π Kubernetes Secrets vs. ConfigMaps β Which One and When? (2025 Guide)
In the world of Kubernetes, separating code from configuration is a best practice. But when it comes to managing settings like environment variables, API tokens, and database credentials β youβll come across two powerful tools:
- β ConfigMaps
- π Secrets
They both store configuration, but they are NOT the same β and using them interchangeably could lead to security issues or operational headaches.
Letβs break them down β from basics to best practices β and figure out which one to use, when.
π§ Whatβs the Difference Between a ConfigMap and a Secret?
| Feature | ConfigMap | Secret |
|---|---|---|
| Purpose | Store non-sensitive config data | Store sensitive data like passwords, tokens |
| Encoding | Stored in plain text | Stored in base64-encoded format |
| Access Control | Readable by default | Can be restricted using RBAC |
| Encryption | Not encrypted at rest | Can be encrypted at rest (KMS or etcd config) |
| Mounting | As files or env vars | Same (files/env), but secured |
| Example Use | App name, log level, config toggles | API keys, DB passwords, SSH keys |
π§ 1. What is a ConfigMap?
ConfigMaps are used to store non-sensitive configuration in a key-value format.
β Common Use Cases:
- Application name, port, timezone
- Feature flags
- JSON configs
- External URLs
βοΈ Example:
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config
data:
APP_NAME: "myapp"
LOG_LEVEL: "debug"
π¦ Usage in Pod:
env:
- name: APP_NAME
valueFrom:
configMapKeyRef:
name: app-config
key: APP_NAME
π 2. What is a Secret?
Secrets are used to store sensitive data like passwords, tokens, SSH keys, and TLS certs.
Though theyβre base64-encoded by default (β οΈ not encrypted), Kubernetes supports encryption at rest and RBAC to control access.
β Common Use Cases:
- DB credentials
- OAuth tokens
- TLS certificates
- Service account keys
βοΈ Example:
apiVersion: v1
kind: Secret
metadata:
name: db-secret
type: Opaque
data:
DB_PASSWORD: cGFzc3dvcmQxMjM= # base64 encoded
π
echo -n 'password123' | base64=cGFzc3dvcmQxMjM=
π¦ Usage in Pod:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-secret
key: DB_PASSWORD
π 3. Are Secrets Really Secure?
Yes, if you configure them properly:
| Feature | Enabled By |
|---|---|
| π Encryption at Rest | Set up in EncryptionConfiguration for etcd |
| β RBAC Access Control | Use Role + RoleBinding to restrict access |
| ποΈ Audit Logging | Log access to Secrets |
| π Automatic Rotation | Use external Secret managers (Vault, AWS Secrets Manager) |
β οΈ By default, Secrets are just base64 β not truly secure.
Always combine them with proper encryption, least-privilege access, and rotation practices.
π 4. How to Choose β ConfigMap or Secret?
| Scenario | Use |
|---|---|
| β Application name | ConfigMap |
| β Logging level (debug/info) | ConfigMap |
| π API token for 3rd-party service | Secret |
| π Database password | Secret |
| β Feature toggle flags | ConfigMap |
| π SSL cert/key pair | Secret (TLS type) |
| β External API URL | ConfigMap |
| π OAuth client secret | Secret |
π§ Rule of Thumb:
If you wouldnβt share the value on a public forum, put it in a Secret.
π οΈ 5. Best Practices
β ConfigMaps:
- Keep unrelated config keys in separate ConfigMaps.
- Use volumes if you want to mount full configs (e.g., YAML or JSON files).
- Version them using labels or annotations.
β Secrets:
- Enable encryption at rest for etcd.
- Store only what is absolutely necessary.
- Integrate with external secret managers like:
- HashiCorp Vault
- AWS Secrets Manager
- Azure Key Vault
- Rotate credentials regularly and use initContainers or sidecars for dynamic secrets.
𧩠Bonus: Use Both Together
Yes, you can β and often should β use ConfigMaps and Secrets together in the same pod.
Example:
env:
- name: ENV
valueFrom:
configMapKeyRef:
name: app-config
key: ENV
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-secret
key: DB_PASSWORD
This keeps your sensitive data isolated, while making general configuration easily manageable.
πΌ Real-World Example: A Web App in K8s
| Config Item | Source | Reason |
|---|---|---|
| DB_HOST | ConfigMap | Safe to expose |
| DB_PORT | ConfigMap | Non-sensitive |
| DB_PASSWORD | Secret | Needs encryption |
| API_KEY | Secret | Confidential |
| APP_ENV | ConfigMap | Just toggles |
| TLS Key/Cert | Secret (TLS type) | Secure by default |
π§ Final Thoughts
- Use ConfigMaps for whatβs safe to expose
- Use Secrets for anything youβd protect with encryption
- Secure your Secrets with RBAC, encryption, and external managers
- Keep everything version-controlled and auditable
Donβt treat your Kubernetes cluster like a vault.
Treat it like an API-driven operating system, and secure it the same way.
Just let me know!
Leave a Reply