diff --git a/clusters/brusnika-prod/infrastructure/patches/prometheus-stack.yaml b/clusters/brusnika-prod/infrastructure/patches/prometheus-stack.yaml
index c662d40..57f23ea 100644
--- a/clusters/brusnika-prod/infrastructure/patches/prometheus-stack.yaml
+++ b/clusters/brusnika-prod/infrastructure/patches/prometheus-stack.yaml
@@ -51,6 +51,14 @@ spec:
 - op: replace
 path: /spec/groups/0/rules/4/labels/cluster
 value: brusnika-prod
+ - op: replace
+ path: /spec/groups/0/rules/4/expr
+ value: >-
+ (
+ sum(rate(container_cpu_cfs_throttled_periods_total{container!="",namespace!="kube-system"}[15m])) by (container, pod, namespace, scope)
+ /
+ sum(rate(container_cpu_cfs_periods_total{container!="",namespace!="kube-system"}[15m])) by (container, pod, namespace, scope)
+ ) > 0.80
 - op: replace
 path: /spec/groups/0/rules/5/labels/cluster
 value: brusnika-prod
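Review bot: The added `replace` on `/spec/groups/0/rules/4/expr` selects the rule purely by position, so if a chart upgrade inserts or reorders rules in group 0 the new expression silently lands on a different alert and that alert's own condition is overwritten. Put a JSON Patch `test` op directly before it, e.g. `- op: test` / `path: /spec/groups/0/rules/4/alert` / `value: <ALERT_NAME>`, so rendering fails instead of mis-patching (assuming the patch engine in use honours `test`). The replacement expression also excludes `kube-system` and fires only above 0.80 over a 15m window; if that narrows the upstream rule, a one-line comment stating why would help anyone later auditing alerting gaps. The patch list continues outside the hunk.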
@@ -245,26 +253,17 @@ spec:
 grafana:
 enabled: true
 adminUser: grafana-admin
- admin:
- existingSecret: grafana-admin
- userKey: admin-user
- passwordKey: admin-password
- extraObjects:
- - |
- {{- $secret := lookup "v1" "Secret" .Release.Namespace "grafana-admin" }}
- apiVersion: v1
- kind: Secret
- metadata:
- name: grafana-admin
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: Helm
- type: Opaque
- data:
- admin-user: {{ .Values.adminUser | b64enc | quote }}
- admin-password: {{ if $secret }}{{ index $secret.data "admin-password" | quote }}{{ else }}{{ randAlphaNum 40 | b64enc | quote }}{{ end }}
+ podAnnotations:
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: grafana-admin
+ vault.hashicorp.com/agent-inject-secret-grafana-admin-password: secrets/data/vault/apps/grafana-admin
+ vault.hashicorp.com/agent-inject-template-grafana-admin-password: |-
+ {{- with secret "secrets/data/vault/apps/grafana-admin" -}}
+ {{ index .Data.data "admin-password" }}
+ {{- end -}}
 persistence:
 enabled: true
 type: sts
@@ -277,6 +276,8 @@ spec:
 env:
 GF_SERVER_DOMAIN: grafana.brusnika.onprem.sarex.io
 GF_SERVER_ROOT_URL: https://grafana.brusnika.onprem.sarex.io/
+ GF_SECURITY_ADMIN_USER: grafana-admin
+ GF_SECURITY_ADMIN_PASSWORD__FILE: /vault/secrets/grafana-admin-password
 sidecar:
 dashboards:
 enabled: true
diff --git a/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml b/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
index 2000f43..01fa772 100644
--- a/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
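Review bot: The `podAnnotations` added under `grafana:` in the brusnika-prod file (hunk `-245,26 +253,17`) do not limit which containers get the injected `/vault/secrets` volume, and the same values enable `sidecar.dashboards`. As far as I know the injector mounts the volume into every container of the pod by default, so the dashboard sidecar would also be able to read the admin password file. Consider adding `vault.hashicorp.com/agent-inject-containers: grafana` (container name to be confirmed against the chart) so that only the Grafana container sees it. The identical hunk in the brusnika-stage file has the same gap, and the `grafana:` mapping starts and ends outside the hunk.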
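Review bot: `GF_SECURITY_ADMIN_PASSWORD__FILE`, added in the brusnika-prod hunk `-277,6 +276,8`, is as far as I know only applied when Grafana first creates the admin account, and these values keep `persistence.enabled: true`, so on an existing volume the database keeps the password from the removed `grafana-admin` Secret rather than the Vault value. I would add above the two env lines `# Seeds the admin only on first DB init; on existing volumes reset the admin password to the Vault value after rollout`. With `agent-pre-populate-only: "true"` the file is rendered once at pod start, so a later rotation in Vault needs a pod restart plus an explicit password reset before it takes effect. The matching hunk in the brusnika-stage file is affected the same way. The `env:` mapping continues outside the hunk.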
@@ -245,26 +245,17 @@ spec:
 grafana:
 enabled: true
 adminUser: grafana-admin
- admin:
- existingSecret: grafana-admin
- userKey: admin-user
- passwordKey: admin-password
- extraObjects:
- - |
- {{- $secret := lookup "v1" "Secret" .Release.Namespace "grafana-admin" }}
- apiVersion: v1
- kind: Secret
- metadata:
- name: grafana-admin
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: Helm
- type: Opaque
- data:
- admin-user: {{ .Values.adminUser | b64enc | quote }}
- admin-password: {{ if $secret }}{{ index $secret.data "admin-password" | quote }}{{ else }}{{ randAlphaNum 40 | b64enc | quote }}{{ end }}
+ podAnnotations:
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: grafana-admin
+ vault.hashicorp.com/agent-inject-secret-grafana-admin-password: secrets/data/vault/apps/grafana-admin
+ vault.hashicorp.com/agent-inject-template-grafana-admin-password: |-
+ {{- with secret "secrets/data/vault/apps/grafana-admin" -}}
+ {{ index .Data.data "admin-password" }}
+ {{- end -}}
 persistence:
 enabled: true
 type: sts
@@ -277,6 +268,8 @@ spec:
 env:
 GF_SERVER_DOMAIN: grafana.test.sarex.brusnika.tech
 GF_SERVER_ROOT_URL: https://grafana.test.sarex.brusnika.tech/
+ GF_SECURITY_ADMIN_USER: grafana-admin
+ GF_SECURITY_ADMIN_PASSWORD__FILE: /vault/secrets/grafana-admin-password
 sidecar:
 dashboards:
 enabled: true