ConfigMaps and Secrets
Kubernetes provides ConfigMaps and secrets to store and manage application configurations and sensitive data. They decouple configurations from container images, greatly improving deployment flexibility. ConfigMaps and secrets also ensure cluster security and O&M efficiency through fine-grained access control and encryption.
ConfigMaps
ConfigMaps are a type of Kubernetes resource object. They store non-sensitive information in key-value pairs and are used by applications during runtime. ConfigMaps have the following advantages:
- Flexible storage: ConfigMaps can store various non-encrypted configurations, such as plain text, JSON, YAML, or property files.
- Diverse usage: ConfigMaps can be used as environment variables, command line arguments, or configuration files in volumes.
- Easy to update: When a configuration changes, updating the ConfigMap automatically makes the latest configuration available to the workloads that reference it. There is no need to build new container images.
- Simplified configuration management: ConfigMaps allow configurations to be separated from application code, enabling applications to use different configurations across environments without modifying the code. Additionally, multiple applications can reference the same ConfigMap for unified configuration management. This reduces duplicated or decentralized configuration management efforts.
You can create and use a ConfigMap by referring to the following:
Secrets
Secrets are a type of Kubernetes resource object designed to store and manage sensitive information securely. They ensure sensitive information security and privacy through encrypted storage and access control. Secrets have the following advantages:
- Security: Data in secrets is encrypted. Kubernetes automatically encrypts the data during storage to ensure that sensitive information is not stored in plain text in the cluster.
- Access control: Kubernetes role-based access control (RBAC) can be used to precisely control the accounts or users who access specific secrets, thereby improving security.
- Diverse usage: Secrets can be used as environment variables or configuration files in volumes for pods. Secrets make it unnecessary to store sensitive information in container images and simplify the management of sensitive data.
- Easy to update: Secrets can be dynamically updated during runtime. The updated data can be accessed by related pods immediately. There is no need to rebuild container images or restart services.
You can create and use a secret by referring to the following:
Cluster Secrets
In addition to custom secrets, CCE creates the following system secrets in each namespace by default:
- default-secret: The secret type is kubernetes.io/dockerconfigjson. The data field contains the credential for logging in to and pulling images from the SWR image repository. When creating a workload in a CCE cluster, if you need to pull images from SWR, you need to set imagePullSecrets to default-secret.
- paas.elb: The secret type is cfe/secure-opaque. The data field contains the temporary AK/SK that provides dynamic, short-term security authentication for pods and load balancers. This secret ensures that cloud services are accessed with the minimum permissions and that resources are managed automatically, and it prevents data leaks caused by long-lived secrets.
For more information, see Cluster Secrets.
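The usage patterns described above (a ConfigMap consumed as an environment variable and as a file in a volume, a secret consumed as an environment variable, and default-secret referenced in imagePullSecrets), as an added example that is not part of the original page. The ConfigMap and secret names, their keys, the mount path and the SWR image address are assumptions chosen for illustration.

```yaml
# Added example (not from the original page). Names, keys and the image address
# are placeholders; default-secret is the CCE system secret described above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config              # assumed name
data:
  LOG_LEVEL: "info"             # consumed as an environment variable below
  app.properties: |             # consumed as a file from a mounted volume
    server.port=8080
    feature.flags=beta
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # assumed name
type: Opaque
stringData:                     # plain text in the manifest; stored base64-encoded by the API server
  DB_PASSWORD: "replace-me"     # placeholder value, not a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  imagePullSecrets:
    - name: default-secret      # SWR pull credential created by CCE in every namespace
  containers:
    - name: app
      image: <swr-image-address>   # placeholder for the SWR image path
      env:
        - name: LOG_LEVEL       # read once at container start; a ConfigMap update needs a restart
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL
        - name: DB_PASSWORD     # injected from the secret instead of being baked into the image
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: DB_PASSWORD
      volumeMounts:
        - name: config
          mountPath: /etc/app   # /etc/app/app.properties is refreshed by kubelet after a ConfigMap update
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config
```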