Kubernetes Secrets and ConfigMaps: Managing Configuration and Sensitive Data Securely

3 min read

Kubernetes Secrets and ConfigMaps

In Kubernetes, managing configuration and sensitive data securely and effectively is essential for deploying applications. Kubernetes provides two critical objects, Secrets and ConfigMaps, to handle configuration data and sensitive information separately, allowing for better security, flexibility, and scalability. These two objects are often used together to separate configuration from the application code, enabling more efficient and secure management of environments.

What are Kubernetes ConfigMaps?

ConfigMaps are used to store non-sensitive configuration data as key-value pairs. ConfigMaps can store configuration information such as environment variables, command-line arguments, or configuration files that the applications running inside Kubernetes pods need to function.

Key Features of ConfigMaps:

  • Environment Variables: ConfigMaps can inject environment variables into pods.
  • Command-line Arguments: ConfigMaps can pass configuration as command-line arguments.
  • Configuration Files: ConfigMaps can be used to store entire configuration files and mount them inside containers as volumes.
  • Decouples Configuration: They allow you to decouple configuration data from your application code, making it easier to update configuration without changing code.

Creating a ConfigMap

ConfigMaps can be created in several ways, including from literal key-value pairs, files, or directories.

  1. Create a ConfigMap from Literal Key-Value Pairs:
   kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2
  1. Create a ConfigMap from a File:
   kubectl create configmap my-config --from-file=path/to/config/file
  1. Create a ConfigMap from a Directory:
   kubectl create configmap my-config --from-file=path/to/config/directory/

Using ConfigMaps in Pods

You can use ConfigMaps in Pods by mounting them as environment variables, command-line arguments, or volumes.

  • Injecting as Environment Variables:
    You can reference the ConfigMap keys as environment variables in your Pod specification:
   apiVersion: v1
   kind: Pod
   metadata:
     name: my-pod
   spec:
     containers:
     - name: my-container
       image: my-image
       envFrom:
       - configMapRef:
           name: my-config
  • Mounting as Volumes:
    You can mount a ConfigMap as a file inside a container:
   apiVersion: v1
   kind: Pod
   metadata:
     name: my-pod
   spec:
     containers:
     - name: my-container
       image: my-image
       volumeMounts:
       - name: config-volume
         mountPath: /etc/config
     volumes:
     - name: config-volume
       configMap:
         name: my-config

What are Kubernetes Secrets?

Secrets are similar to ConfigMaps but are designed to store sensitive data like passwords, OAuth tokens, SSH keys, and API keys. Unlike ConfigMaps, Secrets are encoded (base64) and should be treated as sensitive information.

Key Features of Secrets:

  • Sensitive Information: Secrets store sensitive data and prevent storing plain text secrets in your application code or repository.
  • Base64 Encoding: Secrets are encoded in base64, though this is not encryption. Base64 encoding is just for transporting binary data. For additional security, Kubernetes Secrets should be managed with encryption at rest.
  • Controlled Access: You can control access to Secrets using RBAC (Role-Based Access Control) to ensure only authorized services and users can access them.
  • Environment Variables or Volumes: Similar to ConfigMaps, Secrets can be injected into Pods either as environment variables or mounted as volumes.

Creating a Secret

Secrets can be created in several ways, just like ConfigMaps.

  1. Create a Secret from Literal Key-Value Pairs:
   kubectl create secret generic my-secret --from-literal=username=myuser --from-literal=password=mypassword
  1. Create a Secret from a File:
   kubectl create secret generic my-secret --from-file=path/to/secret/file
  1. Create a Secret from a Directory:
   kubectl create secret generic my-secret --from-file=path/to/secret/directory/

Using Secrets in Pods

You can use Secrets in Pods by injecting them as environment variables or mounting them as volumes.

  • Injecting as Environment Variables:
   apiVersion: v1
   kind: Pod
   metadata:
     name: my-pod
   spec:
     containers:
     - name: my-container
       image: my-image
       envFrom:
       - secretRef:
           name: my-secret
  • Mounting as Volumes:
    You can mount a Secret as a file inside a container:
   apiVersion: v1
   kind: Pod
   metadata:
     name: my-pod
   spec:
     containers:
     - name: my-container
       image: my-image
       volumeMounts:
       - name: secret-volume
         mountPath: /etc/secrets
     volumes:
     - name: secret-volume
       secret:
         secretName: my-secret

Key Differences Between ConfigMaps and Secrets

Feature ConfigMap Secret
Purpose Stores non-sensitive configuration data Stores sensitive information like passwords, tokens, and keys
Encoding Plain-text key-value pairs Base64 encoded (not encrypted)
Security Not meant for sensitive data Designed for storing sensitive data
Use Cases Configurations for applications API keys, passwords, certificates, etc.
Storage Stored in plain text within Kubernetes Encoded in base64 format
Access Control Can be accessed by any pod (with permission) Access is controlled and must be restricted
Best Practices Use for application settings and configurations Use for storing sensitive data that needs extra security

Best Practices for Using Secrets and ConfigMaps

  1. Do Not Store Secrets in Source Control: Avoid checking Secrets and ConfigMaps with sensitive data into source control. Use environment-specific files or management tools.

  2. Use Encryption at Rest: Kubernetes Secrets are base64 encoded, not encrypted. For extra security, ensure that your cluster is set up to encrypt Secrets at rest.

  3. Access Control: Use RBAC (Role-Based Access Control) to restrict who can access and manage your Secrets and ConfigMaps. Only authorized users and services should have access.

  4. Use Namespaces: Consider using Kubernetes namespaces to isolate resources (including Secrets and ConfigMaps) for different environments or applications.

  5. Limit Pod Permissions: Limit which pods can access the Secrets and ConfigMaps by specifying ServiceAccount and RBAC rules.

  6. Monitor Changes: Set up monitoring to detect changes in ConfigMaps and Secrets. Unauthorized changes can indicate potential security issues.

Conclusion

Kubernetes Secrets and ConfigMaps are essential resources for managing configuration and sensitive data within a Kubernetes environment. While ConfigMaps store non-sensitive configuration data, Secrets offer a more secure way of handling sensitive information. By decoupling configuration from application code and using Kubernetes to manage this data securely, you can ensure better security, flexibility, and maintainability for your containerized applications.