What are ConfigMaps and Secrets in Kubernetes?

Why Interviewers Ask This

This question tests conceptual clarity. Interviewers want to hear a precise, confident definition before moving to more complex Kubernetes (K8s) topics. It also reveals how well you can explain technical ideas to non-experts.

Answer

ConfigMaps store non-confidential configuration data as key-value pairs. Secrets store sensitive data (passwords, tokens, keys). Secret values are base64 encoded, which is not encryption: they are not encrypted at rest by default, so etcd encryption must be enabled.

ConfigMap creation:

    kubectl create configmap app-config --from-literal=DB_HOST=localhost --from-literal=LOG_LEVEL=debug --from-file=config.properties
    kubectl apply -f configmap.yaml

Secret creation:

    kubectl create secret generic db-secret --from-literal=DB_PASSWORD=mysecretpassword --from-literal=DB_USER=admin

Using ConfigMap as env vars:

    envFrom:
      - configMapRef:
          name: app-config  # All keys as env vars
    env:
      - name: DB_HOST
        valueFrom:
          configMapKeyRef:
            name: app-config
            key: DB_HOST

Using Secret as env var:

    env:
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: db-secret
            key: DB_PASSWORD

Mounting as volume files:

    volumes:
      - name: config
        configMap:
          name: app-config
    volumeMounts:
      - name: config
        mountPath: /etc/config  # Creates files named after each key

Security best practices for Secrets: enable encryption at rest (EncryptionConfiguration in API server); use external secret managers (AWS Secrets Manager, HashiCorp Vault) with External Secrets Operator; use RBAC to restrict secret access; avoid logging secret values; rotate secrets regularly.

Sealed Secrets: encrypt secrets with a public key so they can be stored in Git safely. They are decrypted only inside the cluster by the sealed-secrets controller.
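Two of the practices above, encryption at rest and RBAC on Secrets, shown as configuration. This is an added example, not part of the original answer; the service account app-sa, the Role name read-db-secret and the default namespace are assumptions, and the key is a placeholder.

```yaml
# Added example. app-sa, read-db-secret and the "default" namespace are assumed names.
# Document 1 is a file on the control-plane node, referenced by the
# kube-apiserver flag --encryption-provider-config. It is NOT applied with kubectl.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider in the list encrypts all new writes to etcd.
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_ENCODED_32_BYTE_KEY>  # placeholder, generate your own
      # Fallback so Secrets stored before encryption was enabled remain readable.
      - identity: {}
---
# Document 2: Role that allows reading only the db-secret Secret, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-secret
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-secret"]  # no access to other Secrets in the namespace
    verbs: ["get"]                # no list/watch, which would expose every Secret
---
# Document 3: bind that Role to a single service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-db-secret
  namespace: default
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-db-secret
```

Enabling the provider only encrypts Secrets written afterwards; existing Secrets are encrypted once they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.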

Common Mistake

Rushing to answer is a common mistake. Take two seconds to structure your response: definition → example → trade-off. This structure makes complex Kubernetes (K8s) answers easy to follow.