Agentless Kubernetes Security

Secure Your Secrets, Agentless

Kloak transparently intercepts HTTPS traffic in Kubernetes using pure eBPF, replacing hashed placeholders with real secrets at the network edge. Your applications never see the actual credentials, so a compromised process cannot leak what it never had.

Get Started Learn More
eBPF Powered
Zero Code Changes
K8s Native
demo-pod 
# Your app sends this header:
Authorization: kloak:MPZVR3GHWT4E6YBCA01JQXK5N8

# Kloak transforms it to:
Authorization: Bearer sk-live-xyz123...

✓ Secret never exposed to application
Features

Everything You Need for Secure Secret Management

Kloak provides enterprise-grade security without the complexity

Secure by Design

Secrets are replaced at the network edge. Your application code never sees real credentials, eliminating accidental exposure.

Zero Latency Impact

eBPF-powered traffic redirection happens in kernel space, adding negligible overhead to your requests.

Kubernetes Native

Works with standard Kubernetes Secrets. Add a label and Kloak handles the rest automatically.

Host Restrictions

Control which secrets can be used with which hosts. Prevent credential misuse with fine-grained access control.

Zero Code Changes

No SDK required. Works with any language or framework. Use the hash placeholder in your config.

Pure eBPF Integration

No bulky sidecars or complex CNI plugins. Kloak operates purely at the kernel level for maximum efficiency.

Open Source

Fully open source under the Apache 2.0 License. Inspect the code, contribute, and build with confidence.

How It Works

Simple, Secure, Transparent

Kloak operates at the network layer, making secret management invisible to your applications

01

Register Your Secrets

Label your Kubernetes secrets with getkloak.io/enabled=true. Kloak generates a unique ULID placeholder for each secret value. 

labels:
  getkloak.io/enabled: "true"
  getkloak.io/hosts: "api.example.com"
02

Use Hash Placeholders

Reference the generated hash in your application config instead of the actual secret. Your app never sees the real value. 

headers:
  Authorization: "kloak:MPZVR3GHWT4E6YBCA01JQXK5N8"
03

Automatic Transform

When your app makes an HTTPS request, Kloak intercepts it and replaces the hash with the real secret before forwarding. 

# Request leaves your pod with real credentials
Authorization: Bearer sk-live-xyz123...
Architecture

Built for Kubernetes

A cloud-native solution using proven technologies

Control Plane
Controller
Watches secrets & manages eBPF programs
Data Plane
Application Pod
App
eBPF Traffic Control & Secret Replacement