Company
Date Published
Author
Troy Fluegge
Word count
2899
Language
English
Hacker News points
None

Summary

The Kubernetes project has adopted the Container Storage Interface (CSI) standard for exposing storage systems to containerized workloads. The Secrets Store CSI Driver is a pluggable CSI driver that depends on an additional provider being defined; supported providers include Microsoft Azure, Google Cloud, and HashiCorp Vault. The Vault CSI provider is an alternative to the sidecar injector method for retrieving secrets from Vault on behalf of applications that have no native Vault logic built in. The CSI method simplifies this architecture by not requiring any sidecar containers, by rendering secrets before the pod starts, and by providing a method to sync secrets into environment variables. However, it uses hostPath volumes to communicate with the CSI driver, which may be disabled in some Kubernetes distributions because of security concerns. The Vault CSI provider has received improvements around stability, support for all secret engines, and authentication with the requesting pod's service account. To implement the Vault CSI provider, users must enable the Kubernetes auth method, configure the Vault policy, create the SecretProviderClass, and define a basic NGINX pod that uses the CSI driver and the SecretProviderClass. The CSI method provides more granular flexibility with access controls and grants the ability to practice the principle of least privilege between applications.
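The Kubernetes-side half of the procedure summarized above (the SecretProviderClass and the NGINX pod that mounts it), written out here as an added example rather than taken from the original post. It assumes the Vault CSI provider and Secrets Store CSI Driver are already installed, that Vault is reachable in-cluster at the hypothetical address http://vault.vault:8200, that a Kubernetes auth role named webapp (bound to the webapp-sa service account) and a policy granting read on the hypothetical KV v2 path secret/data/webapp/db already exist on the Vault side, and that the driver was installed with secret syncing enabled (the optional secretObjects section is what makes the environment-variable sync work; without it the secret is only available as a file under the mount path).

```yaml
# Added example (not from the original post). Names, paths and the Vault
# address are placeholders chosen for illustration.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-webapp-db          # referenced by the pod's CSI volume below
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"   # assumed in-cluster Vault service
    roleName: "webapp"                        # Kubernetes auth role; its bound
                                              # service account limits which
                                              # pods can request these secrets
    objects: |
      - objectName: "db-password"             # file name rendered under mountPath
        secretPath: "secret/data/webapp/db"   # KV v2 API path (note /data/)
        secretKey: "password"                 # key inside the KV entry
  # Optional: mirror the rendered file into a Kubernetes Secret so it can be
  # consumed as an environment variable. Requires the driver to be installed
  # with secret syncing enabled; the volume must still be mounted by the pod.
  secretObjects:
  - secretName: webapp-db-creds
    type: Opaque
    data:
    - objectName: db-password
      key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  # The pod's own service account is what Vault authenticates; a different
  # workload with a different service account cannot reuse this role.
  serviceAccountName: webapp-sa
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"   # secrets rendered here before start
      readOnly: true
    env:
    - name: DB_PASSWORD                 # populated from the synced Secret
      valueFrom:
        secretKeyRef:
          name: webapp-db-creds
          key: password
  volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "vault-webapp-db"
```

Once both objects are applied, the rendered secret can be checked with `kubectl exec webapp -- cat /mnt/secrets-store/db-password`. Because the driver itself relies on hostPath volumes on the nodes, confirm that the cluster's admission policy (or the distribution's defaults) permits them for the driver's namespace before rolling this out; the application pod above needs no hostPath access of its own.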