CNCFKubernetesApplication DevelopmentBeginner22 min read

What Does ConfigMap Usage Mean?

Also known as: ConfigMap Usage, Kubernetes ConfigMap, CKAD ConfigMap, ConfigMap vs Secret, Kubernetes configuration management

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

ConfigMap Usage means using a Kubernetes object called a ConfigMap to keep configuration settings, such as database addresses or feature flags, separate from your application code. This lets you update settings without rebuilding your application image. You can inject these settings into your pods as environment variables, command-line arguments, or mounted files. It helps make applications more portable and easier to manage across different environments.

Must Know for Exams

For the CNCF CKAD (Certified Kubernetes Application Developer) exam, ConfigMap Usage is a fundamental skill that appears in multiple sections of the curriculum. The CKAD exam specifically tests your ability to create, configure, and use ConfigMaps to manage application configuration. According to the official CNCF curriculum, ConfigMaps fall under the topic of Configuration, which accounts for roughly 18 percent of the exam.

In the CKAD exam, you will encounter tasks that ask you to create a ConfigMap from literal values, from files, or from directories. You may be asked to inject ConfigMap data into a pod as environment variables, as command-line arguments, or as mounted volumes. The exam expects you to know the exact YAML syntax, the kubectl commands for creating and viewing ConfigMaps, and how to reference them in pod specs.

ConfigMaps are also tested in the CKA (Certified Kubernetes Administrator) exam, though less directly. The CKA exam focuses more on cluster administration, but you may encounter scenarios where you need to troubleshoot a misconfigured ConfigMap or update one as part of a deployment task.

For CKAD, a typical exam objective is: Understand ConfigMaps. You must be able to define a ConfigMap, inject its data into a pod, and understand the different consumption methods. The exam does not test ConfigMaps in isolation; you often combine them with other concepts like Deployments, Services, and Secrets. For example, you might be asked to deploy a multi-container pod that reads configuration from a ConfigMap and writes logs to a volume.

The CKAD exam emphasizes time management, so knowing the fastest way to create and use ConfigMaps is important. Imperative commands like kubectl create configmap are often quicker than writing YAML from scratch. The exam also tests your understanding of the immutable ConfigMap feature, which can be used to improve performance and prevent accidental changes.

Because ConfigMaps are a core Kubernetes resource, you can expect at least one or two questions that require ConfigMap knowledge in the CKAD exam. Mastering this topic is not optional; it is a critical part of passing the exam.

Simple Meaning

Imagine you move into a new apartment and you have a set of keys that unlock different doors: the front door, your mailbox, and a storage room. If you wanted to change which key opens which door, you would need a new set of keys, which is inconvenient. Now imagine instead that the lock system reads a small card that tells it which key pattern to use. To change the door that opens, you simply swap the card, without changing the keys themselves. That card is like a ConfigMap.

In the world of cloud applications, a ConfigMap works like that card. When you build an application, you usually want to keep the code the same, but you might need different settings when running in a test environment versus a production environment. Rather than building a separate version of your application for each environment, you use a ConfigMap to store those settings. The ConfigMap holds key-value pairs, like a dictionary or a list of settings. You can then tell your containerized application to read from the ConfigMap when it starts.

For example, think of a library that has a sign on the wall telling visitors which floor holds which book genre. If the library reorganizes its books, staff just update the sign instead of moving all the books. In Kubernetes, the ConfigMap is that sign. You can change the sign (update the ConfigMap), and applications that read the sign automatically learn the new location. This approach makes managing configurations clean, simple, and independent of the application code.

The key idea is separation of concerns: the application code is the engine, and the configuration is the fuel mixture. By using ConfigMaps, you can change the fuel mixture without touching the engine. This makes deployments more flexible, reduces the risk of errors, and helps teams work faster.

Full Technical Definition

In Kubernetes, a ConfigMap is an API object used to store non-confidential configuration data as key-value pairs. Pods can consume this data as environment variables, command-line arguments, or configuration files mounted as volumes. The ConfigMap resource is defined in YAML or JSON and belongs to the core/v1 API group.

The ConfigMap object can hold data of various types. The data field contains key-value pairs where both key and value are strings. The binaryData field is used for binary data encoded in base64, though ConfigMaps are primarily intended for text-based configuration. The immutable field, introduced in Kubernetes 1.19, prevents accidental updates to the ConfigMap, which can improve performance and reliability by reducing API server watch traffic.

When a pod references a ConfigMap, the Kubelet on the node where the pod runs fetches the ConfigMap data and injects it into the container. For environment variables, the Kubelet sets the variable directly in the container runtime. For volume mounts, the Kubelet creates a temporary filesystem that contains the keys as filenames and values as file contents. These files are updated dynamically only if the ConfigMap is not marked as immutable, but there is a delay because the Kubelet periodically syncs.

ConfigMaps have a size limit of 1 MiB, which is enforced by the API server. This limit exists because ConfigMaps are stored in etcd, Kubernetes' distributed key-value store, and large objects can degrade cluster performance. For larger configuration data, consider using a separate volume or an external configuration service.

ConfigMaps are namespace-scoped, meaning they exist within a specific Kubernetes namespace. Pods can only reference ConfigMaps in the same namespace. This ensures isolation between different teams or environments within the same cluster. ConfigMaps do not provide encryption, so sensitive data like passwords or API keys should be stored in Secrets, not ConfigMaps.

In real-world IT environments, ConfigMaps are used to centralize configuration for microservices. A common pattern is to deploy a ConfigMap that holds database connection strings, feature flags, logging levels, and external service URLs. When a configuration change is needed, an operator updates the ConfigMap and then performs a rolling restart of the pods to pick up the new values. This avoids rebuilding container images, which saves time and reduces the risk of introducing bugs.

Real-Life Example

Think of a hotel room key card system. When you check into a hotel, you receive a key card that is programmed to open your specific room and maybe the gym or pool. The card itself does not contain the lock mechanisms; it only holds a code that tells the door to unlock. If the hotel wants to change which rooms you can access, they simply reprogram the card. They do not need to change the locks on every door.

In Kubernetes, the ConfigMap is like that programmed key card. Your application is the room door, and the configuration settings are the access codes. When you deploy an application, you provide a ConfigMap that tells the application which database to connect to, which features to enable, and which log level to use. Just like the hotel can reprogram your card to grant access to different floors, you can update the ConfigMap to change the database address or enable a new feature flag.

Step by step, here is how the analogy maps: The hotel front desk is the Kubernetes API server, where ConfigMaps are stored. The key card programmer is the process that creates or updates a ConfigMap. The door lock represents the application code that reads configuration. The key card itself is the ConfigMap data, delivered to the pod as environment variables or files. When you check out, the hotel deactivates your card, just as deleting a ConfigMap removes that configuration from the cluster.

The key insight is that the lock (the application) does not need to know how the card was programmed. It just needs to read the code. This separation means you can have many different key cards (ConfigMaps) for different guests (environments like development, staging, production), all using the same lock design. This is exactly how ConfigMap Usage enables environment-specific configurations without changing the application image.

Why This Term Matters

ConfigMap Usage matters because it is the standard way to manage application configuration in Kubernetes, which has become the dominant platform for deploying and running containerized applications in production. Without ConfigMaps, developers would be forced to hard-code configuration values into their application images or use environment variables defined directly in pod specs, which is not scalable or maintainable.

In real IT work, teams often deploy the same application across multiple environments: development, staging, testing, and production. Each environment has its own database servers, API endpoints, feature flags, and scaling parameters. Using ConfigMaps, a single container image can be promoted from development to production with different ConfigMaps defining the environment-specific settings. This reduces the risk of human error, because you do not need to rebuild the image for each environment.

ConfigMaps also support zero-downtime updates in many cases. When a configuration change is required, an operator can update the ConfigMap, and then trigger a rolling restart of the pods. The new pods will pick up the updated configuration. This is far less disruptive than rebuilding and redeploying the entire application image, which can take minutes and requires a full CI/CD pipeline run.

From a security standpoint, ConfigMaps help enforce the principle of least privilege by keeping non-sensitive configuration separate from sensitive data, which is stored in Secrets. This separation allows different teams to manage different aspects of a deployment. For example, a development team can update application feature flags in a ConfigMap without needing access to database passwords stored in Secrets.

Finally, ConfigMaps are essential for GitOps and declarative infrastructure. Organizations that manage their Kubernetes resources using Git repositories can store ConfigMap YAML files alongside their application manifests. This provides a full audit trail of configuration changes, making it easy to roll back to a previous version if a change causes issues.

How It Appears in Exam Questions

In certification exams like the CKAD, ConfigMap Usage appears in several types of questions. The most common are configuration tasks where you are given a scenario and asked to create a ConfigMap and use it in a pod. For example: Create a ConfigMap named app-config with the key DB_HOST and value mysql.prod.svc.cluster.local. Then create a pod that uses this ConfigMap to set the environment variable DATABASE_HOST. The question may also require you to verify that the variable is correctly set inside the container.

Another common question pattern is the update scenario. You might be asked to update an existing ConfigMap and then restart the pods so they pick up the new configuration. For example: The current ConfigMap named web-config has an incorrect port number. Update the ConfigMap to use port 8080, then perform a rolling update of the deployment to apply the change.

Scenario-based questions often combine ConfigMap usage with other resources. For instance, you might be asked to create a ConfigMap that holds configuration files, then mount that ConfigMap as a volume in a pod at the path /etc/config. The question may specify that the application expects a file named app.properties with specific content. You would need to create the ConfigMap with a key matching the filename and the value containing the file content.

Troubleshooting questions also appear. You might be given a pod that is failing because it cannot find a required configuration value. The question asks you to identify the issue and fix it. The problem could be a typo in the ConfigMap name, a missing key, or a namespace mismatch. You would need to use kubectl describe configmap and kubectl logs to diagnose the issue.

Architecture questions are less common in CKAD but may appear in the CKA exam. For example: You have a microservice that requires configuration for different environments. Which approach would you recommend? The correct answer would be to use separate ConfigMaps for each environment, deployed in separate namespaces or clusters.

Finally, some questions test your understanding of ConfigMap limits and best practices. For example: You have a configuration file that is 5 MiB in size. Can you store it in a ConfigMap? If not, what alternative approach should you use? The answer is no, because ConfigMaps have a 1 MiB limit, and you should use a separate volume or an external configuration service instead.

Study cncf-ckad

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: A development team is building a web application that displays weather data. The application needs to know which API endpoint to use for fetching weather forecasts. In the development environment, the API runs at http://dev-weather-api:5000. In the production environment, the API runs at https://prod-weather-api.example.com. The team wants to use the same container image in both environments without rebuilding it.

The solution is to use a ConfigMap. The DevOps engineer creates a ConfigMap named weather-app-config in the development namespace with the key WEATHER_API_URL and value http://dev-weather-api:5000. In the production namespace, the same ConfigMap key exists but with the value https://prod-weather-api.example.com. The pod specification for the weather application includes an envFrom field that references the weather-app-config ConfigMap. When the pod starts in development, it reads the local API URL. When it starts in production, it reads the production URL.

Later, the team decides to switch to a different weather data provider. The new provider uses a different API endpoint and requires an API key. The team updates the ConfigMap in the production namespace to change the WEATHER_API_URL and adds a new key WEATHER_API_KEY. Because the API key is sensitive, they actually move it to a Secret and keep only the non-sensitive URL in the ConfigMap. The application code reads both values, and the change is deployed by updating the ConfigMap and performing a rolling restart of the pods. No code changes are needed.

This scenario shows how ConfigMap Usage simplifies configuration management across environments, reduces deployment risk, and supports sensitive data separation when combined with Secrets.

Common Mistakes

Storing sensitive information like passwords or API keys in a ConfigMap

ConfigMaps store data in plain text within etcd and are accessible to anyone with read access to the namespace. They are not designed for secrets and do not support encryption at rest by default. Using ConfigMaps for sensitive data exposes your application to security risks.

Use Kubernetes Secrets for any sensitive data. Secrets provide base64 encoding and can be encrypted at rest if the cluster is configured appropriately. Reserve ConfigMaps for non-sensitive configuration like database hostnames, feature flags, and log levels.

Assuming that ConfigMap updates automatically update running pods without a restart

ConfigMaps consumed as environment variables are only read during pod initialization. Updating the ConfigMap does not change the environment variables in a running container. For volume mounts, the files are updated eventually, but it can take minutes and the application must be designed to watch for file changes.

Plan for a rolling restart of pods after updating a ConfigMap to ensure the new configuration is applied. You can use kubectl rollout restart deployment or update a label or annotation to trigger the restart.

Using ConfigMap keys that are not valid environment variable names when injecting as env vars

Kubernetes validates that ConfigMap keys used as environment variable names start with a letter or underscore and contain only alphanumeric characters or underscores. Keys with hyphens or dots will cause the pod to fail to start.

When creating ConfigMaps, use keys that conform to environment variable naming rules if you intend to inject them as env vars. For keys that do not meet these rules, use volume mounts instead, where the key becomes a filename.

Creating a ConfigMap without specifying the namespace, expecting it to be available in all namespaces

ConfigMaps are namespace-scoped resources. If you create a ConfigMap without specifying a namespace, it is created in the current namespace set in your kubeconfig context. Pods in other namespaces cannot reference it.

Always create ConfigMaps in the same namespace as the pods that will consume them. Use the --namespace flag or set the namespace in your kubectl context. Alternatively, use a tool like Kustomize to generate ConfigMaps per namespace.

Exam Trap — Don't Get Fooled

A question asks you to create a ConfigMap and then inject all its key-value pairs as environment variables in a pod. You correctly create the ConfigMap, but in the pod spec, you use the env field with a valueFrom configMapKeyRef instead of the envFrom field. The pod starts, but only one environment variable is set instead of all of them.

Remember that envFrom is for bulk injection of all ConfigMap keys, while env is for selecting individual keys, potentially with a different name. When the question says 'all key-value pairs as environment variables,' always use envFrom. Practice with both fields to build familiarity.

Commonly Confused With

ConfigMap UsagevsKubernetes Secrets

Secrets are used to store sensitive data like passwords, tokens, and keys, while ConfigMaps store non-sensitive configuration. Secrets encode data in base64 and can be encrypted at rest, whereas ConfigMaps store plain text. Both can be injected similarly, but Secrets are the correct choice for any confidential information.

A database password must be stored in a Secret. The database hostname can be stored in a ConfigMap.

ConfigMap UsagevsEnvironment Variables in Pod Spec

Environment variables defined directly in the pod spec are static and hard-coded into the deployment manifest. ConfigMaps allow you to define configuration externally and reuse it across multiple pods. Updating a ConfigMap is easier than updating every pod spec.

Setting DB_HOST directly in the pod spec means you must edit the pod YAML to change it. Using a ConfigMap lets you change the value once and restart the pods.

ConfigMap UsagevsKubernetes Volumes (PersistentVolumeClaim)

PersistentVolumeClaims are used for persistent storage that survives pod restarts, like databases or file stores. ConfigMaps are for configuration files that are small and typically do not need to persist across pod restarts. ConfigMaps are also lost when deleted, while PVC data persists.

A configuration file for an application that changes per environment is a good fit for a ConfigMap volume. A database data directory needs a PersistentVolumeClaim.

Step-by-Step Breakdown

1

Plan Your Configuration Data

Decide which configuration values your application needs, such as database URLs, feature flags, or log levels. Ensure none of this data is sensitive; sensitive data belongs in Secrets. Group related keys logically so the ConfigMap is easy to manage.

2

Create the ConfigMap Object

Use kubectl create configmap or write a YAML file with the core/v1 API version. Specify the name, namespace, and data field with key-value pairs. You can create from literal values, from files, or from directories. This step stores the configuration in etcd.

3

Define How Pods Will Consume the ConfigMap

Decide the injection method: environment variables, command-line arguments, or volume mounts. Environment variables are simple but static after pod start. Volume mounts allow file-based configuration and can be updated without rebuilding the pod (with some lag).

4

Reference the ConfigMap in the Pod Spec

In the pod or deployment YAML, add the envFrom or env field with a configMapKeyRef or volume mount that points to the ConfigMap name. Ensure the keys exist in the ConfigMap and match the expected names in your application.

5

Deploy the Pod and Verify Configuration

Apply the pod or deployment manifest. Use kubectl exec to enter the container and check that environment variables are set or that mounted files exist. Use kubectl logs to confirm the application is using the expected configuration.

6

Update Configuration When Needed

When a configuration change is required, edit the ConfigMap using kubectl edit configmap or apply a new YAML. If the ConfigMap is not immutable, the data is updated in etcd. Then trigger a rolling restart of the deployment to apply the change.

7

Clean Up When No Longer Needed

Delete ConfigMaps that are no longer in use to free up etcd storage and avoid confusion. Use kubectl delete configmap. Ensure no running pods still reference the ConfigMap, or they may fail to start if they require it.

Practical Mini-Lesson

ConfigMap Usage is one of the most practical skills for any Kubernetes developer. In the real world, you will rarely hard-code configuration into your applications because it creates brittle, environment-specific artifacts. Instead, you will use ConfigMaps to externalize that configuration.

Start by thinking about what your application needs to know at startup. Common items include database connection strings, external service URLs, feature toggle flags, logging levels, and timezone settings. Collect these into a list, and categorize each item as either non-sensitive (store in ConfigMap) or sensitive (store in Secret). For the CKAD exam, you must be comfortable with both.

When creating ConfigMaps, there are multiple methods. Imperative commands like kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2 are fast for the exam. Declarative YAML is better for production because it can be version-controlled. If you have configuration files on disk, use --from-file=path/to/file.conf, which creates a key with the filename and value with the file content.

In production, a common pattern is to use ConfigMaps with volume mounts for configuration files. This is especially useful for applications that expect a configuration file in a specific path. For example, many Java applications look for application.properties or application.yml in a config directory. You can mount a ConfigMap at that path. When you update the ConfigMap, the file changes eventually, and the application might pick it up if it watches for file changes.

A key professional practice is to use immutable ConfigMaps where possible. Once an application reaches a stable configuration, mark the ConfigMap as immutable: immutable: true. This prevents accidental updates and reduces load on the API server because the Kubelet can cache the ConfigMap. However, if you need to change configuration, you must create a new ConfigMap and update the pod spec to point to the new name. This is more work but is safer in high-stakes environments.

Another advanced pattern is using ConfigMaps in combination with Helm charts. Helm templates can generate ConfigMaps based on values provided by the user, making it easy to deploy the same chart to multiple environments with different configurations.

Common pitfalls include forgetting that ConfigMaps are namespace-scoped, not understanding the 1 MiB size limit, and confusing ConfigMaps with Secrets. Always verify your work by inspecting the ConfigMap and the pod. Use kubectl describe configmap and kubectl exec into the container to confirm the values are present.

For the CKAD exam, practice is essential. Set up a local Kubernetes cluster using Minikube or Kind, and practice creating ConfigMaps, injecting them in different ways, and updating them. Time yourself, because exam questions are time-pressured. Focus on getting the syntax right for envFrom, configMapKeyRef, and volume mounts.

Memory Tip

ConfigMaps are like a post-it note on your application: great for writing down the database address, but never write your password on it. For environment variables, think envFrom for all, env for one.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

What is the maximum size of a ConfigMap?

A ConfigMap can hold up to 1 MiB of data. This limit is enforced by the Kubernetes API server because ConfigMaps are stored in etcd, and large objects can degrade performance.

Can a ConfigMap be used across different namespaces?

No, ConfigMaps are namespace-scoped. A pod can only reference a ConfigMap that exists in the same namespace. To use the same configuration across namespaces, you must create separate ConfigMaps in each namespace.

How do I update a ConfigMap and make a running pod use the new values?

If the ConfigMap is consumed as environment variables, you must restart the pod because environment variables are set at pod startup. For volume mounts, the files are updated after a delay, but the application must watch for file changes to react. The safest approach is to perform a rolling restart of the deployment after updating the ConfigMap.

Can I store a YAML or JSON file in a ConfigMap?

Yes, you can store any text-based file, including YAML or JSON, as a value in a ConfigMap. Use the --from-file flag when creating the ConfigMap, and the file content becomes the value. Then mount the ConfigMap as a volume, and the file will be available inside the container.

What is the difference between ConfigMap and Secret?

ConfigMaps store non-sensitive configuration data in plain text. Secrets store sensitive data like passwords and tokens, with base64 encoding and optional encryption at rest. Both can be injected into pods similarly, but Secrets should be used for any confidential information.

What happens if a pod references a ConfigMap that does not exist?

The pod will fail to start. The Kubelet will report an error indicating that the ConfigMap was not found. You must either create the ConfigMap first or correct the pod spec to reference an existing ConfigMap.

Can I use a ConfigMap to set command-line arguments in a pod?

Yes, you can use the ConfigMap value in the command field of a container spec by referencing it through environment variables. For example, set an environment variable from the ConfigMap, then use $(ENV_VAR) in the command field to pass it as an argument.

Summary

ConfigMap Usage is a foundational concept in Kubernetes that enables you to separate application configuration from code, making your applications more portable, maintainable, and secure. You learned that ConfigMaps store key-value pairs of non-sensitive data and can be injected into pods as environment variables, command-line arguments, or mounted files. This approach allows you to use a single container image across multiple environments by simply changing the ConfigMap.

For certification exams like the CKAD, you must be proficient in creating ConfigMaps, consuming them in pods, and understanding the differences between ConfigMaps and Secrets. Remember that ConfigMaps are namespace-scoped, have a 1 MiB size limit, and do not support automatic updates for environment variables. Practice creating ConfigMaps from literal values and files, and experiment with both envFrom and volume mounts.

Mastering ConfigMap Usage will not only help you pass your exam but also make you a more effective Kubernetes developer in real-world projects.