Drill: Inspect and Decode ConfigMaps and Secrets¶

Goal¶

Inspect configmaps and decode secrets to verify application configuration in a Kubernetes cluster.

List configmaps in a namespace:

kubectl get configmaps -n <namespace>

View a configmap's contents:

kubectl get configmap <name> -n <namespace> -o yaml

Extract a specific key from a configmap:

kubectl get configmap <name> -n <namespace> -o jsonpath='{.data.config\.yaml}'

List secrets in a namespace:

kubectl get secrets -n <namespace>

View a secret (values are base64-encoded):

kubectl get secret <name> -n <namespace> -o yaml

Decode a specific secret value:

kubectl get secret <name> -n <namespace> -o jsonpath='{.data.password}' | base64 -d ; echo

Decode all secret keys at once:

kubectl get secret <name> -n <namespace> -o go-template='{{range $k,$v := .data}}{{$k}}: {{$v | base64decode}}{{"\n"}}{{end}}'

Check which pods mount a specific configmap:

kubectl get pods -n <namespace> -o json | jq '.items[] | select(.spec.volumes[]?.configMap.name == "<configmap-name>") | .metadata.name'

Describe to see metadata and size:

kubectl describe configmap <name> -n <namespace>

Secret values are base64-encoded, not encrypted (anyone with RBAC access can decode them)
ConfigMap data keys may contain entire config files as values
Mounted configmaps update eventually (unless subPath is used); env vars do not
Secret type field (Opaque, kubernetes.io/tls, etc.) indicates the expected structure

Assuming secrets are encrypted at rest (they may not be without explicit encryption config)
Forgetting to base64-decode secret values and treating encoded strings as actual values
Not checking if the configmap is mounted as a volume or injected as env vars
Editing a configmap but not restarting pods that use it as environment variables

No cleanup needed. These are read-only inspection commands.