24 مستودعات
Protocols and configurations for establishing encrypted communication between distributed nodes.
Distinguishing note: Focuses on node-to-node network security rather than general cluster networking.
Explore 24 awesome GitHub repositories matching security & cryptography · Secure Node Networking. Refine with filters or upvote what's useful.
K3s is a lightweight Kubernetes distribution designed for resource-constrained environments, edge computing, and simplified deployment across diverse hardware architectures. It functions as a container orchestration engine that automates the deployment, scaling, and management of containerized applications. By bundling all necessary control plane components and dependencies into a single binary, it minimizes the system footprint and streamlines the installation process. The project distinguishes itself through a flexible architecture that supports both high-availability clustering and minimal
Establishes encrypted and authenticated communication between distributed nodes.
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
Configures password-less authentication between cluster nodes to allow automated service management.
NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing. The platform distinguishes itself through a decentralized architecture that eliminates t
Limits message flow between local and remote systems by applying authorization policies to leaf node connections.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Verifies host identity using certificates and private keys to ensure secure peer-to-peer communication.
Kubo is a peer-to-peer implementation of the InterPlanetary File System (IPFS) designed for decentralized data storage and content delivery. It uses content-addressing, directed acyclic graphs, and distributed hash tables to identify, distribute, and retrieve data across a network without relying on central servers. The project differentiates itself by providing a virtual filesystem via FUSE, which maps decentralized network namespaces to local operating system directories for direct file access. It also includes integrated HTTP gateways that translate peer-to-peer content into standard web t
Configures a node as a client to ensure it does not serve discovery records for other peers.
Presto is a distributed SQL query engine designed for high-performance analytical processing across heterogeneous data sources. It functions as a data federation platform and massively parallel processing engine, allowing users to execute interactive queries against diverse storage systems without requiring data migration. By mapping remote metadata and structures to a unified relational namespace, it enables seamless cross-platform analysis through a standard SQL interface. The engine distinguishes itself through a pluggable connector architecture and a shared-nothing distributed processing
Enforces SSL/TLS encryption for all internal network traffic between cluster nodes.
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule en
Encrypts network traffic between distributed nodes using security certificates to prevent unauthorized interception.
Lnd is a full implementation of the Lightning Network protocol, functioning as a Bitcoin Layer 2 daemon that manages payment channels and settles transactions on the Bitcoin blockchain. It serves as an off-chain payment processor and a cryptographic wallet manager, enabling the execution of instant, scalable transactions through a network node. The project distinguishes itself through a focus on secure node networking and programmatic control. It provides gRPC and REST API servers for automating payment workflows and utilizes macaroon-based authorization to delegate granular permissions via c
Implements a network node that establishes encrypted communication and maintains peer connections for the Lightning Network.
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Teaches how to protect individual servers using local access lists, packet filters, and anti-virus software.
Calico is a cloud-native networking and security solution designed to connect containerized workloads across virtual machines, bare metal, and multi-cloud environments. It provides a routing solution based on the Border Gateway Protocol to manage cluster traffic and implement the Container Network Interface for pod connectivity and IP address management. The project distinguishes itself through a security layer that enforces network policies based on identities and labels rather than static addresses. It includes a policy engine for controlling traffic flow, a cluster network encryptor for se
Encrypts data in transit between nodes and implements authorization policies to secure communication between workloads.
Storm is a distributed stream processing framework designed to execute unbounded computations across a cluster to process real-time data streams. It functions as a data pipeline orchestrator that allows users to define and deploy declarative data flow graphs connecting streaming sources to processing components. The system operates as a multi-tenant distributed compute engine that isolates workloads and limits resource usage across shared clusters using dedicated pools and access control. It is also a secure distributed processing engine that employs encrypted node communication and SSL-secur
Encrypts and authenticates messaging between worker nodes to prevent unauthorized data processing.
Metrics Server is a lightweight, single-purpose daemon that collects CPU and memory usage data from every node and pod in a Kubernetes cluster and exposes those metrics through a standard Kubernetes API endpoint. It registers as an aggregated extension API server behind the Kubernetes apiserver, making resource utilization data available to the Horizontal Pod Autoscaler and Vertical Pod Autoscaler for automatic replica count and resource request adjustments. The project distinguishes itself by operating as a focused, in-cluster resource metrics collector that polls kubelet summary endpoints a
Secures all node and pod traffic to the API server with HTTPS, client certificates, and service account tokens.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches host-level security configurations to reduce the attack surface of Kubernetes nodes.
هذا المشروع عبارة عن دليل نشر Kubernetes ومزود بنية تحتية مصمم لبيئات الهواة والمختبرات المنزلية. يوفر إطار عمل لإعداد مجموعات متعددة العقد عبر مختلف مزودي السحابة والعقد المادية أو الافتراضية، ويعمل كمنسق مجموعة ذاتي الاستضافة. يركز المشروع على تعزيز الأمان واستقرار البنية التحتية من خلال أدلة تنفيذ محددة. يتضمن ذلك إطار عمل لأمن الشبكة يغطي جدران حماية المضيف وتراكبات الشبكة المشفرة، بالإضافة إلى تعليمات مفصلة لتكوين توجيه الدخول (ingress) لإدارة حركة المرور العامة الخارجية عبر تعيين DNS ومتحكمات حركة المرور. تمتد إمكانيات المشروع إلى توفير التخزين الموزع، وتوفير طرق لتنفيذ تخزين الكتل المكرر والأحجام المستمرة التي تستمر بعد إعادة تشغيل الحاويات. كما يغطي إدارة الشهادات المؤتمتة للاتصالات المشفرة وتكوين عناصر التحكم في الوصول القائم على الأدوار.
Establishes secure node-to-node networking via encrypted tunnels to protect internal cluster traffic.
This project is a comprehensive technical documentation site and reference manual for configuring and deploying WireGuard VPN tunnels and interfaces. It serves as a guide for establishing encrypted network connections between peers using public key authentication to secure data traffic across untrusted networks. The documentation provides specific technical manuals for implementing NAT traversal solutions, including UDP hole punching and the use of bounce servers to connect peers behind restrictive firewalls. It also includes detailed guides on tunnel implementation and protocol references fo
Documents the establishment of encrypted communication between distributed nodes using public key authentication.
Pigsty is a full-stack orchestration suite for deploying, monitoring, and managing high-availability PostgreSQL clusters and their supporting infrastructure. It functions as a cluster management platform and high-availability suite that automates failover, manages virtual IPs, and ensures data consistency through distributed consensus. The project distinguishes itself by providing a comprehensive database infrastructure-as-code framework and a dedicated observability stack. It incorporates a backup and recovery manager supporting point-in-time recovery via S3-compatible object storage, alongs
Hardens the host environment using SELinux enforcement and restricted sudo privileges to isolate the database.
Ockam هو إطار عمل للتشفير من النهاية إلى النهاية ومزود هوية موزع مصمم لإنشاء اتصال آمن بين التطبيقات والأجهزة. يوفر تراكب شبكة آمن يستخدم هويات تشفير وتحكماً في الوصول قائماً على السمات لتنفيذ الوصول إلى الشبكة بانعدام الثقة (zero trust). يتميز المشروع بالتوجيه متعدد القفزات القائم على البيانات الوصفية وطبقة نقل قابلة للتوصيل، مما يسمح لحركة المرور المشفرة بالتحرك عبر طوبولوجيا شبكة متنوعة دون الحاجة إلى تراكبات IP افتراضية. وهو يمكن بشكل خاص الأنفاق الآمنة للتطبيقات القديمة عن طريق تغليف حركة مرور TCP الخام في قنوات مشفرة، مما يسمح باتصال الشبكة الخاصة وتجاوز جدار الحماية عبر مرحلات خارجية. تغطي المنصة نطاقاً واسعاً من القدرات، بما في ذلك إدارة الهوية الموزعة، وإصدار والتحقق من بيانات الاعتماد المشفرة، وتنفيذ الجهات الفاعلة المتزامنة ذات الحالة. كما توفر أدوات لتوفير العقد على نطاق سحابي والنشر المؤتمت باستخدام قوالب البنية التحتية ككود.
Provisions encrypted inlet and outlet nodes on cloud infrastructure to establish secure tunnels between distributed services.
Ockam هو إطار عمل للشبكات بانعدام الثقة (zero-trust) مصمم لتأمين نقل البيانات بين التطبيقات الموزعة باستخدام تراكب شبكة قائم على الهوية. يوفر البدائيات اللازمة لإنشاء اتصالات مصادق عليها متبادلاً ومشفرة من النهاية إلى النهاية، مما يزيل الاعتماد على أمن طبقة الشبكة التقليدي. يتميز المشروع باستخدامه للتحكم في الوصول القائم على السمات وبيانات الاعتماد القابلة للتحقق لإدارة الثقة على نطاق واسع. وينفذ تدوير هوية التشفير للحفاظ على استمرارية الهوية ويتكامل مع أنظمة إدارة المفاتيح المدعومة بالأجهزة لتأمين المفاتيح الخاصة داخل الجيوب (enclaves) أو خدمات إدارة المفاتيح السحابية. تغطي المنصة نطاقاً واسعاً من القدرات بما في ذلك التوجيه الثنائي متعدد القفزات وجسر الشبكة القائم على الترحيل لربط الشبكات المتباينة. يمكنه تغليف حركة مرور TCP أو Kafka القديمة في أنفاق آمنة، مما يسمح للخدمات الخاصة بالتواصل دون كشف منافذ الاستماع. بالإضافة إلى ذلك، يستخدم نموذج جهة فاعلة ذات حالة لمعالجة الرسائل بشكل غير متزامن عبر العقد الموزعة. يتم دعم النشر من خلال قوالب البنية التحتية ككود لتوفير العقد والبوابات الآمنة في البيئات السحابية.
Creates and manages asynchronous execution environments that run secure protocols and route messages locally or across remote endpoints.
nng is a brokerless messaging library and a modern implementation of the nanomsg protocol. It provides an asynchronous network transport for communication between distributed processes, utilizing non-blocking input and output to distribute network traffic across multiple CPU cores. The library enables the implementation of scalable messaging patterns, such as request-reply and publish-subscribe, without the need for a central message broker. It includes built-in encryption protocols to provide secure message transport and protect data transmissions between network nodes. The project covers d
Implements encrypted communication between distributed nodes to prevent unauthorized interception.
Dynomite هو طبقة تقسيم بيانات موزعة (sharding) ووكيل محرك تخزين مفتاح-قيمة. يعمل كطبقة توزيع تقوم بتقسيم البيانات ونسخها عبر عقد متعددة، مما يحول مخازن البيانات ذات الخادم الواحد إلى أنظمة نظير إلى نظير قابلة للتوسع. يعمل النظام كنسخة متماثلة للبيانات عبر مراكز بيانات متعددة، حيث يقوم بمزامنة البيانات بين مواقع جغرافية مختلفة لضمان المرونة والتوافر العالي أثناء فشل الموقع. يدير توزيع بيانات مفتاح-قيمة لتمكين توسيع نطاق مخزن البيانات الخطي والتخزين المتكرر. يوفر المشروع قدرات لتقسيم محرك التخزين وشبكات التوافر العالي. يقوم بتوجيه الطلبات الواردة إلى محركات تخزين محلية أو بعيدة مع الحفاظ على بروتوكولات الاتصال وتأمين الاتصال بين العقد عبر التشفير.
Secures data transfers between distributed nodes using encrypted communication protocols.