Module Review: Configuration

[!NOTE] Let’s review the core concepts of Kubernetes Configuration, ensuring you understand how to securely manage state, inject environment variables, and enforce resource boundaries.

1. Key Takeaways

  • ConfigMaps: Used for non-sensitive data. They decouple environment-specific configuration from your container images.
  • Secrets: Used for sensitive data. Values are Base64 encoded, not encrypted by default: anyone who can read the object through the API (or read etcd or its backups) recovers the plaintext. On a Node they are served to Pods from tmpfs (RAM, not disk), and the kubelet only fetches the Secrets needed by Pods scheduled there. In production, enable encryption at rest for Secrets in the kube-apiserver's EncryptionConfiguration (ideally with a KMS provider), restrict get/list/watch on Secrets with RBAC, or keep them in an external store via an External Secrets Operator.
  • Downward API: Allows a Pod to inspect its own metadata (like Pod IP or Node Name) and inject it as environment variables or files without coupling the app to the Kubernetes API.
  • Environment Variables: Injected into the container's process space at startup via env or envFrom. They are static; updating a ConfigMap or Secret does not change a running container's environment, so the Pod must be restarted (or the Deployment rolled) to pick up new values. Keys consumed through a volume mount behave differently: the kubelet refreshes them after an update (with some delay), except for subPath mounts, which are never refreshed.
  • Resource Management: Enforced by the Linux kernel via cgroups. CPU is a compressible resource: a CPU limit becomes a CFS bandwidth quota, and a container that uses it up is throttled, not killed. Memory is incompressible: a container that exceeds its memory limit is terminated by the kernel OOM killer and reported as OOMKilled.
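The points above in working form, as an added example that is not part of the course page: it decodes a Secret exactly as the API returns it, then lints a Pod for three pitfalls this module covers (Secret values placed in the process environment, subPath mounts that never refresh, containers without limits). Manifests are embedded as JSON-style dicts, which kubectl accepts just like YAML; the Secret, the Pod, its images and its values are all constructed for this example, and the lint rules are this example's own policy choices, not a Kubernetes default.

```python
# Added example (not from the course page): decode a Secret as the API returns it,
# then lint a Pod for the configuration points reviewed above. Manifests are
# JSON-style dicts (kubectl accepts JSON as well as YAML); every name, image and
# value is constructed for this example.
import base64

# Constructed: what `kubectl get secret db-creds -n demo -o json` would return.
SECRET_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "demo"},
    "type": "Opaque",
    "data": {"username": "YXBwX3VzZXI=", "password": "aHVudGVyMg=="},
}

# Constructed Pod with one careless container ("app") and one that follows the
# review's advice ("worker"). Both consume the same ConfigMap and Secret.
POD_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api", "namespace": "demo"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "registry.example/app:1.4.2",
                "env": [
                    # Downward API: Pod metadata, nothing sensitive
                    {"name": "POD_IP", "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
                    # Secret value placed in the process environment
                    {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
                ],
                "envFrom": [{"configMapRef": {"name": "app-config"}}],
                # subPath mount: this file is never refreshed when the ConfigMap changes
                "volumeMounts": [{"name": "app-config", "mountPath": "/etc/app/app.yaml", "subPath": "app.yaml"}],
                "resources": {"requests": {"cpu": "250m", "memory": "128Mi"}},  # no limits at all
            },
            {
                "name": "worker",
                "image": "registry.example/worker:1.4.2",
                "volumeMounts": [
                    {"name": "app-config", "mountPath": "/etc/app", "readOnly": True},
                    {"name": "db-creds", "mountPath": "/var/run/secrets/db", "readOnly": True},
                ],
                "resources": {
                    "requests": {"cpu": "250m", "memory": "128Mi"},
                    "limits": {"cpu": "500m", "memory": "256Mi"},
                },
            },
        ],
        "volumes": [
            {"name": "app-config", "configMap": {"name": "app-config"}},
            {"name": "db-creds", "secret": {"secretName": "db-creds"}},
        ],
    },
}


def decode_secret(secret: dict) -> dict:
    """Recover every plaintext value in .data. Base64 is an encoding, not a cipher:
    whoever can read the object (API RBAC, etcd, a backup) reads the secrets."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def lint_pod(pod: dict) -> list:
    """Return (container, issue, subject) tuples for the pitfalls covered in this
    module. The rules and their severity are this example's policy choices."""
    spec = pod["spec"]
    # Volumes whose contents the kubelet refreshes after a ConfigMap/Secret update
    refreshed = {v["name"] for v in spec.get("volumes", []) if "configMap" in v or "secret" in v}
    findings = []
    for c in spec["containers"]:
        name = c["name"]
        for e in c.get("env", []):
            # Environment variables are inherited by child processes and tend to end
            # up in crash dumps and debug output; a file mount keeps the value off them.
            if "secretKeyRef" in e.get("valueFrom", {}):
                findings.append((name, "secret-in-env", e["name"]))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append((name, "secret-in-env", ef["secretRef"]["name"]))
        for vm in c.get("volumeMounts", []):
            if vm["name"] in refreshed and "subPath" in vm:
                findings.append((name, "subpath-never-updates", vm["name"]))
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:  # no cgroup cap: the container can starve the Node
                findings.append((name, "no-limit", res))
    return findings


if __name__ == "__main__":
    print(decode_secret(SECRET_MANIFEST))
    for finding in lint_pod(POD_MANIFEST):
        print("%s: %s (%s)" % finding)
```

Running it prints the recovered credentials and four findings, all against the app container; worker, which reads the same Secret as a file and sets limits, comes back clean. The same checks belong in an admission controller so they are enforced on every apply rather than left to review.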

2. Flashcards

Are Kubernetes Secrets encrypted by default?
No. Values in data are merely Base64 encoded. Encryption at rest must be explicitly enabled by pointing the kube-apiserver at an EncryptionConfiguration (--encryption-provider-config) that lists the secrets resource, so that values are encrypted before they are written to etcd.
What happens if a container exceeds its CPU limit?
It is throttled by the kernel's CFS bandwidth controller: once the container's cgroup has consumed its quota within the current period (100 ms by default), its threads are not scheduled again until the next period begins. It does not crash, but its latency rises.
What happens if a ConfigMap injected as environment variables is updated?
Nothing happens to the running Pod. Environment variables are statically injected at process startup, so the Pod must be restarted to pick up the change. (A ConfigMap mounted as a volume is refreshed by the kubelet, unless it is mounted with subPath.)

3. Cheat Sheet

| Concept | Description |
| --- | --- |
| ConfigMap | Key-value store for non-sensitive configuration data. |
| Secret | Key-value store for sensitive data (Base64 encoded in the API; served to Pods from tmpfs on the Node). |
| Downward API | Mechanism to inject Pod and container metadata (name, namespace, labels, Pod IP, Node name, resource requests and limits) into a container as environment variables or files. |
| envFrom | Injects all keys from a ConfigMap or Secret as environment variables. |
| Requests | Resources the scheduler reserves for the container on a Node; the baseline it is assured under contention. |
| Limits | Maximum allowed resources. Enforced by cgroups. |
| ResourceQuota | Caps total requests, limits and object counts across a namespace. |

4. Quick Revision

  1. Why avoid hardcoding config? Decoupling configuration allows a single container image to be promoted across environments (Dev → Staging → Prod).
  2. How does K8s restrict resources? Through Linux cgroups: the container runtime writes each container's limits into its cgroup and the kernel enforces them, using CFS bandwidth control (the Completely Fair Scheduler's quota mechanism) for CPU and the memory controller for RAM.
  3. What is OOMKilled? When a container tries to use more memory than its limit, the kernel's OOM killer terminates the process with SIGKILL; the container's last state shows OOMKilled with exit code 137 (128 + 9).
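How those limits are enforced, as an added example that is not from the course page: it converts Kubernetes resource quantities into the cgroup v2 values the container runtime writes for a container (cpu.max, cpu.weight, memory.max) and reads the evidence of throttling and OOM kills back from the cgroup's cpu.stat and memory.events files. It assumes cgroup v2 and the kubelet's default 100 ms CFS period; the millicore-to-shares-to-weight arithmetic is the kubelet's, and the cpu.stat and memory.events contents are constructed samples.

```python
# Added example (not from the course page): requests/limits as the cgroup v2
# values the runtime writes, plus reading throttling and OOM evidence back.
# Assumes cgroup v2 and the kubelet default CFS period; samples are constructed.

CFS_PERIOD_US = 100_000  # kubelet default (--cpu-cfs-quota-period=100ms)
MIN_QUOTA_US = 1_000     # kubelet floors the quota at 1 ms

_BINARY = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4}
_DECIMAL = {"k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_millicores(q: str) -> int:
    """'500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def parse_bytes(q: str) -> int:
    """'256Mi' -> 268435456, '1G' -> 1000000000, '1.5Gi' -> 1610612736."""
    for suffix, mult in list(_BINARY.items()) + list(_DECIMAL.items()):
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(float(q))


def cpu_max(limit: str) -> str:
    """cgroup v2 cpu.max ('<quota_us> <period_us>') for a CPU limit. Once the
    cgroup has used the quota within a period it is throttled until the next one."""
    quota = parse_millicores(limit) * CFS_PERIOD_US // 1000
    return f"{max(quota, MIN_QUOTA_US)} {CFS_PERIOD_US}"


def cpu_weight(request: str) -> int:
    """cgroup v2 cpu.weight for a CPU request: the kubelet maps millicores to
    v1-style shares (1024 per core, minimum 2) and rescales them to 1..10000."""
    shares = max(parse_millicores(request) * 1024 // 1000, 2)
    return (shares - 2) * 9999 // 262142 + 1


def memory_max(limit: str) -> int:
    """cgroup v2 memory.max in bytes; usage beyond it invokes the OOM killer."""
    return parse_bytes(limit)


def _kv(text: str) -> dict:
    """Parse the 'key value' lines of cpu.stat / memory.events."""
    return {k: int(v) for k, v in (line.split() for line in text.strip().splitlines())}


def throttle_ratio(cpu_stat: str) -> float:
    """Fraction of CFS periods in which the cgroup exhausted its quota."""
    s = _kv(cpu_stat)
    return s["nr_throttled"] / s["nr_periods"] if s["nr_periods"] else 0.0


def oom_kills(memory_events: str) -> int:
    """Number of OOM kills the memory controller has recorded for the cgroup."""
    return _kv(memory_events).get("oom_kill", 0)


# Constructed samples of a container cgroup's cpu.stat and memory.events
CPU_STAT_SAMPLE = """\
usage_usec 1834211
user_usec 1602330
system_usec 231881
nr_periods 1000
nr_throttled 420
throttled_usec 9876543
"""
MEMORY_EVENTS_SAMPLE = """\
low 0
high 17
max 3
oom 1
oom_kill 1
"""

if __name__ == "__main__":
    print("cpu.max     ", cpu_max("500m"))       # limits.cpu: 500m
    print("cpu.weight  ", cpu_weight("250m"))    # requests.cpu: 250m
    print("memory.max  ", memory_max("256Mi"))   # limits.memory: 256Mi
    print("throttled   ", f"{throttle_ratio(CPU_STAT_SAMPLE):.0%} of periods")
    print("oom_kill    ", oom_kills(MEMORY_EVENTS_SAMPLE))
```

On a node you can confirm the mapping by reading the same file names under /sys/fs/cgroup for the container's cgroup. A high nr_throttled share while the CPU graph looks idle is the usual sign that the limit, not load, is the bottleneck; a non-zero oom_kill matches an OOMKilled last state with exit code 137.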

5. Next Steps

Now that you understand how to configure and constrain Pods, the next step is to understand how Kubernetes stores data persistently.