By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
You’re deploying a microservice in Kubernetes, and your app needs: - A database URL (DB_HOST=postgres.example.com) - An API key (API_KEY=abc123) - A config file (logging.yaml)
DB_HOST=postgres.example.com
API_KEY=abc123
logging.yaml
Hardcoding these in your Docker image? Bad idea.- Every change means rebuilding and redeploying.- Secrets leak into version control.- Different environments (dev/staging/prod) require different values.
ConfigMaps and Secrets solve this.- ConfigMaps store non-sensitive configuration (e.g., URLs, feature flags).- Secrets store sensitive data (e.g., passwords, API keys) in a base64-encoded format (not encrypted by default—more on this later).- You inject them into containers as environment variables (envFrom) or as files in a volume mount.
envFrom
Why this matters in production:- Security: Avoid hardcoding secrets in images or Git.- Flexibility: Change configs without rebuilding images.- Separation of concerns: Devs write code; Ops manage configs.- Compliance: Many security standards (SOC2, HIPAA) require secrets management.
Real-world scenario:You inherit a legacy app where database credentials are hardcoded in config.py. Your task: 1. Extract configs into ConfigMaps/Secrets.2. Deploy to Kubernetes without downtime.3. Rotate the DB password without redeploying the app.
config.py
env
nginx.conf
application.properties
config.json
0644
0640
kubectl apply -f
kubectl create configmap
kubectl
We’ll: 1. Create a ConfigMap for Nginx configs.2. Create a Secret for a TLS certificate.3. Deploy an Nginx Pod that uses both.
Option A: From literal values
kubectl create configmap nginx-config \ --from-literal=server_name=myapp.example.com \ --from-literal=log_level=debug
Option B: From a fileCreate nginx.conf:
server { listen 80; server_name myapp.example.com; location / { return 200 "Hello from ConfigMap!"; } }
Then:
kubectl create configmap nginx-config --from-file=nginx.conf
Verify:
kubectl get configmap nginx-config -o yaml
kubectl create secret generic tls-secret \ --from-literal=tls.crt="$(cat cert.pem)" \ --from-literal=tls.key="$(cat key.pem)"
Option B: From files
kubectl create secret tls tls-secret \ --cert=cert.pem \ --key=key.pem
kubectl get secret tls-secret -o yaml
⚠️ Note: Secrets are base64-encoded, not encrypted. To decode:
kubectl get secret tls-secret -o jsonpath='{.data.tls\.crt}' | base64 --decode
Create nginx-pod.yaml:
nginx-pod.yaml
apiVersion: v1 kind: Pod metadata: name: nginx spec: containers: - name: nginx image: nginx:alpine envFrom: - configMapRef: name: nginx-config # Inject all ConfigMap keys as env vars volumeMounts: - name: nginx-config-volume mountPath: /etc/nginx/nginx.conf subPath: nginx.conf # Mount only this file (not the whole dir) - name: tls-secret-volume mountPath: /etc/nginx/tls readOnly: true volumes: - name: nginx-config-volume configMap: name: nginx-config - name: tls-secret-volume secret: secretName: tls-secret
Apply:
kubectl apply -f nginx-pod.yaml
kubectl exec -it nginx -- env | grep server_name # Check env vars kubectl exec -it nginx -- cat /etc/nginx/nginx.conf # Check mounted file kubectl exec -it nginx -- ls /etc/nginx/tls # Check mounted secret
Problem: You need to change log_level from debug to info without redeploying.
log_level
debug
info
Solution:1. Update the ConfigMap: bash kubectl create configmap nginx-config \ --from-literal=server_name=myapp.example.com \ --from-literal=log_level=info \ --dry-run=client -o yaml | kubectl apply -f - 2. For environment variables (envFrom): - Pods do not auto-update. You must restart them: bash kubectl rollout restart deployment/nginx 3. For volume mounts: - Kubernetes does auto-update mounted files (after ~1 min). - Verify: bash kubectl exec -it nginx -- cat /etc/nginx/nginx.conf
bash kubectl create configmap nginx-config \ --from-literal=server_name=myapp.example.com \ --from-literal=log_level=info \ --dry-run=client -o yaml | kubectl apply -f -
bash kubectl rollout restart deployment/nginx
bash kubectl exec -it nginx -- cat /etc/nginx/nginx.conf
.gitignore
kubectl create secret --dry-run=client -o yaml | kubectl apply -f -
yaml apiVersion: v1 kind: ConfigMap metadata: name: nginx-config data: nginx.conf: | server { ... } immutable: true
myapp-nginx-config
docker history
.dockerignore
API_KEY=YWJjMTIz
abc123
stringData
kubectl describe pod
readOnly: true
Answer: Use a Secret mounted as a volume with readOnly: true.
Scenario: "A Pod fails to start after updating a ConfigMap. Why?"
Answer: Pods must be restarted to pick up new env vars.
Scenario: "How do you prevent a ConfigMap from being updated?"
Answer: Set immutable: true.
immutable: true
Scenario: "You need to mount a single file from a ConfigMap. How?"
subPath
data
kubectl create secret generic
tls
generic
tls.crt
tls.key
Challenge:Deploy a Pod that: 1. Uses a ConfigMap to set APP_COLOR=blue.2. Uses a Secret to set API_KEY=supersecret.3. Mounts both as environment variables.4. Runs a simple busybox container that prints both values.
APP_COLOR=blue
API_KEY=supersecret
busybox
Solution:
apiVersion: v1 kind: ConfigMap metadata: name: app-config data: APP_COLOR: blue --- apiVersion: v1 kind: Secret metadata: name: app-secret stringData: API_KEY: supersecret --- apiVersion: v1 kind: Pod metadata: name: challenge-pod spec: containers: - name: busybox image: busybox command: ["sh", "-c", "echo APP_COLOR=$APP_COLOR && echo API_KEY=$API_KEY && sleep 3600"] envFrom: - configMapRef: name: app-config - secretRef: name: app-secret
Why it works:- envFrom injects all keys from ConfigMap/Secret as env vars.- stringData lets you write plaintext Secrets (Kubernetes auto-encodes).
kubectl create configmap <name> --from-literal=key=value kubectl create configmap <name> --from-file=config.conf kubectl get configmap <name> -o yaml kubectl edit configmap <name> # Live edit (not recommended for prod)
kubectl create secret generic <name> --from-literal=key=value kubectl create secret tls <name> --cert=cert.pem --key=key.pem kubectl get secret <name> -o jsonpath='{.data.key}' | base64 --decode echo -n "value" | base64 # Encode for `data` field
envFrom: - configMapRef: name: my-config - secretRef: name: my-secret volumes: - name: config-volume configMap: name: my-config - name: secret-volume secret: secretName: my-secret volumeMounts: - name: config-volume mountPath: /etc/config subPath: config.conf # Mount single file readOnly: true
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.