ConfigMaps and Secrets

May 22, 2026

Decoupled from Pod lifecycle: change config without redeploying Pod
env: single key; envFrom: all keys from ConfigMap/Secret
Volume mount: auto-refreshes; env: needs Pod restart to pick up changes
Secrets: Base64 encoded, NOT encrypted by default: etcd encryption at rest can be enabled by cluster admins but is not on by default

ConfigMap

No spec: data in data: section
Create sources: --from-literal, --from-env-file, --from-file (file name = key)

kubectl create cm db-config --from-literal=DB_HOST=mysql --from-file=app.json

# env: all keys
envFrom:
- configMapRef:
    name: db-config

# volume: each key = file
volumes:
- name: cfg
  configMap:
    name: db-config
volumeMounts:
- mountPath: /etc/config
  name: cfg

Secret

Type	Use
`generic` (Opaque)	Passwords, keys
`docker-registry`	Private image pull
`tls`	TLS cert + key

kubectl create secret generic db-creds --from-literal=pwd=s3cre!   # auto base64
echo -n 's3cre!' | base64   # manual encode for declarative data:

data:
  pwd: czNjcmUh        # base64 in live object
stringData:
  pwd: s3cre!          # plain text in manifest: K8s encodes on create

# env
envFrom:
- secretRef:
    name: db-creds

# remap key
env:
- name: USER
  valueFrom:
    secretKeyRef:
      name: secret-basic-auth
      key: username

# volume: note secretName (not name)
volumes:
- name: ssh-vol
  secret:
    secretName: secret-ssh-auth

Env/volume: K8s decodes Base64 before injecting

imagePullSecrets (private registry)

Create the registry secret:

kubectl create secret docker-registry regcred \
  --docker-server=registry.example.com \
  --docker-username=myuser \
  --docker-password=mypassword \
  --docker-email=me@example.com

Reference it on the Pod/Deployment template:

spec:
  imagePullSecrets:
  - name: regcred
  containers:
  - name: app
    image: registry.example.com/myapp:1.0

imagePullSecrets is on spec (Pod-level), not inside containers[]
Can also be attached to a ServiceAccount so all Pods using that SA auto-get it:

kubectl patch serviceaccount default \
  -p '{"imagePullSecrets": [{"name": "regcred"}]}'

ConfigMap vs Secret

	ConfigMap	Secret
Data	Plain	Base64 (`stringData` convenience)
Env	`configMapRef`	`secretRef`
Key remap	`configMapKeyRef`	`secretKeyRef`
Volume	`configMap.name`	`secret.secretName`

Failures

Symptom	Cause
Env empty / app misconfig	Wrong key name
`CreateContainerConfigError` / crash	ConfigMap/Secret not mounted or missing
`ImagePullBackOff` on private image	Missing or wrong imagePullSecrets

Exam tips

--from-env-file ≠ --from-file (KEY=value vs arbitrary content)
Service must exist before Pod for env-based service discovery
CreateContainerConfigError: missing/wrong ConfigMap/Secret name or NS
imagePullSecrets is Pod-level (spec.imagePullSecrets), not container-level