ConfigMaps and Kubernetes Secrets: Configuration Best Practices

TL;DR: ConfigMaps store non-sensitive configuration data; Secrets protect critical information. Structured ConfigMaps and Secrets Kubernetes training helps you avoid costly errors: improperly injected environment variables, credentials exposed in logs, and unnecessary pod restarts. Master the 10 best practices below to secure and simplify your deployments.

This topic is at the heart of the LFD459 Kubernetes for Application Developers training.

Why is Kubernetes Configuration Management Critical in Production?

With 82% of container users running Kubernetes in production, Kubernetes configuration management becomes a major challenge. IT teams spend an average of 34 working days per year resolving Kubernetes problems. A significant portion of these incidents stems from poor ConfigMaps and Secrets practices.

Remember: A misconfigured Secret can expose credentials in production. A poorly structured ConfigMap can cause cascading restarts. Invest in best practices from the start.

Practice 1: How to Separate ConfigMaps and Secrets by Sensitivity Level?

Why: ConfigMaps are not encrypted in etcd by default. Secrets benefit from base64 encoding and can be encrypted at rest with etcd encryption.

How: Classify your data into three categories:

• Public: API URLs, service names, feature flags → ConfigMap
• Sensitive: Passwords, API tokens, TLS certificates → Secret
• Critical: Encryption keys, banking credentials → Secret + external secrets manager

# ConfigMap for non-sensitive data
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config
data:
LOG_LEVEL: "info"
API_ENDPOINT: "https://api.example.com"
---
# Secret for credentials
apiVersion: v1
kind: Secret
metadata:
name: app-secrets
type: Opaque
stringData:
DATABASE_PASSWORD: "your-secure-password"

This separation is fundamental for any Backend Kubernetes developer working on cloud-native applications.

Practice 2: How to Use Volume Mounts Rather Than Environment Variables?

Why: Environment variables are visible via kubectl describe pod and can appear in crash logs. File mounts limit exposure.

How: Prefer volumes for sensitive Secrets. Reserve environment variables for simple, non-critical configurations.

apiVersion: v1
kind: Pod
metadata:
name: secure-app
spec:
containers:
- name: app
image: myapp:1.0
volumeMounts:
- name: secrets-volume
mountPath: "/etc/secrets"
readOnly: true
volumes:
- name: secrets-volume
secret:
secretName: app-secrets
defaultMode: 0400  # Read-only for owner

The application then reads /etc/secrets/DATABASE_PASSWORD as a file. This approach is recommended in CKAD certification training.

Practice 3: How to Enable etcd Encryption for Kubernetes Secrets Security?

Why: By default, Secrets are stored in base64 in etcd. This is not encryption. Anyone with etcd access can read them.

How: Enable encryption at rest in the kube-apiserver configuration.

# /etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: <base64-encoded-32-byte-key>
- identity: {}

Add the flag to kube-apiserver:

--encryption-provider-config=/etc/kubernetes/encryption-config.yaml

This configuration is part of the skills evaluated in the LFS458 Kubernetes Administration training.

Remember: etcd encryption protects against unauthorized access to cluster backups and snapshots.

Practice 4: How to Implement ConfigMaps and Secrets Immutability?

Why: Since Kubernetes 1.21, immutable ConfigMaps and Secrets reduce API server load and prevent accidental modifications.

How: Add immutable: true and use a versioning pattern for updates.

apiVersion: v1
kind: ConfigMap
metadata:
name: app-config-v2
labels:
app: myapp
version: "2"
immutable: true
data:
LOG_LEVEL: "debug"
FEATURE_X_ENABLED: "true"

To update, create a new version and modify the reference in the Deployment. This approach integrates well with Helm or Kustomize.

Practice 5: How to Use External Secrets Operators for Multi-Cloud Environments?

Why: 70% of organizations use Kubernetes in cloud environments. External secrets managers (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) offer automatic rotation, audit, and compliance.

How: Deploy the External Secrets Operator and synchronize your secrets from the external provider.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: aws-secrets-manager
target:
name: db-secret
data:
- secretKey: password
remoteRef:
key: prod/database
property: password

This advanced practice is detailed in Kubernetes cluster administration paths.

Practice 6: How to Structure ConfigMaps by Environment?

Why: Mixing dev, staging, and prod configurations in the same file causes deployment errors.

How: Use dedicated namespaces and clear naming conventions.

# Recommended structure
├── base/
│   └── configmap.yaml
├── overlays/
│   ├── dev/
│   │   └── configmap-patch.yaml
│   ├── staging/
│   │   └── configmap-patch.yaml
│   └── prod/
│       └── configmap-patch.yaml

With Kustomize:

# overlays/prod/configmap-patch.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config
data:
LOG_LEVEL: "warn"
REPLICAS: "5"

This approach helps avoid common deployment errors related to configurations.

Practice 7: How to Limit Secret Access with RBAC?

Why: By default, a ServiceAccount can list all Secrets in the namespace. This is a major risk if a pod is compromised.

How: Create granular Roles that limit access to only necessary Secrets.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: app-secret-reader
namespace: production
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["app-secrets", "db-credentials"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: app-secret-reader-binding
namespace: production
subjects:
- kind: ServiceAccount
name: app-service-account
namespace: production
roleRef:
kind: Role
name: app-secret-reader
apiGroup: rbac.authorization.k8s.io

Remember: Use resourceNames to limit access to specific Secrets rather than all Secrets in the namespace.

Practice 8: How to Automate Secrets Rotation?

Why: Static credentials represent a security risk. Regular rotation limits the impact of a leak.

How: Combine External Secrets Operator with your secrets manager for automatic rotation.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: rotating-api-key
spec:
refreshInterval: 15m  # Sync every 15 minutes
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
name: api-key-secret
template:
metadata:
annotations:
rotated-at: "{{ .RefreshTime }}"
data:
- secretKey: API_KEY
remoteRef:
key: secret/data/api-key

This skill is part of the LFD459 Kubernetes for Application Developers program.

Practice 9: How to Validate ConfigMaps Before Deployment?

Why: A syntax error in a ConfigMap can crash your application after deployment.

How: Integrate validation in your CI/CD pipeline with kubeval or kubeconform.

# Install kubeconform
brew install kubeconform

# Validate manifests
kubeconform -strict -summary manifests/

# Validation with custom schemas
kubeconform -schema-location default \
-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
manifests/

This preventive validation reduces incidents documented in the complete Kubernetes Training guide.

Practice 10: How to Monitor ConfigMap and Secret Changes?

Why: Untracked modifications are a major source of incidents. 71% of Fortune 100 companies run Kubernetes in production. Observability is critical.

How: Configure alerts on modification events.

# Example Prometheus rule to detect modifications
groups:
- name: kubernetes-secrets
rules:
- alert: SecretModified
expr: |
sum(changes(kube_secret_created[5m])) > 0
for: 1m
labels:
severity: warning
annotations:
summary: "Secret modified in cluster"
description: "A Secret was recently created or modified."

Combine with an audit tool like Falco for complete Kubernetes security.

Anti-Patterns to Absolutely Avoid

Comparison Table: ConfigMap vs Secret

Validate Your Skills with a Recognized Certification

These best practices form the foundation of skills evaluated during CKAD certification. L&D teams that structure their training budget around these certifications see a reduction in configuration incidents.

For HR directors integrating training into their talent strategy, Kubernetes certifications represent a competitive advantage in the market. The average salary of a Kubernetes developer reaches $152,640 per year globally.

Remember: Mastering ConfigMaps and Secrets distinguishes junior cloud-native developers from confirmed professionals. Invest in structured training.

Take Action: SFEIR Institute Training

Develop your ConfigMaps and Secrets Kubernetes expertise:

• LFD459 Kubernetes for Application Developers: 3 days to master Deployments, ConfigMaps, Secrets, and prepare for CKAD
• LFS458 Kubernetes Administration: 4 days to manage etcd encryption, RBAC, and cluster security
• Kubernetes Fundamentals: 1 day to discover essential concepts before moving to advanced practices

Contact our advisors to build your certification path.