Show HN: Kloak, A secret manager that keeps K8s workload away from secrets

(getkloak.io)

31 points by neo20064 hours ago

7 comments

sandeepkd19 minutes ago
There is also a model where the applications sign the payload using the secret, AWS is a big user of that across all its API's.
- neo20066 minutes ago
 This is not something we support currently. We will need to do some research on ways to support it.The main hurdle is that we can't rewrite secrets in any of the user buffers as this will defy our threat model and signing is usually done in user space.
giladd55 minutes ago
This is pretty cool, nice project. Can you expand on what threat model this combats?Also, does the replace op happen only for specific fields in HTTP, or for every matching string in the request? I can imagine the latter if you want to support non-standard authentications methods, though there's always the edge case where the secret string placeholder is not used as a secret and should not be replaced.
- neo200649 minutes ago
 The main threat model is application leaking secrets: - Internet facing app that could potentially be hacked and bad actor exfiltrating secrets - AI agent that can exfiltrate secrets through prompt injection for example or context poisoning - The general use case where a secret can be for example inject by mistake in logs for instance
- boistrous46 minutes ago
 we currently support rewrites for specific hosts and IPs and we have an open issue for supporting rewrite for specific headers for http/http2
neo20063 hours ago
Hey, we're the spinning-factory team, the folks behind Kloak. Kloak runs as a Kubernetes controller. It swaps the secrets in your workloads for harmless placeholders we call kloaked secrets, then uses eBPF to substitute the real secrets back in at the last moment — right when your app makes a request to an allowed host. Today, Kloak works with any app using OpenSSL 3.0–3.5 (statically or dynamically linked) or go-tls (Go 1.25 and 1.26). Support for more TLS libraries (GnuTLS, BoringSSL, and others) and additional Go versions is on the roadmap. Kloak is open source under the AGPL, contributions are welcome! We are also happy to hear any feedback and answer any question for the HN community.
- arpinum33 minutes ago
 your architecture page is empty. <a href="https://getkloak.io/docs/architecture/overview.html" rel="nofollow">https://getkloak.io/docs/architecture/overview.html</a>For security products trust is important. writing your website copy by hand will help you build trust. If the design and content does not look human written it will lower adoption.
 - neo200619 minutes ago
 Thank you for the feedback! We are currently shorthanded so we relied on AI a lot for writing our docs, we reviewed that doc as much as we could but definitely there is room for improvement. We will try to get better at this. In the mean time, if you find any discruptency with the docs or anything that we can correct please open an issue and we will get to it ASAP.
- koolba2 hours ago
 So it reads the packets and replaces the byte sequences at the kernel level? How does that work across packet boundaries?
 - neo20062 hours ago
 Secrets are detected before encryption in the user buffer but rewrites happen post encryption in the kernel buffer to be sent on the wire.packets boundaries are not an issue because detection happen at the SSL write where we have the full secret in the buffer and its position so we can know at rewrite time that the secret is cross 2 packets and rewrite it in 2 separate operations. We also have to update the TLS session hash at the end to not corrupt the TLS frame.
- subhobroto2 hours ago
 This is fantastic! I need this. however, for my self-hosted home projects that are containerized but where I don't use Kubernetes, is there a way for me to use a version of Kloak that does the same eBPF magic on docker-compose or LXC/QEMU (Incus) stacks?It's perfectly fine for you to say non-Kubernetes isn't either your focus or on your 90 day roadmap :)
 - NewJazz2 hours ago
 Yeah you might have to go talk to incus folks on how to integrate this together.. They are fairly capable, might have some good direction.<a href="https://discuss.linuxcontainers.org/t/how-to-best-ask-questions-on-this-discussion-forum/7362" rel="nofollow">https://discuss.linuxcontainers.org/t/how-to-best-ask-questi...</a>
 - neo20061 hour ago
 Thank you! We will reachout and see what can be done
 - subhobroto32 minutes ago
 Please let me know how I can help. Can I write or review the initial forum post for you or anything that can help both of us?- What's the best way to discuss this specific topic with you? As an <a href="https://github.com/spinningfactory/kloak/issues" rel="nofollow">https://github.com/spinningfactory/kloak/issues</a> or something else?- My specific usecase is to not need Conjur Secretless Broker (<a href="https://github.com/cyberark/secretless-broker" rel="nofollow">https://github.com/cyberark/secretless-broker</a>) - my understanding of eBPF is entirely superficial but from a 30k ft view, it looks like this can not only replace it but would be a far efficient solution (Conjur would be a user-space proxy while kloak would be at lower levels of abstraction)?
 neo200617 minutes ago
 yes please open an issue on <a href="https://github.com/spinningfactory/kloak/issues" rel="nofollow">https://github.com/spinningfactory/kloak/issues</a> and we can discuss this. I'm not familiar with secretless-broker but we can definitely see if that use case fit with kloak and get into more specifics on how you can help.
 - neo20062 hours ago
 Thank you! We appreciate your enthusiasm! :-) From technology perspective nothing prevent kloak to do rewrite on any workload scheduler or even without a scheduler (native Linux). The main challenge is to find a flow to signal to kloak what to rewrite and how to inject kloaked secrets to the workload. TBH supporting other technologies is not something we thought about but we can definitely consider if there is an ask for it from the community.
 - subhobroto23 minutes ago
 > The main challenge is to find a flow to signal to kloak what to rewrite and how to inject kloaked secrets to the workloadWould it be realistic or reasonable to detect a header like `X-kloak-ENABLED` or specific endpoints in the case of HTTP?Similar for wire protocols like PostgreSQL or gRPC?Our would a usermode proxy be easier but not preferred due to overhead?
 - neo200614 minutes ago
 The way we thought about it is from the lense of 2 personas: - a persona that control the control plain side, what secret to distribute to which user and what hosts they are allowed to send that secret to (probably platform team or secops team) - a persona that represent the user that need to reach host X with secret Y (probably the dev team)based on this secret rewrite signal need to be out of band and not part of the request it self or the whole model will fall apart.We already have the intention to support rewrites for specific headers but those headers are defined by the first persona out of band too.btw, we support rewrite for postgres protocol for db password.
 - cassianoleal33 minutes ago
 Yes, please! :)
mrweasel3 hours ago
Yeah, so Kloak is Danish for sewer.
- WJW2 hours ago
 More or less straight from Latin?<a href="https://en.wikipedia.org/wiki/Cloaca_Maxima" rel="nofollow">https://en.wikipedia.org/wiki/Cloaca_Maxima</a>
- neo20062 hours ago
 I guess we are the secrets sewers then! :D We would love to hear what you think about it beyond the name though.
 - anthonyskipper1 hour ago
 I think it is funny that it's sewer, because a sewer is also a underground way around things, which is a good description of the out of band solution here. So the name checks out.
 - neo20061 hour ago
 It was not intended! We were trying to make it sound like a cloak with a kubernetes K but I guess this explanation actually checkout better!
anthonyskipper2 hours ago
This is pretty awesome. Super relevant for the time because AI controlled workflows are desperate for a out of band solution like this.The main thing I wonder is how well supported is it in cloud environements? AKS/EKS/etc?
- spinningfactory2 hours ago
 It should work in cloud environments, We tested it on EKS and digital ocean cloud so far, and it works. The kloak controller is deployed as privileged daemonset that have access to the underlying host and can perform eBPF attachment operations on all the pods on that host.
- boistrous56 minutes ago
 gcp and aks were going to be the next ones on the testing list, but life sometimes gets in the way !
captn3m02 hours ago
You should split your controller - it is running in both the control and data planes. Idea is good though, wish you luck.
- neo20062 hours ago
  Thank you! Not really, the controller is not doing dataplane per-say, it only pushes eBPF programs to the kernel for the relevant apps/cgroups so that could be considered control-plane. The full data-plane run in eBPF.
- NewJazz2 hours ago
  Aiui the controller is only running in the control plane, and the ebpf programs are in the data plane?
  - neo20061 hour ago
    yes, that's right!