Kloak Secret icon
Kloak Secret icon

Kloak Secret

Kloak transparently intercepts outbound TLS traffic in Kubernetes using eBPF uprobes, replacing hashed placeholders with real secrets at the kernel level before encryption. Applications never handle actual credentials, and no sidecars or code changes are required.

Kloak Secret screenshot 1

Cost / License

Platforms

  • Kubernetes
0likes
0comments
0alternatives
0articles

Features

Properties

  1.  Security-focused

Features

  1.  Kubernetes
  2.  Intercepting HTTP calls

 Tags

Kloak Secret News & Activities

Highlights All activities

Recent activities

Kloak Secret information

  • Developed by

    Unknown

  • Licensing

    Open Source (AGPL-3.0) and Free product.

  • Written in

  • Alternatives

    0 alternatives listed

  • Supported Languages

    • English

AlternativeTo Category

Security & Privacy

GitHub repository

  •  58 Stars
  •  0 Forks
  •  21 Open Issues
  •   Updated  
View on GitHub
Kloak Secret was added to AlternativeTo by Paul on and this page was last updated .
No comments or reviews, maybe you want to be first?

What is Kloak Secret?

Kloak transparently intercepts outbound TLS traffic in Kubernetes using eBPF uprobes, replacing hashed placeholders with real secrets at the kernel level before encryption. Applications never handle actual credentials, and no sidecars or code changes are required.

Features:

  • No code changes -- No SDK, no library, no application modifications. Mount a secret, make HTTPS requests, and Kloak handles the rest.
  • Secret isolation -- Applications only see hashed shadow values (kloak:<UUID>). Real secrets exist solely in eBPF maps and are injected in-kernel at TLS write time.
  • Zero overhead -- eBPF uprobes operate in kernel space with negligible latency impact. No userspace proxy or sidecar in the data path.
  • Kubernetes native -- Works with standard Kubernetes Secrets. Enable with a single label.
  • Host and IP filtering -- Secrets annotated with getkloak.io/hosts are only sent to specific destination hostnames or IP addresses, preventing exfiltration to unauthorized servers.
  • Port-based filtering -- Secrets annotated with getkloak.io/port are restricted to connections on a specific destination port.
  • Broad runtime support -- Hooks into OpenSSL, BoringSSL, and Go's native crypto/tls. Works with Python, Node.js, Go, Rust, Ruby, PHP, curl, and any OpenSSL-linked runtime.

Official Links

AppStores & Other Links