<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: neo2006</title><link>https://news.ycombinator.com/user?id=neo2006</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 01 May 2026 08:38:30 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=neo2006" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Yes, I agree, and we actually already do that for TLS when rewriting secrets after encryption, but my point is about the fact that in our threat model we consider the app as an adversary, so we don't want to use any of its buffers to rewrite secrets, because it would be trivial for an adversary to reread the buffer after the rewrite and get the secret. The way we overcome this is by listening to the user buffer, recording all the data we need to rewrite the secret without writing anything. We go back later in the kernel buffer meant to be sent to the network, which is not accessible to the user app, and perform the rewrite.
For API keys used to sign the request we need to do something similar, which could be challenging within eBPF (maybe doable, I'm not sure).</p>
]]></description><pubDate>Sun, 26 Apr 2026 23:00:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47915707</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47915707</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47915707</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Actually we have 2 applications along those boundaries you described: a webhook app that manages Kubernetes manifests and another to inject the eBPF code and manage the eBPF maps.<p>Thank you for the feedback though! I think we need to clarify the doc to make that separation clear. I will open an issue for that and we will work on it.</p>
]]></description><pubDate>Sun, 26 Apr 2026 15:35:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=47911140</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47911140</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47911140</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Thank you!<p>We are planning to integrate with external secret operators, like AWS Secrets Manager or OpenBao/Vault, so users can benefit from end-to-end secrets protection: secret encryption/sealing at rest (through secrets managers) and protecting secrets from in-memory exfiltration attacks with Kloak.<p>The idea is to let the ESO handle the secret at rest and deliver it to Kloak, which would then continue to do the kloaked secret rewrite, so the secret will only be available in a non-encrypted form in Kloak. We can even push the concept further and do KMS decryption just in time to reduce the window where the secret is available.</p>
]]></description><pubDate>Sun, 26 Apr 2026 14:38:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=47910727</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47910727</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47910727</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Thank you!
I agree, each architecture has its pros and cons. If an egress gateway is available and can handle secrets, it's definitely a viable solution.</p>
]]></description><pubDate>Sun, 26 Apr 2026 12:46:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47909885</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47909885</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47909885</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>I'm not super familiar with TPUs and Trusted Execution Environments, but my understanding is that they serve a different threat model.<p>TEEs aim to protect a certain workload from the host, to prevent another workload on the same host from stealing secrets.
Kloak's aim is to protect the secret from the workload itself, not the host.</p>
]]></description><pubDate>Sat, 25 Apr 2026 23:55:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905861</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905861</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905861</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>For an egress proxy the app needs to:<p>- send traffic to the proxy (either in a non-transparent way, or using routes or even eBPF to redirect traffic to the proxy transparently)<p>- trust the proxy certs or use plain HTTP/TCP to the proxy<p>With Kloak, the app doesn't need any modification and you avoid a single point of failure (aka the egress proxy). Each app has an independent eBPF program attached to it that can survive the control plane going down and doesn't need to trust any special certs or change the endpoint it sends traffic to.</p>
]]></description><pubDate>Sat, 25 Apr 2026 23:37:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905717</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905717</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905717</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>This is not something we support currently. We will need to do some research on ways to support it.<p>The main hurdle is that we can't rewrite secrets in any of the user buffers, as this would defeat our threat model, and signing is usually done in user space.</p>
]]></description><pubDate>Sat, 25 Apr 2026 23:07:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905498</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905498</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905498</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>The way we thought about it is from the lens of 2 personas:
- a persona that controls the control plane side: what secret to distribute to which user and what hosts they are allowed to send that secret to (probably the platform team or secops team)
- a persona that represents the user that needs to reach host X with secret Y (probably the dev team)<p>Based on this, the secret rewrite signal needs to be out of band and not part of the request itself, or the whole model will fall apart.<p>We already have the intention to support rewrites for specific headers, but those headers are defined by the first persona out of band too.<p>BTW, we support rewrite for the Postgres protocol for DB passwords.</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:59:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905442</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905442</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905442</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Yes, please open an issue on <a href="https://github.com/spinningfactory/kloak/issues" rel="nofollow">https://github.com/spinningfactory/kloak/issues</a> and we can discuss this. I'm not familiar with secretless-broker, but we can definitely see if that use case fits with Kloak and get into more specifics on how you can help.</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:56:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905420</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905420</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905420</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Thank you for the feedback! We are currently shorthanded, so we relied on AI a lot for writing our docs. We reviewed that doc as much as we could, but there is definitely room for improvement. We will try to get better at this.
In the meantime, if you find any discrepancy in the docs or anything that we can correct, please open an issue and we will get to it ASAP.</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:54:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905395</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905395</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905395</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>The main threat model is an application leaking secrets:
- An Internet-facing app that could potentially be hacked, with a bad actor exfiltrating secrets
- An AI agent that can exfiltrate secrets through prompt injection or context poisoning, for example
- The general use case where a secret can, for example, be injected by mistake into logs</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:24:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905178</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905178</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905178</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>It was not intended! We were trying to make it sound like a cloak with a Kubernetes K, but I guess this explanation actually checks out better!</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:09:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905057</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905057</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905057</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Thank you! We will reach out and see what can be done.</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:06:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905036</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905036</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905036</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>yes, that's right!</p>
]]></description><pubDate>Sat, 25 Apr 2026 22:06:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=47905030</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47905030</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47905030</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Thank you!
Not really, the controller is not doing data plane per se; it only pushes eBPF programs to the kernel for the relevant apps/cgroups, so that could be considered control plane. The full data plane runs in eBPF.</p>
]]></description><pubDate>Sat, 25 Apr 2026 21:13:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=47904584</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47904584</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47904584</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Thank you! We appreciate your enthusiasm! :-)
From a technology perspective nothing prevents Kloak from doing rewrites on any workload scheduler or even without a scheduler (native Linux). The main challenge is to find a flow to signal to Kloak what to rewrite and how to inject kloaked secrets into the workload.
TBH supporting other technologies is not something we thought about, but we can definitely consider it if there is an ask for it from the community.</p>
]]></description><pubDate>Sat, 25 Apr 2026 20:56:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=47904487</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47904487</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47904487</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Secrets are detected before encryption in the user buffer, but rewrites happen post-encryption in the kernel buffer to be sent on the wire.<p>Packet boundaries are not an issue because detection happens at the SSL write, where we have the full secret in the buffer and its position, so we can know at rewrite time that the secret crosses 2 packets and rewrite it in 2 separate operations. We also have to update the TLS session hash at the end to not corrupt the TLS frame.</p>
]]></description><pubDate>Sat, 25 Apr 2026 20:52:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=47904463</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47904463</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47904463</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>I guess we are the secrets sewers then! :D
We would love to hear what you think about it beyond the name though.</p>
]]></description><pubDate>Sat, 25 Apr 2026 20:36:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47904374</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47904374</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47904374</guid></item><item><title><![CDATA[New comment by neo2006 in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"]]></title><description><![CDATA[
<p>Hey, we're the spinning-factory team, the folks behind Kloak.
Kloak runs as a Kubernetes controller. It swaps the secrets in your workloads for harmless placeholders we call kloaked secrets, then uses eBPF to substitute the real secrets back in at the last moment — right when your app makes a request to an allowed host.
Today, Kloak works with any app using OpenSSL 3.0–3.5 (statically or dynamically linked) or go-tls (Go 1.25 and 1.26). Support for more TLS libraries (GnuTLS, BoringSSL, and others) and additional Go versions is on the roadmap.
Kloak is open source under the AGPL; contributions are welcome! We are also happy to hear any feedback and answer any questions from the HN community.</p>
]]></description><pubDate>Sat, 25 Apr 2026 19:26:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47903852</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47903852</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47903852</guid></item><item><title><![CDATA[Show HN: Kloak, A secret manager that keeps K8s workload away from secrets]]></title><description><![CDATA[
<p>Article URL: <a href="https://getkloak.io/">https://getkloak.io/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47903690">https://news.ycombinator.com/item?id=47903690</a></p>
<p>Points: 63</p>
<p># Comments: 52</p>
]]></description><pubDate>Sat, 25 Apr 2026 19:03:01 +0000</pubDate><link>https://getkloak.io/</link><dc:creator>neo2006</dc:creator><comments>https://news.ycombinator.com/item?id=47903690</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47903690</guid></item></channel></rss>