ReviseAlgo Logo

Kubernetes Configuration & Secrets

Environment Variables vs Volume Mounts — Which to Use

Evaluating hot-reload capabilities and security characteristics.

Interview: Compare env variables vs volume mounts. Explain the hot-reload behavior: config mounted as volumes updates automatically inside the container when modified in the cluster (after a propagation delay), whereas environment variables require a container restart to pick up changes. Note that subPath mounts do not support hot-reloads.

Last Updated: June 15, 2026 8 min read

Decoupling Mechanics

When injecting configuration files (ConfigMaps) or credentials (Secrets) into container workloads, you must choose between mounting them as environment variables or as volume directories.

The Hot-Reloading Difference

This choice determines how configuration updates propagate to running containers:

  • Environment Variables (No Hot-Reload): Environment variables are injected when the container process starts. If you modify a ConfigMap or Secret in the cluster, the running container's environment variables **will not update**. You must restart the container process (e.g. by running a rolling update restart) to apply changes.
  • Volume Mounts (Automatic Hot-Reload): When mounted as a directory volume, the kubelet daemon monitors resource updates. When a ConfigMap/Secret changes, the kubelet automatically updates the mounted files in the container filesystem (after a caching propagation delay).

The subPath Reload Trap

*Crucial Gotcha:* If you use the subPath directive to mount a single file from a ConfigMap/Secret into a directory (instead of mounting the entire directory), **the file will not receive hot-reloads**. Files mounted via subPath remain locked to their initial state until the container restarts.

Security Footprint

Environment variables are easily leaked through debug endpoints (e.g. Spring Boot Actuator env dump), container crash stack traces, or host-level process inspection tools (like ps aux). Directory mounts are significantly more secure, as they use memory-backed tmpfs filesystems that are deleted when the container process terminates.