Kubernetes Integration: Pod-to-Pod Encryption

Secure microservices communication with PQC in 15 minutes

🚀 Deploy encryption sidecar now

Quick Start: Kubernetes Sidecar

Estimated time: 15 minutes What you'll achieve: Encrypt traffic between pods using ML-KEM Requirements: Kubernetes cluster, AnkaSecure API access

Step 1/3: Create AnkaSecure secret (2 minutes)

# Store AnkaSecure API token in Kubernetes secret
kubectl create secret generic ankasecure-token \
  --from-literal=token=YOUR_ANKASECURE_TOKEN

Step 2/3: Deploy sidecar (8 minutes)

Deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: encrypted-app
spec:
  template:
    spec:
      containers:
      # Main application container
      - name: app
        image: myapp:latest
        env:
        - name: CRYPTO_ENDPOINT
          value: "http://localhost:8080"  # Sidecar

      # AnkaSecure sidecar
      - name: ankasecure-sidecar
        image: ankasecure/sidecar:3.0.0
        ports:
        - containerPort: 8080
        env:
        - name: ANKASECURE_TOKEN
          valueFrom:
            secretKeyRef:
              name: ankasecure-token
              key: token
        - name: ALGORITHM
          value: "ML_KEM_1024"

Deploy:

kubectl apply -f encrypted-app.yaml

Step 3/3: Test encryption (5 minutes)

# Port-forward to sidecar
kubectl port-forward deployment/encrypted-app 8080:8080

# Encrypt via sidecar
curl -X POST http://localhost:8080/encrypt \
  -d '{"plaintext":"Hello from Kubernetes"}'

# Decrypt
curl -X POST http://localhost:8080/decrypt \
  -d '{"ciphertext":"eyJhbGc..."}'

✅ Result: Pod-to-pod encryption with quantum resistance

🎯 Benefit: Zero application code changes (sidecar handles crypto)

What's next? - ConfigMap encryption: Encrypt K8s secrets - Production deployment: HA setup

Integration Patterns

Pattern 1: Sidecar Proxy (Recommended)

Use case: Encrypt traffic without changing app code

Benefits: - ✅ No app code changes (crypto transparent) - ✅ Language-agnostic (works with any app) - ✅ Centralized config (update sidecar, not app)

See quick start above

Pattern 2: SDK Integration

Use case: Fine-grained control in application

Java example:

@Service
public class KubernetesEncryptionService {
  private final AnkaSecureClient client;

  @PostConstruct
  public void init() {
    // Read token from K8s secret
    String token = System.getenv("ANKASECURE_TOKEN");
    this.client = new AnkaSecureClient(token);
  }

  public byte[] encryptForPod(String targetPod, byte[] data) {
    return client.encrypt(EncryptRequest.builder()
      .algorithm("ML_KEM_1024")
      .plaintext(data)
      .metadata(Map.of("targetPod", targetPod))
      .build()).getCiphertext();
  }
}

Pattern 3: Init Container

Use case: Decrypt ConfigMaps on pod startup

YAML:

spec:
  initContainers:
  - name: decrypt-config
    image: ankasecure/init:3.0.0
    env:
    - name: ANKASECURE_TOKEN
      valueFrom:
        secretKeyRef:
          name: ankasecure-token
          key: token
    volumeMounts:
    - name: config
      mountPath: /config

  containers:
  - name: app
    volumeMounts:
    - name: config
      mountPath: /app/config

Init container decrypts /config/encrypted.json → /config/decrypted.json

App reads decrypted config (never sees encrypted version)

Use Cases

Microservices Service-to-Service Encryption

Scenario: Payment service → Database service (sensitive financial data)

Without AnkaSecure:

Payment Service ──┬──> Database Service
                  │ TLS 1.3 (encrypted transport)
                  └─── But: Data decrypted at Database Service
                        (vulnerable if service compromised)

With AnkaSecure:

Payment Service ──> Encrypt data with ML-KEM
                  ──┬──> Send ciphertext to Database Service
                    │ TLS 1.3 (double encryption!)
                    └─── Database stores ciphertext only
                         (even Database compromise doesn't expose data)

Security: End-to-end encryption (data encrypted at rest in Database)

ConfigMap/Secret Encryption

Scenario: Store API keys, database passwords in encrypted ConfigMaps

Traditional (base64 only, NOT encrypted):

apiVersion: v1
kind: Secret
metadata:
  name: db-password
data:
  password: cGFzc3dvcmQxMjMh  # base64 (easily decoded!)

With AnkaSecure:

apiVersion: v1
kind: ConfigMap
metadata:
  name: db-password-encrypted
data:
  password: eyJhbGciOiJNTC1LRU0tMTAyNCIsInR5cCI6IkpXRSJ9...  # ML-KEM encrypted!

Benefit: Even if etcd compromised, passwords are quantum-encrypted

What's Next?

Deploy on Kubernetes: - 🚀 Sidecar quick start (15-minute setup) - 📥 Download Helm chart (production-ready deployment) - 📥 Download sidecar Docker image (official image) - 📧 Request K8s consultation (architecture review)

Related integrations: - AWS S3 integration - Cloud storage encryption - Microservices patterns - Service-to-service crypto

Have questions? Email [email protected]

Last updated: 2026-01-07 | Compatible with Kubernetes 1.24+ | Helm chart available