Configuration
Applications in pods might be configured in a few ways.
ConfigMaps
Mounting as volumes
When mounting a ConfigMap/Secret as a volume, the files in the container are actually symbolic links. Next to them is a directory with the actual files. This was done so that when configMap changes, and Kubernetes updates the files, the symbolic links will be switched to point to new files only after all of them get updated properly. This solves a potential issue of container seeing only half of the files being updated, which could lead to improper configuration of the app.
When using subPath while mounting configMap, the files do not get updated
together with configMap updates.
Secrets
Secrets are very similar to configMaps. Some differences:
- Secrets are only distrubuted to the Nodes that run the Pods taht need the given Secret.
- Secrets in the Nodes are always only in memory, never written to the disk.
By default Secrets have type set to Opaque. There are various types of
secrets used by various K8s components. Examples of secret types:
kubernetes.io/basic-auth- must containerusernameandpasswordkubernetes.io/tls- must containtls.crtandtls.key
Secrets objects store secrets under the data key in base64 encoded format. In
order to crete a secret, you can either provide the base64-encoded values under
data or provide raw values under the stringData key. They will be
transformed to base64 and put under data by K8s. stringData is only writable,
not readable.
Downward API
It allows to expose pod and container metadata (metadata, spec or status
fields and resource constraints, like CPU, RAM) via environment variables or
files (like ConfigMaps).
Supported metadata fields:
| Field | Description | Allowed in env | Allowed in volume |
|---|---|---|---|
| metadata.name | The pod’s name. | Yes | Yes |
| metadata.namespace | The pod’s namespace. | Yes | Yes |
| metadata.uid | The pod’s UID. | Yes | Yes |
| metadata.labels | All the pod’s labels, one label per line, formatted as key=“value” | No | Yes |
| metadata.labels[‘key’] | The value of the specified label. | Yes | Yes |
| metadata.annotations | All the pod’s annotations, one per line, formatted as key=“value”. | No | Yes |
| metadata.annotations[‘key’] | The value of the specified annotation. | Yes | Yes |
| spec.nodeName | The name of the worker node the pod runs on. | Yes | No |
| spec.serviceAccountName | The name of the pod’s service account. | Yes | No |
| status.podIp | The pod’s IP address. | Yes | No |
| status.hostIP | The worker node’s IP address. | Yes | No |
Supported resource cnstraints injection:
| Resource field | Description | Allowed in env | Allowed in vol |
|---|---|---|---|
| requests.cpu | The container’s CPU request. | Yes | Yes |
| requests.memory | The container’s memory request. | Yes | Yes |
| requests.ephemeral-storage | The container’s ephemeral storage request. | Yes | Yes |
| limits.cpu | The container’s CPU limit. | Yes | Yes |
| limits.memory | The container’s memory limit. | Yes | Yes |
| limits.ephemeral-storage | The container’s ephemeral storage limit. | Yes | Yes |
Projected Volumes
When mounting Secrets, ConfigMaps, Downward API as volumes, they cannot be
mounted in the same directory (unless using subPath). Projected Volumes allow
to do that.