Storage & Configuration (critical)

ConfigMap & Secrets

ConfigMap stores non-sensitive configuration as key-value pairs. Secret stores sensitive data (passwords, tokens, keys) as base64-encoded values.

Memory anchor

ConfigMap = a sticky note on the fridge ('DB_HOST=postgres'). Secret = the same sticky note but written in pig latin — base64 is NOT a lock, it's just backwards writing anyone can read. You need Vault or encryption at rest for an actual safe.

Expected depth

Both can be consumed as: (1) environment variables (envFrom or env.valueFrom), (2) files in a volume mount. ConfigMap: plain text, not encrypted. Secret: base64 encoded (NOT encrypted by default in etcd). Production must enable etcd encryption at rest or use an external secrets manager (HashiCorp Vault, AWS Secrets Manager) with sealed-secrets or external-secrets operator. Secret types: Opaque (generic), kubernetes.io/dockerconfigjson (registry auth), kubernetes.io/tls (TLS cert+key).

Deep — senior internals

Volume-mounted Secrets auto-update when the Secret object is updated, without a pod restart (the kubelet refreshes the files after a delay of roughly a minute). Environment-variable-injected Secrets do NOT auto-update; they require a pod restart. This makes volume mounts better for rotating credentials. immutable: true on a ConfigMap/Secret prevents accidental updates and improves kube-apiserver performance, because the kubelet no longer needs a watch on the object. RBAC restricts which identities (users and ServiceAccounts) can read which Secrets through the API; use a per-service ServiceAccount with minimal permissions. Workload identity (EKS IRSA, GKE Workload Identity) eliminates static credentials entirely: pods obtain cloud credentials via service account token projection.
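The consumption patterns from the two passages above in one manifest, as an added example that is not part of the original card: a Secret written with stringData (the API server stores it base64-encoded in .data), an immutable ConfigMap, and a Pod that takes config from envFrom (fixed at container start) and the credential from a volume mount (refreshed by the kubelet on rotation, as long as the mount does not use subPath, which disables the refresh). Names, namespace and image are placeholders.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: payments
type: Opaque
stringData:                             # plaintext here; the API server
  password: example-only-not-a-secret   # base64-encodes it into .data
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: payments
immutable: true                         # updates rejected; no watch needed
data:
  DB_HOST: postgres
  DB_PORT: "5432"
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  automountServiceAccountToken: false   # app never needs the API server
  containers:
  - name: api
    image: example.com/payments-api:1.0 # placeholder image
    envFrom:
    - configMapRef:
        name: app-config                # env vars: fixed at container start
    volumeMounts:
    - name: db-creds
      mountPath: /var/run/secrets/db    # password lands at .../db/password
      readOnly: true                    # no subPath, so rotation is picked up
  volumes:
  - name: db-creds
    secret:
      secretName: db-creds              # kubelet refreshes file on change
```

The application must re-read /var/run/secrets/db/password when a connection fails, otherwise the automatic refresh gains nothing.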

Interview-ready answer

ConfigMaps for config, Secrets for credentials — that's the split. Both mount as files or env vars. Critical security point: Secrets are only base64 encoded in etcd by default — readable by anyone with etcd access. Enable encryption at rest, or better, use external-secrets operator to pull from AWS Secrets Manager or Vault. For rotating credentials without pod restarts, use volume-mounted Secrets — they update automatically. For database passwords, the modern approach is workload identity + IAM roles, eliminating static secrets entirely.

Common trap

base64 is NOT encryption. It's encoding. Anyone who can kubectl get secret -o yaml can read every value in 2 seconds. Treat RBAC access to Secrets as access to plaintext credentials. Use namespace-scoped Roles to restrict secret access to only the pods that need it.

Related concepts