Using ConfigMaps and Secrets to Store Sensitive Information in Kubernetes

In any application or system, it is crucial to store sensitive information, such as passwords, API keys, and certificates, in a secure and reliable manner. Kubernetes provides two resources, ConfigMaps and Secrets, which allow you to manage and securely store sensitive information within your cluster.


A ConfigMap is an API object used to store non-sensitive configuration data as key-value pairs. These pairs can be used by containers running in a Kubernetes cluster. While ConfigMaps are not designed to store sensitive information, they are useful for managing environment-specific settings, command-line arguments, or configuration files.

To create a ConfigMap, you can use either the kubectl create configmap command or define a manifest file in YAML format. Here's an example of a ConfigMap manifest:

apiVersion: v1
kind: ConfigMap
  name: my-config-map
  app_config.ini: |
    database_url = my-database-url
    api_key = my-api-key

In this example, we create a ConfigMap named my-config-map, which contains a file named app_config.ini. The file content includes key-value pairs defining the database URL and API key.

To consume the ConfigMap within a Pod, you can mount it as a volume or pass individual values as environment variables. This allows you to access the configuration data from within your application code.

However, it's important to note that ConfigMaps are stored in plain text and considered non-sensitive. Therefore, they should not be used to hold any sensitive information like passwords or access tokens.


A Secret is an API object used to safely store sensitive data, such as database passwords, API access tokens, or SSH keys, as key-value pairs. Kubernetes automatically ensures that secrets are encrypted at rest and provides a secure way to handle these sensitive values.

Similar to ConfigMaps, you can create a Secret using either the kubectl create secret command or by defining a manifest file. Here's an example of a Secret manifest:

apiVersion: v1
kind: Secret
  name: my-secret
type: Opaque
  password: bXlzcGFzc3dvcmQ= # base64 encoded "myspassword"

In this example, we create a Secret named my-secret with a key-value pair containing a base64-encoded password.

To use the Secret within a Pod, you can mount it as a volume or pass individual values as environment variables. Kubernetes automatically decodes base64-encoded values before exposing them to containers.

For extra security, Secrets are stored in memory and only exposed to the respective Pods. They are also automatically synced across all nodes in the cluster.

Best Practices

When using ConfigMaps and Secrets to store sensitive information, it's essential to follow some best practices:

  1. Encrypt sensitive data: Even though Kubernetes encrypts Secrets at rest, it's advisable to encrypt sensitive data before storing them using tools like HashiCorp Vault or AWS KMS.

  2. Limit access: Ensure that only authorized users or applications have permissions to create or access the ConfigMaps and Secrets. Implement RBAC (Role-Based Access Control) to restrict access to sensitive information.

  3. Avoid hardcoding: While it might be tempting to directly reference secrets in your application code, it's best to use environment variables to access the sensitive data. This approach decouples the configuration from the application code and makes it easier to manage and rotate secrets when necessary.

  4. Rotate secrets regularly: To enhance security, regularly change passwords, API keys, or any credentials stored in Secrets. This ensures that compromised or leaked secrets have a limited lifespan.

By leveraging ConfigMaps and Secrets, you can effectively store and securely manage sensitive data within your Kubernetes cluster. Following best practices ensures that you maintain a robust and secure environment for your applications and services.

noob to master © copyleft