Intermediate, Phone
2 min
ConfigMap vs Secret in Kubernetes
Kubernetes, Configuration, Security
Interview Question
What is the difference between a ConfigMap and a Secret in Kubernetes, and when do you use each?
Key Points to Cover
- ConfigMap stores non-sensitive configs; Secret stores sensitive data (base64 encoded)
- Secrets can be backed by KMS/CSI providers and have stricter RBAC
- Use volumes or env vars to mount/inject values
Evaluation Rubric
- Differentiates ConfigMap vs Secret correctly (40% weight)
- Mentions security/encoding and RBAC (30% weight)
- Explains common mounting/injection patterns (30% weight)
Hints
- 💡 Remember base64 ≠ encryption; use KMS for encryption.
Common Pitfalls to Avoid
- ⚠️ Confusing base64 encoding with encryption for Secrets, leading to a false sense of security.
- ⚠️ Storing truly sensitive data in ConfigMaps, which are plain-text and easily exposed.
- ⚠️ Hardcoding secrets directly into container images or application code, bypassing Kubernetes' dedicated mechanisms.
- ⚠️ Not applying strict RBAC policies to restrict access to Secrets, allowing unauthorized users to view sensitive information.
- ⚠️ Over-reliance on Kubernetes-native Secrets for critical production environments without integrating external secret management solutions or enabling etcd encryption.
Potential Follow-up Questions
- ❓ How to rotate a Secret safely?
- ❓ What about sealed-secrets?