patternbashkubernetesModerate
ConfigMap and Secret hot-reload without pod restart
Viewed 0 times
configmapsecrethot reloadvolume mountenv varkubelet syncfile watchconfiguration update
Problem
Updating a ConfigMap or Secret does not take effect in running pods because the values were injected as environment variables, which are set at container start and never updated.
Solution
Mount ConfigMaps and Secrets as volumes instead of environment variables. Kubernetes automatically updates mounted files when the underlying ConfigMap/Secret changes (within ~1-2 minutes via kubelet sync). The application must then watch for file changes and reload its config.
For secrets requiring immediate rotation, trigger a rollout:
volumes:
- name: config
configMap:
name: app-config
containers:
- name: app
image: myapp
volumeMounts:
- name: config
mountPath: /etc/config
readOnly: trueFor secrets requiring immediate rotation, trigger a rollout:
kubectl rollout restart deployment/myapp.Why
Environment variables are a snapshot taken at container creation. Mounted volumes are periodically synced by kubelet from the API server, so changes propagate without a restart. However, the application must implement file-watching logic to pick up changes.
Gotchas
- Volume-mounted ConfigMaps update eventually (kubelet sync period, default 1 minute) — not instantly
- Individual keys projected into subPath mounts do NOT auto-update — avoid subPath for hot-reload scenarios
- Applications must implement inotify/filesystem watching or polling to actually pick up file changes
- Secrets mounted as volumes update the same way as ConfigMaps — no special behavior
Code Snippets
Update ConfigMap and trigger rollout if hot-reload is not available
# Update configmap in-place
kubectl create configmap app-config \
--from-file=config.yaml \
--dry-run=client -o yaml | kubectl apply -f -
# Force rollout if env vars or subPath mounts are used
kubectl rollout restart deployment/myappContext
Applications that need to pick up configuration changes without downtime
Revisions (0)
No revisions yet.