Get to Know Kubernetes | Application Configuration Management

1) Need


  • Variable Configurations: It’s not possible to write variable configurations to images. Therefore, when a configuration changes, there is a need to re-compile the image, which is unacceptable.
  • Storage and Usage of Sensitive Information: For example, applications may need some passwords or tokens.
  • Access to the Cluster by a Container: For example, the need for identity authentication in case the container needs to access kube-apiserver.
  • Resource Requirements of a Container After it Runs on a Node.
  • Security Control for Containers that Share the Kernel on a Node.
  • Prerequisite Check Before Container Startup: For example, the need to check whether the DNS service or network is available before starting a container.

Pod Configuration Management

  • ConfigMap: The Variable Configuration
  • Secret: The Sensitive Information
  • ServiceAccount: The Identity Authentication
  • Resources: The Resource Configuration
  • SecurityContext: The Security Control
  • Init Container: The Prerequisite Verification

2) ConfigMap

ConfigMap Introduction

ConfigMap Creation

ConfigMap Usage

  • Use ConfigMap to configure environment variables. “name” under configMapKeyRef indicates the name of ConfigMap while "key" indicates the key in In this case, after starting the BusyBox container, run the env command to view the SPECIAL_LEVEL_KEY environment variable.
  • Use ConfigMap to configure command-line parameters. The command-line parameter is SPECIAL_LEVEL_KEY. Obtain it from the first line of the environment variables and run the cmd command to use it.
  • Mount its volume to a directory in a container. In the preceding example, the content of the ConfigMap named special-config is mounted to the /etc/config directory in the container.


3) Secret

Secret Introduction

  • Opaque: a common Secret file
  • Service-account-token: authenticates the service account identity
  • dockerconfigjson: pulls images from a private warehouse
  • bootstrap.token verifies node access to clusters

Secret Creation

  • Created by a System: For example, Kubernetes creates Secret data for the default user (default ServiceAccount) of each namespace.
  • Created by Users: We recommend running the kubectl Alibaba Cloud CLI to create Secret data. The command for creating Secret data contains one more parameter than the command for creating ConfigMap: type. The data field specifies the file and key-value pair. If the type field is not set, the default value is Opaque.

Secret Usage

  • As shown on the left of the preceding figure, mount “mysecret” to the "/etc/foo" directory in the container.
  • As shown on the right of the preceding figure, the system automatically generates serviceaccount-secret and mounts it to the "/var/run/secrets/" directory in the container. Two certificate files containing authentication information are generated, ca.crt and "token."

Using a Private Image Warehouse

  • Configure Secret by setting the imagePullSecrets field in a pod, as shown on the left of the following figure.
  • The other way is to automatically inject Secret. Configure imagePullSecrets in ServiceAccount to be used in a pod. Then, the system automatically injects the value of imagePullSecrets.


4) ServiceAccount

ServiceAccount Introduction

Example — Applications in a Pod Access a Kubernetes Cluster of the Pod

  • tlsClientConfig, which verifies the server based on ca.crt.
  • Bearer Token, which authenticates the pod identity. On the server, the “token” field is used for pod identity authentication.

5) Resources

Container Resource Management

Pod QoS Configuration

  • Guaranteed: Each container in a pod must have a declaration for the requests and limits of the memory and CPU, and the requests and limits must be the same.
  • Burstable: At least one container has a request for CPU and memory.
  • BestEffort: All QoSs other than Guaranteed and Burstable.

6) SecurityContext

SecurityContext Introduction

  • Container level, which is valid only for containers
  • Pod level, which is valid for all containers in a pod
  • Cluster level, which is PSP and is valid for all pods in a cluster

7) Init Container

Init Container Introduction


  • The ConfigMap and Secret sections introduced the creation methods and application scenarios of ConfigMap and Secret, listed common notes, and described the usage and configuration of private warehouse images.
  • The pod identity authentication section described the associations between ServiceAccount and Secret, analyzed the pod identity authentication process and implementation details by looking at the source code, and introduced pod permission management (RBAC configuration management).
  • The container resources and security sections introduced the configurations of common resource types (CPU and memory) for containers, described pod QoS types in detail, and briefly described the valid levels and permission configuration items of SecurityContext.
  • The Init Container section introduced the differences between Init Containers and common containers and used examples to describe the usage of Init Containers.

Original Source:



Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website: