Running Vault with Kubernetes

Running Vault with Kubernetes can be done differently based on the environments and needs, whether you’re running Vault side-by-side or within Kubernetes. The goal is to provide a variety of options around how to leverage Vault and Kubernetes to securely introduce secrets into applications and infrastructure.

Learn how to integrate Vault and Kubernetes

Vault on Kubernetes Reference Architecture

This document outlines a reference architecture for deployment of HashiCorp Vault in the context of the Kubernetes cluster scheduler.

Integrate a Kubernetes Cluster with an External Vault

In this guide, you will run Vault locally, start a Kubernetes cluster with Minikube, deploy an application that retrieves secrets from this Vault, and configure an injector only deployment to inject secrets into the pods from this Vault.

Injecting Secrets into Kubernetes Pods via Vault Helm Sidecar

In this guide, you setup Vault and this injector service with the Vault Helm chart. Then deploy several applications to demonstrate how this new injector service retrieves and writes these secrets for the applications use.

Vault on Kubernetes Security Considerations

This guide highlights where extra precaution is needed when you deploy Vault on Kubernetes in production.

Vault Installation to Minikube via Helm

In this guide, you will setup Vault and its dependencies with a Helm chart. Then integrate a web application that uses the Kubernetes service account token to authenticate with Vault and retrieve a secret.

Mount Vault Secrets through Container Storage Interface (CSI) Volume

This document outlines a reference architecture for deployment of HashiCorp Vault in the context of the Kubernetes cluster scheduler.



Vault can be deployed into Kubernetes using the official HashiCorp Vault Helm chart. The helm chart allows users to deploy Vault in various configurations

Auth Method

The kubernetes auth method can be used to authenticate with Vault using a Kubernetes Service Account Token. This method of authentication makes it easy to introduce a Vault token into a Kubernetes Pod.


The following are different configuration examples to support a variety of deployment models.

Agent Sidecar


The Vault Agent Injector alters pod specifications to include Vault Agent containers that render Vault secrets to a shared memory volume using Vault Agent Templates.


The following are the different methods of installing the Agent Injector in Kubernetes.


The following are the available annotations for the injector.


Standalone Server with Load Balanced UI

Standalone Server with TLS

Standalone Server with Audit Storage

Highly Available Vault Cluster with Consul

Using Kubernetes Auth Method

When to consider Vault Enterprise?

Open Source

Technical Complexity

Vault Open Source addresses the technical complexity of managing secrets by leveraging trusted identities across distributed infrastructure and clouds.

View Open Source Features

Organizational Complexity

Vault Enterprise addresses the organizational complexity of large user bases and compliance requirements with collaboration and governance features.

View Enterprise Features

Ready to get started?