
Uses eBPF for secrets injection so your app never has access to them.
Clever idea! Note: I have not tried this yet, just looks interesting and an interesting approach!
https://github.com/spinningfactory/kloak
Edit: More info so it does not get removed: Basically instead of having the application itself have access to secrets, it uses a "key" to identify which secret to use (like: "kloak:<uuid>" which then eBPF magic swaps it at the transport layer. So, applications never have access, so they cannot leak what they don't know. Happens all within the kernel.
u/destari — 2 months ago