You’ve been given a ConfigMap file and asked to pass some sensitive database credentials to your pods. How would you handle this without exposing the secrets in plain text?
- Preethi Dovala
- Jun 12
If I’m asked to pass sensitive database credentials like a username and password to a pod, I wouldn’t use a ConfigMap because ConfigMaps are meant for non-sensitive configuration data and are stored in plain text. Instead, I would use a Kubernetes Secret, which is specifically designed for sensitive information.
The way I handle it is by creating a Secret object in Kubernetes to store the database credentials. Then, in the pod specification, I reference that secret—usually as environment variables or mounted as a volume inside the container.
This keeps the credentials out of configuration files and avoids exposing them in the pod's environment unnecessarily. I also make sure access to the Secret is restricted using RBAC, so only authorized service accounts or applications can access it.
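The steps above as one manifest, added here as an illustration and not taken from the original post: a Secret, a pod that consumes it both as an environment variable and as a mounted file, and a Role limited to that single Secret. The names `db-credentials`, `app-sa`, `demo` and the image are assumptions, and the namespace and service account are assumed to exist already.

```yaml
# Added example; every name and value below is a constructed placeholder.
apiVersion: v1
kind: Secret
metadata: {name: db-credentials, namespace: demo}
type: Opaque
stringData:              # base64-encoded in etcd, not encrypted unless encryption at rest is configured
  username: app_user
  password: CHANGE_ME    # placeholder, never commit a real value
---
apiVersion: v1
kind: Pod
metadata: {name: app, namespace: demo}
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      env:
        - name: DB_USERNAME                 # option 1: environment variable
          valueFrom:
            secretKeyRef: {name: db-credentials, key: username}
      volumeMounts:
        - {name: db-creds, mountPath: /etc/db-creds, readOnly: true}
  volumes:
    - name: db-creds                        # option 2: file at /etc/db-creds/password
      secret:
        secretName: db-credentials
        items: [{key: password, path: password}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: read-db-credentials, namespace: demo}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]       # this one Secret only
    verbs: ["get"]                          # no list or watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: read-db-credentials, namespace: demo}
subjects:
  - {kind: ServiceAccount, name: app-sa, namespace: demo}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-db-credentials
```

The Role governs reads of the Secret through the Kubernetes API; the environment variable and volume references are resolved by the kubelet, so permission to create pods in the namespace also needs to be restricted.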
Additionally, in production environments, I prefer integrating Kubernetes with external secret management tools like HashiCorp Vault or AWS Secrets Manager. This allows for better lifecycle management of credentials and removes the need to store secrets directly inside the Kubernetes cluster.
So in short, I replace the use of ConfigMap with a Kubernetes Secret and implement proper access controls to keep sensitive data secure.