
  3. Encrypting Kubernetes Secrets
  4. Best Practices for Secrets and ConfigMaps
  5. Final Thoughts

What are Secrets and ConfigMaps?

Both Secrets and ConfigMaps simplify configuration management. The key difference lies in the type of data they manage.

Secrets

Secrets are designed to store sensitive information like API keys, passwords, and credentials. Kubernetes encodes these values in Base64 before storing them, offering a measure of obfuscation but not encryption by default.

Example of Sensitive Data (Kubernetes Secrets):

  • Database passwords
  • TLS certificates
  • Private API tokens

ConfigMaps

ConfigMaps are used to store non-sensitive configuration data in key-value pairs. They are ideal for environment-specific settings or any data that doesn’t require encryption, such as application settings or paths.

Example of Non-Sensitive Configuration (Kubernetes ConfigMaps):

  • Logging levels
  • External URLs
  • Feature toggle settings

When to Use Each

ResourceUse CaseSecurity Level
SecretsStoring passwords, credentials, tokens, or certificates.Secured data encoded in Base64. Can be encrypted (see below).
ConfigMapsManaging application settings, non-sensitive environment variables, or file paths.Plaintext, not encoded or encrypted.

A practical rule of thumb is to use Secrets whenever confidentiality is essential, and ConfigMaps for general-purpose configurations.

Mounting Secrets and ConfigMaps

Mounting as Environment Variables

Both secrets and ConfigMaps can be injected into Pods as environment variables. This approach is straightforward and useful for applications expecting configurations in the environment.

Step 1 – Creating a Secret

Example YAML for a Secret:

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
data:
  username: YWRtaW4=     # Base64 for 'admin'
  password: cGFzc3dvcmQ= # Base64 for 'password'

Step 2 – Creating a ConfigMap

Example YAML for a ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  log_level: DEBUG
  api_endpoint: "https://api.example.com"

Step 3 – Mounting Them

Deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      containers:
      - name: sample-container
        image: my-app-image
        env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: password
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: log_level

Mounting as Volumes

Secrets and ConfigMaps can also be mounted as files within containers. This is useful for applications that expect configuration files or certificates.

Mounting Secrets as Files

Modify the Deployment to include a volumes section and reference it in the container:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: file-mount-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: file-mount-app
    spec:
      volumes:
      - name: secret-volume
        secret:
          secretName: db-secret
      containers:
      - name: app-container
        image: my-app-image
        volumeMounts:
        - name: secret-volume
          mountPath: "/etc/secret"

Outcome:
Mounted files:

  • /etc/secret/username
  • /etc/secret/password

Mounting ConfigMaps as Files

Using the same approach, ConfigMaps can be mounted as volumes:

volumes:
- name: config-volume
  configMap:
    name: app-config
volumeMounts:
- name: config-volume
  mountPath: "/etc/config"

Outcome:
Mounted files:

  • /etc/config/log_level
  • /etc/config/api_endpoint

Encrypting Kubernetes Secrets

While Secrets are encoded by default, they are not encrypted at rest unless explicitly configured.

Enable Encryption at Rest

  1. Modify Encryption Config:
    Create an encryption-config.yaml file to enable encryption: apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: <BASE64_ENCODED_SECRET> - identity: {}
  2. Configure the API Server:
    On the Kubernetes API server, add the following flag: --encryption-provider-config=/path/to/encryption-config.yaml
  3. Verify Encryption:
    Inspect the etcd database to ensure secrets are encrypted.

Using Third-Party Tools

  • HashiCorp Vault or AWS Secrets Manager: External tools for managing highly secure secrets.
  • Sealed Secrets: A Kubernetes custom resource from Bitnami that allows encrypting secrets natively.

Best Practices for Secrets and ConfigMaps

Security Best Practices

  1. Enable Encryption: Always encrypt Secrets at rest to prevent unauthorized access.
  2. Limit Access: Use Role-Based Access Control (RBAC) to restrict access to Secrets and ConfigMaps.
  3. Use Dedicated Namespaces: Separate different environments by namespaces (e.g., prod, dev).

Config Management Best Practices

  1. Use ConfigMaps for Non-Sensitive Data: Prevent storing passwords or tokens in ConfigMaps.
  2. Version Control Secrets Safely: Use tools like Sealed Secrets to manage encrypted data in Git.
  3. Centralize Configuration: Align configurations for microservices under logical, centralized ConfigMaps.

Visual Reference:
Below is a diagram showing how Secrets and ConfigMaps integrate with Pods in Kubernetes:

Secrets and ConfigMaps Diagram

Final Thoughts

Secrets and ConfigMaps are essential components of Kubernetes for managing sensitive and non-sensitive configurations respectively. By understanding their differences, leveraging mounting options, securing sensitive data with encryption, and following best practices, you can build secure and effective Kubernetes environments.

Use this guide as a reference to handle application configuration with confidence and secure your Kubernetes deployments effectively!

Share This Article
Previous Article Exposing Kubernetes Services to the Outside World ClusterIP, NodePort, LoadBalancer
Next Article Docker Networking Deep Dive | Bridge, Host, Overlay
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Empowering Tomorrow's Leaders through Understanding Child Development and Learning

Learning to thrive

Daily Feed

You Might Also Like