Table of contents
Introduction
In the intricate landscape of Kubernetes, efficient configuration management is a key to success. ConfigMaps and Secrets are powerful tools that play a pivotal role in storing and managing configuration data, whether non-sensitive or confidential. This guide will not only walk you through the fundamentals but also equip you with practical knowledge to implement these essential Kubernetes resources effectively.
What are ConfigMaps in K8s?
A ConfigMap is an API object utilized to store non-sensitive data in key-value pairs. It serves as a means to maintain configuration data that can be readily accessed by pods or other Kubernetes resources.
Typically, ConfigMaps are employed for storing non-confidential configuration details like environment variables, command-line arguments, or configuration files. This data can be made available to pods either as environment variables or mounted as files.
It is worth noting that a ConfigMap is not intended to hold large volumes of data; the stored information within a ConfigMap cannot exceed 1 MiB.
ConfigMaps offer four distinct methods for configuring a container within a Pod:
Inside a container command and args: This method involves directly referencing ConfigMap values within the command or arguments of a container.
Environment variables for a container: ConfigMap values can be set as environment variables for a container, allowing them to be accessed within the application.
Add a file in a read-only volume, for the application to read: ConfigMap values can be mounted as files in a Pod's filesystem, enabling the application to read them.
Write code to run inside the Pod that uses the Kubernetes API to read a ConfigMap: This method involves writing code within the Pod that interacts with the Kubernetes API to retrieve values from a ConfigMap.
For additional information, please refer to the documentation here.
What are Secrets in k8s?
Secrets in Kubernetes, serve as a secure means to store and manage sensitive information like passwords, tokens, or keys. They are specialized objects designed for safeguarding confidential data within a cluster.
Secrets enable you to securely pass this sensitive information to your applications without embedding them directly in your code or configuration files. They are crucial for maintaining the security of your applications in a Kubernetes environment.
There are several ways for a Pod to utilize a Secret:
As environment variables: Secrets can be exposed as environment variables within a Pod, allowing applications to access sensitive information.
As files in a volume: Secrets can be mounted as files in a Pod's filesystem, providing a secure way for applications to read confidential data.
As an image pull secret: This type of secret allows Pods to pull private container images from container registries securely.
As a service account token: Secrets can be automatically created for each service account in a namespace, providing a secure way for Pods to authenticate with the Kubernetes API.
For additional information, please refer to the documentation here.
Difference Between ConfigMaps and Secrets in Kubernetes
| Criteria | ConfigMaps | Secrets |
| Data Sensitivity | Non-sensitive configuration data | Sensitive information |
| Data Types | Text files, key-value pairs, environment vars | Text files, key-value pairs, base64-encoded |
| Data Visibility | Data is visible in plain text format | Data is encrypted and stored securely |
| Use Cases | Configuration files, environment variables | Passwords, API keys, TLS certificates, secrets |
| Security | No encryption, data is plain text | Data is encrypted and stored securely |
| Accessing Data | Accessed as environment variables, or files | Accessed as environment variables, or files |
| Update Dynamics | Requires pod restarts for changes to take effect | Dynamically updated without pod restarts |
| Namespaces | Can be shared across namespaces | Limited to a single namespace |
| Kubernetes Objects | Represented as ConfigMap objects | Represented as Secret objects |
| Creation | Data is provided directly in YAML or from files | Data is provided directly in YAML or from files |
| Access Control | No built-in access control mechanisms | Can be granted specific access controls |
| Use in Pods | Can be used in any pod | Primarily used by pods for sensitive data |
| Volume Mounts | Can be mounted as volumes in pods | Can be mounted as volumes in pods |
| Data Size | Can store larger amounts of data | Size limitations based on backend storage |
| Backup and Restore | Easily backed up and restored | Requires additional security measures for backup and restoration |
| Purpose | Store non-sensitive configuration data | Store sensitive information |
This detailed table provides a comprehensive overview of the differences between ConfigMaps and Secrets in Kubernetes, along with their specific characteristics and use cases.
Choosing Between ConfigMaps and Secrets in Kubernetes
| Criteria | When to Use ConfigMaps | When to Use Secrets |
| Sensitivity | Non-sensitive data | Sensitive data |
| Confidentiality | Information not requiring encryption | Confidential information requiring encryption |
| Data Size Limit | < 1 MiB | < 1 MiB |
| Example Use Cases | Configuration files, environment variables | Passwords, API keys, tokens, TLS certificates |
| Encryption | Data is not encrypted | Data is encrypted at rest |
| Access Control | No special handling for access control | Restricted access, only accessible by pods |
Tasks:
Task 1: Configuring a ConfigMap for Deployment
We use ConfigMap and Secret in Kubernetes to store configuration data and sensitive information like MySQL credentials securely.
Create a ConfigMap for your Deployment using a file or the command line
apiVersion: v1 kind: ConfigMap metadata: name: mysql-config namespace: mysql labels: app: mysql data: MYSQL_DATABASE: "cooldb"type: Opaquein a Kubernetes Secret signifies that the secret contains arbitrary, unstructured data without any specific interpretation by Kubernetes.Update the deployment.yml file to include the ConfigMap
apiVersion: apps/v1 kind: Deployment metadata: name: mysql-deployment namespace: mysql labels: app: mysql spec: replicas: 1 selector: matchLabels: app: mysql template: metadata: labels: app: mysql spec: containers: - name: mysql image: mysql:8 ports: - containerPort: 3306 env: - name: MYSQL_DATABASE valueFrom: configMapKeyRef: name: mysql-config key: MYSQL_DATABASEApply the updated deployment using the command:
kubectl apply -f deployment.yml -n <namespace-name>kubectl apply -f deployment.yaml
Verify that the ConfigMap has been created by checking the status of the ConfigMaps in your Namespace.
kubectl get configmap -n mysql
Task 2: Creating and Using a Secret in Your Deployment
Before jumping into creating Secrets
Password Encryption: Begin by ensuring the security of sensitive information. For instance, let's take the password
test@123as an example.Base64 Encoding: Utilize the
base64encoding method to encrypt the data, enhancing its protection.Terminal Command: Execute the following command in your terminal to perform the encryption:
echo -n 'test@123' | base64.echo -n 'test@123' | base64 # The -n option ensures that no trailing newline character is added to the string before encoding.Create a Secret for your Deployment using a file or the command line
apiVersion: v1 kind: Secret metadata: name: mysql-secret namespace: mysql labels: app: mysql type: Opaque data: MYSQL_PASSWORD: dGVzdEAxMjM=
Update the deployment.yml file to include the Secret
apiVersion: apps/v1 kind: Deployment metadata: name: mysql-deployment namespace: mysql labels: app: mysql spec: replicas: 1 selector: matchLabels: app: mysql template: metadata: labels: app: mysql spec: containers: - name: mysql image: mysql:8 ports: - containerPort: 3306 env: - name: MYSQL_DATABASE valueFrom: configMapKeyRef: name: mysql-config key: MYSQL_DATABASE - name: MYSWL_ROOT_PASSWORD valueFrom: secretKeyRef: name: mysql-secret key: MYSQL_ROOT_PASSWORDApply the updated deployment using the command:
kubectl apply -f deployment.yml -n <namespace-name>kubectl apply -f deployment.yaml
Verify that the Secret has been created by checking the status of the Secrets in your Namespace.
kubectl get secrets -n <namespace>
Conclusion
Congratulations on mastering ConfigMaps and Secrets in Kubernetes! You're now equipped to manage configuration settings and secure sensitive information effectively in your deployments. Use these tools to fine-tune your applications, making sure they perform smoothly in ever-changing environments.
To learn more about creating Kubernetes Secrets using kubectl and other methods go through this LINK
Thank you for diving into this blog with me! I trust you found the information both helpful and enlightening. To stay updated on the latest in DevOps ๐, make sure to follow me. Remember, staying informed means staying ahead in the dynamic world of DevOps!
Feel free to connect with me on LinkedIn for more updates and discussions on DevOps and Kubernetes! ๐
Happy Learning! Keep pushing those boundaries! ๐
