ConfigMap
Configuration data in key-value format.

Create ConfigMap

```bash
# From a file
kubectl create configmap app-config --from-file=config.properties
# From a specific file, with an explicit key name
kubectl create configmap nginx-config --from-file=nginx.conf=./nginx.conf
# From literals
kubectl create configmap app-env --from-literal=ENV=production --from-literal=LOG_LEVEL=info
# From a .env file
kubectl create configmap app-env --from-env-file=.env
```
YAML

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: production
data:
  DATABASE_HOST: "postgres.default.svc"
  DATABASE_PORT: "5432"
  LOG_LEVEL: "info"
  config.json: |
    {
      "feature_flag": true,
      "timeout": 30,
      "retries": 3
    }
  nginx.conf: |
    server {
      listen 80;
      server_name localhost;
      location / {
        proxy_pass http://backend:8080;
      }
    }
```
Use ConfigMap

```yaml
# As environment variables
spec:
  containers:
    - name: app
      env:
        - name: DATABASE_HOST
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DATABASE_HOST
        - name: ALL_CONFIG
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: config.json
```

```yaml
# All keys as environment variables
spec:
  containers:
    - name: app
      envFrom:
        - configMapRef:
            name: app-config
```

```yaml
# As a volume
spec:
  containers:
    - name: app
      volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config
        items:
          - key: config.json
            path: app.json
```
Secret
Sensitive data (base64-encoded).

Secret types

| Type | Use |
|---|---|
| Opaque | Arbitrary data (default) |
| kubernetes.io/tls | TLS certificates |
| kubernetes.io/dockerconfigjson | Docker registry credentials |
| kubernetes.io/ssh-auth | SSH keys |
Create Secret

```bash
# From literals
kubectl create secret generic db-creds \
  --from-literal=username=admin \
  --from-literal=password=secret123
# From files
kubectl create secret generic tls-certs \
  --from-file=tls.crt=./cert.crt \
  --from-file=tls.key=./cert.key
# TLS secret directly
kubectl create secret tls my-tls \
  --cert=./cert.crt \
  --key=./cert.key
# Docker registry
kubectl create secret docker-registry my-registry \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=user \
  --docker-password=token \
  --docker-email=email@example.com
```
YAML (base64)

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  # base64 is an encoding, not encryption: anyone who can read the object can decode these
  username: YWRtaW4=      # "admin"
  password: c2VjcmV0MTIz  # "secret123"
stringData:
  # Will be base64-encoded automatically
  api_key: "my-secret-key"
```
Use Secret

```yaml
# As environment variables
spec:
  containers:
    - name: app
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
```

```yaml
# All keys as environment variables
spec:
  containers:
    - name: app
      envFrom:
        - secretRef:
            name: db-creds
```

```yaml
# As a volume
spec:
  containers:
    - name: app
      volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
          readOnly: true
  volumes:
    - name: secrets
      secret:
        secretName: db-creds
        items:
          - key: password
            path: db-password.txt
```
External Secrets

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: aws-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: ClusterSecretStore
  target:
    name: app-secrets
    creationPolicy: Owner
  data:
    - secretKey: API_KEY
      remoteRef:
        key: production/app
        property: api_key
```
Sealed Secrets

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: AgA...
    username: AgB...
  template:
    metadata:
      name: db-creds
      namespace: production
```
Commands

```bash
# List secrets
kubectl get secrets
# View a secret (base64)
kubectl get secret db-creds -o yaml
# Decode a secret value
kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d
# Edit a secret
kubectl edit secret db-creds
# Delete a secret
kubectl delete secret db-creds
# List ConfigMaps
kubectl get configmaps
# View a ConfigMap
kubectl get configmap app-config -o yaml
# Explain the resource schema
kubectl explain configmap
kubectl explain secret
```
RBAC for Secrets

```yaml
# Role for secrets (dev)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
  namespace: development
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-secrets"]
    verbs: ["get", "list", "watch"]
---
# RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader-binding
  namespace: development  # a Role can only be bound within its own namespace
subjects:
  - kind: ServiceAccount
    name: default  # prefer a dedicated ServiceAccount (see Best Practices below)
    namespace: development
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
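The Role above is deliberately narrow. As an added example (not code from the original page), the following Python script audits Roles fetched with `kubectl get roles -o json` and flags rules that grant broad read access to Secrets; the sample roles, the severity labels and the function names are constructed here for illustration.

```python
import json

# Verbs that expose Secret contents; list and watch return whole objects,
# so they disclose values just as get does.
READ_VERBS = {"get", "list", "watch", "*"}

def rule_grants_secret_read(rule):
    """True when one RBAC rule lets its holder read Secret objects."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    core = "" in groups or "*" in groups
    on_secrets = "secrets" in resources or "*" in resources
    return core and on_secrets and bool(READ_VERBS & set(rule.get("verbs", [])))

def audit_role(role):
    """Return (role name, severity, message) findings for one Role/ClusterRole."""
    name, findings = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        if not rule_grants_secret_read(rule):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or "*" in rule.get("resources", []):
            findings.append((name, "HIGH", "wildcard rule covers secrets"))
        elif not rule.get("resourceNames"):
            findings.append((name, "MEDIUM", "reads every secret in scope (no resourceNames)"))
        elif verbs & {"list", "watch"}:
            findings.append((name, "INFO", "list/watch with resourceNames requires a "
                             "metadata.name field selector on the request"))
    return findings

def audit_role_list(role_list):
    """Audit the output of `kubectl get roles -o json` (a List of Role objects)."""
    return [f for role in role_list.get("items", []) for f in audit_role(role)]

# Constructed sample in the shape of `kubectl get roles -n development -o json`
SAMPLE_ROLES = json.loads("""{"items": [
 {"metadata": {"name": "secret-reader", "namespace": "development"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"],
             "resourceNames": ["app-secrets"], "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "config-viewer", "namespace": "development"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
 {"metadata": {"name": "ns-admin", "namespace": "development"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "all-secrets", "namespace": "development"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]}
]}""")

if __name__ == "__main__":
    for name, level, msg in audit_role_list(SAMPLE_ROLES):
        print(f"[{level}] {name}: {msg}")
```

Run it against a live cluster by replacing `SAMPLE_ROLES` with `json.load(sys.stdin)` and piping in `kubectl get roles,clusterroles -A -o json`.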
Best Practices
- Do not commit Secrets to Git - use Sealed Secrets or External Secrets
- Rotate Secrets regularly
- Use RBAC to limit access
- Encrypt Secrets at rest (etcd encryption)
- Use TLS secrets for certificates
- Do not use the default service account with access to secrets
- Monitor access to secrets
Encrypt Secrets at Rest

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider encrypts new writes; later ones are only tried when reading
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-key>
      # identity keeps secrets written before encryption was enabled readable
      - identity: {}
```