
ConfigMap vs Secret in Kubernetes: Key Differences and Usage

A ConfigMap stores non-sensitive configuration data in plain text, while a Secret stores sensitive data such as passwords as base64-encoded values. Base64 is an encoding, not encryption. Both provide configuration to pods but differ mainly in data sensitivity and handling.

Quick Comparison

This table summarizes the main differences between ConfigMap and Secret in Kubernetes.

| Factor | ConfigMap | Secret |
| --- | --- | --- |
| Purpose | Store non-sensitive configuration data | Store sensitive data like passwords, tokens |
| Data Encoding | Plain text | Base64 encoded |
| Security | Not encrypted, visible in plain text | Encoded, can be encrypted at rest |
| Use Case | Application settings, environment variables | Credentials, keys, tokens |
| Access Control | Standard RBAC | Standard RBAC with additional encryption options |
| Size Limit | 1MB per object | 1MB per object |

Key Differences

ConfigMap is designed to hold configuration data that is not sensitive. It stores data as plain text key-value pairs and is used to pass environment variables or configuration files to pods. Because the data is not encrypted, it should never contain secrets.

Secret, on the other hand, is intended for sensitive information such as passwords, API keys, or certificates. The data is base64 encoded, which is not encryption but prevents casual viewing. Kubernetes can also encrypt secrets at rest if configured. Secrets provide better security controls and are handled differently by Kubernetes to reduce exposure.

While both are used to inject configuration into pods, Secret adds a layer of security and is the recommended way to store sensitive data. Access to secrets can be restricted more tightly using Kubernetes RBAC and encryption features.


Code Comparison

Here is an example of creating a ConfigMap to store application configuration.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: "info"
  MAX_CONNECTIONS: "100"
```

Output:
ConfigMap 'app-config' created with keys LOG_LEVEL and MAX_CONNECTIONS

Secret Equivalent

Here is the equivalent Secret storing sensitive data encoded in base64.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  DB_PASSWORD: c2VjdXJlUGFzc3dvcmQ=
  API_KEY: YXBpa2V5MTIzNDU=
```

Output:
Secret 'app-secret' created with keys DB_PASSWORD and API_KEY
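
The following is an added example, not code from the original page: a small Python audit over constructed JSON shaped like `kubectl get configmap,secret -o json` output. It flags credential-looking keys left in a ConfigMap and shows that a Secret's base64 `data` decodes without any key, so read access to the object is plaintext access. The `legacy-config` object, its values, and the key-name pattern are assumptions made for illustration.

```python
import base64
import json
import re

# Constructed input shaped like `kubectl get configmap,secret -o json`.
# app-config and app-secret mirror the manifests above; legacy-config is a
# hypothetical ConfigMap that wrongly carries a credential.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ConfigMap", "metadata": {"name": "app-config"},
   "data": {"LOG_LEVEL": "info", "MAX_CONNECTIONS": "100"}},
  {"kind": "ConfigMap", "metadata": {"name": "legacy-config"},
   "data": {"DB_HOST": "db.internal", "DB_PASSWORD": "hunter2"}},
  {"kind": "Secret", "metadata": {"name": "app-secret"}, "type": "Opaque",
   "data": {"DB_PASSWORD": "c2VjdXJlUGFzc3dvcmQ=", "API_KEY": "YXBpa2V5MTIzNDU="}}
]}
""")

# Heuristic key-name pattern (an assumption; tune it to your naming scheme).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)


def misplaced_credentials(objects):
    """Return (configmap_name, key) pairs whose key name looks like a credential."""
    hits = []
    for obj in objects["items"]:
        if obj["kind"] != "ConfigMap":
            continue
        for key in obj.get("data", {}):
            if SENSITIVE.search(key):
                hits.append((obj["metadata"]["name"], key))
    return hits


def decode_secret_data(secret):
    """Decode a Secret's data map; base64 needs no key, only read access."""
    return {k: base64.b64decode(v, validate=True).decode("utf-8")
            for k, v in secret.get("data", {}).items()}


if __name__ == "__main__":
    for name, key in misplaced_credentials(SAMPLE):
        print(f"ConfigMap {name}: key {key} looks like a credential; move it to a Secret")
    secret = next(o for o in SAMPLE["items"] if o["kind"] == "Secret")
    print("Secret keys recoverable in plaintext:", sorted(decode_secret_data(secret)))
```

Because decoding needs nothing beyond read access, the protection for a Secret comes from RBAC on `get`/`list` and from encryption at rest, not from the encoding.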

When to Use Which

Choose ConfigMap when you need to store non-sensitive configuration like feature flags, URLs, or environment variables that do not require encryption.

Choose Secret when you need to store sensitive information such as passwords, tokens, or certificates that require protection and controlled access.

Using the right resource helps keep your application secure and your configuration organized.

Key Takeaways

Use ConfigMap for non-sensitive configuration data in plain text.
Use Secret for sensitive data with base64 encoding and optional encryption.
Secrets provide better security controls and should be used to protect credentials.
Both ConfigMap and Secret can be injected into pods as environment variables or files.
Choose based on data sensitivity to keep your Kubernetes environment secure.