New comment by zaronkedl in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"

zaronkedl — Sun, 26 Apr 2026 10:48:22 +0000

That's right, OP is the main maintainer and the idea he has is that nothing should change in the application. The application believe it has the secret, but the secret is injected on the wire AND only for the intended destination.

Please have a look at the demo if you can ; there is a webhook that abstract changing the secret resource name for you. You just "annotate" the secret resource and kloak admission controller will rewrite secrets of your deployment resource for you after that. This means the app never actually see the secret (accidental or not).

New comment by zaronkedl in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"

zaronkedl — Sun, 26 Apr 2026 10:39:56 +0000

Yes, we have host and ip filtering in place that can be used to ensure the secret is sent only for the destination we expect.

It's not perfect though, see Host Filtering | https://getkloak.io/docs/guides/host-filtering.html

Hacker News: zaronkedl

New comment by zaronkedl in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"

New comment by zaronkedl in "Show HN: Kloak, A secret manager that keeps K8s workload away from secrets"