A Hacker News thread highlights a 2024 essay titled “Dear friend, you have built a Kubernetes,” sparking debate about Kubernetes’ complexity and suitability. Commenters argue that even after setup, teams revert to ad-hoc deploy scripts or Helm, and that alternatives (BEAM/OTP stacks) or simple single-node deployments can avoid Kubernetes’ operational overhead. Others note that Kubernetes fits dynamic, cloud-native SaaS use cases but can be overkill for on-prem or small-scale needs; a linked MetalLB developer blog offers deeper criticism. The exchange underscores the trade-offs between powerful orchestration and developer/operator friction, advising teams to match tooling to actual requirements rather than adopting Kubernetes by default.
Kloak, an open-source AGPL-3.0 project, transparently intercepts HTTPS traffic in Kubernetes using pure eBPF to replace hashed placeholders with real secrets at the network edge so applications never see credentials. Deployed via Helm, Kloak labels Kubernetes Secrets, issues ULID placeholders that apps use in configs or headers, and performs kernel-space transformation on outbound requests, avoiding sidecars, SDKs, or CNI changes. Key features include Kubernetes-native integration, host-level access controls, minimal latency due to eBPF, and zero code changes for apps. This matters for cloud-native security: it reduces the blast radius of compromised processes and simplifies secret handling while trading off kernel-level complexity and AGPL licensing considerations.
Kloak, an open-source secret manager from the spinning-factory team, runs as a Kubernetes controller that replaces real secrets in pod workloads with harmless placeholders and uses eBPF to inject the actual secrets only at the moment an application makes a TLS request to an approved host. It currently supports apps using OpenSSL 3.0–3.5 and Go’s go-tls for Go 1.25–1.26, with plans to add more TLS libraries (GnuTLS, BoringSSL) and Go versions. Kloak is released under the AGPL and invites contributions and feedback from the community. The approach aims to reduce exposure of secrets in cluster memory and manifests by performing in-kernel substitution at request time.
Kloak is an open-source, agentless secret manager for Kubernetes that uses eBPF to intercept HTTPS traffic and swap hashed placeholders in headers with real credentials at the network edge. Installed via Helm and running in kernel space, Kloak replaces tokens like Authorization: kloak:<hash> with live secrets so application processes never handle raw credentials. The project claims negligible latency impact, Kubernetes-native operation with standard Secrets and label-based opt-in, host-level restrictions for fine-grained access control, and no code changes or SDKs required. Released under AGPL-3.0, Kloak aims to reduce secret exposure and credential leakage without sidecars or CNIs, making it attractive for clusters prioritizing minimal runtime changes and high-performance security.