
PersistentVolumes, ConfigMaps and Kubernetes Secrets

SFEIR Institute

Key Takeaways

  • ✓ PersistentVolumes ensure data persistence beyond the Pod lifecycle
  • ✓ ConfigMaps externalize configuration so it can be changed without a rebuild
  • ✓ Secrets hold sensitive data like passwords and API tokens (base64-encoded, not encrypted by default)

PersistentVolumes, ConfigMaps, and Secrets are three fundamental resources for managing storage and configuration in Kubernetes. As a beginner, understanding these concepts allows you to deploy applications that retain their data and use externalized configurations.

TL;DR: PersistentVolumes manage durable storage (data that survives Pod deletion), ConfigMaps store configuration (URLs, parameters), and Secrets protect sensitive data (passwords). This module is covered in the Kubernetes Fundamentals training.

PersistentVolumes: Storing Data Durably

The ephemeral data problem

By default, a container's data disappears when the Pod is deleted. This is problematic for a database or user files.

A PersistentVolume (PV) is a storage space provisioned in the cluster. A PersistentVolumeClaim (PVC) is a user's request to use that space.

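| Concept               | Analogy         | Role                                  |
|-----------------------|-----------------|---------------------------------------|
| PersistentVolume      | The hard drive  | Storage available in the cluster      |
| PersistentVolumeClaim | The reservation | Request for use by an application     |

Key takeaway: The PV is the disk, the PVC is the rental request.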

Create and use a PVC

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-storage
spec:
  accessModes:
    - ReadWriteOnce      # Only one node can write
  resources:
    requests:
      storage: 5Gi       # Requested size

Then mount this volume in your Pod:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - mountPath: /data    # Where to mount in the container
          name: my-volume
  volumes:
    - name: my-volume
      persistentVolumeClaim:
        claimName: my-storage

ConfigMaps: Externalizing Configuration

A ConfigMap stores key-value pairs to configure your applications without modifying the Docker image.

Create a ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DATABASE_HOST: "postgres.default.svc"
  LOG_LEVEL: "info"

Or via kubectl:

kubectl create configmap app-config --from-literal=LOG_LEVEL=info

Inject into a Pod

spec:
  containers:
    - name: app
      image: myapp:1.0
      env:
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL

Key takeaway: ConfigMaps allow you to change configuration without rebuilding the image.

Secrets: Protecting Sensitive Data

A Secret is similar to a ConfigMap but designed for sensitive data: passwords, API tokens, SSH keys.

Create a Secret

apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:
  username: admin
  password: "MySecretPassword123"

Or via kubectl:

kubectl create secret generic db-credentials \
  --from-literal=username=admin \
  --from-literal=password=MySecretPassword123

Inject into a Pod

spec:
  containers:
    - name: app
      image: myapp:1.0
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password

Key takeaway: Secrets are base64-encoded, not encrypted by default. It's a first layer of protection, not a complete security solution.

Summary: When to Use What?

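| Resource         | Use Case                    | Example                         |
|------------------|-----------------------------|---------------------------------|
| PersistentVolume | Data that must survive      | Database, uploaded files        |
| ConfigMap        | Non-sensitive configuration | URLs, log levels, feature flags |
| Secret           | Sensitive data              | Passwords, tokens, certificates |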
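
The following Python is an added example, not code from the original page or from SFEIR. It shows that the base64 `data` form stored for the db-credentials Secret can be reversed without any key, and it audits manifests for credentials kept in a ConfigMap or in a literal env value instead of a Secret. The manifests are constructed samples written as Python dicts, the `bad-app` Pod and the `DB_PASSWORD` ConfigMap key are hypothetical, and the key-name pattern is an assumed heuristic.

```python
import base64
import re

# Assumed heuristic for credential-like key names; tune it for your environment.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)

def stored_form(secret):
    """Return the Secret as the API server stores it: stringData folded into base64 data."""
    data = dict(secret.get("data", {}))
    for key, value in secret.get("stringData", {}).items():
        data[key] = base64.b64encode(value.encode()).decode()
    stored = {k: v for k, v in secret.items() if k != "stringData"}
    stored["data"] = data
    return stored

def recover_plaintext(secret):
    """Reverse the encoding. No key is needed, only read access to the object."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}

def audit(manifests):
    """Flag credentials kept outside Secrets: ConfigMap keys and literal env values."""
    findings = []
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name", "?")
        if kind == "ConfigMap":
            for key in m.get("data", {}):
                if SENSITIVE.search(key):
                    findings.append(f"ConfigMap/{name}: move key {key} to a Secret")
        elif kind == "Pod":
            for c in m.get("spec", {}).get("containers", []):
                for env in c.get("env", []):
                    if "value" in env and SENSITIVE.search(env.get("name", "")):
                        findings.append(f"Pod/{name}: env {env['name']} should use secretKeyRef")
    return findings

# Constructed sample manifests, modeled on the ones shown on this page.
SECRET = {"kind": "Secret", "metadata": {"name": "db-credentials"}, "type": "Opaque",
          "stringData": {"username": "admin", "password": "MySecretPassword123"}}
BAD_CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "app-config"},
                 "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "MySecretPassword123"}}
GOOD_POD = {"kind": "Pod", "metadata": {"name": "my-app"}, "spec": {"containers": [
    {"name": "app", "env": [{"name": "DB_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": "db-credentials", "key": "password"}}}]}]}}
BAD_POD = {"kind": "Pod", "metadata": {"name": "bad-app"}, "spec": {"containers": [
    {"name": "app", "env": [{"name": "DB_PASSWORD", "value": "MySecretPassword123"}]}]}}

if __name__ == "__main__":
    print(recover_plaintext(stored_form(SECRET)))
    print("\n".join(audit([SECRET, BAD_CONFIGMAP, GOOD_POD, BAD_POD])))
```
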

Essential kubectl Commands

# List PersistentVolumeClaims
kubectl get pvc

# Create a ConfigMap from a file
kubectl create configmap nginx-conf --from-file=nginx.conf

# View ConfigMap contents
kubectl describe configmap app-config

# Display a Secret (decoded)
kubectl get secret db-credentials -o jsonpath='{.data.password}' | base64 -d

Going Further

This page covers storage and configuration basics. For advanced concepts:

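| Concept                                 | Level | Training              |
|-----------------------------------------|-------|-----------------------|
| StorageClasses and dynamic provisioning | CKA   | LFS458 Administration |
| Secrets encryption at rest              | CKS   | LFS460 Security       |
| External secret managers (Vault)        | CKS   | LFS460 Security       |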

Take Action

The Kubernetes Fundamentals training includes a practical lab where you configure a Spring application with ConfigMaps, under the guidance of an expert trainer.

Contact our advisors to schedule your training.