Introduction
When working with Kubernetes, one of the most important practices is separating your application code from configuration data. In real-world projects, applications need different configurations depending on environments like development, testing, or production.
For example, your application may need:
Instead of hardcoding these values inside your application, Kubernetes provides two powerful tools:
In this article, we will understand how to use Kubernetes ConfigMap and Secret in a deployment step by step in simple words with practical examples.
What is a ConfigMap in Kubernetes?
A ConfigMap is used to store non-sensitive configuration data in key-value format.
Simple understanding
Think of ConfigMap as a settings file for your application.
Instead of writing configuration inside your code, you store it separately and Kubernetes injects it into your application when needed.
Example use cases
What is a Secret in Kubernetes?
A Secret is used to store sensitive data securely.
Simple understanding
Think of Secret as a locked version of ConfigMap.
It stores:
Kubernetes encodes this data (base64) and allows controlled access.
Key Difference Between ConfigMap and Secret
Both are used in a similar way inside deployments.
Step-by-Step: Using ConfigMap in Kubernetes Deployment
Let’s start with ConfigMap.
Step 1: Create a ConfigMap YAML File
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config
data:
APP_ENV: production
APP_DEBUG: "false"
API_URL: "https://api.example.com"
What this means
Step 2: Apply ConfigMap to Kubernetes
Run this command:
kubectl apply -f configmap.yaml
Now your ConfigMap is created inside the cluster.
Step 3: Use ConfigMap in Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
spec:
replicas: 1
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-container
image: nginx
envFrom:
- configMapRef:
name: app-config
What is happening here
Step-by-Step: Using Secret in Kubernetes Deployment
Now let’s handle sensitive data.
Step 4: Create Secret YAML File
Before creating a secret, values must be base64 encoded.
Example:
apiVersion: v1
kind: Secret
metadata:
name: app-secret
type: Opaque
data:
DB_USERNAME: YWRtaW4=
DB_PASSWORD: MTIzNDU=
Step 5: Apply Secret to Kubernetes
kubectl apply -f secret.yaml
Step 6: Use Secret in Deployment
envFrom:
- secretRef:
name: app-secret
Or use individually:
env:
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: app-secret
key: DB_USERNAME
Combined Example: ConfigMap + Secret in One Deployment
containers:
- name: my-container
image: nginx
envFrom:
- configMapRef:
name: app-config
- secretRef:
name: app-secret
Real-world scenario
Accessing Values Inside Application
Inside your application, you can read these as environment variables.
Example in Node.js:
process.env.APP_ENV
process.env.DB_USERNAME
Best Practices
Never store secrets in plain text in code
Use Secrets for passwords and tokens
Use ConfigMaps for general configuration
Keep configuration environment-specific
Advantages
Improves security
Keeps application flexible
Easy to update configs without changing code
Supports cloud-native best practices
Disadvantages
Secrets are only base64 encoded (not fully encrypted by default)
Requires proper access control
Slight learning curve for beginners
When to Use ConfigMap vs Secret
Use ConfigMap when:
Use Secret when:
Data is sensitive
Security is important
Summary
Kubernetes ConfigMap and Secret help you separate configuration from application code, making your deployments cleaner, more secure, and easier to manage. ConfigMap is ideal for storing non-sensitive settings, while Secret is used for sensitive information like passwords and API keys. By using both together in your deployments, you can build scalable, secure, and production-ready Kubernetes applications. Understanding how to use them step by step is essential for anyone working with modern DevOps and cloud-native systems.