Kloak
Kubernetes eBPF HTTPS interceptor that transparently injects secrets at the kernel level without application changes, sidecars, or SDKs.
At a Glance
Free and open-source under the GNU Affero General Public License v3.0. Full access to all features.
Listed Apr 2026
About Kloak
Kloak is an open-source Kubernetes security tool that intercepts outbound TLS traffic using eBPF uprobes, replacing hashed placeholders with real secrets at the kernel level before encryption. Applications never handle actual credentials, and no sidecars, code changes, or SDK integrations are required. It works with standard Kubernetes Secrets and can be enabled with a single label, making it a zero-friction secret injection solution for cloud-native environments.
- No code changes required — Mount a secret, make HTTPS requests, and Kloak handles the rest. No SDK, library, or application modifications needed.
- Secret isolation — Applications only see hashed shadow values (kloak:<UUID>). Real secrets exist solely in eBPF maps and are injected in-kernel at TLS write time.
- Zero overhead — eBPF uprobes operate in kernel space with negligible latency impact. No userspace proxy or sidecar sits in the data path.
- Kubernetes native — Works with standard Kubernetes Secrets. Enable Kloak for any workload with a single getkloak.io/enabled=true label.
- Host and IP filtering — Secrets annotated with getkloak.io/hosts are only sent to specific destination hostnames or IPs, preventing exfiltration to unauthorized servers.
- Port-based filtering — Secrets annotated with getkloak.io/port are restricted to connections on a specific destination port.
- Broad runtime support — Hooks into OpenSSL, BoringSSL, and Go's native crypto/tls. Works with Python, Node.js, Go, Rust, Ruby, PHP, curl, and any OpenSSL-linked runtime.
- DNS-verified trust chain — Secrets with host annotations are only rewritten when the destination is verified through the full DNS resolution chain, preventing exfiltration even if an application is compromised.
- Helm installation — Install with helm repo add kloak https://chart.getkloak.io and helm install kloak kloak/kloak -n kloak-system --create-namespace.
- Control plane + eBPF data plane — Consists of a controller (DaemonSet), a mutating admission webhook (Deployment), and an eBPF data plane running entirely in kernel space.
Pricing
Open Source (AGPL-3.0)
Free and open-source under the GNU Affero General Public License v3.0. Full access to all features.
- Agentless eBPF secret injection
- Kubernetes-native integration
- Host and port filtering
- DNS-verified trust chain
- Broad runtime support (Python, Node.js, Go, Rust, Ruby, PHP, curl)
Capabilities
Key Features
- Agentless secret injection via eBPF uprobes
- No application code changes required
- Kubernetes-native integration with standard Secrets
- Shadow secret generation with length-matched placeholders
- Host and IP-based secret filtering
- Port-based secret filtering
- DNS-verified trust chain for secret routing
- Support for OpenSSL, BoringSSL, and Go crypto/tls
- Zero-latency kernel-space operation
- Helm chart deployment
- Mutating admission webhook for automatic volume mount rewriting
- DaemonSet controller for secret lifecycle management
- TTL-based DNS entry enforcement
- Fail-closed webhook behavior
