Starting in Kubernetes 1.21+, you can mark a ConfigMap or Secret as immutable, meaning its contents cannot be updated after creation; changing it requires replacing the whole object (delete and recreate).
Why?
- Prevents accidental/malicious config changes
- Reduces load on kube-apiserver (no watches for updates)
- Improves cluster performance at scale
Like a sealed firmware chip in a device: once programmed, it can't be changed. To update, you replace the whole chip.
Step 1: Define an Immutable ConfigMap
# immutable-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-version
  namespace: prod
immutable: true  # This makes it immutable!
data:
  VERSION: "2.1.0"
  BUILD_DATE: "2025-04-05"
Apply it:
kubectl apply -f immutable-config.yaml
Step 2: Try to Edit It (It Fails!)
kubectl edit cm app-version -n prod
# Make a change, then save
Error:
error: configmap "app-version" is immutable
To update, you must delete and recreate it (or use a new name):
kubectl delete cm app-version -n prod
# Then apply a new version
Step 3: Use in a Deployment (with rollout trigger)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: prod  # same namespace as the ConfigMap it references
spec:
  replicas: 2
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
      annotations:
        # Force rollout when config changes
        checksum/config: a1b2c3d4  # Update this hash manually
    spec:
      containers:
        - name: app
          image: nginx
          envFrom:
            - configMapRef:
                name: app-version
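
The hash in `checksum/config` does not have to be edited by hand. The script below is an added example, not part of the original tutorial: it derives the hash from the manifest, replaces the immutable ConfigMap, and patches the annotation so the Deployment rolls. The script name `roll-config.sh` and the function names are assumptions; `app-version`, `webapp` and `prod` are the names used above.

```shell
#!/bin/sh
# roll-config.sh (hypothetical name): added example, not from the original page.
set -eu

# First 8 hex chars of the manifest's SHA-256; changes whenever the file changes.
config_checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -c1-8
}

# Merge patch that sets the pod-template annotation from Step 3.
# A changed annotation changes the pod template, which triggers a rollout.
rollout_patch() {
  printf '{"spec":{"template":{"metadata":{"annotations":{"checksum/config":"%s"}}}}}\n' \
    "$(config_checksum "$1")"
}

# Replace the immutable ConfigMap (delete + recreate, as in Step 2),
# then patch the Deployment. Needs kubectl and access to the cluster.
apply_and_roll() {
  manifest=$1 cm=$2 deployment=$3 ns=$4
  kubectl delete configmap "$cm" -n "$ns" --ignore-not-found
  kubectl apply -f "$manifest"
  kubectl patch deployment "$deployment" -n "$ns" \
    --type merge -p "$(rollout_patch "$manifest")"
}

# Runs only when asked: sh roll-config.sh --apply immutable-config.yaml
if [ "${1:-}" = "--apply" ]; then
  apply_and_roll "$2" app-version webapp prod
fi
```

Between the delete and the apply the ConfigMap does not exist, so a pod that starts in that window cannot start its container until the ConfigMap is recreated.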