Show HN: Kloak, A secret manager that keeps K8s workload away from secrets
Kloak transparently intercepts HTTPS traffic in Kubernetes using pure eBPF, replacing hashed placeholders with real secrets at the network edge. Your applications never see the actual credentials, so a compromised process cannot leak what it never had.
    # Your app sends this header:
    Authorization: kloak:MPZVR3GHWT4E6YBCA01JQXK5N8
    # Kloak transforms it to:
    Authorization: Bearer sk-live-xyz123...

✓ Secret never exposed to application

Quick start

    # Install Kloak with Helm
    $ helm repo add kloak https://chart.getkloak.io
    $ helm repo update
    $ helm install kloak kloak/kloak \
        -n kloak-system --create-namespace \
        --set demo.enabled=true

Features
Everything You Need for Secure Secret Management
Kloak provides enterprise-grade security without the complexity
Secure by Design
Secrets are replaced at the network edge. Your application code never sees real credentials, eliminating accidental exposure.
Zero Latency Impact
eBPF-powered traffic redirection happens in kernel space, adding negligible overhead to your requests.
Kubernetes Native
Works with standard Kubernetes Secrets. Add a label and Kloak handles the rest automatically.
Host Restrictions
Control which secrets can be used with which hosts. Prevent credential misuse with fine-grained access control.
Zero Code Changes
No SDK required. Works with any language or framework. Use the hash placeholder in your config.
Pure eBPF Integration
No bulky sidecars or complex CNI plugins. Kloak operates purely at the kernel level for maximum efficiency.
Open Source
Fully open source under the AGPL-3.0 License. Inspect the code, contribute, and build with confidence.
Kloak operates at the network layer, making secret management invisible to your applications
Label your Kubernetes secrets with getkloak.io/enabled=true. Kloak generates a unique ULID placeholder for each secret value.
    labels:
      getkloak.io/enabled: "true"
      getkloak.io/hosts: "api.example.com"

02 Use Hash Placeholders
Reference the generated hash in your application config instead of the actual secret. Your app never sees the real value.
    headers:
      Authorization: "kloak:MPZVR3GHWT4E6YBCA01JQXK5N8"

03 Automatic Transform
When your app makes an HTTPS request, Kloak intercepts it and replaces the hash with the real secret before forwarding.
    # Request leaves your pod with real credentials
    Authorization: Bearer sk-live-xyz123...

Architecture
Built for Kubernetes
A cloud-native solution using proven technologies
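
The placeholder swap and host restriction from the three steps above, modelled in Python as an added illustration; this is not Kloak's code. The registry contents, the sample secret value, exact-match host comparison, and leaving the placeholder untouched on a denied host are all assumptions.

```python
import re

# Constructed registry: placeholder -> (secret value, allowed hosts).
# Models a Secret labelled getkloak.io/enabled="true" and
# getkloak.io/hosts="api.example.com"; the secret value is a made-up sample.
REGISTRY = {
    "MPZVR3GHWT4E6YBCA01JQXK5N8": ("Bearer sk-live-EXAMPLE", {"api.example.com"}),
}

# ULIDs are 26 characters from the Crockford base32 alphabet (no I, L, O, U).
PLACEHOLDER = re.compile(r"kloak:([0-9A-HJKMNP-TV-Z]{26})")


def rewrite_headers(host, headers):
    """Return (new_headers, events) for one outbound request to `host`."""
    # Normalise before comparing: drop the port, a trailing dot, and case.
    host = host.split(":")[0].rstrip(".").lower()
    out, events = {}, []
    for name, value in headers.items():
        def swap(match, name=name):
            entry = REGISTRY.get(match.group(1))
            if entry is None:
                events.append(("unknown", name))
                return match.group(0)
            secret, allowed = entry
            # Exact match only: a suffix or substring match would let
            # "api.example.com.other.example.net" receive the credential.
            if host not in allowed:
                events.append(("host_denied", name))
                return match.group(0)  # assumption: placeholder stays inert
            events.append(("substituted", name))
            return secret
        out[name] = PLACEHOLDER.sub(swap, value)
    return out, events
```

The `events` list is what a defender would want logged: a `host_denied` entry means a workload tried to send a placeholder to a destination outside the secret's allowed hosts.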