What is a Secret, and how is it different from a ConfigMap (and is it actually encrypted)?

Kubernetes, Docker, Helm & Podman · Basic level

Answer

A Secret is meant for sensitive values, while a ConfigMap is for non-sensitive config. Kubernetes Secrets are base64-encoded by default and are only encrypted at rest if the cluster is configured with encryption or a managed KMS provider.

Technical explanation

base64 is encoding, not encryption; anyone with read access to the Secret object can decode it.

Keeping Secrets safe requires RBAC, encryption at rest, restricted logging, no dumping of environment variables, and external secret rotation where possible.

Configuration, secrets, namespaces, quotas, and defaults define operational boundaries for teams and environments.

RBAC and admission controls determine who can read sensitive data and who can create risky workloads.

Production clusters should treat namespace setup as a platform contract created through IaC or GitOps.

Hands-on example

1. Create a sandbox namespace and implement this exercise with declarative YAML: create a Secret, decode it, then restrict read access with RBAC.

2. Test both success and failure paths: allowed read, denied read, quota rejection, default limit application, or config reload behavior.

3. Inspect objects with kubectl describe, kubectl auth can-i, and kubectl get events to prove the control works.

4. Turn the pattern into a reusable namespace bootstrap manifest for real teams.
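
Steps 1 to 3 as a single manifest, added here as an illustration and not part of the original page. The namespace, Secret, ServiceAccount, Role and RoleBinding names, the file name secrets-sandbox.yaml, and the Secret value are all constructed for this example.

```yaml
# Added example: every name and the Secret value below are constructed.
apiVersion: v1
kind: Namespace
metadata:
  name: secrets-sandbox
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: secrets-sandbox
type: Opaque
data:
  # base64 of the constructed value "s3cr3t-demo": encoded, not encrypted.
  password: czNjcjN0LWRlbW8=
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: secrets-sandbox
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: secrets-sandbox
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]  # only this one Secret
    verbs: ["get"]                     # no list/watch: those expose every Secret in the namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-secret-reader
  namespace: secrets-sandbox
subjects:
  - kind: ServiceAccount
    name: app-reader
    namespace: secrets-sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
# Apply and decode: kubectl apply -f secrets-sandbox.yaml && kubectl -n secrets-sandbox get secret db-credentials -o jsonpath='{.data.password}' | base64 -d
# Allowed path: kubectl auth can-i get secret/db-credentials -n secrets-sandbox --as=system:serviceaccount:secrets-sandbox:app-reader
# Denied path:  kubectl auth can-i list secrets -n secrets-sandbox --as=system:serviceaccount:secrets-sandbox:default
```

On a cluster with no other bindings for these two service accounts, the first can-i check is allowed and the second is denied, which covers the allowed-read and denied-read paths from step 2.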
