vault/csi-provider: update recommendations for OpenShift (#883)

tvoran · web-flow · commit 36ba953b60fe · 2025-09-05T10:29:17.000-07:00
Also use the chart values to set `privileged: true` instead of
directly patching the daemonSet. Across 1.20-1.18, 1.16 doc versions.
diff --git a/content/vault/v1.16.x/content/docs/platform/k8s/csi/installation.mdx b/content/vault/v1.16.x/content/docs/platform/k8s/csi/installation.mdx
@@ -46,28 +46,20 @@ more.
 
 ## Installation on OpenShift
 
-We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift)
-instead of the Secrets Store CSI driver. OpenShift
-[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html)
-using `hostPath` mounting in production or
-[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks)
-using CSI objects because pods must run as privileged. Pods will have elevated access to
-other pods on the same node, which OpenShift does not recommend.
-
 You can run the Secrets Store CSI driver with additional
 security configurations on a OpenShift development
 or testing cluster.
 
-Deploy the Secrets Store CSI driver and Vault Helm chart
-to your OpenShift cluster.
-
-Then, patch the `DaemonSet` for the Vault CSI provider to
-run with a privileged security context.
+Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift
+cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2)
+to `privileged: true` in the Vault Helm chart values:
 
-```shell-session
-$ kubectl patch daemonset vault-csi-provider \
-  --type='json' \
-  --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'
+```yaml
+csi:
+  daemonSet:
+    securityContext:
+      container:
+        privileged: true
 ```
 
 The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access.
diff --git a/content/vault/v1.18.x/content/docs/platform/k8s/csi/installation.mdx b/content/vault/v1.18.x/content/docs/platform/k8s/csi/installation.mdx
@@ -46,28 +46,20 @@ more.
 
 ## Installation on OpenShift
 
-We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift)
-instead of the Secrets Store CSI driver. OpenShift
-[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html)
-using `hostPath` mounting in production or
-[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks)
-using CSI objects because pods must run as privileged. Pods will have elevated access to
-other pods on the same node, which OpenShift does not recommend.
-
 You can run the Secrets Store CSI driver with additional
 security configurations on a OpenShift development
 or testing cluster.
 
-Deploy the Secrets Store CSI driver and Vault Helm chart
-to your OpenShift cluster.
-
-Then, patch the `DaemonSet` for the Vault CSI provider to
-run with a privileged security context.
+Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift
+cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2)
+to `privileged: true` in the Vault Helm chart values:
 
-```shell-session
-$ kubectl patch daemonset vault-csi-provider \
-  --type='json' \
-  --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'
+```yaml
+csi:
+  daemonSet:
+    securityContext:
+      container:
+        privileged: true
 ```
 
 The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access.
diff --git a/content/vault/v1.19.x/content/docs/deploy/kubernetes/csi/installation.mdx b/content/vault/v1.19.x/content/docs/deploy/kubernetes/csi/installation.mdx
@@ -46,28 +46,20 @@ more.
 
 ## Installation on OpenShift
 
-We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift)
-instead of the Secrets Store CSI driver. OpenShift
-[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html)
-using `hostPath` mounting in production or
-[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks)
-using CSI objects because pods must run as privileged. Pods will have elevated access to
-other pods on the same node, which OpenShift does not recommend.
-
 You can run the Secrets Store CSI driver with additional
 security configurations on a OpenShift development
 or testing cluster.
 
-Deploy the Secrets Store CSI driver and Vault Helm chart
-to your OpenShift cluster.
-
-Then, patch the `DaemonSet` for the Vault CSI provider to
-run with a privileged security context.
+Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift
+cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2)
+to `privileged: true` in the Vault Helm chart values:
 
-```shell-session
-$ kubectl patch daemonset vault-csi-provider \
-  --type='json' \
-  --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'
+```yaml
+csi:
+  daemonSet:
+    securityContext:
+      container:
+        privileged: true
 ```
 
 The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access.
diff --git a/content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/installation.mdx b/content/vault/v1.20.x/content/docs/deploy/kubernetes/csi/installation.mdx
@@ -46,28 +46,20 @@ more.
 
 ## Installation on OpenShift
 
-We recommend using the [Vault agent injector on Openshift](/vault/docs/platform/k8s/helm/openshift)
-instead of the Secrets Store CSI driver. OpenShift
-[does not recommend](https://docs.openshift.com/container-platform/4.9/storage/persistent_storage/persistent-storage-hostpath.html)
-using `hostPath` mounting in production or
-[certify Helm charts](https://github.com/redhat-certification/chart-verifier/blob/dbf89bff2d09142e4709d689a9f4037a739c2244/docs/helm-chart-checks.md#table-2-helm-chart-default-checks)
-using CSI objects because pods must run as privileged. Pods will have elevated access to
-other pods on the same node, which OpenShift does not recommend.
-
 You can run the Secrets Store CSI driver with additional
 security configurations on a OpenShift development
 or testing cluster.
 
-Deploy the Secrets Store CSI driver and Vault Helm chart
-to your OpenShift cluster.
-
-Then, patch the `DaemonSet` for the Vault CSI provider to
-run with a privileged security context.
+Deploy the Secrets Store CSI driver and Vault Helm chart to your OpenShift
+cluster. Set the [provider container's securityContext](/vault/docs/deploy/kubernetes/helm/configuration#container-2)
+to `privileged: true` in the Vault Helm chart values:
 
-```shell-session
-$ kubectl patch daemonset vault-csi-provider \
-  --type='json' \
-  --patch='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'
+```yaml
+csi:
+  daemonSet:
+    securityContext:
+      container:
+        privileged: true
 ```
 
 The Secrets Store CSI driver and Vault CSI provider need `hostPath` mount access.
