Kubernetes for DevOps Engineers: Namespaces, Labels, ConfigMaps, and Secrets Made Simple
Learn Kubernetes namespaces, labels, ConfigMaps, and Secrets the simple way. Understand how to organize resources, target workloads, and inject configuration safely.
Kubernetes for DevOps Engineers: Namespaces, Labels, ConfigMaps, and Secrets Made Simple
Once your workloads are running and reachable, the next question is:
How do you organize everything and pass configuration to applications cleanly?
This is where four Kubernetes basics become essential: Namespaces, Labels, ConfigMaps, and Secrets.
These are not advanced features. They are part of the everyday toolkit of a solid DevOps engineer.
In this guide, we will keep things simple, practical, and focused on what matters in real clusters.
The Big Idea
These four objects solve four different problems:
- Namespaces help you organize and isolate resources.
- Labels help you group and target resources.
- ConfigMaps hold non-sensitive configuration.
- Secrets hold sensitive values such as passwords, tokens, and keys.
If you understand these four clearly, your manifests become much easier to manage.
Namespaces: Basic Isolation Inside a Cluster
A namespace is a logical boundary inside a Kubernetes cluster.
It helps different teams, applications, or environments share the same cluster without throwing everything into one giant default space.
A simple way to think about it is:
Cluster = building, namespace = room
Two resources can have the same name if they live in different namespaces.
In practice, namespaces are often used for things like dev, staging, prod, or for separating teams and projects.
Simple Namespace Example
apiVersion: v1
kind: Namespace
metadata:
name: stagingUseful commands:
kubectl get namespaces
kubectl get pods -n staging
kubectl config set-context --current --namespace=stagingOne important detail: not everything in Kubernetes is namespaced. Some objects are cluster-wide.
Labels: The Tags That Make Kubernetes Work
Labels are key-value pairs attached to objects.
They are small, simple, and extremely important.
Kubernetes uses labels to group objects, select them, and connect resources together.
For example, a Service finds Pods through label selectors. A Deployment also uses labels to know which Pods belong to it.
Simple Labels Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: demo-api
namespace: staging
labels:
app.kubernetes.io/name: demo-api
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: demo-platform
spec:
replicas: 2
selector:
matchLabels:
app: demo-api
template:
metadata:
labels:
app: demo-api
tier: backend
spec:
containers:
- name: api
image: nginx:stable
ports:
- containerPort: 80The most important lesson here is simple:
If your labels are messy, your Kubernetes objects become messy too.
A Practical Labeling Habit
Kubernetes documents a set of recommended application labels.
You do not need to memorize all of them on day one, but it is a good habit to use a consistent label style from the start.
Common useful labels include:
app.kubernetes.io/nameapp.kubernetes.io/instanceapp.kubernetes.io/componentapp.kubernetes.io/part-of
Selectors: How Kubernetes Targets the Right Objects
Labels become truly useful when paired with selectors.
A selector tells Kubernetes which objects to match.
Example:
selector:
matchLabels:
app: demo-api
That means, “select the objects whose label app=demo-api is present.”
This is why labels are not just decoration. They are part of how Kubernetes wiring works.
Annotations: Metadata for Humans and Tools
Labels help identify and select objects.
Annotations are different. They store extra non-identifying metadata.
Tools, controllers, and teams often use annotations for notes, release information, or controller-specific behavior.
Simple Annotation Example
metadata:
annotations:
description: "Public API for the demo app"
owner: "platform-team"A simple rule helps here:
- Use labels for grouping and selection.
- Use annotations for extra metadata.
ConfigMaps: Non-Sensitive Configuration
A ConfigMap stores non-confidential configuration data as key-value pairs.
This is useful for things like environment names, feature flags, hostnames, ports, and application settings that should not be hardcoded into the container image.
A good mental model is:
Image = app code, ConfigMap = environment-specific settings
Simple ConfigMap Example
apiVersion: v1
kind: ConfigMap
metadata:
name: demo-api-config
namespace: staging
data:
APP_ENV: "staging"
LOG_LEVEL: "info"
FEATURE_X_ENABLED: "true"You can inject a ConfigMap into a Pod as environment variables, command-line arguments, or mounted files.
Secrets: Sensitive Configuration
A Secret is similar to a ConfigMap, but it is intended for sensitive values.
Examples include passwords, API tokens, access keys, and certificates.
The main benefit is not magic security by itself. The main benefit is keeping sensitive data out of plain application code and out of normal manifests where possible.
Simple Secret Example
apiVersion: v1
kind: Secret
metadata:
name: demo-api-secret
namespace: staging
type: Opaque
stringData:
DB_PASSWORD: "super-secret-password"
API_TOKEN: "demo-token-123"
Using stringData makes small teaching examples easier to read.
In real life, you still need good access control around Secrets.
Important Security Reality About Secrets
Beginners often think a Kubernetes Secret is automatically “fully secure.”
That is the wrong mental model.
Secret values are commonly represented with base64-encoded data, but base64 is not encryption.
A solid DevOps engineer should also think about RBAC, who can read Secrets, and whether secret data is encrypted at rest in the cluster.
Using a ConfigMap and a Secret in a Deployment
Here is a simple example that shows how an application can consume both regular configuration and sensitive configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
name: demo-api
namespace: staging
spec:
replicas: 2
selector:
matchLabels:
app: demo-api
template:
metadata:
labels:
app: demo-api
spec:
containers:
- name: api
image: nginx:stable
env:
- name: APP_ENV
valueFrom:
configMapKeyRef:
name: demo-api-config
key: APP_ENV
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: demo-api-secret
key: DB_PASSWORDThis pattern is common and worth learning early.
A Simple Way to Remember the Difference
- Namespace: where this resource lives
- Label: how this resource is grouped and selected
- Annotation: extra metadata about this resource
- ConfigMap: non-sensitive settings
- Secret: sensitive settings
Common Beginner Mistakes
Putting Everything in the Default Namespace
This works for a tiny lab, but it becomes messy fast in shared environments.
Using Inconsistent Labels
If teams use random label names and values, searching, selecting, and managing resources becomes harder than it should be.
Using Labels for Notes
Labels are for identification and selection. Notes and extra metadata belong in annotations.
Putting Secrets in ConfigMaps
If a value is sensitive, treat it as a Secret, not a ConfigMap.
Thinking Base64 Means Encryption
It does not. Base64 is encoding, not protection.
What a DevOps Engineer Must Remember
- Namespaces help organize and isolate resources inside a cluster.
- Labels are one of the most important Kubernetes building blocks because selectors depend on them.
- Annotations store extra metadata but are not used for selection.
- ConfigMaps are for non-sensitive configuration.
- Secrets are for sensitive data, but they still require proper access control and good security practices.
- Clean labeling and clean configuration habits make Kubernetes much easier to operate.
Final Thought
Many Kubernetes problems are not caused by complex infrastructure.
They come from simple disorder: bad naming, bad labels, hardcoded settings, and secrets handled carelessly.
If you build good habits with namespaces, labels, ConfigMaps, and Secrets early, the rest of your Kubernetes work becomes much cleaner.