u/destari

▲ 46 r/eBPF+1 crossposts

Uses eBPF for secrets injection so your app never has access to them.

Clever idea! Note: I have not tried this yet, just looks interesting and an interesting approach!

https://github.com/spinningfactory/kloak

Edit: More info so it does not get removed: Basically instead of having the application itself have access to secrets, it uses a "key" to identify which secret to use (like: "kloak:<uuid>" which then eBPF magic swaps it at the transport layer. So, applications never have access, so they cannot leak what they don't know. Happens all within the kernel.

u/destari — 2 months ago