Kubernetes provides many ways to configure pods and containers.
- Environment variables
- Config maps
- Secrets
- Security Context
- Resource requirements
- Service accounts
ConfigMaps
Kubernetes manages application configurations in the form of ConfigMaps. ConfigMaps store configuration data as key/value pairs and provide them to containers.
ConfigMaps can be accessed from a pod using:
- Environment variables (as key/value pairs)
- ConfigMap Volume (as files)
Creating ConfigMaps
- Creating a ConfigMap from literals:
kubectl create configmap <name> --from-literal=<key>=<value>
kubectl create configmap my-config-map \
  --from-literal=APP-TYPE=web \
  --from-literal=APP-MODE=dev
kubectl get cm
kubectl describe cm my-config-map
kubectl get cm my-config-map -o yaml > my-config-map.yaml
- Creating a ConfigMap using the definition file:
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config-map
data:
  key1: value1
  APP-TYPE: web
  APP-MODE: dev
- Creating a ConfigMap from a config file: this creates only one entry.
# key: file name, value: the list of key/value pairs
kubectl create cm my-config-map --from-file=my-config.config
# my-config.config
key1=value1
key2=value2
# matching yaml
data:
  my-config.config: |
    key1=value1
    key2=value2
- Creating a ConfigMap from a map file (an env file): each line becomes its own key/value pair.
# file name is not a key. key: key, value: value
kubectl create cm my-config-map --from-env-file=my-config.env
# my-config.env
key1=value1
key2=value2
# matching yaml
data:
  key1: value1
  key2: value2
- Checking ConfigMaps:
kubectl get cm
kubectl describe cm my-config-map
kubectl delete cm my-config-map
Secrets
It is not a good idea to save sensitive data (such as passwords) in ConfigMaps. Instead, you can use Secrets.
- Secrets are not encrypted. They are only encoded (base64).
- There are better options to save sensitive data such as Helm Secrets or HashiCorp Vault.
Creating Secrets declaratively
The value is encoded automatically.
kubectl create secret generic my-secret \
  --from-literal=pw=mypassword
kubectl get secret
kubectl describe secret my-secret
# with encoded values
kubectl get secret my-secret -o yaml > secret.yaml
Creating Secrets imperatively
You need to encode (base64) values manually.
# encode
echo -n 'root' | base64
# decode
echo -n 'cm9vdA==' | base64 -d
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  # every value under data: must be base64-encoded
  key1: dmFsdWUx  # base64 of "value1"
  user: cm9vdA==
  pw: bXlwYXNzd29yZA==
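Because base64 is an encoding and not encryption, anyone who can read a Secret manifest such as secret.yaml can recover its values without any key. The following Python check is an added example, not part of the original page: it runs over a constructed sample manifest, assumes a flat `data:` map like the one above, and `decode_secret_data` and `report` are hypothetical helper names.

```python
import base64
import binascii
import re

# Constructed sample in the shape of the page's Secret; key1 is not base64.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  user: cm9vdA==
  pw: bXlwYXNzd29yZA==
  key1: value1
"""

ENTRY = re.compile(r"^\s+([A-Za-z0-9._-]+):\s*(\S*)\s*$")


def decode_secret_data(text):
    """Map each key under `data:` to its plaintext, or None if not valid base64.
    Assumption: one manifest with a flat `data:` map, as in the sample; this
    is a line scanner for that shape, not a general YAML parser.
    """
    if not re.search(r"^kind:\s*Secret\s*$", text, re.MULTILINE):
        return {}
    decoded, in_data = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if not line[0].isspace():  # a top-level key opens or closes data:
            in_data = line.rstrip() == "data:"
            continue
        entry = ENTRY.match(line)
        if in_data and entry:
            key, value = entry.groups()
            try:
                raw = base64.b64decode(value, validate=True)
                decoded[key] = raw.decode("utf-8", "replace")
            except binascii.Error:
                decoded[key] = None
    return decoded


def report(text):
    """One line per key, giving lengths only so plaintext stays out of logs."""
    return [f"{key}: " + ("not valid base64" if plain is None
                          else f"decodes to {len(plain)} chars")
            for key, plain in decode_secret_data(text).items()]
```

Running `report()` over manifests before they are committed shows which files carry recoverable values, and which entries were never encoded at all.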
Using Environment Variables
You can set environment variables in 3 ways, and then access a value using $(ENV-NAME):
- Plain Key/Value
- ConfigMap
- Secret
First, you can simply use a plain key/value pair.
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(APP-TYPE)']
    env:
    - name: APP-TYPE
      value: prod
You can access the configuration values as environment variables using "configMapRef" and "configMapKeyRef".
- Configure all key-value pairs
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(APP-TYPE)']
    envFrom:
    - configMapRef:
        name: my-config-map
- Configure a single value:
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(APP-TYPE)']
    env:
    - name: APP-TYPE
      valueFrom:
        configMapKeyRef:
          name: my-config-map
          key: APP-TYPE
Finally, you can retrieve the value from a Secret.
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(APP-TYPE)']
    env:
    - name: APP-TYPE
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: APP-TYPE  # this key must exist in my-secret
Using Secrets
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(user)']
    envFrom:
    - secretRef:
        name: my-secret
spec:
  containers:
  - name: my-container
    image: busybox
    command: ['echo']
    args: ['$(user)']
    env:
    - name: user  # must match the name referenced in args
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: user
Mounting as a volume with ConfigMaps
- Each ConfigMap key becomes a file in the volume.
spec:
  containers:
  - name: my-container
    image: busybox
    # read the file created for the APP-TYPE key; no env variable is defined here
    command: ['cat']
    args: ['/etc/config/APP-TYPE']
    volumeMounts:
    - mountPath: /etc/config
      name: config-volume
  volumes:
  - name: config-volume
    configMap:
      name: my-config-map
  restartPolicy: Never
Mounting as a volume with Secrets
- Each Secret key becomes a file in the volume.
spec:
  containers:
  - name: my-container
    image: busybox
    # read the file created for the user key; no env variable is defined here
    command: ['cat']
    args: ['/etc/config/user']
    volumeMounts:
    - mountPath: /etc/config
      name: secret-volume
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
  restartPolicy: Never