Storage · Intermediate · 10 minutes · Kubernetes 1.28+

Kubernetes Projected Volumes Explained

Combine Secrets, ConfigMaps, Downward API, and ServiceAccount tokens into a single projected volume mount for cleaner pod configuration.

By Luca Berton · 5 min read

Quick Answer: Projected volumes combine multiple volume sources (Secrets, ConfigMaps, Downward API, ServiceAccount tokens) into a single directory, reducing volume mounts and simplifying configuration.

The Problem

Applications often need data from multiple sources mounted together: TLS certs from a Secret, config from a ConfigMap, and pod metadata from the Downward API. Without projected volumes, each requires a separate volume and mount point.

The Solution

Combined Configuration Volume

apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    app: web
spec:
  containers:
    - name: app
      image: myapp:2.0
      volumeMounts:
        - name: app-config
          mountPath: /etc/app
          readOnly: true
  volumes:
    - name: app-config
      projected:
        sources:
          - configMap:
              name: app-settings
              items:
                - key: config.yaml
                  path: config.yaml
          - secret:
              name: app-tls
              items:
                - key: tls.crt
                  path: certs/tls.crt
                - key: tls.key
                  path: certs/tls.key
          - downwardAPI:
              items:
                - path: labels
                  fieldRef:
                    fieldPath: metadata.labels
                - path: annotations
                  fieldRef:
                    fieldPath: metadata.annotations

Result inside the container:

/etc/app/
├── config.yaml        (from ConfigMap)
├── certs/
│   ├── tls.crt        (from Secret)
│   └── tls.key        (from Secret)
├── labels             (from Downward API)
└── annotations        (from Downward API)

Bound Service Account Token

volumes:
  - name: vault-token
    projected:
      sources:
        - serviceAccountToken:
            path: token
            expirationSeconds: 3600
            audience: vault
        - configMap:
            name: vault-config
            items:
              - key: vault-addr
                path: vault-addr

File Permissions

volumes:
  - name: secrets
    projected:
      defaultMode: 0400
      sources:
        - secret:
            name: db-credentials
            items:
              - key: password
                path: db-password
                mode: 0400

Overview diagram (Mermaid):

graph TD
    PV[Projected Volume] --> CM[ConfigMap: app-settings]
    PV --> S[Secret: app-tls]
    PV --> DA[Downward API: metadata]
    PV --> SA[ServiceAccountToken]
    PV --> M[Single Mount: /etc/app/]
    M --> F1[config.yaml]
    M --> F2[certs/tls.crt]
    M --> F3[certs/tls.key]
    M --> F4[labels]
    M --> F5[token]

Common Issues

Path conflicts between sources

Two sources writing to the same path fail validation. Use unique paths or subdirectories.

Token not refreshing

ServiceAccount tokens in projected volumes auto-rotate. Ensure your app re-reads the file periodically (don't cache it at startup).

Permission denied

Set defaultMode or per-item mode to match your application's expectations. Secrets default to 0644. If the container runs as a non-root user, also set the pod's securityContext.fsGroup; otherwise the kubelet-written files stay owned by root, and a 0400 mode leaves them unreadable to the application.
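To illustrate the bound-token source above and the "Token not refreshing" issue, here is an added Python example (not part of the original recipe) of how an application should consume a projected ServiceAccount token: re-read the file when the kubelet rotates it, and sanity-check audience and expiry locally before presenting it to Vault. The unsigned JWT encoder, the ProjectedTokenSource class and the rotation simulation in demo() are constructed for this example; real tokens are signed and must be verified by the receiving service, not by the client.

```python
import base64
import json
import os
import tempfile

def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped string with an empty signature: constructed test data, not a real token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def decode_claims(token: str) -> dict:
    """Payload only, no signature check: enough for local aud/exp sanity checks."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_problems(token: str, audience: str, now: float) -> list:
    """Reasons the projected token should not be presented to `audience`."""
    claims = decode_claims(token)
    problems = ["audience mismatch"] if audience not in claims.get("aud", []) else []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

class ProjectedTokenSource:
    """Re-reads the kubelet-rotated token file instead of caching it once at startup."""
    def __init__(self, path: str, max_age: float = 60.0):
        self.path, self.max_age = path, max_age
        self._token, self._mtime, self._read_at = None, None, 0.0

    def get(self, now: float) -> str:
        mtime = os.stat(self.path).st_mtime  # follows the ..data symlink the kubelet swaps
        if self._token is None or mtime != self._mtime or now - self._read_at > self.max_age:
            with open(self.path) as f:
                self._token = f.read().strip()
            self._mtime, self._read_at = mtime, now
        return self._token

def demo() -> dict:
    """Write a constructed token to a temp dir, then simulate a kubelet rotation."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        old = make_unsigned_token({"aud": ["vault"], "exp": 1000})
        new = make_unsigned_token({"aud": ["vault"], "exp": 5000})
        src = ProjectedTokenSource(path)
        for token, mtime, now in ((old, 1000, 500), (new, 2000, 600)):
            with open(path, "w") as f:
                f.write(token)
            os.utime(path, (mtime, mtime))  # fixed mtimes so the rotation is detectable
            seen = src.get(now=now)
        return {"rotated": seen == new, "old": token_problems(old, "vault", 3600),
                "new": token_problems(new, "vault", 3600), "wrong": token_problems(new, "api", 3600)}
```

In a real pod the path would be the projected mount, for example /var/run/secrets/vault/token, and now would be time.time().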

Best Practices

  • Use projected volumes to reduce volumeMounts count (cleaner pod spec)
  • Always set readOnly: true on projected volume mounts
  • Use short-lived serviceAccountToken with specific audience for external services
  • Set restrictive defaultMode: 0400 for secrets
  • Use items to control which keys are exposed and their file paths
  • Combine related configs that the app reads from the same directory

Key Takeaways

  • Projected volumes merge multiple sources into one mount point
  • Supported sources: ConfigMap, Secret, Downward API, ServiceAccountToken
  • Each source can select specific keys and remap file paths
  • ServiceAccountToken source enables bound tokens with expiry and audience
  • File permissions are configurable per-source and per-item
  • Changes to ConfigMaps and Secrets propagate automatically (kubelet sync period)
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.