Show HN: Kloak, A secret manager that keeps K8s workload away from secrets

Kloak hides app secrets; HN jokes “sewer” and asks hard questions

TLDR: Kloak promises to keep real passwords out of app code by swapping placeholders and reinserting secrets only at the network edge. The crowd cheered the concept for AI workflows, mocked the “sewer” name, and pressed for answers on architecture, cloud support (AKS/EKS), and how safe the secret replacement really is.

Hacker News met Kloak with equal parts wow and “wait, what?”. The team (neo2006) says it runs as a controller in Kubernetes: it swaps your passwords/tokens for harmless placeholders so your app never sees the real thing, then uses eBPF to inject the actual secret only when your service talks to approved hosts. No SDKs, no sidecars, works with standard Kubernetes Secrets, and today supports apps using OpenSSL 3.0–3.5 — all while trying to add nearly zero overhead.

But the crowd didn’t just nod. A top quip declared, “Kloak is Danish for sewer,” instantly birthing naming memes and a chorus of giggles. Architects rolled in with the red pens: “please split control vs data plane.” Security voices asked what threat model this really fixes and whether the secret “replace” hits specific headers or every matching string (cue fears of hilarious false positives). Cloud folks piled on: will this actually work smoothly on managed clusters like AKS/EKS?

Fans hyped it as super relevant for AI-driven workflows that need secrets handled out-of-band. Skeptics side-eyed kernel-level magic in the data path. The vibe: daring idea and slick pitch, but the internet wants proof — reliability, cloud support, and tight guardrails. Sewer jokes aside, invisible secrets have never been more visible.

Key Points

  • Kloak replaces secrets at the network edge so application code never handles real credentials.
  • It integrates with standard Kubernetes Secrets via labeling and automates secret handling.
  • eBPF-powered, kernel-space traffic redirection adds negligible overhead to requests.
  • Kloak enforces fine-grained policies controlling which secrets can be used with which hosts.
  • No SDKs or sidecars are required; it’s open source under the AGPL-3.0 license.
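As an added illustration (not Kloak's code; a hypothetical model of the placeholder-swapping flow described above and of the per-host policy key point): the workload holds only placeholders, and a policy-gated edge step substitutes the real value only toward an approved host and only in the named header, leaving the body alone so a stray placeholder is never blindly rewritten. The hostnames, secret names and placeholder format are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumed names/values, not Kloak's): the controller
# holds the real credential; the workload only ever receives the placeholder.
REAL_SECRETS = {"db-token": "s3cr3t-REAL-TOKEN"}
PLACEHOLDERS = {"db-token": "KLOAK_PLACEHOLDER_db-token"}

# Policy: which secret may be injected toward which host, and in which header.
# Scoping to a header (not "every matching string") is what avoids false positives.
POLICY = {
    "db-token": {"hosts": {"api.example.internal"}, "headers": {"authorization"}},
}


@dataclass
class Request:
    host: str
    headers: dict
    body: str


def substitute_at_edge(req):
    """Model of the edge step: swap placeholders for real secrets only where policy
    allows. Returns (rewritten_request, names_of_secrets_injected)."""
    injected = []
    new_headers = {}
    for hname, value in req.headers.items():
        new_value = value
        for sname, placeholder in PLACEHOLDERS.items():
            rule = POLICY.get(sname)
            allowed = (rule is not None
                       and req.host in rule["hosts"]
                       and hname.lower() in rule["headers"])
            if placeholder in value and allowed:
                new_value = new_value.replace(placeholder, REAL_SECRETS[sname])
                injected.append(sname)
        new_headers[hname] = new_value
    # The body is deliberately untouched: a placeholder that lands there stays a
    # harmless placeholder rather than being blindly rewritten.
    return Request(req.host, new_headers, req.body), injected


def contains_real_secret(req):
    """True if a real credential appears anywhere in the request; the workload's
    own (pre-edge) requests must never make this true."""
    texts = [req.body, *req.headers.values()]
    return any(secret in text for secret in REAL_SECRETS.values() for text in texts)
```

A request to an unapproved host keeps its placeholder, so even a misrouted call carries nothing worth stealing.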

Hottest takes

"Yeah, so Kloak is Danish for sewer." — mrweasel
"You should split your controller - it is running in both the control and data planes." — captn3m0
"AI controlled workflows are desperate for an out-of-band solution like this." — anthonyskipper

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.