Deep Dive: Vault CSI Provider for Kubernetes
This is part of the Vault + Kubernetes Integration Guide. Return to the main guide for the full architecture overview.

The Vault CSI Provider uses the Kubernetes Secrets Store CSI Driver to mount Vault secrets directly as ephemeral volumes — no sidecar containers needed.

How It Differs from Agent Injector

| Aspect | Agent Injector | CSI Provider |
|---|---|---|
| Architecture | Sidecar per pod | DaemonSet per node |
| Resource usage | Higher (per-pod) | Lower (per-node) |
| Dynamic secrets | ✅ Full renewal | ❌ Static at mount |
| Templating | ✅ Advanced Go templates | ❌ Raw key-value only |
| Secret rotation | ✅ Automatic | ❌ Requires pod restart |

Best for: Workloads needing simple key-value secrets without dynamic renewal, and teams wanting lower resource overhead....
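The manifests below show what the CSI mount compared above looks like in practice. They are an added example, not taken from the original guide; the Vault address, role name, KV path, namespace, object names and image are assumed placeholders.

```yaml
# Added example: every name, address and path here is a constructed placeholder.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-creds              # hypothetical name
  namespace: demo                 # hypothetical namespace
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"   # placeholder address
    roleName: "demo-app"          # assumed Vault Kubernetes-auth role
    # One entry per mounted file: a single key from a single path,
    # written as-is (raw key-value, no templating).
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/demo/db"
        secretKey: "password"
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: demo
spec:
  # Identity presented to Vault for this pod; bind the Vault role to this
  # ServiceAccount and namespace only, with a policy limited to the path above.
  serviceAccountName: demo-app
  containers:
    - name: app
      image: registry.example.internal/demo-app:1.0   # placeholder image
      volumeMounts:
        - name: vault-secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: vault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-db-creds
# Result: /mnt/secrets/db-password holds the value read at mount time.
# Per the comparison above, it stays unchanged until the pod is restarted.
```

The SecretProviderClass must live in the same namespace as the pod that references it, and no sidecar container appears in the pod spec because the node-level DaemonSet performs the fetch.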