Fatskills
Practice. Master. Repeat.
Study Guide: TECH **Docker & Kubernetes: ConfigMaps & Secrets (envFrom, Volume Mounts) – Zero-Fluff Study Guide**
Source: https://www.fatskills.com/kubernetes/chapter/tech-docker-kubernetes-configmaps-secrets-envfrom-volume-mounts-zero-fluff-study-guide

TECH **Docker & Kubernetes: ConfigMaps & Secrets (envFrom, Volume Mounts) – Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

Docker & Kubernetes: ConfigMaps & Secrets (envFrom, Volume Mounts) – Zero-Fluff Study Guide


1. What This Is & Why It Matters

You’re deploying a microservice in Kubernetes, and your app needs: - A database URL (DB_HOST=postgres.example.com) - An API key (API_KEY=abc123) - A config file (logging.yaml)

Hardcoding these in your Docker image? Bad idea.
- Every change means rebuilding and redeploying.
- Secrets leak into version control.
- Different environments (dev/staging/prod) require different values.

ConfigMaps and Secrets solve this.
- ConfigMaps store non-sensitive configuration (e.g., URLs, feature flags).
- Secrets store sensitive data (e.g., passwords, API keys) in a base64-encoded format (not encrypted by default—more on this later).
- You inject them into containers as environment variables (envFrom) or as files in a volume mount.

Why this matters in production:
- Security: Avoid hardcoding secrets in images or Git.
- Flexibility: Change configs without rebuilding images.
- Separation of concerns: Devs write code; Ops manage configs.
- Compliance: Many security standards (SOC2, HIPAA) require secrets management.

Real-world scenario:
You inherit a legacy app where database credentials are hardcoded in config.py. Your task: 1. Extract configs into ConfigMaps/Secrets.
2. Deploy to Kubernetes without downtime.
3. Rotate the DB password without redeploying the app.


2. Core Concepts & Components


ConfigMap

  • Definition: A Kubernetes object that stores non-sensitive configuration data as key-value pairs.
  • Production insight: If you don’t use ConfigMaps, you’ll end up rebuilding images for every config change (slow, error-prone).

Secret

  • Definition: A Kubernetes object that stores sensitive data (e.g., passwords, tokens) in base64-encoded format.
  • Production insight: Secrets are not encrypted by default—enable encryption at rest or use external tools (AWS Secrets Manager, HashiCorp Vault).

envFrom

  • Definition: Injects all key-value pairs from a ConfigMap or Secret into a container’s environment variables.
  • Production insight: Use envFrom for bulk injection (e.g., all app configs at once). Use env for selective injection.

Volume Mounts

  • Definition: Mounts a ConfigMap or Secret as files in a container’s filesystem.
  • Production insight: Useful for apps that read configs from files (e.g., nginx.conf, application.properties).

Immutable ConfigMaps/Secrets

  • Definition: Prevents updates to ConfigMaps/Secrets after creation (Kubernetes 1.19+).
  • Production insight: Enables better security and auditability (changes require a new object).

SubPath

  • Definition: Mounts a single file from a ConfigMap/Secret into a container (instead of the whole directory).
  • Production insight: Useful when you only need one file (e.g., config.json) and don’t want to overwrite other files in the mount path.

Default Mode (Permissions)

  • Definition: Sets file permissions for mounted ConfigMaps/Secrets (default: 0644).
  • Production insight: If your app runs as a non-root user, you may need to adjust permissions (e.g., 0640).

Kubernetes API vs. kubectl

  • Definition: ConfigMaps/Secrets can be created via YAML manifests (kubectl apply -f) or imperatively (kubectl create configmap).
  • Production insight: Use YAML for GitOps (declarative) and imperative commands for quick testing.


3. Step-by-Step Hands-On


Prerequisites

  • A running Kubernetes cluster (Minikube, Kind, or cloud-based).
  • kubectl installed and configured.
  • A simple app (we’ll use an Nginx container for demo purposes).


Task: Deploy an Nginx Pod with ConfigMaps & Secrets

We’ll: 1. Create a ConfigMap for Nginx configs.
2. Create a Secret for a TLS certificate.
3. Deploy an Nginx Pod that uses both.


Step 1: Create a ConfigMap

Option A: From literal values


kubectl create configmap nginx-config \
  --from-literal=server_name=myapp.example.com \
  --from-literal=log_level=debug

Option B: From a file
Create nginx.conf:


server {
listen 80;
server_name myapp.example.com;
location / {
return 200 "Hello from ConfigMap!";
} }

Then:


kubectl create configmap nginx-config --from-file=nginx.conf

Verify:


kubectl get configmap nginx-config -o yaml


Step 2: Create a Secret

Option A: From literal values


kubectl create secret generic tls-secret \
  --from-literal=tls.crt="$(cat cert.pem)" \
  --from-literal=tls.key="$(cat key.pem)"

Option B: From files


kubectl create secret tls tls-secret \
  --cert=cert.pem \
  --key=key.pem

Verify:


kubectl get secret tls-secret -o yaml

⚠️ Note: Secrets are base64-encoded, not encrypted. To decode:


kubectl get secret tls-secret -o jsonpath='{.data.tls\.crt}' | base64 --decode


Step 3: Deploy Nginx with ConfigMap & Secret

Create nginx-pod.yaml:


apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
image: nginx:alpine
envFrom:
- configMapRef:
name: nginx-config # Inject all ConfigMap keys as env vars
volumeMounts:
- name: nginx-config-volume
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf # Mount only this file (not the whole dir)
- name: tls-secret-volume
mountPath: /etc/nginx/tls
readOnly: true volumes: - name: nginx-config-volume
configMap:
name: nginx-config - name: tls-secret-volume
secret:
secretName: tls-secret

Apply:


kubectl apply -f nginx-pod.yaml

Verify:


kubectl exec -it nginx -- env | grep server_name  # Check env vars
kubectl exec -it nginx -- cat /etc/nginx/nginx.conf  # Check mounted file
kubectl exec -it nginx -- ls /etc/nginx/tls  # Check mounted secret


Step 4: Update ConfigMap/Secret Without Restarting Pod

Problem: You need to change log_level from debug to info without redeploying.

Solution:
1. Update the ConfigMap:
bash
kubectl create configmap nginx-config \
--from-literal=server_name=myapp.example.com \
--from-literal=log_level=info \
--dry-run=client -o yaml | kubectl apply -f -
2. For environment variables (envFrom):
- Pods do not auto-update. You must restart them:
bash
kubectl rollout restart deployment/nginx
3. For volume mounts:
- Kubernetes does auto-update mounted files (after ~1 min).
- Verify:
bash
kubectl exec -it nginx -- cat /etc/nginx/nginx.conf


4. ? Production-Ready Best Practices


Security

  • Never commit Secrets to Git. Use .gitignore and external secret managers (AWS Secrets Manager, HashiCorp Vault).
  • Enable encryption at rest for Secrets: ```yaml apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources:
    • resources:
      • secrets providers:
      • aescbc:
        keys:
        • name: key1
          secret: ```
  • Use RBAC to restrict access to Secrets: ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role rules:
  • apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"] ```
  • Rotate Secrets regularly. Use tools like kubectl create secret --dry-run=client -o yaml | kubectl apply -f - to update without downtime.

Cost Optimization

  • Avoid large ConfigMaps/Secrets. Kubernetes etcd has a 1MB limit per object.
  • Use external secret managers (AWS Secrets Manager, Azure Key Vault) for large secrets.

Reliability & Maintainability

  • Use immutable ConfigMaps/Secrets to prevent accidental updates: yaml apiVersion: v1 kind: ConfigMap metadata:
    name: nginx-config data:
    nginx.conf: |
    server { ... } immutable: true
  • Adopt GitOps. Store ConfigMap/Secret manifests in Git (but never Secrets in plaintext—use Sealed Secrets or SOPS).
  • Use descriptive names. Prefix with the app name (e.g., myapp-nginx-config).

Observability

  • Monitor ConfigMap/Secret usage. Use tools like Prometheus to alert on:
  • Secrets not mounted by any Pod.
  • ConfigMaps with no references.
  • Log changes. Enable Kubernetes audit logs to track who modified ConfigMaps/Secrets.


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Hardcoding secrets in Dockerfiles Secrets leak into image layers (visible in docker history). Use multi-stage builds and .dockerignore.
Using env instead of envFrom for bulk injection Manual key mapping (error-prone). Use envFrom for ConfigMaps/Secrets with many keys.
Forgetting to base64-decode Secrets App fails to read Secrets (e.g., API_KEY=YWJjMTIz instead of abc123). Decode in your app or use stringData in YAML.
Mounting Secrets as environment variables Secrets appear in kubectl describe pod and logs. Use volume mounts for sensitive data.
Not setting readOnly: true for Secret volumes App accidentally modifies Secrets. Always set readOnly: true for Secret volumes.
Assuming Secrets are encrypted Secrets are stored in etcd as base64 (not encrypted). Enable encryption at rest or use external secret managers.


6. ? Exam/Certification Focus


Typical Question Patterns

  1. Scenario: "You need to inject a database password into a Pod. What’s the most secure way?"
  2. Trap: Choosing env over volume mounts (env vars can leak in logs).
  3. Answer: Use a Secret mounted as a volume with readOnly: true.

  4. Scenario: "A Pod fails to start after updating a ConfigMap. Why?"

  5. Trap: Assuming envFrom auto-updates (it doesn’t).
  6. Answer: Pods must be restarted to pick up new env vars.

  7. Scenario: "How do you prevent a ConfigMap from being updated?"

  8. Answer: Set immutable: true.

  9. Scenario: "You need to mount a single file from a ConfigMap. How?"

  10. Answer: Use subPath.

Key Distinctions

Concept ConfigMap Secret
Purpose Non-sensitive configs Sensitive data
Encoding Plaintext Base64
Size Limit 1MB 1MB
Encryption No No (unless enabled)
Use Case nginx.conf, feature flags DB passwords, TLS certs

Common Tricks

  • stringData vs data in Secrets:
  • data: Requires base64-encoded values.
  • stringData: Plaintext (Kubernetes auto-encodes).
  • kubectl create secret generic vs tls:
  • generic: For arbitrary key-value pairs.
  • tls: For TLS certs (expects tls.crt and tls.key).


7. ? Hands-On Challenge

Challenge:
Deploy a Pod that: 1. Uses a ConfigMap to set APP_COLOR=blue.
2. Uses a Secret to set API_KEY=supersecret.
3. Mounts both as environment variables.
4. Runs a simple busybox container that prints both values.

Solution:


apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_COLOR: blue
---
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
stringData:
  API_KEY: supersecret
---
apiVersion: v1
kind: Pod
metadata:
  name: challenge-pod
spec:
  containers:
  - name: busybox
image: busybox
command: ["sh", "-c", "echo APP_COLOR=$APP_COLOR && echo API_KEY=$API_KEY && sleep 3600"]
envFrom:
- configMapRef:
name: app-config
- secretRef:
name: app-secret

Why it works:
- envFrom injects all keys from ConfigMap/Secret as env vars.
- stringData lets you write plaintext Secrets (Kubernetes auto-encodes).


8. ? Rapid-Reference Crib Sheet


ConfigMap Commands

kubectl create configmap <name> --from-literal=key=value
kubectl create configmap <name> --from-file=config.conf
kubectl get configmap <name> -o yaml
kubectl edit configmap <name>  # Live edit (not recommended for prod)

Secret Commands

kubectl create secret generic <name> --from-literal=key=value
kubectl create secret tls <name> --cert=cert.pem --key=key.pem
kubectl get secret <name> -o jsonpath='{.data.key}' | base64 --decode
echo -n "value" | base64  # Encode for `data` field

Pod Injection

envFrom:
- configMapRef:
name: my-config - secretRef:
name: my-secret volumes: - name: config-volume configMap:
name: my-config - name: secret-volume secret:
secretName: my-secret volumeMounts: - name: config-volume mountPath: /etc/config subPath: config.conf # Mount single file readOnly: true

Key Defaults

  • ⚠️ Secrets are base64-encoded, not encrypted.
  • ⚠️ ConfigMaps/Secrets are namespace-scoped.
  • ⚠️ Volume mounts overwrite existing files in the container.
  • ⚠️ envFrom does not auto-update—Pods must restart.


9. ? Where to Go Next

  1. Kubernetes ConfigMaps Docs
  2. Kubernetes Secrets Docs
  3. Sealed Secrets (GitOps for Secrets)
  4. HashiCorp Vault + Kubernetes
  5. AWS Secrets Manager + EKS


ADVERTISEMENT