diff --git a/pkg/podexecutor/staticpod.go b/pkg/podexecutor/staticpod.go index ee3a35d808..ad13755ddf 100644 --- a/pkg/podexecutor/staticpod.go +++ b/pkg/podexecutor/staticpod.go @@ -327,6 +327,10 @@ func (s *StaticPodConfig) APIServer(_ context.Context, etcdReady <-chan struct{} dirs = append(dirs, filepath.Dir(auditLogFile)) excludeFiles = append(excludeFiles, auditLogFile) } + // encryption config is refreshed by the secrets-encryption controller + // so we mount the directory to allow the pod to see the updates + dirs = append(dirs, filepath.Join(s.DataDir, "server/cred")) + excludeFiles = append(excludeFiles, filepath.Join(s.DataDir, "server/cred/encryption-config.json")) apiServerArgs := staticpod.Args{ Command: "kube-apiserver", diff --git a/pkg/staticpod/staticpod.go b/pkg/staticpod/staticpod.go index 69ca651cc4..ec687f91e5 100644 --- a/pkg/staticpod/staticpod.go +++ b/pkg/staticpod/staticpod.go @@ -109,6 +109,8 @@ func Run(dir string, args Args) error { return err } + // TODO Check to make sure we aren't double mounting directories and the files in those directories + args.Files = append(args.Files, files...) pod, err := pod(args) if err != nil { @@ -411,6 +413,9 @@ func addExtraEnv(p *v1.Pod, extraEnv []string) { } } +// readFiles takes in the arguments passed to the static pod and returns a list of all files +// embedded in those arguments to be included in the pod manifest as volumes. +// excludeFiles are not included in the returned list. func readFiles(args, excludeFiles []string) ([]string, error) { files := map[string]bool{} excludes := map[string]bool{}
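Review bot: The new `dirs` entry mounts the whole `server/cred` directory into the kube-apiserver pod, while the only file the comment justifies is `encryption-config.json`; every other credential file under that directory becomes visible to the container too, so the comment should say that this widening is intended and, if the volume mode is configurable (not visible here), the directory mount should be read-only. The same path literal is also spelled twice; building it once keeps the two in sync: `credDir := filepath.Join(s.DataDir, "server/cred")`, `dirs = append(dirs, credDir)`, `excludeFiles = append(excludeFiles, filepath.Join(credDir, "encryption-config.json"))`. Excluding only that one file means any other `server/cred` path that appears in the apiserver arguments will still be mounted individually on top of the directory mount, which is the double-mount case the TODO in `pkg/staticpod/staticpod.go` mentions, so either exclude by directory prefix or confirm no other argument points into that directory. Note that the mount only makes a rewritten file visible inside the pod; whether kube-apiserver re-reads it depends on a reload option that is not part of this hunk. APIServer's body begins before and continues after the hunk.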
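Review bot: The added TODO records the double-mount risk but leaves `args.Files = append(args.Files, files...)` unguarded, so a file whose path sits inside a directory already listed for mounting is still appended as its own volume. A minimal check is to skip any entry of `files` that lies under a mounted directory before appending, e.g. per mounted dir `if rel, err := filepath.Rel(dir, f); err == nil && !strings.HasPrefix(rel, "..") { continue }`, assuming Args carries the directory list (its definition is not in this diff). Until that is implemented, the comment should at least name the caller that creates the overlap (the new `server/cred` directory mount in the apiserver config) so the next reader knows what to test. Run's body starts before and continues after the hunk.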
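Review bot: The new comment on `readFiles` says nothing about the error return or how `excludeFiles` entries are matched; the body below keys `excludes` by plain string, which suggests a path must be passed in exactly the form it appears in args to be excluded. Suggest extending the last line to: `// excludeFiles are dropped from the result; matching appears to be by exact path string, so pass the same form the argument uses.` and adding a sentence on when a non-nil error is returned (the code that produces it is outside the hunk). readFiles continues past the end of the hunk.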