# Configuration

Applications in pods might be configured in a few ways.

# ConfigMaps

# Mounting as volumes

When mounting a ConfigMap/Secret as a volume, the files in the container are actually symbolic links. Next to them is a directory with the actual files. This was done so that when configMap changes, and Kubernetes updates the files, the symbolic links will be switched to point to new files only after all of them get updated properly. This solves a potential issue of container seeing only half of the files being updated, which could lead to improper configuration of the app.

When using subPath while mounting configMap, the files do not get updated together with configMap updates.

# Secrets

Secrets are very similar to configMaps. Some differences:

  • Secrets are only distrubuted to the Nodes that run the Pods taht need the given Secret.
  • Secrets in the Nodes are always only in memory, never written to the disk.

By default Secrets have type set to Opaque. There are various types of secrets used by various K8s components. Examples of secret types:

  • kubernetes.io/basic-auth - must container username and password
  • kubernetes.io/tls - must contain tls.crt and tls.key

Secrets objects store secrets under the data key in base64 encoded format. In order to crete a secret, you can either provide the base64-encoded values under data or provide raw values under the stringData key. They will be transformed to base64 and put under data by K8s. stringData is only writable, not readable.

# Downward API

It allows to expose pod and container metadata (metadata, spec or status fields and resource constraints, like CPU, RAM) via environment variables or files (like ConfigMaps).

Supported metadata fields:

Field Description Allowed in env Allowed in volume
metadata.name The pod's name. Yes Yes
metadata.namespace The pod's namespace. Yes Yes
metadata.uid The pod's UID. Yes Yes
metadata.labels All the pod's labels, one label per line, formatted as key="value" No Yes
metadata.labels['key'] The value of the specified label. Yes Yes
metadata.annotations All the pod's annotations, one per line, formatted as key="value". No Yes
metadata.annotations['key'] The value of the specified annotation. Yes Yes
spec.nodeName The name of the worker node the pod runs on. Yes No
spec.serviceAccountName The name of the pod's service account. Yes No
status.podIp The pod's IP address. Yes No
status.hostIP The worker node's IP address. Yes No

Supported resource cnstraints injection:

Resource field Description Allowed in env Allowed in vol
requests.cpu The container's CPU request. Yes Yes
requests.memory The container's memory request. Yes Yes
requests.ephemeral-storage The container's ephemeral storage request. Yes Yes
limits.cpu The container's CPU limit. Yes Yes
limits.memory The container's memory limit. Yes Yes
limits.ephemeral-storage The container's ephemeral storage limit. Yes Yes

# Projected Volumes

When mounting Secrets, ConfigMaps, Downward API as volumes, they cannot be mounted in the same directory (unless using subPath). Projected Volumes allow to do that.

Last Updated: 10/5/2022, 6:26:29 PM