diff --git a/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go b/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
index 397c1622fd..06ec4342af 100644
--- a/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
+++ b/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
@@ -12,6 +12,7 @@ import (
 "github.com/openshift/library-go/pkg/operator/encryption/kms"
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
@@ -148,9 +149,17 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 VolumeMounts: []corev1.VolumeMount{socketMount},
 },
 {
- Name: "vault-kms-plugin-555",
- Image: "quay.io/test/vault:v1",
- Args: sidecarArgs,
+ Name: "vault-kms-plugin-555",
+ Image: "quay.io/test/vault:v1",
+ Args: sidecarArgs,
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{socketMount},
 },
 },
@@ -185,6 +194,14 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 "-vault-namespace=other-namespace",
 "-transit-mount=transit2",
 },
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{socketMount},
 },
 {
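Review bot: The expected container in the `@@ -148,9 +149,17 @@` hunk spells out the pull policy, the termination-message policy and the `50Mi`/`5m` requests by hand, and the same eight lines are repeated in the `-185`, `-199` and `-397` hunks of sidecar_test.go and in all three `TestVaultSidecarProvider_BuildSidecarContainer` hunks of vault_test.go. The TODO in vault.go describes these defaults as provisional, so changing them later means seven identical edits, and a missed one surfaces only as a large struct mismatch. A small test helper that stamps the defaults onto an expected container would keep the values in one place; the helper name below is only a suggestion. Both test functions start and end outside these hunks.

```go
// withSidecarDefaults sets the fields BuildSidecarContainer applies to every plugin sidecar.
func withSidecarDefaults(c corev1.Container) corev1.Container {
	c.ImagePullPolicy = corev1.PullIfNotPresent
	c.TerminationMessagePolicy = corev1.TerminationMessageFallbackToLogsOnError
	c.Resources = corev1.ResourceRequirements{
		Requests: corev1.ResourceList{
			corev1.ResourceMemory: resource.MustParse("50Mi"),
			corev1.ResourceCPU:    resource.MustParse("5m"),
		},
	}
	return c
}

// … unchanged: test tables; each expected sidecar literal is wrapped in withSidecarDefaults(...) …
```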
@@ -199,6 +216,14 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 "-vault-namespace=my-namespace",
 "-transit-mount=transit",
 },
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{socketMount},
 },
 },
@@ -397,9 +422,17 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 VolumeMounts: []corev1.VolumeMount{socketMount},
 },
 {
- Name: "vault-kms-plugin-555",
- Image: "quay.io/test/vault:v1",
- Args: sidecarArgs,
+ Name: "vault-kms-plugin-555",
+ Image: "quay.io/test/vault:v1",
+ Args: sidecarArgs,
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{socketMount},
 },
 },
diff --git a/pkg/operator/encryption/kms/pluginlifecycle/vault.go b/pkg/operator/encryption/kms/pluginlifecycle/vault.go
index 4e459dd039..93c5c27611 100644
--- a/pkg/operator/encryption/kms/pluginlifecycle/vault.go
+++ b/pkg/operator/encryption/kms/pluginlifecycle/vault.go
@@ -5,6 +5,7 @@ import (
 
 configv1 "github.com/openshift/api/config/v1"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/resource"
 )
 
 // newVaultSidecarProvider creates a Vault sidecar provider from the given KMS plugin configuration.
@@ -54,8 +55,19 @@ func (v *vault) BuildSidecarContainer() (corev1.Container, error) {
 }
 
 return corev1.Container{
- Name: v.Name(),
- Image: v.config.KMSPluginImage,
- Args: args,
+ Name: v.Name(),
+ Image: v.config.KMSPluginImage,
+ Args: args,
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ // TODO(bertinatto): the plugin sidecar needs to be measure under heavy load to figure out good defaults.
+ // For now follow what most sidecars in the kube-apiserver pod do. xref:
+ // https://github.com/openshift/cluster-kube-apiserver-operator/commit/e15a19cd2474c8b60ce17ac16dd8f422c729847a
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 }, nil
 }
diff --git a/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go b/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
index 2b3b662a57..feaf6c48f8 100644
--- a/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
+++ b/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
@@ -6,6 +6,7 @@ import (
 configv1 "github.com/openshift/api/config/v1"
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/resource"
 )
 
 func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
@@ -49,6 +50,14 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 "-vault-namespace=my-namespace",
 "-transit-mount=transit",
 },
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 },
 },
 },
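Review bot: `ImagePullPolicy: corev1.PullIfNotPresent` in the `BuildSidecarContainer` hunk of vault.go makes whatever a node has cached for `v.config.KMSPluginImage` authoritative, so if that reference is a mutable tag (the tests use `quay.io/test/vault:v1`) control-plane nodes can end up running different builds of the KMS plugin under the same name. Whether the image reference is required to be digest-pinned is not visible in this hunk; if nothing upstream enforces it, I would state the expectation next to the field, e.g. `// KMSPluginImage is expected to be pinned by digest; IfNotPresent reuses whatever the node already has cached for this reference.` The added `Resources` sets only `Requests`, so the TODO should also say whether leaving out `Limits` is deliberate, and its wording has a typo: "needs to be measure" should read "needs to be measured". The function body starts above the hunk.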
@@ -94,6 +103,14 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 "-vault-namespace=my-namespace",
 "-transit-mount=transit",
 },
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 },
 },
 },
@@ -129,6 +146,14 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 // "-vault-namespace=",
 // "-transit-mount=",
 },
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ Resources: corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("50Mi"),
+ corev1.ResourceCPU: resource.MustParse("5m"),
+ },
+ },
 },
 },
 },