ConfigMaps

    A ConfigMap allows you to decouple environment-specific configuration from your container images, so that your applications are easily portable.

    Caution: ConfigMap does not provide secrecy or encryption. If the data you want to store are confidential, use a rather than a ConfigMap, or use additional (third party) tools to keep your data private.

    Use a ConfigMap for setting configuration data separately from application code.

    For example, imagine that you are developing an application that you can run on your own computer (for development) and in the cloud (to handle real traffic). You write the code to look in an environment variable named . Locally, you set that variable to localhost. In the cloud, you set it to refer to a Kubernetes Service that exposes the database component to your cluster. This lets you fetch a container image running in the cloud and debug the exact same code locally if needed.

    A ConfigMap is not designed to hold large chunks of data. The data stored in a ConfigMap cannot exceed 1 MiB. If you need to store settings that are larger than this limit, you may want to consider mounting a volume or use a separate database or file service.

    ConfigMap object

    A ConfigMap is an API object that lets you store configuration for other objects to use. Unlike most Kubernetes objects that have a spec, a ConfigMap has data and binaryData fields. These fields accept key-value pairs as their values. Both the data field and the binaryData are optional. The data field is designed to contain UTF-8 byte sequences while the binaryData field is designed to contain binary data as base64-encoded strings.

    The name of a ConfigMap must be a valid .

    Each key under the data or the binaryData field must consist of alphanumeric characters, -, _ or .. The keys stored in must not overlap with the keys in the binaryData field.

    Starting from v1.19, you can add an immutable field to a ConfigMap definition to create an immutable ConfigMap.

    Note: The spec of a cannot refer to a ConfigMap or any other API objects.

    Here’s an example ConfigMap that has some keys with single values, and other keys where the value looks like a fragment of a configuration format.

    There are four different ways that you can use a ConfigMap to configure a container inside a Pod:

    1. Inside a container command and args
    2. Environment variables for a container
    3. Add a file in read-only volume, for the application to read
    4. Write code to run inside the Pod that uses the Kubernetes API to read a ConfigMap

    These different methods lend themselves to different ways of modeling the data being consumed. For the first three methods, the kubelet uses the data from the ConfigMap when it launches container(s) for a Pod.

    The fourth method means you have to write code to read the ConfigMap and its data. However, because you’re using the Kubernetes API directly, your application can subscribe to get updates whenever the ConfigMap changes, and react when that happens. By accessing the Kubernetes API directly, this technique also lets you access a ConfigMap in a different namespace.

    Here’s an example Pod that uses values from game-demo to configure a Pod:

    A ConfigMap doesn’t differentiate between single line property values and multi-line file-like values. What matters is how Pods and other objects consume those values.

    For this example, defining a volume and mounting it inside the demo container as /config creates two files, /config/game.properties and /config/user-interface.properties, even though there are four keys in the ConfigMap. This is because the Pod definition specifies an items array in the volumes section. If you omit the items array entirely, every key in the ConfigMap becomes a file with the same name as the key, and you get 4 files.

    Using ConfigMaps

    ConfigMaps can be mounted as data volumes. ConfigMaps can also be used by other parts of the system, without being directly exposed to the Pod. For example, ConfigMaps can hold data that other parts of the system should use for configuration.

    For example, you might encounter addons or that adjust their behavior based on a ConfigMap.

    To consume a ConfigMap in a volume in a Pod:

    1. Create a ConfigMap or use an existing one. Multiple Pods can reference the same ConfigMap.
    2. Add a .spec.containers[].volumeMounts[] to each container that needs the ConfigMap. Specify .spec.containers[].volumeMounts[].readOnly = true and .spec.containers[].volumeMounts[].mountPath to an unused directory name where you would like the ConfigMap to appear.
    3. Modify your image or command line so that the program looks for files in that directory. Each key in the ConfigMap data map becomes the filename under mountPath.

    This is an example of a Pod that mounts a ConfigMap in a volume:

    Each ConfigMap you want to use needs to be referred to in .spec.volumes.

    If there are multiple containers in the Pod, then each container needs its own volumeMounts block, but only one .spec.volumes is needed per ConfigMap.

    Mounted ConfigMaps are updated automatically

    When a ConfigMap currently consumed in a volume is updated, projected keys are eventually updated as well. The kubelet checks whether the mounted ConfigMap is fresh on every periodic sync. However, the kubelet uses its local cache for getting the current value of the ConfigMap. The type of the cache is configurable using the ConfigMapAndSecretChangeDetectionStrategy field in the . A ConfigMap can be either propagated by watch (default), ttl-based, or by redirecting all requests directly to the API server. As a result, the total delay from the moment when the ConfigMap is updated to the moment when new keys are projected to the Pod can be as long as the kubelet sync period + cache propagation delay, where the cache propagation delay depends on the chosen cache type (it equals to watch propagation delay, ttl of cache, or zero correspondingly).

    ConfigMaps consumed as environment variables are not updated automatically and require a pod restart.

    FEATURE STATE: Kubernetes v1.21 [stable]

    The Kubernetes feature Immutable Secrets and ConfigMaps provides an option to set individual Secrets and ConfigMaps as immutable. For clusters that extensively use ConfigMaps (at least tens of thousands of unique ConfigMap to Pod mounts), preventing changes to their data has the following advantages:

    • protects you from accidental (or unwanted) updates that could cause applications outages
    • improves performance of your cluster by significantly reducing load on kube-apiserver, by closing watches for ConfigMaps marked as immutable.

    Once a ConfigMap is marked as immutable, it is not possible to revert this change nor to mutate the contents of the or the binaryData field. You can only delete and recreate the ConfigMap. Because existing Pods maintain a mount point to the deleted ConfigMap, it is recommended to recreate these pods.

    What’s next