In Kubernetes, managing application configuration and sensitive data is crucial for maintaining flexible and secure deployments. In this hands-on guide, we’ll explore how to use ConfigMaps and Secrets to inject data into your pods, following the official Kubernetes documentation.
Understanding ConfigMaps and Secrets
- ConfigMaps store non-sensitive configuration data in key-value pairs.
- Secrets are similar to ConfigMaps but are intended for storing sensitive information, such as passwords or API keys.
Let’s dive into a practical example of using Secrets to inject sensitive data into a pod.
Step-by-Step Guide: Using Secrets for Secure Data Distribution
Step 1: Create a Secret
First, let’s create a Secret containing some sensitive data:
kubectl create secret generic db-user-pass \
--from-literal=username=admin \
--from-literal=password=S!B\*d$zDsb=This command creates a Secret named db-user-pass with two key-value pairs.
Step 2: Verify the Secret
Check that the Secret was created:
kubectl get secretsYou should see db-user-pass in the list.
Step 3: Create a Pod That Uses the Secret
Now, let’s create a pod that uses this Secret to set environment variables:
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
- name: mycontainer
image: redis
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: db-user-pass
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: db-user-pass
key: password
restartPolicy: NeverSave this as secret-env-pod.yaml and apply it:
kubectl apply -f secret-env-pod.yamlStep 4: Verify the Environment Variables
To verify that the environment variables are set correctly:
kubectl exec -it secret-env-pod -- /bin/sh -c 'echo $SECRET_USERNAME && echo $SECRET_PASSWORD'You should see the values you set in the Secret.
Bonus: Using ConfigMaps
While we focused on Secrets in this guide, ConfigMaps work similarly for non-sensitive data. Here’s a quick example:
Create a ConfigMap:
kubectl create configmap app-config --from-literal=APP_COLOR=blue --from-literal=APP_MODE=prodUse it in a pod:
apiVersion: v1
kind: Pod
metadata:
name: configmap-demo-pod
spec:
containers:
- name: demo
image: alpine
command: ["sleep", "3600"]
env:
- name: APP_COLOR
valueFrom:
configMapKeyRef:
name: app-config
key: APP_COLOR
- name: APP_MODE
valueFrom:
configMapKeyRef:
name: app-config
key: APP_MODEKey Takeaways
-
Separation of Concerns: ConfigMaps and Secrets allow you to separate configuration from application code, making it easier to manage and update.
-
Security: Secrets provide a way to handle sensitive information more securely than storing it directly in pod specifications or Docker images.
-
Flexibility: You can use the same ConfigMap or Secret across multiple pods, making it easy to maintain consistent configuration.
-
Environment Variables: Both ConfigMaps and Secrets can be used to set environment variables in pods, which is a common pattern for application configuration.
-
Multiple Formats: While we used literal values in our examples, ConfigMaps and Secrets can also be created from files, which is useful for larger configurations.
Conclusion
ConfigMaps and Secrets are powerful tools in the Kubernetes ecosystem for managing application configuration and sensitive data. By using these resources, you can create more flexible, secure, and maintainable deployments.
As you continue working with Kubernetes, explore other ways to use ConfigMaps and Secrets, such as mounting them as volumes in your pods. Remember, while Secrets provide a more secure way to handle sensitive data compared to ConfigMaps, they are not encrypted by default in etcd. For production environments, consider additional security measures like encryption at rest.
Happy Kuberneting!