KubeQuest

Appearance

Environment Variables (env and envFrom)

Overview

Three ways to set environment variables in containers:

  1. Static values - env with value
  2. From ConfigMap/Secret - env with valueFrom or envFrom
  3. From Downward API - env with fieldRef or resourceFieldRef

Static Values

yaml
containers:
- name: app
  image: nginx
  env:
  - name: APP_ENV
    value: "production"
  - name: LOG_LEVEL
    value: "info"
  - name: PORT
    value: "8080"

Single Value from ConfigMap

yaml
env:
- name: DATABASE_HOST
  valueFrom:
    configMapKeyRef:
      name: app-config
      key: db_host

Single Value from Secret

yaml
env:
- name: DATABASE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: password

All Keys from ConfigMap (envFrom)

yaml
# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_HOST: "postgres"
  DB_PORT: "5432"
  APP_ENV: "production"
---
# Pod
containers:
- name: app
  image: nginx
  envFrom:
  - configMapRef:
      name: app-config
  # Creates env vars: DB_HOST, DB_PORT, APP_ENV

All Keys from Secret (envFrom)

yaml
containers:
- name: app
  image: nginx
  envFrom:
  - secretRef:
      name: db-credentials
  # Creates env vars for each key in the secret

Add Prefix to envFrom

yaml
envFrom:
- configMapRef:
    name: app-config
  prefix: CONFIG_
# DB_HOST becomes CONFIG_DB_HOST

Combine Multiple Sources

yaml
containers:
- name: app
  image: nginx
  envFrom:
  - configMapRef:
      name: app-config
  - secretRef:
      name: app-secrets
  env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: EXTRA_VAR
    value: "static-value"

Order of Precedence

When same key exists in multiple sources:

  1. env (explicit) wins over envFrom
  2. Later entries in envFrom array override earlier ones
yaml
envFrom:
- configMapRef:
    name: config1    # APP_ENV=staging
- configMapRef:
    name: config2    # APP_ENV=production (wins)
env:
- name: APP_ENV
  value: "development"   # This wins over all envFrom

Optional References

Don't fail if ConfigMap/Secret missing:

yaml
env:
- name: OPTIONAL_VAR
  valueFrom:
    configMapKeyRef:
      name: maybe-exists
      key: some-key
      optional: true

envFrom:
- configMapRef:
    name: maybe-exists
    optional: true

Complete Example

yaml
apiVersion: v1
kind: Pod
metadata:
  name: env-demo
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "printenv && sleep 3600"]
    envFrom:
    - configMapRef:
        name: app-config
      prefix: CFG_
    - secretRef:
        name: app-secrets
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: password
    - name: STATIC_VAR
      value: "hello"

Released under the MIT License.

Copyright © 2026 OpsAlchemy