Securely Managing Application Configuration with Kubernetes Secrets and ConfigMaps

Introduction

When deploying applications in Kubernetes, managing configuration data securely and efficiently is critical. Kubernetes provides Secrets for handling sensitive data like passwords and API keys, and ConfigMaps for storing non-sensitive configuration data such as environment variables and application settings.

In this blog, we’ll explore:

  • How to use Kubernetes Secrets for sensitive data.
  • How to use ConfigMaps for general configuration.
  • A real-world scenario where both are used effectively.

Using Kubernetes Secrets for Secure Data Management

Secrets in Kubernetes allow you to securely store and manage sensitive information like database credentials, API keys, and TLS certificates.

Example: Creating a Secret for Database Credentials

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
  namespace: my-app-namespace
  labels:
    app: my-app
 
type: Opaque

data:
  DB_PASSWORD: c3VwZXJzZWNyZXQ=  # Base64 encoded value of ‘supersecret’

Injecting the Secret into a Pod

apiVersion: v1
kind: Pod
metadata:
  name: my-app-pod
spec:
  containers:
    – name: my-app-container
      image: my-app:latest
      env:
        – name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: DB_PASSWORD

🔹 Security Benefits: This method keeps credentials out of plain text configurations, reducing the risk of accidental exposure.

Using ConfigMaps for General Configuration Management

ConfigMaps store non-sensitive configuration data and can be used to decouple configuration from application code.

Example: Creating a ConfigMap for App Settings

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: my-app-namespace

data:
  APP_MODE: “production”
  LOG_LEVEL: “debug”

Injecting the ConfigMap into a Pod

apiVersion: v1
kind: Pod
metadata:
  name: my-app-pod
spec:
  containers:
    – name: my-app-container
      image: my-app:latest
      env:
        – name: APP_MODE
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: APP_MODE
        – name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL

Real-World Scenario: Securing a Database Connection in a Microservices App

Imagine a microservices-based e-commerce application that requires secure database credentials and configurable logging levels. The application architecture consists of:

  • A backend API service that connects to a PostgreSQL database.
  • A logging service that uses environment variables to control log levels.

Implementing the Solution

  1. Use Kubernetes Secrets to store database credentials:
    • Securely store the database password using Secrets.
    • Inject the secret into the backend API pod as an environment variable.
  2. Use ConfigMaps for application configuration:
    • Define log levels and app mode in a ConfigMap.
    • Mount the ConfigMap as an environment variable in both the API and logging services.

Deployment Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: backend-api
  template:
    metadata:
      labels:
        app: backend-api
    spec:
      containers:
        – name: backend-api
          image: backend-api:v1
          env:
            – name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: DB_PASSWORD
            – name: APP_MODE
              valueFrom:
                configMapKeyRef:
                  name: app-config
                  key: APP_MODE

Best Practices for Managing Secrets and ConfigMaps

  • Use Role-Based Access Control (RBAC): Restrict access to Secrets to only authorized services.
  • Encrypt Secrets at Rest: Use Kubernetes encryption providers to protect stored secrets.
  • Avoid Hardcoding Configurations: Always use ConfigMaps and Secrets to separate configurations from code.
  • Rotate Secrets Regularly: Implement secret rotation policies to enhance security.

Conclusion

By leveraging Kubernetes Secrets and ConfigMaps, organizations can improve security and configuration management within their Kubernetes environments. These tools help maintain flexibility, security, and scalability while reducing risks associated with misconfigured applications.

Would you like to explore how to integrate ConfigMaps and Secrets with Helm charts for even more efficient deployment? Let us know in the comments!

Leave a Reply

Your email address will not be published. Required fields are marked *