CNCFKubernetesContainer OrchestrationBeginner22 min read

What Does ConfigMaps Mean?

Also known as: ConfigMap, Kubernetes ConfigMap, CKA ConfigMap, ConfigMap vs Secret, Kubernetes configuration

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

ConfigMaps let you keep configuration information, like database addresses or feature flags, in a central place that your applications can read at runtime. You can update these settings without changing your application code or restarting the whole system. Think of it as a whiteboard where you write notes that all your programs can see. This keeps your containers generic and your configuration flexible.

Must Know for Exams

ConfigMaps are a foundational topic in the Certified Kubernetes Administrator (CKA) exam. The CKA exam syllabus explicitly includes managing application configuration with ConfigMaps and Secrets. You should expect to demonstrate hands-on ability to create, update, and consume ConfigMaps in various ways. The exam tests practical skills, not just theory.

Specifically, the CKA exam objectives under Workloads and Scheduling include tasks like configuring a pod to use a ConfigMap as environment variables or as a volume mount. You may be asked to create a ConfigMap from literal values, from a file, or from a directory. You may also need to update a ConfigMap and ensure pods reflect the new configuration. The exam environment is a live Kubernetes cluster, so you must be comfortable with kubectl commands and YAML manifests.

Another common exam scenario is troubleshooting a pod that fails to start because it references a ConfigMap that does not exist. You need to know how to check ConfigMap existence, verify correct naming, and fix the reference. The exam also tests error handling: for example, if a ConfigMap is updated but the pod still uses the old values, you must understand that environment variables are not updated until the pod is restarted.

While ConfigMaps are not a major topic in the Certified Kubernetes Application Developer (CKAD) exam, they do appear in the context of configuring applications. You should know how to mount ConfigMaps as volumes and access them from within the application code.

For the CNCF Kubernetes Security Specialist (CKS) exam, the focus shifts to securing ConfigMaps. You should know that ConfigMaps are not encrypted and that sensitive data must be handled via Secrets or external secret stores. The CKS exam may ask you to restrict access to ConfigMaps using RBAC policies or to audit ConfigMap usage.

In all cases, the exam emphasizes practical, hands-on skills. Expect to type commands directly, edit YAML files, and verify your work using kubectl describe and kubectl get commands.

Simple Meaning

Imagine you work in a large office building with many departments. Each department has a set of rules: the thermostat should be set to 22 degrees, the coffee machine should be refilled at 2 PM, and the main door code is 1234. If you wrote these rules directly into each department's handbook, you would have to reprint every handbook whenever the door code changed. That would be slow and wasteful. ConfigMaps are like a central bulletin board in the lobby. You post the door code, the thermostat setting, and the coffee schedule once on the board, and every department knows to look there for the latest information. If the door code changes, you simply erase the old number and write the new one. All departments see the updated code immediately without needing new handbooks.

In Kubernetes, a ConfigMap is this same kind of central bulletin board. Applications running in containers can read configuration values from a ConfigMap at startup or while they are running. You can store things like database hostnames, API endpoints, feature toggle flags, or any other non-sensitive textual data. The key point is that the configuration is decoupled from the container image. This means you can use the exact same container image in development, testing, and production — only the ConfigMap for each environment changes. It makes deployments more reliable, updates safer, and operations simpler.

ConfigMaps hold key-value pairs. A key might be database_url and the value might be postgres://user:pass@prod-db:5432/mydb. Your application reads these values by referencing the ConfigMap. You can also mount a ConfigMap as a file so that your app reads configuration from a traditional configuration file. Either way, the application does not need to be rewritten or its image rebuilt just because a database moved to a different server.

Full Technical Definition

A ConfigMap is a Kubernetes API resource that stores configuration data as key-value pairs. It belongs to the core API group (v1) and is designed to decouple configuration artifacts from container images. ConfigMaps can hold individual key-value pairs, multi-line values, or entire configuration files (such as JSON, YAML, or INI files) when mounted as volumes.

Under the hood, a ConfigMap is stored in etcd, the Kubernetes cluster's distributed key-value store. When you create a ConfigMap using kubectl create configmap or via a YAML manifest, the data is serialized and written to etcd. Pods can consume ConfigMap data in two primary ways: as environment variables or as mounted files. When used as environment variables, the key becomes the environment variable name and the value becomes its content. When mounted as a volume, each key becomes a file inside a specified mount path, and the value is the file content.

ConfigMaps are namespace-scoped. This means two different namespaces can have ConfigMaps with the same name without conflict. This is useful for separating configuration for development, staging, and production environments. However, ConfigMaps have a size limit of 1 MB. This is because they are stored in etcd, and large objects can degrade cluster performance. For larger or more dynamic configuration, consider using external configuration services or Kubernetes Secrets (for sensitive data).

A ConfigMap does not provide any built-in encryption or access control for its data. By default, any pod in the same namespace can read any ConfigMap. For sensitive data like passwords and API keys, you should use Secret objects instead. Secrets are similar to ConfigMaps but are base64-encoded by convention and can be encrypted at rest with Kubernetes encryption providers.

When a ConfigMap is updated, pods already using that ConfigMap will not automatically see the changes unless the pod is restarted or the application polls for changes. For environment variable consumption, the pod must be recreated. For volume mounts, there is a optional refresh period (default 60 seconds) that syncs updated data into the mounted files. However, most production applications watch for file changes or poll for updates.

ConfigMaps are widely used in microservices architectures, where each service has its own configuration that varies across environments. They also support immutable ConfigMaps (Immutable field set to true) which prevent updates and improve performance by reducing load on etcd and the API server.

Real-Life Example

Think of a large hotel with many guest rooms and a central front desk. Each room has a printed booklet that tells guests about hotel services: breakfast hours, pool opening times, the Wi-Fi password, and the phone number for room service. If the hotel changes breakfast hours or updates the Wi-Fi password, they would need to reprint every booklet and place them in all rooms. That takes time and costs money.

Instead, the hotel installs a digital screen in the lobby and small tablets in each room that display the same information, pulled from a central computer. The central computer holds the current breakfast hours, pool schedule, and Wi-Fi password. When the manager updates these details on the central computer, every tablet in every room shows the new information immediately. No reprinting, no running around.

In this analogy, the central computer is the ConfigMap. The hotel guests are containers running in a Kubernetes pod. The tablets are environment variables or mounted files inside the container that read from the ConfigMap. When you update the ConfigMap (change the Wi-Fi password), the containers can pick up the new value without needing a new container image or a full deployment restart. The hotel (your application) stays the same — only the sign in the lobby changes.

Why This Term Matters

In real-world IT operations, configuration management is a persistent challenge. Applications frequently need to connect to different databases, APIs, or services depending on the environment. Without ConfigMaps, you would have to bake configuration values directly into your container images. That means building a separate image for development, another for staging, and a third for production. Each time a configuration value changes, you must rebuild and redeploy that image across all affected systems. This is slow, error-prone, and defeats the purpose of immutable infrastructure.

ConfigMaps solve this by keeping configuration outside the image. You can run the exact same container image in development, staging, and production — only the ConfigMap changes per environment. This consistency reduces the chance of environment-specific bugs. For example, a developer might accidentally test against a production database if the connection string is baked into the code. With ConfigMaps, each environment clearly controls its own values.

ConfigMaps also enable operational agility. When a database is migrated to a new server, an operations team can update the database hostname in the ConfigMap and restart the affected pods. There is no need to rebuild the entire application. This reduces deployment time from hours to minutes. In large clusters with hundreds of microservices, this decoupling is essential for maintaining velocity.

From a security perspective, ConfigMaps reinforce the principle of least privilege. ConfigMaps are not encrypted and should not contain secrets, but they still allow you to separate configuration from code. This makes audits easier because configuration changes happen in a clear, version-controlled manner. Teams can roll back a configuration change by reverting the ConfigMap, without touching the application code.

Finally, ConfigMaps support the twelve-factor app methodology, which mandates storing configuration in the environment. Kubernetes native objects make this implementation straightforward and standardized across any cluster.

How It Appears in Exam Questions

CKA exam questions involving ConfigMaps typically fall into several categories.

Scenario questions: You are given a scenario where an application needs to read configuration from environment variables. You must create a ConfigMap from given literal values (e.g., APP_COLOR=blue, DB_HOST=mysql) and then update a pod specification to inject those values as environment variables. You might be asked to verify that the pod has the correct environment using kubectl exec.

Configuration questions: You are provided with a YAML file for a pod that currently has hardcoded values. You must convert it to use a ConfigMap. This tests your ability to write the correct YAML structure for envFrom or valueFrom fields. You may also be asked to mount a ConfigMap as a volume and ensure files appear in the expected directory.

Troubleshooting questions: A pod is crashing with an error like unable to load config. You need to diagnose the issue. Possible causes: the ConfigMap does not exist in the same namespace, the key name is misspelled, or the ConfigMap exists but the pod's reference uses an incorrect name. You must use kubectl get configmaps, kubectl describe pod, and kubectl logs to find and fix the problem.

Architecture questions: You are asked to design a solution where multiple microservices share a common configuration. You need to explain how to use a single ConfigMap or multiple ConfigMaps, and how to ensure updates propagate correctly. This tests your understanding of ConfigMap immutability, update propagation, and namespace scoping.

Multiple-choice questions: These are less common in CKA (which is performance-based), but in CNCF certification prep courses you might see questions like: Which is the correct way to create a ConfigMap from a file? Options: kubectl create configmap my-config --from-file=config.txt, kubectl create configmap my-config --from-literal=key=value, etc.

You should also be prepared for questions that mix ConfigMaps with Secrets. For example: You have a config that includes both a database URL (non-sensitive) and a password (sensitive). Which Kubernetes object should store each? The correct answer is ConfigMap for the URL, Secret for the password.

Study cncf-cka

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior Kubernetes administrator at a company that runs a web application. The application reads a configuration file called app.properties that contains: server.port=8080, database.host=localhost, and feature.new-ui=true. Currently, these values are hardcoded inside the Docker image, so every time you change the database host from localhost to production-db, you have to build a new image and redeploy.

Your senior engineer tells you to use a ConfigMap instead. You create a ConfigMap named webapp-config with the following commands:

kubectl create configmap webapp-config --from-literal=server.port=8080 kubectl create configmap webapp-config --from-literal=database.host=production-db --dry-run=client -o yaml | kubectl apply -f -

Then you update the pod specification to reference this ConfigMap as environment variables. The pod definition now includes an envFrom section that pulls all key-value pairs from webapp-config. When the pod starts, the application reads server.port and database.host from environment variables instead of the hardcoded file.

Later, when the database moves to a new host, you simply update the ConfigMap: kubectl edit configmap webapp-config and change the database.host value. After recreating the pod, the application picks up the new hostname without any image rebuild. This saves time, reduces errors, and keeps your deployment process simple.

Common Mistakes

Storing sensitive data like passwords or API keys in a ConfigMap.

ConfigMaps store data in plaintext and have no encryption at rest by default. Anyone with access to the namespace or etcd can read the values. This violates security best practices and can lead to data breaches.

Use Kubernetes Secrets for sensitive data. Secrets offer base64 encoding by convention and can be encrypted at rest using kube-apiserver encryption configuration. For sensitive data, always use Secrets or an external secret management system like HashiCorp Vault.

Expecting pods to update environment variables automatically when a ConfigMap changes.

When a ConfigMap is consumed as environment variables, those values are injected into the pod at creation time. Kubernetes does not automatically restart or update the environment variables of running pods. The pod will continue using the old values until it is recreated.

For environment variables, you must delete and recreate the pod to pick up ConfigMap changes. For volume mounts, you can set a refresh period (default 60 seconds) for updated files, but the application must be designed to watch for file changes. Alternatively, use a controller like Reloader that automatically triggers rolling updates when ConfigMaps change.

Creating a ConfigMap with a key that contains invalid characters for environment variable names.

Not all keys in a ConfigMap are valid as environment variable names. Environment variables must start with a letter or underscore and can only contain letters, digits, and underscores. Keys with dots, hyphens, or other characters will cause the pod creation to fail or the variable to be silently ignored.

Use keys that follow the POSIX environment variable naming convention. For example, use DATABASE_HOST instead of database.host. If you cannot control the key names, mount the ConfigMap as a file instead of using environment variables. That way the application can read the configuration using file I/O without naming restrictions.

Assuming ConfigMaps are immutable by default and cannot be updated.

ConfigMaps are mutable by default. You can update them using kubectl edit, kubectl apply, or kubectl patch. However, there is an optional immutable field that, when set to true, prevents updates and is especially useful for configurations that should never change, providing performance benefits.

Understand that mutability is the default. If you need a config that cannot be changed accidentally, set immutable: true in the ConfigMap metadata. Be aware that once immutable, the ConfigMap cannot be updated — you must delete and recreate it for any changes.

Forgetting to check which namespace the ConfigMap exists in.

ConfigMaps are namespace-scoped objects. If you create a ConfigMap in namespace dev and try to reference it from a pod in namespace prod, the pod will fail because Kubernetes cannot find the ConfigMap. The error message is not always obvious.

Always ensure that the ConfigMap is created in the same namespace as the pod that uses it. Use kubectl get configmaps -n <namespace> to verify. If you need cross-namespace access, you must copy the ConfigMap data to the target namespace or use a different approach like a shared operator.

Exam Trap — Don't Get Fooled

An exam question asks you to create a pod that uses a ConfigMap as environment variables. You write the correct envFrom section but forget that the ConfigMap must exist before the pod is created. The pod starts in a CrushLoopBackOff state with messages like ConfigMap not found.

Always create the ConfigMap before the pod that references it. Use a two-step approach: first run kubectl create configmap, then deploy the pod. In exam tasks, read the instructions carefully; they often provide the ConfigMap data first.

If you see an error, check that the ConfigMap exists with kubectl get configmap. If it does not exist, create it. If it exists but the pod still fails, check the namespace and the key names.

Commonly Confused With

ConfigMapsvsKubernetes Secrets

Both ConfigMaps and Secrets store key-value data and can be consumed as environment variables or volume mounts. The core difference is that Secrets are designed for sensitive data (passwords, tokens, keys) and offer base64 encoding and optional encryption at rest. ConfigMaps store plaintext, non-sensitive configuration. Use ConfigMaps for database hostnames, feature flags, and app settings. Use Secrets for any data that would pose a risk if exposed.

Your app needs a database URL (postgres://prod-db:5432/mydb) and a database password. Store the URL in a ConfigMap because it doesn't contain credentials. Store the password in a Secret because it is sensitive.

ConfigMapsvsKubernetes Environment Variables

Environment variables are a mechanism for passing configuration to a container, while ConfigMaps are a storage object that can supply values for those environment variables. You can set environment variables directly in the pod spec without a ConfigMap, but then the values are hardcoded and cannot be updated without modifying the pod spec. ConfigMaps provide a centralized, updatable source for those values.

Setting APP_COLOR=blue directly in a pod spec is hardcoded. Creating a ConfigMap with key APP_COLOR and value blue and then referencing it in the pod spec makes the configuration external and updatable.

ConfigMapsvsKubernetes Volumes

Volumes in Kubernetes provide storage for pods (e.g., emptyDir, hostPath, persistent volumes). A ConfigMap can be mounted as a volume, but the ConfigMap itself is not a general-purpose storage solution. The ConfigMap volume type specifically projects the key-value pairs of a ConfigMap into a directory as files. This is different from a persistent volume that stores arbitrary data long-term.

Mounting a ConfigMap as a volume creates files like /etc/config/server.port with content 8080. A persistent volume, on the other hand, would allow a database to store its data files. They serve different purposes: one for configuration, the other for data persistence.

Step-by-Step Breakdown

1

Create the ConfigMap

You create a ConfigMap either from literal values, a file, or a directory. Use kubectl create configmap my-config --from-literal=key=value for simple values, or from-file to import configuration files. This stores the data in etcd as a Kubernetes object.

2

Verify the ConfigMap exists

Run kubectl get configmap my-config to confirm it was created successfully. Use kubectl describe configmap my-config to see the key-value pairs. This step helps you catch typos or missing data before attaching it to a pod.

3

Define the pod specification that consumes the ConfigMap

In the pod YAML, add a volumes section with a configMap type referencing the ConfigMap name, or add an envFrom section to inject all key-value pairs as environment variables. For selective keys, use env with valueFrom.configMapKeyRef.

4

Create the pod

Use kubectl apply -f pod.yaml or kubectl run to create the pod. Kubernetes validates that the referenced ConfigMap exists in the same namespace. If it does, the pod starts and the configuration is injected according to the spec.

5

Test that the configuration is applied correctly

Use kubectl exec <pod-name> -- env to list environment variables, or kubectl exec <pod-name> -- cat /etc/config/key to check file contents. This confirms that the ConfigMap data was correctly injected into the running container.

6

Update the ConfigMap when configuration changes

Use kubectl edit configmap my-config or kubectl apply with a modified YAML. For environment variable consumption, you must recreate the pod. For volume mounts, the files update automatically after a refresh period (default 60 seconds). Check the updated values using kubectl exec.

7

Clean up resources

Delete the ConfigMap when it is no longer needed using kubectl delete configmap my-config. Be aware that if a pod still references the deleted ConfigMap, the pod will fail to start if recreated or restarted, but existing running pods that already consumed the ConfigMap values will continue to work with the old data in memory.

Practical Mini-Lesson

ConfigMaps are one of the first tools a Kubernetes administrator learns for managing application configuration. The concept is simple but powerful. Let us walk through a complete, practical workflow that you might encounter in a real cluster.

Start by examining your application. Most modern applications follow the twelve-factor app methodology, which stores configuration in environment variables. For example, a Node.js app might read process.env.DATABASE_HOST and process.env.FEATURE_FLAG. A Java Spring Boot app might read environment variables that override properties in application.properties. As a Kubernetes admin, your job is to provide those environment variables from a ConfigMap rather than hardcoding them.

To create a ConfigMap from a configuration file a developer gave you, save the file as app.properties with lines like: server.port=8080, database.host=prod-db, feature.new-ui=true. Then import it: kubectl create configmap app-config --from-file=app.properties. This creates a ConfigMap with a single key (the filename) and the entire file content as the value. You can also create it from individual key-value pairs: kubectl create configmap app-config --from-literal=server.port=8080 --from-literal=database.host=prod-db.

Now, to inject these values into a pod, you have two main approaches. The first is using envFrom in the pod spec, which imports all ConfigMap keys as environment variables. This is clean and automatic, but the keys must be valid environment variable names. The second approach is mounting the ConfigMap as a volume. This is useful when the application expects a configuration file at a specific path. Add a volumes section in the pod spec referencing the ConfigMap, and a volumeMounts section to place the file at, for example, /etc/config.

In production, you will often use ConfigMaps with Deployments rather than bare pods. A Deployment manages replicas and supports rolling updates. When you update a ConfigMap, you typically need to roll out a new version of the Deployment to restart pods and pick up the new environment variable values. Tools like Reloader can automate this by watching ConfigMaps and triggering a rolling restart.

What can go wrong? The most common issues are missing ConfigMaps, namespace mismatches, and invalid key names. If a pod fails to start, use kubectl describe pod to check the events section for errors like ConfigMap not found. Another issue is updating a ConfigMap but not restarting pods, leading to stale configuration for hours or days until someone notices.

For performance, consider making ConfigMaps immutable if they never change. Set the Immutable field to true in the ConfigMap spec. This reduces API server load because Kubernetes no longer watches for updates. However, remember that immutable ConfigMaps cannot be updated — you must delete and recreate them.

Finally, always remember that ConfigMaps are not encrypted. If you need to store a database password or an API token, create a Secret instead. Some teams mistakenly use ConfigMaps for secrets, which is a critical security flaw. Audit your cluster regularly with kubectl get configmaps --all-namespaces and review the data to ensure no sensitive information is exposed.

Memory Tip

Think CONFIG MAP as: Configuration Outside, Never In the container's Filesystem or Code — always read from a separate Map. Remember the mnemonic: C-O-N-F-I-G spells 'Configuration Outside, Not in the Image's Git'. This reminds you that configuration lives outside the image and can change independently.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

Can I use a ConfigMap to store a JSON configuration file?

Yes. You can store entire files including JSON, YAML, or INI files as values in a ConfigMap. You can create the ConfigMap using --from-file=config.json, then mount it as a volume so the application reads the file directly.

What happens if I update a ConfigMap while a pod is running?

If the ConfigMap is consumed as environment variables, the running pod will not see the changes until the pod is recreated. If it is consumed as a volume mount, the files will be updated automatically after a refresh period (default 60 seconds).

Can I use ConfigMaps across different namespaces?

No. ConfigMaps are namespace-scoped. A pod in one namespace cannot directly reference a ConfigMap in another namespace. You must either create a duplicate ConfigMap in the target namespace or use a tool that copies data across namespaces.

Is there a size limit for ConfigMaps?

Yes. ConfigMaps are limited to 1 MB. This is because they are stored in etcd, which has performance constraints for large objects. For larger configurations, consider using external configuration stores or splitting configuration across multiple ConfigMaps.

Should I store database passwords in ConfigMaps?

No. ConfigMaps are not encrypted and store data in plaintext. Always use Kubernetes Secrets for passwords, tokens, and other sensitive data. Secrets provide base64 encoding and can be encrypted at rest.

How do I update environment variables in a pod without restarting it?

You cannot update environment variables of a running pod without restarting it. The environment variables are set at container startup. To pick up new values, you must delete and recreate the pod or use a rolling update strategy with a Deployment.

Can I make a ConfigMap immutable?

Yes. Set the immutable field to true in the ConfigMap metadata. This prevents any updates to the ConfigMap. It also improves performance because the API server no longer watches for changes to that ConfigMap.

Summary

ConfigMaps are a Kubernetes resource that stores non-sensitive configuration data separate from container images. They allow you to keep your applications generic and reusable across different environments — development, staging, and production — by injecting environment-specific settings at runtime. ConfigMaps can be consumed as environment variables or mounted as files, giving you flexibility in how your applications access configuration.

For certification exams, especially the CKA, you must be able to create, update, and troubleshoot ConfigMaps from both the command line and YAML manifests. Common pitfalls include confusing ConfigMaps with Secrets, forgetting to restart pods after updating environment-variable-based configuration, and namespace mismatches. Remember that ConfigMaps are not encrypted and should never hold sensitive data.

Mastering ConfigMaps is essential for efficient and secure Kubernetes cluster management. By decoupling configuration from code, you achieve greater operational agility and maintain a clear separation of concerns — a cornerstone of modern DevOps practices.