Kloak is a Kubernetes-native secret manager that isolates workloads from direct access to real credentials at runtime.
Key Takeaways
Workloads never hold real secrets: the Kloak controller hands them inert placeholders, called kloaked secrets, in place of the real values.
Real values are substituted into a request only at the moment the app sends it to an allowed host; they are never written to the pod.
Built as a Kubernetes controller, not a vault sidecar or external-secrets-operator pattern.
Targets runtime secret exposure, the window between secret mount and actual use, not just storage or rotation.
Hacker News Comment Review
The mechanism is eBPF-based: Kloak hooks the application's TLS library calls and swaps the placeholder for the real secret just before the handshake, and only for connections to allowed hosts. A request that does not pass through a hooked TLS library (plain HTTP, or an unsupported TLS stack) goes out carrying the inert placeholder, so a misrouted request exposes no real value.
Library coverage at launch is OpenSSL 3.0 through 3.5 (statically or dynamically linked) and Go's crypto/tls (go-tls) for Go 1.25 through 1.26; GnuTLS and BoringSSL are on the roadmap. The version matrix is the practical check: a workload whose TLS library or Go version falls outside it is not covered, so confirm both before relying on substitution.
“Kloak” is Danish for sewer, a minor naming consideration for multilingual teams or documentation.
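To make the allow-list-scoped substitution concrete, the following Go program is an added, user-space model of the policy described above, not Kloak's eBPF code: real values exist only on the "controller" side, the pod-visible request carries a placeholder, and the placeholder is exchanged for the real value only when the destination host is on the allow list. The placeholder format, the host names, the token and the assumption that the hook can observe the destination host (SNI or dialed host) are constructed for this example. It also includes the check a practitioner wants: scanning anything the pod can see (a log line, a crash dump, a request to a non-allowed host) and flagging only a real value, since a placeholder there is expected and harmless.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Substituter models the policy applied at the TLS hook. This is a user-space
// illustration, not Kloak's eBPF implementation.
type Substituter struct {
	allowed map[string]struct{} // hosts that may receive real credentials
	secrets map[string]string   // placeholder -> real value (controller-side knowledge)
	order   []string            // placeholders, longest first, so a prefix never shadows a longer token
}

func NewSubstituter(allowedHosts []string, secrets map[string]string) *Substituter {
	s := &Substituter{allowed: map[string]struct{}{}, secrets: secrets}
	for _, h := range allowedHosts {
		s.allowed[strings.ToLower(h)] = struct{}{}
	}
	for ph := range secrets {
		s.order = append(s.order, ph)
	}
	sort.Slice(s.order, func(i, j int) bool { return len(s.order[i]) > len(s.order[j]) })
	return s
}

// normalizeHost strips a :port suffix and lower-cases, so "API.Example.com:443"
// matches an allow-list entry of "api.example.com".
func normalizeHost(dst string) string {
	if h, _, err := net.SplitHostPort(dst); err == nil {
		dst = h
	}
	return strings.ToLower(dst)
}

// Rewrite stands in for the hook on the TLS library's plaintext write path.
// It takes the destination host (assumed here to be the SNI or dialed host the
// hook can observe) and the bytes the app is about to encrypt, and returns what
// should actually be sent plus whether any substitution happened. Non-allowed
// hosts get the buffer untouched, placeholders included, so a misrouted request
// carries an inert value rather than the credential.
func (s *Substituter) Rewrite(dstHost string, plaintext []byte) ([]byte, bool) {
	if _, ok := s.allowed[normalizeHost(dstHost)]; !ok {
		return plaintext, false
	}
	out := plaintext
	replaced := false
	for _, ph := range s.order {
		if bytes.Contains(out, []byte(ph)) {
			out = bytes.ReplaceAll(out, []byte(ph), []byte(s.secrets[ph]))
			replaced = true
		}
	}
	return out, replaced
}

// ContainsRealSecret is the check to run on anything the pod can see (env
// dumps, logs, crash reports, traffic to a non-allowed host): a placeholder
// there is expected; a real value there means the runtime boundary was crossed.
func (s *Substituter) ContainsRealSecret(artifact []byte) bool {
	for _, real := range s.secrets {
		if bytes.Contains(artifact, []byte(real)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; neither the placeholder format nor the token is Kloak's.
	s := NewSubstituter(
		[]string{"api.example.com"},
		map[string]string{"kloak-ph-7f3a9c": "real-token-constructed-for-demo"},
	)
	req := []byte("GET /v1/me HTTP/1.1\r\nHost: api.example.com\r\nAuthorization: Bearer kloak-ph-7f3a9c\r\n\r\n")

	// Allowed host: the wire plaintext carries the real value. Non-allowed host: placeholder only.
	for _, dst := range []string{"API.Example.com:443", "attacker.example:443"} {
		out, swapped := s.Rewrite(dst, req)
		fmt.Printf("dst=%-22s swapped=%-5v carries_real=%v\n", dst, swapped, s.ContainsRealSecret(out))
	}
	// The pod's own log line only ever carries the placeholder.
	fmt.Println("log line carries real secret:", s.ContainsRealSecret([]byte("auth failed for kloak-ph-7f3a9c")))
}
```

The longest-first ordering matters once more than one placeholder is in play: if one placeholder were a prefix of another, replacing the shorter one first would corrupt the longer token. The host normalization is deliberately strict about what it accepts (case and port only); anything that broadens matching, such as suffix or wildcard rules, widens the set of destinations that can receive real credentials and should be treated as an allow-list change.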
Notable Comments
@neo2006: Spinning-factory team founder confirms eBPF substitution at TLS layer, kloaked-secret placeholder design, and the Go and OpenSSL version matrix.