K8S-Data: Config Management
Intro
In Kubernetes, managing application configuration is essential for building flexible and scalable deployments. Kubernetes provides ConfigMap, Secret, and Downward API to manage configuration data efficiently without modifying container images.
ConfigMap: Stores non-sensitive configuration data such as environment variables, command-line arguments, and config files. It allows applications to be reconfigured without needing redeployment.
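Secret: Similar to ConfigMap but designed for sensitive data like passwords, API keys, and tokens. Secret values are stored base64-encoded, which is an encoding rather than encryption, so their protection comes from restricting who can read the Secret through Kubernetes access control.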
Downward API: Allows Pods to access their own metadata (e.g., labels, annotations, resource limits) as environment variables or files inside the container. This helps applications dynamically adjust based on their runtime environment.
By leveraging these configuration management tools, Kubernetes enables decoupling application code from configuration, improving portability, security, and maintainability.
ConfigMap Demo
Define ConfigMap v1
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 80;
        location / {
          return 200 "Hello from ConfigMap Nginx!\n";
        }
      }
    }
Define Pod that uses the ConfigMap
apiVersion: v1
kind: Pod
metadata:
  name: nginx-cm
spec:
  containers:
  - name: nginx
    image: nginx-k8s:latest
    volumeMounts:
    - name: config-volume
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
  volumes:
  - name: config-volume
    configMap:
      name: nginx-config
Apply the first version
$ kubectl get pods -o wide
NAME       READY   STATUS    RESTARTS   AGE     IP            NODE           NOMINATED NODE   READINESS GATES
nginx-cm   1/1     Running   0          5m45s   10.244.1.55   kind-worker2   <none>           <none>
# curl 10.244.1.55
Hello from ConfigMap Nginx!
Change the ConfigMap to v2
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 80;
        location / {
          return 200 "Hello from ConfigMap Nginx v2!\n";
        }
      }
    }
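Delete and recreate the Pod so that it picks up the new config (a file mounted with subPath is not refreshed in a running container when the ConfigMap changes)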
$ kubectl delete pod nginx-cm
pod "nginx-cm" deleted
$ kubectl apply -f nginx-cm.yaml
pod/nginx-cm created
$ kubectl get pods -o wide
NAME       READY   STATUS    RESTARTS   AGE   IP            NODE           NOMINATED NODE   READINESS GATES
nginx-cm   1/1     Running   0          8s    10.244.1.56   kind-worker2   <none>           <none>
# curl 10.244.1.56
Hello from ConfigMap Nginx v2!
Secret
Define a secret
$ cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: dXNlcm5hbWU=  # Base64 encoded: "username"
  password: cGFzc3dvcmQ=  # Base64 encoded: "password"
Define a pod that uses this secret
$ cat nginx-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-secret
spec:
  containers:
  - name: nginx
    image: nginx-k8s:latest
    imagePullPolicy: Never
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/nginx/creds"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-secret
Apply and try to see the secret in pod
We cannot see anything!
root@nginx-secret:/# ls -l /etc/nginx/creds/
total 0
lrwxrwxrwx 1 root root 15 Feb 8 19:51 password -> ..data/password
lrwxrwxrwx 1 root root 15 Feb 8 19:51 username -> ..data/username
root@nginx-secret:/# cat /etc/nginx/creds/username
username
root@nginx-secret:/# cat /etc/nginx/creds/password
password
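The Secret above holds its values base64-encoded. The following added example (not from the original page; the function names are hypothetical, and it assumes a single manifest with unquoted values under data:) decodes the page's secret.yaml with nothing but base64, reproducing what cat shows inside the Pod.

```shell
#!/bin/sh
# Added example, not from the original page. sample_manifest is constructed
# from the secret.yaml shown above; the function names are hypothetical.

sample_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: dXNlcm5hbWU=   # Base64 encoded: "username"
  password: cGFzc3dvcmQ=   # Base64 encoded: "password"
EOF
}

# Read one manifest on stdin. If it is a Secret, print "key<TAB>value"
# for each entry under the top-level data: key, with comments stripped.
list_secret_data() {
  awk '
    /^kind: *Secret *$/ { is_secret = 1 }
    /^[^ #]/            { in_data = ($0 ~ /^data: *$/); next }
    in_data && /^ +[^ #]+:/ {
      line = $0
      sub(/ +#.*$/, "", line)            # trailing comment
      sub(/^ +/, "", line)               # indentation
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*: */, "", val)
      rows[++n] = key "\t" val
    }
    END { if (is_secret) for (i = 1; i <= n; i++) print rows[i] }
  '
}

# Decode every data value with plain base64: no key or cluster access needed.
decode_report() {
  tab="$(printf '\t')"
  list_secret_data | while IFS="$tab" read -r key enc; do
    printf '%s=%s\n' "$key" "$(printf '%s' "$enc" | base64 -d)"
  done
}

sample_manifest | decode_report
```

Any manifest for which this prints values should be treated as plaintext credentials, for instance when deciding whether it can be committed to version control.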

