BestHub
Sign in
Cloud Native 7 min read

Mastering Kubernetes subPath: Prevent Overwrites, Isolate Files, and Boost Config Management

This article explains the Kubernetes subPath feature, how it works under the Kubelet, and provides step‑by‑step examples for avoiding ConfigMap/Secret overwrites and achieving file isolation with PVCs, while highlighting practical tips and limitations for production use.

Linux Ops Smart Journey
Linux Ops Smart Journey
Linux Ops Smart Journey
Mastering Kubernetes subPath: Prevent Overwrites, Isolate Files, and Boost Config Management

What is subPath?

subPath is a Kubernetes feature that allows mounting a single file or subdirectory from a volume into a container, preventing the entire volume from being overwritten and enabling fine‑grained control of volume contents.

How subPath works

The Kubelet handles subPath entirely on the node. When a Pod is scheduled, the Kubelet first mounts the whole volume to a temporary directory, then creates a bind mount for the specified subPath.

Mount the entire volume to a temporary path on the node (e.g.,

/var/lib/kubelet/pods/<pod-id>/volumes/<volume-type>/<volume-name>

).

Create a bind mount for the desired subPath.

mount --bind /host_volume_path/nginx.conf /var/lib/kubelet/.../<container-rootfs>/etc/nginx/nginx.conf

Common use cases

Avoid overwriting : Mount a specific key from a ConfigMap or Secret using subPath so that other files in the container’s directory remain untouched.

File isolation : Multiple containers share a PVC but each mounts a different subdirectory, keeping their data separate.

Case 1: Adding a new config file without overwriting defaults

Steps to add web‑api.conf alongside the default Nginx configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: default
data:
  web-api.conf: |
    server {
      listen 8080;
      listen [::]:8080;
      server_name localhost;
      location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
      }
      error_page 500 502 503 504 /50x.html;
      location = /50x.html {
        root /usr/share/nginx/html;
      }
    }
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: client
        image: core.jiaxzeng.com/library/nginx:1.27-alpine3.20
        volumeMounts:
        - name: config
          mountPath: /etc/nginx/conf.d/web-api.conf
          subPath: web-api.conf
      volumes:
      - name: config
        configMap:
          name: nginx-config

Case 2: Isolating logs per pod using a shared PVC

When multiple stateless replicas write logs to a shared NFS directory, subPath can separate each pod’s logs.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: client-data-pv
spec:
  accessModes: ["ReadWriteOnce"]
  capacity:
    storage: 5Gi
  local:
    path: /data/test-local-pv
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values: ["k8s-node02"]
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: client-data-pvc
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 5Gi
  volumeMode: Filesystem
apiVersion: apps/v1
kind: Deployment
metadata:
  name: simple
spec:
  replicas: 2
  selector:
    matchLabels:
      app: simple
  template:
    metadata:
      labels:
        app: simple
    spec:
      containers:
      - name: simple
        image: core.jiaxzeng.com/jiaxzeng/simple:v1.4.3
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        volumeMounts:
        - name: config
          mountPath: /etc/simple
        - name: logs
          mountPath: /app/logs
          subPathExpr: $(POD_NAME)/logs
        imagePullPolicy: Always
      volumes:
      - name: config
        configMap:
          name: simple-config
          defaultMode: 420
      - name: logs
        persistentVolumeClaim:
          claimName: client-data-pvc

Tips

subPath does not support automatic updates of ConfigMap or Secret contents; when the source data changes, the bind‑mounted file inside the container will not be refreshed until the pod is restarted.

Conclusion

subPath is a powerful, practical feature that enables precise control over volume content while preserving container image integrity. Proper use can greatly improve configuration flexibility and data isolation, but operators must be aware of its limitations, especially regarding hot updates and path dependencies, and validate usage in a test environment before production deployment.

subPath diagram
subPath diagram
best practicesvolumeConfigMapsubPath
Linux Ops Smart Journey
Written by

Linux Ops Smart Journey

The operations journey never stops—pursuing excellence endlessly.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment