I'm the author of both of these features. The idea is that you should:

  1. Use Secrets for things which are actually secret like API keys, credentials, etc
  2. Use ConfigMaps for not-secret configuration data

In the future, there will likely be some differentiators for secrets like rotation or support for backing the secret API w/ HSMs, etc. In general, we like intent-based APIs, and the intent is definitely different for secret data vs. plain old configs.

Answer from Paul Morie on Stack Overflow
Reddit
reddit.com › r/kubernetes › secrets vs configmaps and its security
r/kubernetes on Reddit: Secrets vs Configmaps and its security
December 20, 2022

After reading a lot of resources about secrets (this https://www.macchaffee.com/blog/2022/k8s-secrets/ included) I really have an issue with understanding if there is any difference between secret and configmap object under the hood when it comes to security. If I get this right:

  1. If we have TLS enabled between nodes and kubernetes API any request to API is secured thus both configmaps and secrets are transmitted in secure way to pods. If no TLS is enabled, they are both unsecured in transmission.

  2. We can have encryption at rest enabled but according to this guide https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ we can both encrypt configmaps and secrets in ETCD so no difference here.

  3. For API access we can enable/disable access with RBAC both for secrets and configmaps as we like

  4. There is suggestion that we can allow certain containers to have access to a certain Secret but I didn't find any method to do so

  5. The one difference I found is tmpfs that is used when mounting secret on volume (and thus have 1MB limit)

It seems to me that using secret is just convention and not security manner. If we can use tools like sealed secret we can imagine operators that do the same with configmaps (encrypt it to store in git, and decrypt as regular k8s object). If we can use tools like any Vault same way we could protect data in configmap as we do with secret object.

So do I get this right? Is there any real difference apart from convention that secret is the thing we secure more but as soon it gets into the cluster its security is almost same as configmap?

Discussions

Why use configmaps when we have secrets?
No functional reason on the k8s side. But depending on your gitops setup, it may be a lot easier to track changes made to configmaps rather than secrets as they're generally encoded More on reddit.com
r/kubernetes
April 17, 2025
is there a reason to use secrets over configmap on private local cluster?
The biggest reason (other than it just being a best practice) is that if you ever go down the gitops rabbit hole (which you probably will at some point), you're gonna have a really bad no fun time trying to find and remove all the secret data from your configmaps and move it into secrets where it should have been in the first place. Better to just do things the right way from the start More on reddit.com
r/kubernetes
April 3, 2025
Kubernetes when to use secrets instead of configmap? - Stack Overflow
What are the differences between secrets and configmap in term of security? In which cases would I want to use secret instead of configmap? More on stackoverflow.com
stackoverflow.com
Secrets vs Configmaps and its security
The difference is they are different object types. Grant access to config maps only means you don't see secrets. That's all. More on reddit.com
r/kubernetes
December 20, 2022
Kubernetes
kubernetes.io › docs › concepts › configuration › secret
Secrets | Kubernetes
March 17, 2026 - Existing Pods maintain a mount point to the deleted Secret - it is recommended to recreate these pods. Although ConfigMap and Secret work similarly, Kubernetes applies some additional protection for Secret objects.
Medium
medium.com › google-cloud › kubernetes-configmaps-and-secrets-68d061f7ab5b
Kubernetes ConfigMaps and Secrets | by Sandeep Dinesh | Google Cloud - Community | Medium
March 14, 2018 - There may be more differences in the future, but it is good practice to use Secrets for confidential data (like API keys) and ConfigMaps for non-confidential data (like port numbers).
Cast AI
cast.ai › cast ai › blog › kubernetes configmaps and secrets: what are they and when to use them?
Kubernetes ConfigMaps and Secrets: What Are They and When to Use Them? – CAST AI
October 24, 2025 - A ConfigMap also doesn’t provide secrecy or encryption. If the data you want to store in a ConfigMap is confidential, Kubernetes Secrets will be much better suited for the job.
Kubernetes
kubernetes.io › docs › concepts › configuration › configmap
ConfigMaps | Kubernetes
November 21, 2025 - ConfigMap does not provide secrecy or encryption. If the data you want to store are confidential, use a Secret rather than a ConfigMap, or use additional (third party) tools to keep your data private.
Opensource.com
opensource.com › article › 19 › 6 › introduction-kubernetes-secrets-and-configmaps
An Introduction to Kubernetes Secrets and ConfigMaps | Opensource.com
June 7, 2019 - Kubernetes Secrets and ConfigMaps separate the configuration of individual container instances from the container image, reducing overhead and adding flexibility.
Sigma Config
cloudtruth.com › home › what’s the difference between a kubernetes configmap and a secret?
Difference between Kubernetes ConfigMaps and Secrets | CloudTruth
June 15, 2025 - Both ConfigMaps and secrets store the data the same way, with key/value pairs, but ConfigMaps are meant for plain text data, and secrets are meant for data that you don’t want anything or anyone to know about except the application.
Reddit
reddit.com › r/kubernetes › why use configmaps when we have secrets?
r/kubernetes on Reddit: Why use configmaps when we have secrets?
April 17, 2025

Found a lot of good explanations for why you shouldn't store everything as a Configmap, and why you should move certain sensitive key-values over to a Secret instead. Makes sense to me.

But what about taking that to its logical extreme? Seems like there's nothing stopping you from just feeding in everything as secrets, and abandoning configmaps altogether. Wouldn't that be even better? Are there any specific reasons not to do that?

Gravitee
gravitee.io › blog › kubernetes-secrets-configmaps-guide
How to Secure Configs with Kubernetes Secrets and ConfigMaps
March 5, 2026 - ConfigMaps are meant for configuration parameters like application settings, configuration files, and command-line arguments, whereas Kubernetes Secrets are specifically for sensitive data that requires additional security measures.
KodeKloud
kodekloud.com › blog › day-6-configmaps-and-secrets
Kubernetes ConfigMaps & Secrets Explained Clearly
May 1, 2025 - But in Kubernetes, there’s a better and safer way to do this. ... It keeps your app configs separate from your app code and container image — which is great for flexibility and security. A Secret is like a ConfigMap — but for sensitive data:
Baeldung
baeldung.com › home › kubernetes › understanding configmaps and secrets in kubernetes
Understanding ConfigMaps and Secrets in Kubernetes | Baeldung on Ops
February 6, 2024 - Secrets and ConfigMaps are Kubernetes resources designed to separate the configuration and sensitive information from the application code in a centralized manner.
Snyk
snyk.io › blog › using-kubernetes-configmaps-securely
Using Kubernetes ConfigMaps securely | Snyk
September 9, 2022 - Secrets obfuscate data with base64 encoding, while ConfigMaps data is in plain text. Note that we can also store plain text in ConfigMaps as base64-encoded strings. Another difference between the two is that there are several Secrets types in ...
Reddit
reddit.com › r/kubernetes › is there a reason to use secrets over configmap on private local cluster?
r/kubernetes on Reddit: is there a reason to use secrets over configmap on private local cluster?
April 3, 2025

running a local selfhosted k8s cluster and i need to store "Credentials" for pods (think user name / pw for mealie db..so nothing critical)

I am the only person that has access to the cluster.

Given these constraints, is there a reason to use secrets over configmaps?

Like, both secrets and configmaps can be read easily if someone does get into my system.

my understanding with secrets and configmaps is that if i was giving access to others to my cluster, i can use RBAC to control who can see secrets and what not.

am i missing something here?

Top answer
1 of 16
75
The biggest reason (other than it just being a best practice) is that if you ever go down the gitops rabbit hole (which you probably will at some point), you're gonna have a really bad no fun time trying to find and remove all the secret data from your configmaps and move it into secrets where it should have been in the first place. Better to just do things the right way from the start
2 of 16
21
What a lot of people in these comments are missing, is that nobody gave OP a reason why one should use secrets over config maps. Just saying "yeah just use secrets as that is what should be done" is not a valid argument, we shouldn't do things just because. And sometimes yes there aren't that many advantages. Secrets aren't encrypted, just like configmaps. They are only base64 encoded, so anyone can decode them easily if they can access them. They are also injected into pods, and can be used as mounted files and env vars just like configmaps. The advantages of using secrets for sensitive information are mainly:

  - Being able to encrypt at rest, you can't do that to configmaps
  - They don't show up on kubectl describe or when referenced in logs
  - Safer permissions when mounted (think of 600 for ssh keys for example by default)
  - By default they aren't exposed by the k8s api unlike configmaps, so anyone with basic access to the cluster can see configmaps, but not secrets. They need rbac permissions to be configured.

There might be a few more advantages I'm not aware of but this is usually the gist of it.
K21 Academy
k21academy.com › kubernetes › configmaps-secrets
Kubernetes Configmaps and Secrets | Create and Update
September 6, 2024 - The usual way of using ConfigMaps is to configure environments for containers running in a Pod in the same namespace. You can also use ConfigMap separately. The K8s beta feature Immutable Secrets and ConfigMaps gives an option to set specific Secrets and ConfigMaps as immutable.
Medium
8grams.medium.com › kubernetes-101-secret-and-configmap-966711d5e2a5
Kubernetes 101: Secret and ConfigMap | by 8grams | Medium
July 11, 2023 - Remember that all secret data should ... decode this data when it is used. ... A Kubernetes ConfigMap is an API object used to store non-sensitive configuration data in key-value pairs....
Devtron
devtron.ai › home › blog
Kubernetes ConfigMap & Secrets
December 29, 2025 - “Caution: ConfigMap does not provide secrecy or encryption. If the data you want to store is confidential, use a Secret rather than a ConfigMap, or use additional (third-party) tools to keep your data private.” - kubernetes.io
Aqua Security
aquasec.com › home › why you shouldn’t use config maps to store sensitive data in k8s
Why You Shouldn’t Use Config Maps to Store Sensitive Data in K8s
March 12, 2024 - It’s recommended to store sensitive data of cloud native applications using a built-in secrets object type rather than Kubernetes Configmaps