Have been using Kubernetes secrets up to date. Now we have ConfigMaps as well. What is the preferred way forward - secrets or config maps? P.S. After a few iterations we have stabilised at the following rule: configMaps are per solution domain (can be shared across microservices within the domain, but ultimately are single purpose config entries) secrets are shared across solution domains, usually represent third party systems or databases

I'm the author of both of these features. The idea is that you should: Use Secrets for things which are actually secret like API keys, credentials, etc Use ConfigMaps for not-secret configuration data In the future, there will likely be some differentiators for secrets like rotation or support for backing the secret API w/ HSMs, etc. In general, we like intent-based APIs, and the intent is definitely different for secret data vs. plain old configs.

kubernetes

Evgeny Minkevich

Reputation: 2459

When to use Secrets as opposed to ConfigMaps in Kubernetes?

Have been using Kubernetes secrets up to date. Now we have ConfigMaps as well.

What is the preferred way forward - secrets or config maps?

P.S. After a few iterations we have stabilised at the following rule:

configMaps are per solution domain (can be shared across microservices within the domain, but ultimately are single purpose config entries)
secrets are shared across solution domains, usually represent third party systems or databases

Upvotes: 97

Answers (4)

Mohsin

Reputation: 89

Both, ConfigMaps and Secrets store data as a key value pair. The major difference is, Secrets store data in base64 format meanwhile ConfigMaps store data in a plain text.

If you have some secret data like, API secrets, sa accounts, etc then you should always go for Secrets rather than Configs.

And if you want to do some application configuration using environment variables which you don't want to keep secret/hidden like, app theme, base platform url, etc then you can go for ConfigMaps

Upvotes: -8

Abhishek Kushwaha

Reputation: 17

Kubernetes secrets are used to store information in encrypted form . So that even if is any unauthorised access is made the attacker is not able to do anything as he needs decryption key . They are used to store sensitive information.

Kubernetes Config Maps are used store non confidential info in key value store . Pods may use them cli, env variables.

Upvotes: -4

Paul Morie

Reputation: 15788

I'm the author of both of these features. The idea is that you should:

Use Secrets for things which are actually secret like API keys, credentials, etc
Use ConfigMaps for not-secret configuration data

In the future, there will likely be some differentiators for secrets like rotation or support for backing the secret API w/ HSMs, etc. In general, we like intent-based APIs, and the intent is definitely different for secret data vs. plain old configs.

Upvotes: 190

Michael Cole

Reputation: 16257

One notable difference in the implementation is that kubectl apply -f:

ConfigMaps are "unchanged" if the data hasn't changed.
Secrets are always "configured" - even if the file hasn't changed

Upvotes: 15

When to use Secrets as opposed to ConfigMaps in Kubernetes?

Answers (4)

Related Questions