diff --git a/pkg/podexecutor/staticpod.go b/pkg/podexecutor/staticpod.go
index a9bffaf70d..169a76216a 100644
--- a/pkg/podexecutor/staticpod.go
+++ b/pkg/podexecutor/staticpod.go
@@ -314,6 +314,10 @@ func (s *StaticPodConfig) APIServer(_ context.Context, etcdReady <-chan struct{}
 		dirs = append(dirs, filepath.Dir(auditLogFile))
 		excludeFiles = append(excludeFiles, auditLogFile)
 	}
+	// encryption config is refreshed by the secrets-encryption controller
+	// so we mount the directory to allow the pod to see the updates
+	dirs = append(dirs, filepath.Join(s.DataDir, "server/cred"))
+	excludeFiles = append(excludeFiles, filepath.Join(s.DataDir, "server/cred/encryption-config.json"))
 
 	return after(etcdReady, func() error {
 		return staticpod.Run(s.ManifestsDir, staticpod.Args{
diff --git a/pkg/staticpod/staticpod.go b/pkg/staticpod/staticpod.go
index e016a72b08..e78e91f4ca 100644
--- a/pkg/staticpod/staticpod.go
+++ b/pkg/staticpod/staticpod.go
@@ -103,6 +103,8 @@ func Run(dir string, args Args) error {
 		return err
 	}
 
+	// TODO Check to make sure we aren't double mounting directories and the files in those directories
+
 	args.Files = append(args.Files, files...)
 	pod, err := pod(args)
 	if err != nil {
@@ -375,6 +377,9 @@ func addExtraEnv(p *v1.Pod, extraEnv []string) {
 	}
 }
 
+// readFiles takes in the arguments passed to the static pod and returns a list of all files
+// embedded in those arguments to be included in the pod manifest as volumes.
+// excludeFiles are not included in the returned list.
 func readFiles(args, excludeFiles []string) ([]string, error) {
 	files := map[string]bool{}
 	excludes := map[string]bool{}
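Review bot: The new `dirs` entry mounts the whole `server/cred` directory into the apiserver pod unconditionally, whereas the audit-log mount just above it is guarded; if that directory holds credential material beyond the encryption config, the pod gains visibility of all of it, so confirm what lives there and whether `staticpod.Run` mounts `dirs` read-only (Run is in the other file and its mount handling is not visible here). The path is also joined twice from separate string literals, which invites drift; a local avoids it: `credDir := filepath.Join(s.DataDir, "server", "cred")`, then `dirs = append(dirs, credDir)` and `excludeFiles = append(excludeFiles, filepath.Join(credDir, "encryption-config.json"))`. The added comment explains the directory mount but not the exclusion; a second line such as `// the file itself is excluded so readFiles does not also mount it as its own volume` would make the pairing clear. APIServer's body starts and ends outside the hunk.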
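Review bot: The TODO added above `args.Files = append(args.Files, files...)` records the double-mount problem but does nothing about it, while the podexecutor hunk in this same commit introduces exactly the situation it describes (a directory mounted alongside a file under it, handled there only via excludeFiles). At minimum the combined list should be deduplicated after the append so a path reached twice does not become two volume entries; whether `pod(args)` already collapses duplicates cannot be seen here, as Run's body continues outside the hunk, and the directory-containment half of the TODO can stay open. Go convention also attributes TODOs so they are trackable, `// TODO(owner): ...`.
```go
	// … unchanged: readFiles call and error check …
	args.Files = append(args.Files, files...)
	// drop repeated paths so the same file is not mounted twice
	seen := make(map[string]struct{}, len(args.Files))
	deduped := make([]string, 0, len(args.Files))
	for _, f := range args.Files {
		if _, ok := seen[f]; ok {
			continue
		}
		seen[f] = struct{}{}
		deduped = append(deduped, f)
	}
	args.Files = deduped
	pod, err := pod(args)
```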
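Review bot: The new doc comment on readFiles does not say how excludeFiles entries are matched against the discovered paths, which matters now that the caller in the podexecutor hunk builds the exclusion with filepath.Join; `excludes := map[string]bool{}` suggests exact string comparison, so a differently cleaned or relative form of the same path would presumably not be excluded. If the body confirms that, add `// excludeFiles entries are matched by exact string comparison against the discovered paths.` and a sentence naming when the error return is non-nil. readFiles's body continues outside the hunk.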