subhobroto 6 hours ago

This is fantastic! I need this. However, for my self-hosted home projects that are containerized but where I don't use Kubernetes, is there a way for me to use a version of Kloak that does the same eBPF magic on docker-compose or LXC/QEMU (Incus) stacks?

It's perfectly fine for you to say non-Kubernetes isn't either your focus or on your 90 day roadmap :)

NewJazz 6 hours ago | parent | next

Yeah, you might have to go talk to the Incus folks on how to integrate this together. They are fairly capable and might have some good direction.

https://discuss.linuxcontainers.org/t/how-to-best-ask-questi...

neo2006 4 hours ago | parent

Thank you! We will reach out and see what can be done.

subhobroto 4 hours ago | parent

Please let me know how I can help. Can I write or review the initial forum post for you or anything that can help both of us?

- What's the best way to discuss this specific topic with you? As an issue at https://github.com/spinningfactory/kloak/issues or something else?

- My specific use case is to not need Conjur Secretless Broker (https://github.com/cyberark/secretless-broker). My understanding of eBPF is entirely superficial, but from a 30k ft view, it looks like this could not only replace it but would be a far more efficient solution (Conjur would be a user-space proxy while kloak would be at lower levels of abstraction)?

neo2006 4 hours ago | parent

Yes, please open an issue on https://github.com/spinningfactory/kloak/issues and we can discuss this. I'm not familiar with secretless-broker, but we can definitely see if that use case fits with kloak and get into more specifics on how you can help.

neo2006 6 hours ago | parent | prev

Thank you! We appreciate your enthusiasm! :-) From a technology perspective, nothing prevents kloak from doing rewrites on any workload scheduler or even without a scheduler (native Linux). The main challenge is to find a flow to signal to kloak what to rewrite and how to inject kloaked secrets into the workload. TBH, supporting other technologies is not something we thought about, but we can definitely consider it if there is an ask for it from the community.

cassianoleal 4 hours ago | parent | next

Yes, please! :)

subhobroto 4 hours ago | parent | prev

> The main challenge is to find a flow to signal to kloak what to rewrite and how to inject kloaked secrets to the workload

Would it be realistic or reasonable to detect a header like `X-kloak-ENABLED` or specific endpoints in the case of HTTP?

Similar for wire protocols like PostgreSQL or gRPC?

Or would a usermode proxy be easier but not preferred due to overhead?

neo2006 4 hours ago | parent

The way we thought about it is from the lens of 2 personas:

- a persona that controls the control plane side: what secret to distribute to which user and what hosts they are allowed to send that secret to (probably the platform team or secops team)

- a persona that represents the user that needs to reach host X with secret Y (probably the dev team)

Based on this, the secret rewrite signal needs to be out of band and not part of the request itself, or the whole model will fall apart.

We already have the intention to support rewrites for specific headers but those headers are defined by the first persona out of band too.

BTW, we support rewrites for the Postgres protocol for DB passwords.
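The out-of-band model neo2006 describes above, as an added illustration that is not kloak's code and does not reflect its implementation: the control-plane persona declares which placeholder value may be rewritten to which real secret, for which header and which destination hosts; the workload only ever holds the placeholder, and nothing in the request itself (such as an `X-kloak-ENABLED` header) can opt a request into the rewrite. The rule set, header names and secret values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RewriteRule:
    """One control-plane policy entry (constructed; not a kloak format)."""
    header: str               # header the control plane allows us to rewrite
    placeholder: str          # "kloaked" value that was injected into the workload
    real_secret: str          # real value, never handed to the workload
    allowed_hosts: frozenset  # destinations the real secret may be sent to


def parse_head(head: str):
    """Split an HTTP/1.1 request head into the request line and (name, value) pairs."""
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def rewrite_request(raw: str, rules: list) -> tuple:
    """Apply policy to a raw request. Returns (possibly rewritten request, rewritten?).

    The decision depends only on the out-of-band rules and the Host the request is
    going to; headers carried in the request cannot enable the rewrite.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    request_line, headers = parse_head(head)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    rewritten = False
    out = []
    for name, value in headers:
        for rule in rules:
            if (name.lower() == rule.header.lower()
                    and rule.placeholder in value
                    and host in rule.allowed_hosts):
                value = value.replace(rule.placeholder, rule.real_secret)
                rewritten = True
        out.append(f"{name}: {value}")
    return "\r\n".join([request_line, *out]) + sep + body, rewritten


# Constructed policy: the platform persona allows the placeholder to become the
# real token only in Authorization headers sent to api.example.com.
RULES = [RewriteRule("Authorization", "kloak-ph-7f3a",
                     "sk_live_REAL_EXAMPLE", frozenset({"api.example.com"}))]


def make_request(host: str, extra_headers: str = "") -> str:
    """Constructed request as the workload would emit it, holding only the placeholder."""
    return (f"GET /v1/me HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Bearer kloak-ph-7f3a\r\n{extra_headers}\r\n")
```

A request to the allowed host leaves with the real token; the same request to any other host, even with an in-band "enable" header added, leaves with the useless placeholder untouched.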