As cloud-native environments expand, organizations need a more secure way to deliver application secrets without disrupting existing Kubernetes workflows. The Vault Secrets Operator (VSO) has long provided a simple and familiar method for syncing secrets from HashiCorp Vault into Kubernetes Secret objects. But storing secrets in etcd introduces unnecessary risk.

With Vault Enterprise 1.21, VSO now supports a CSI-based workflow that delivers secrets directly to pods at runtime — bypassing etcd entirely. This session will walk through how the new CSI driver works, how it improves security, and how teams can begin adopting it.

Key takeaways:

• Understand the differences between traditional Kubernetes Secret syncing and the new CSI workflow
• Learn how the CSI driver mounts secrets just in time as volumes
• Explore how to define custom resources that authorize pod access to specific secrets
• See how eliminating persistent secret storage reduces exposure risk
• Discover how to operationalize this workflow in production environments

Who should attend: Platform engineers, DevOps teams, security architects, SREs, and Kubernetes practitioners responsible for secret management, workload security, or operating Vault at scale.