Kustomize Best Practices (part 4)

Paul Dally
2 min readMar 27, 2023

Part 1 of this series can be found here. Part 2 of this series can be found here. Part 3 of this series can be found here.


Creating ConfigMaps is a bit of a pain, particularly when you want to create it from a file. You have to put the contents of the file in a yaml manifest, get the indentation right, etc. Wouldn’t it be easier if something would just take your file and create the ConfigMap for you?

Kustomize does exactly that! You simply specify the name of the name of the configMap and the file(s) or literal value(s) that you want included, and kustomize does the rest.

- name: example-configmap-1
- somename=somevalue
- application.properties


Creating Secrets without help from kustomize is somewhat more painful than creating ConfigMaps. You can:

  • create your Secret manifest directly, but you have to make sure that you base64 encode the content correctly. Every time you change the content, you’ll have to re-encode it
  • call kubectl create secret, but this likely means additional automation work in your pipelines or extra manual steps that are error prone
  • OR you can have kustomize create the secret for you with a secretGenerator:
- name: mysecret
- username=admin
- password=1f2d1e2e67df
- longsecret.txt

Of course, you need to make sure that you keep your kustomization.yaml and any files referenced in the secretGenerator safe (and as such, the previously mentioned SealedSecrets or other alternatives like Vault or AWS Secrets Manager may be better choices).



Paul Dally

AVP, IT Foundation Platforms Architecture at Sun Life Financial. Views & opinions expressed are my own, not necessarily those of Sun Life