Open Source Kubernetes Security

Secure Your Secrets, Invisibly

Kloak transparently intercepts HTTPS traffic in Kubernetes, replacing hashed placeholders with real secrets at the network edge. Your applications never see the actual credentials.

eBPF Powered | Zero Code Changes | K8s Native

demo-pod:
# Your app sends this header:
Authorization: kloak:a1b2c3d4-e5f6-7890

# Kloak transforms it to:
Authorization: Bearer sk-live-xyz123...

✓ Secret never exposed to application

Everything You Need for Secure Secret Management

Kloak provides enterprise-grade security without the complexity

Secure by Design

Secrets are replaced at the network edge. Your application code never sees real credentials, eliminating accidental exposure.

Zero Latency Impact

eBPF-powered traffic redirection happens in kernel space, adding negligible overhead to your requests.

Kubernetes Native

Works with standard Kubernetes Secrets. Just add a label and Kloak handles the rest automatically.

Host Restrictions

Control which secrets can be used with which hosts. Prevent credential misuse with fine-grained access control.

Zero Code Changes

No SDK required. Works with any language or framework. Just use the hash placeholder in your config.

Automatic Injection

Envoy sidecars are automatically injected via mutating webhook. Just label your namespace.

Simple, Secure, Transparent

Kloak operates at the network layer, making secret management invisible to your applications

01. Register Your Secrets

Label your Kubernetes secrets with getkloak.io/enabled=true. Kloak generates a unique hash (UUID) for each secret value.

labels:
  getkloak.io/enabled: "true"
  getkloak.io/hosts: "api.example.com"

02. Use Hash Placeholders

Reference the generated hash in your application config instead of the actual secret. Your app never sees the real value.

headers:
  Authorization: "kloak:a1b2c3d4-e5f6-7890"

03. Automatic Transform

When your app makes an HTTPS request, Kloak intercepts it and replaces the hash with the real secret before forwarding.

# Request leaves your pod with real credentials
Authorization: Bearer sk-live-xyz123...
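
The following is an added sketch, not Kloak's own code, of the substitution in steps 01 to 03 combined with the host restriction expressed by the getkloak.io/hosts label. The entry type, the rewriteHeader function, the stored secret value and the fail-closed behaviour on a host mismatch are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// entry is a hypothetical record: the real secret plus the hosts it may be sent to.
type entry struct {
	value string
	hosts []string
}

var errUnknownID = errors.New("unknown placeholder id")
var errHostNotAllowed = errors.New("secret not permitted for destination host")

// rewriteHeader swaps a "kloak:<id>" header value for the real secret only when
// destHost is on that secret's allowlist. Failing closed is this sketch's assumption.
func rewriteHeader(store map[string]entry, destHost, value string) (string, error) {
	if !strings.HasPrefix(value, "kloak:") {
		return value, nil // ordinary header value: forward unchanged
	}
	e, ok := store[strings.TrimPrefix(value, "kloak:")]
	if !ok {
		return "", errUnknownID
	}
	if h, _, err := net.SplitHostPort(destHost); err == nil {
		destHost = h // compare on the hostname only, ignoring ":443"
	}
	for _, allowed := range e.hosts {
		if strings.EqualFold(allowed, strings.TrimSuffix(destHost, ".")) {
			return e.value, nil
		}
	}
	return "", errHostNotAllowed
}

func main() {
	store := map[string]entry{ // constructed sample data, id taken from the page
		"a1b2c3d4-e5f6-7890": {value: "Bearer sk-live-constructed", hosts: []string{"api.example.com"}},
	}
	for _, host := range []string{"api.example.com:443", "other.example.net:443"} {
		out, err := rewriteHeader(store, host, "kloak:a1b2c3d4-e5f6-7890")
		fmt.Printf("%-24s -> %q (err: %v)\n", host, out, err)
	}
}
```

The second destination is refused, so a placeholder copied into a request for a host outside the allowlist never resolves to the credential.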

Built for Kubernetes

A cloud-native solution using proven technologies

Control Plane
  Controller: Watches secrets & generates hashes
  xDS Server: SDS, LDS & ExtProc
  Webhook: Sidecar injection

Data Plane
  Application Pod: App, Envoy, eBPF Traffic Redirect

Technologies: Go 1.25+, eBPF, Envoy, gRPC, xDS

Up and Running in Minutes

Try the demo or deploy to your cluster

Try the demo:

1. Clone the repository
   git clone https://github.com/spinningfactory/kloak.git && cd kloak
2. Run the demo script
   ./examples/setup-demo.sh
3. Verify the transformation
   export KUBECONFIG=/tmp/kloak-k3s.yaml
   kubectl logs demo-python -n kloak-demo -c demo-app

Deploy to your cluster:

1. Build the binary
   make build
2. Build the Docker image
   make docker-build
3. Deploy to your cluster
   kubectl apply -f config/manifests/

Ready to Secure Your Secrets?

Join the growing community of developers using Kloak to manage secrets securely.