ReviseAlgo Logo

Kubernetes Configuration & Secrets

4 Topics
1

ConfigMaps — Externalizing Application Configuration

Mounting configurations as files or environment parameters.

Interviewers check if you know how to decouple config from images. Be ready to explain how ConfigMaps are created (from files, directories, or literal values), how they are mounted (as env vars or files in a volume), and the 1MB resource size limitation in etcd.
2

Secrets — Storing Sensitive Data Safely

Base64 encodings, encryption at rest, and secret parameters mountings.

This is a common security question. Know that K8s Secrets are only Base64 encoded by default (NOT encrypted). Explain how to secure them: enable encryption at rest in etcd, restrict access using RBAC, mount them as memory-backed tmpfs volumes, and use external vault sync drivers.
3

Environment Variables vs Volume Mounts — Which to Use

Evaluating hot-reload capabilities and security characteristics.

Compare env variables vs volume mounts. Explain the hot-reload behavior: config mounted as volumes updates automatically inside the container when modified in the cluster (after a propagation delay), whereas environment variables require a container restart to pick up changes. Note that subPath mounts do not support hot-reloads.
4

External Secrets — Vault, AWS SSM, and External Secrets Operator

Syncing enterprise secrets directly into Kubernetes workloads securely.

GitOps and enterprise credential management questions frequently target this topic. Understand how the External Secrets Operator (ESO) works as a controller that syncs credentials from external managers (like HashiCorp Vault or AWS SSM) into native Kubernetes Secrets dynamically.