Mounting ConfigMaps and Secrets as Volumes
Volume mounts let you expose ConfigMap and Secret data as files inside a container. This is ideal for configuration files, certificates, and any data your application reads from the filesystem.
Basic Volume Mount
Mount all keys from a ConfigMap as files in a directory:
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: nginx
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: app-config
Each key in the ConfigMap becomes a file under /etc/config/. The same pattern works for Secrets: use a secret volume source with secretName in place of configMap and name.
Using subPath
Without subPath, mounting a volume onto an existing directory hides everything already in that directory. Use subPath to mount a single file without overwriting the directory:
volumeMounts:
- name: config-volume
  mountPath: /etc/nginx/nginx.conf
  subPath: nginx.conf
This places only the nginx.conf key at the specified path, leaving other files in /etc/nginx/ untouched.
Projected Volumes
Combine multiple sources into a single volume mount:
volumes:
- name: all-config
  projected:
    sources:
    - configMap:
        name: app-config
    - secret:
        name: app-secret
    - serviceAccountToken:
        path: token
        expirationSeconds: 3600
This is useful when an application expects configuration and secrets in the same directory.
Hot-Reload Behavior
ConfigMaps and Secrets mounted as volumes (without subPath) are automatically updated by the kubelet when the source data changes. The update delay is typically under one minute.
# Update the ConfigMap
kubectl edit configmap app-config
# The mounted files update automatically
kubectl exec app -- cat /etc/config/LOG_LEVEL
However, mounts using subPath do not receive automatic updates. Applications must be restarted to pick up changes for subPath mounts.
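How an application can pick up these updates without a restart, as an added example that is not part of the original page. It assumes the kubelet's usual layout for non-subPath mounts, where each key is a symlink into `..data` and `..data` is itself a symlink that is swapped atomically to a new directory on every update; `ConfigWatcher` and `simulate_kubelet_write` are hypothetical names, and the simulated directory is constructed for offline testing.

```python
import os

DATA_LINK = "..data"  # assumed kubelet layout: symlink swapped atomically per update

def generation(mount_dir):
    """Name of the directory that ..data currently points to."""
    return os.readlink(os.path.join(mount_dir, DATA_LINK))

def read_all(mount_dir):
    """Read every key file, skipping the '..'-prefixed bookkeeping entries."""
    out = {}
    for name in sorted(os.listdir(mount_dir)):
        if not name.startswith(".."):
            with open(os.path.join(mount_dir, name)) as fh:
                out[name] = fh.read()
    return out

class ConfigWatcher:
    """Hypothetical helper: reload only when the ..data target changes."""
    def __init__(self, mount_dir):
        self.mount_dir, self.seen, self.config = mount_dir, None, {}

    def poll(self):
        """Return True if a new, consistent generation was loaded."""
        gen = generation(self.mount_dir)
        if gen == self.seen:
            return False
        snapshot = read_all(self.mount_dir)
        if generation(self.mount_dir) != gen:
            return False  # swapped mid-read: keep old config, retry on next poll
        self.seen, self.config = gen, snapshot
        return True

def simulate_kubelet_write(mount_dir, gen_name, data):
    """Constructed stand-in for the kubelet's writer, for offline testing only."""
    os.mkdir(os.path.join(mount_dir, gen_name))
    for key, value in data.items():
        with open(os.path.join(mount_dir, gen_name, key), "w") as fh:
            fh.write(value)
        if not os.path.lexists(os.path.join(mount_dir, key)):
            os.symlink(os.path.join(DATA_LINK, key), os.path.join(mount_dir, key))
    tmp = os.path.join(mount_dir, "..data_tmp")
    os.symlink(gen_name, tmp)
    os.replace(tmp, os.path.join(mount_dir, DATA_LINK))  # rename(2) is atomic

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        simulate_kubelet_write(d, "..gen1", {"LOG_LEVEL": "info"})
        w = ConfigWatcher(d)
        print(w.poll(), w.config)
```

Comparing the `..data` target before and after the read means a Secret rotation is never applied half-old, half-new, which matters when a certificate and its key live in the same mount.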