Kubernetes YAML Config and Secrets

ConfigMap, Secret, projected volume, envFrom, and secure configuration patterns.


ConfigMaps

Store non-confidential config and mount or inject it.

Basic ConfigMap YAML

Key-value application config in YAML.

yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: production
  LOG_LEVEL: info
  FEATURE_X_ENABLED: "true"

ConfigMaps store non-confidential data in key-value form and can be consumed as env vars, args, or files.

ConfigMap with file-like content

Mount application config files from YAML.

yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  default.conf: |
    server {
      listen 80;
      location / {
        proxy_pass http://api:8080;
      }
    }

Mount ConfigMap as files

Expose configuration under a volume mount path.

yaml
volumes:
  - name: app-config
    configMap:
      name: nginx-config

containers:
  - name: nginx
    image: nginx:1.27
    volumeMounts:
      - name: app-config
        mountPath: /etc/nginx/conf.d

Secrets

Store sensitive values and mount or inject them securely.

Opaque Secret with stringData

Author readable Secret YAML without manual base64.

yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
stringData:
  DATABASE_URL: postgres://app:secret@postgres:5432/app
  API_KEY: replace-me

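Use `stringData` when authoring Secret YAML; the API server base64-encodes each value into the Secret's `data` field. Base64 is an encoding, not encryption, so a manifest containing `stringData` exposes the values in plain text.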

Read specific secret keys into env vars

Map one Secret key to one variable.

yaml
env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: app-secrets
        key: DATABASE_URL
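
A check for the two patterns above, added here as an example and not part of the original sheet: it flags credential-like entries kept in a ConfigMap's `data` (meant for non-confidential values) and container `env` entries that carry a literal `value` instead of a `secretKeyRef`. The key-name pattern, the function names and the sample manifests are assumptions constructed for this example; input is the JSON form of the manifests.

```python
import json
import re
from urllib.parse import urlsplit
# Heuristic credential-like key names (an assumption of this example, not a standard).
SENSITIVE_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def looks_sensitive(key, value):
    """True if the key name suggests a credential or the value is a URL carrying a password."""
    if SENSITIVE_KEY.search(key):
        return True
    try:
        return bool(urlsplit(str(value)).password)
    except ValueError:  # malformed URL-like value
        return False

def containers_of(obj):
    """Yield containers from a Pod, or from a workload's pod template (Deployment etc.)."""
    spec = obj.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    yield from pod_spec.get("containers", [])
    yield from pod_spec.get("initContainers", [])

def find_misplaced_secrets(manifests):
    """Return (kind/name, location, key) for sensitive values kept outside a Secret."""
    findings = []
    for obj in manifests:
        ident = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        if obj.get("kind") == "ConfigMap":
            for key, value in (obj.get("data") or {}).items():
                if looks_sensitive(key, value):
                    findings.append((ident, "data", key))
        for c in containers_of(obj):
            for env in c.get("env", []):
                # Only literal `value` entries are checked; valueFrom.secretKeyRef has no `value`.
                if "value" in env and looks_sensitive(env["name"], env["value"]):
                    findings.append((ident, f"containers[{c.get('name')}].env", env["name"]))
    return findings

# Constructed sample manifests in the JSON form `kubectl get -o json` emits.
SAMPLE = json.loads("""[
 {"kind": "ConfigMap", "metadata": {"name": "app-config"},
  "data": {"LOG_LEVEL": "info", "DB_DSN": "postgres://app:secret@postgres:5432/app"}},
 {"kind": "Deployment", "metadata": {"name": "api"},
  "spec": {"template": {"spec": {"containers": [{"name": "api", "env": [
    {"name": "API_KEY", "value": "replace-me"},
    {"name": "DATABASE_URL", "valueFrom": {"secretKeyRef": {"name": "app-secrets", "key": "DATABASE_URL"}}}]}]}}}}]""")

if __name__ == "__main__":
    print(*find_misplaced_secrets(SAMPLE), sep="\n")
```

On the sample it reports the ConfigMap's `DB_DSN` entry and the Deployment's literal `API_KEY`, and leaves the `secretKeyRef`-backed `DATABASE_URL` alone.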

Mount Secret as files

Expose certificate or key material through a volume.

yaml
volumes:
  - name: tls
    secret:
      secretName: app-tls
containers:
  - name: api
    volumeMounts:
      - name: tls
        mountPath: /etc/tls
        readOnly: true

Create Secret from literals

Generate a Secret without hand-editing YAML.

bash
kubectl create secret generic app-secrets --from-literal=API_KEY=replace-me

Projected Volumes

Merge multiple sources into one mount.

Combine Secret and ConfigMap into one volume

Project multiple sources into a single directory.

yaml
volumes:
  - name: app-settings
    projected:
      sources:
        - configMap:
            name: app-config
        - secret:
            name: app-secrets
