24 Repos
Protocols and configurations for establishing encrypted communication between distributed nodes.
Distinguishing note: Focuses on node-to-node network security rather than general cluster networking.
Explore 24 awesome GitHub repositories matching security & cryptography · Secure Node Networking. Refine with filters or upvote what's useful.
K3s is a lightweight Kubernetes distribution designed for resource-constrained environments, edge computing, and simplified deployment across diverse hardware architectures. It functions as a container orchestration engine that automates the deployment, scaling, and management of containerized applications. By bundling all necessary control plane components and dependencies into a single binary, it minimizes the system footprint and streamlines the installation process. The project distinguishes itself through a flexible architecture that supports both high-availability clustering and minimal
Establishes encrypted and authenticated communication between distributed nodes.
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
Configures password-less authentication between cluster nodes to allow automated service management.
NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing. The platform distinguishes itself through a decentralized architecture that eliminates t
Limits message flow between local and remote systems by applying authorization policies to leaf node connections.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Verifies host identity using certificates and private keys to ensure secure peer-to-peer communication.
Kubo is a peer-to-peer implementation of the InterPlanetary File System (IPFS) designed for decentralized data storage and content delivery. It uses content-addressing, directed acyclic graphs, and distributed hash tables to identify, distribute, and retrieve data across a network without relying on central servers. The project differentiates itself by providing a virtual filesystem via FUSE, which maps decentralized network namespaces to local operating system directories for direct file access. It also includes integrated HTTP gateways that translate peer-to-peer content into standard web t
Configures a node as a client to ensure it does not serve discovery records for other peers.
Presto is a distributed SQL query engine designed for high-performance analytical processing across heterogeneous data sources. It functions as a data federation platform and massively parallel processing engine, allowing users to execute interactive queries against diverse storage systems without requiring data migration. By mapping remote metadata and structures to a unified relational namespace, it enables seamless cross-platform analysis through a standard SQL interface. The engine distinguishes itself through a pluggable connector architecture and a shared-nothing distributed processing
Enforces SSL/TLS encryption for all internal network traffic between cluster nodes.
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule en
Encrypts network traffic between distributed nodes using security certificates to prevent unauthorized interception.
Lnd is a full implementation of the Lightning Network protocol, functioning as a Bitcoin Layer 2 daemon that manages payment channels and settles transactions on the Bitcoin blockchain. It serves as an off-chain payment processor and a cryptographic wallet manager, enabling the execution of instant, scalable transactions through a network node. The project distinguishes itself through a focus on secure node networking and programmatic control. It provides gRPC and REST API servers for automating payment workflows and utilizes macaroon-based authorization to delegate granular permissions via c
Implements a network node that establishes encrypted communication and maintains peer connections for the Lightning Network.
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Teaches how to protect individual servers using local access lists, packet filters, and anti-virus software.
Calico is a cloud-native networking and security solution designed to connect containerized workloads across virtual machines, bare metal, and multi-cloud environments. It provides a routing solution based on the Border Gateway Protocol to manage cluster traffic and implement the Container Network Interface for pod connectivity and IP address management. The project distinguishes itself through a security layer that enforces network policies based on identities and labels rather than static addresses. It includes a policy engine for controlling traffic flow, a cluster network encryptor for se
Encrypts data in transit between nodes and implements authorization policies to secure communication between workloads.
Storm is a distributed stream processing framework designed to execute unbounded computations across a cluster to process real-time data streams. It functions as a data pipeline orchestrator that allows users to define and deploy declarative data flow graphs connecting streaming sources to processing components. The system operates as a multi-tenant distributed compute engine that isolates workloads and limits resource usage across shared clusters using dedicated pools and access control. It is also a secure distributed processing engine that employs encrypted node communication and SSL-secur
Encrypts and authenticates messaging between worker nodes to prevent unauthorized data processing.
Metrics Server is a lightweight, single-purpose daemon that collects CPU and memory usage data from every node and pod in a Kubernetes cluster and exposes those metrics through a standard Kubernetes API endpoint. It registers as an aggregated extension API server behind the Kubernetes apiserver, making resource utilization data available to the Horizontal Pod Autoscaler and Vertical Pod Autoscaler for automatic replica count and resource request adjustments. The project distinguishes itself by operating as a focused, in-cluster resource metrics collector that polls kubelet summary endpoints a
Secures all node and pod traffic to the API server with HTTPS, client certificates, and service account tokens.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches host-level security configurations to reduce the attack surface of Kubernetes nodes.
This project is a Kubernetes deployment guide and infrastructure provisioner designed for hobbyist and home lab environments. It provides a framework for setting up multi-node clusters across various cloud providers and physical or virtual nodes, acting as a self-hosted cluster orchestrator. The project focuses on security hardening and infrastructure stability through specific implementation guides. This includes a framework for network security that covers host firewalls and encrypted network overlays, as well as detailed instructions for configuring ingress routing to manage external publi
Establishes secure node-to-node networking via encrypted tunnels to protect internal cluster traffic.
This project is a comprehensive technical documentation site and reference manual for configuring and deploying WireGuard VPN tunnels and interfaces. It serves as a guide for establishing encrypted network connections between peers using public key authentication to secure data traffic across untrusted networks. The documentation provides specific technical manuals for implementing NAT traversal solutions, including UDP hole punching and the use of bounce servers to connect peers behind restrictive firewalls. It also includes detailed guides on tunnel implementation and protocol references fo
Documents the establishment of encrypted communication between distributed nodes using public key authentication.
Pigsty is a full-stack orchestration suite for deploying, monitoring, and managing high-availability PostgreSQL clusters and their supporting infrastructure. It functions as a cluster management platform and high-availability suite that automates failover, manages virtual IPs, and ensures data consistency through distributed consensus. The project distinguishes itself by providing a comprehensive database infrastructure-as-code framework and a dedicated observability stack. It incorporates a backup and recovery manager supporting point-in-time recovery via S3-compatible object storage, alongs
Hardens the host environment using SELinux enforcement and restricted sudo privileges to isolate the database.
Ockam ist ein End-to-End-Verschlüsselungs-Framework und ein verteilter Identitätsanbieter, der entwickelt wurde, um eine sichere Kommunikation zwischen Anwendungen und Geräten zu etablieren. Es bietet ein sicheres Netzwerk-Overlay, das kryptografische Identitäten und attributbasierte Zugriffskontrolle nutzt, um Zero-Trust-Netzwerkzugriff zu implementieren. Das Projekt zeichnet sich durch metadatengesteuertes Multi-Hop-Routing und eine steckbare Transportschicht aus, wodurch verschlüsselter Datenverkehr über verschiedene Netzwerktopologien hinweg bewegt werden kann, ohne virtuelle IP-Overlays zu erfordern. Es ermöglicht insbesondere sichere Tunnel für Legacy-Anwendungen, indem roher TCP-Datenverkehr in verschlüsselte Kanäle verpackt wird, was private Netzwerkkonnektivität und Firewall-Bypass über ausgehende Relays ermöglicht. Die Plattform deckt ein breites Spektrum an Fähigkeiten ab, einschließlich verteiltem Identitätsmanagement, der Ausstellung und Verifizierung kryptografischer Anmeldeinformationen sowie der Ausführung zustandsbehafteter, paralleler Akteure. Sie bietet zudem Tools für die Bereitstellung von Knoten im Cloud-Maßstab und die automatisierte Bereitstellung unter Verwendung von Infrastructure-as-Code-Vorlagen.
Provisions encrypted inlet and outlet nodes on cloud infrastructure to establish secure tunnels between distributed services.
Ockam ist ein Zero-Trust-Netzwerk-Framework, das entwickelt wurde, um den Datentransport zwischen verteilten Anwendungen mithilfe eines identitätsbasierten Netzwerk-Overlays abzusichern. Es bietet die notwendigen Primitive, um gegenseitig authentifizierte und End-to-End-verschlüsselte Verbindungen herzustellen, wodurch die Abhängigkeit von traditioneller Netzwerksicherheit auf Schichtebene entfällt. Das Projekt zeichnet sich durch die Verwendung von attributbasierter Zugriffskontrolle und verifizierbaren Anmeldeinformationen aus, um Vertrauen in großem Maßstab zu verwalten. Es implementiert kryptografische Identitätsrotation, um die Identitätskontinuität aufrechtzuerhalten, und integriert sich in hardwaregestützte Schlüsselverwaltungssysteme, um private Schlüssel innerhalb von Enklaven oder Cloud-Schlüsselverwaltungsdiensten zu sichern. Die Plattform deckt ein breites Spektrum an Fähigkeiten ab, einschließlich Multi-Hop-Binär-Routing und Relay-basiertem Netzwerk-Bridging, um disparate Netzwerke zu verbinden. Sie kann Legacy-TCP- oder Kafka-Datenverkehr in sichere Tunnel verpacken, wodurch private Dienste kommunizieren können, ohne lauschende Ports freizugeben. Zudem verwendet sie ein zustandsbehaftetes Akteur-Modell, um Nachrichten asynchron über verteilte Knoten hinweg zu verarbeiten. Die Bereitstellung wird durch Infrastructure-as-Code-Vorlagen für die Bereitstellung sicherer Knoten und Gateways in Cloud-Umgebungen unterstützt.
Creates and manages asynchronous execution environments that run secure protocols and route messages locally or across remote endpoints.
nng ist eine brokerlose Messaging-Bibliothek und eine moderne Implementierung des nanomsg-Protokolls. Sie bietet einen asynchronen Netzwerktransport für die Kommunikation zwischen verteilten Prozessen und nutzt nicht-blockierende Ein- und Ausgaben, um Netzwerkverkehr über mehrere CPU-Kerne zu verteilen. Die Bibliothek ermöglicht die Implementierung skalierbarer Messaging-Muster, wie Request-Reply und Publish-Subscribe, ohne die Notwendigkeit eines zentralen Message-Brokers. Sie enthält integrierte Verschlüsselungsprotokolle, um einen sicheren Nachrichtentransport zu gewährleisten und Datenübertragungen zwischen Netzwerkknoten zu schützen. Das Projekt deckt die Architektur verteilter Systeme ab, einschließlich Service-Discovery und Inter-Process-Messaging. Es nutzt eine austauschbare Transportschicht und einen geschichteten Protokoll-Stack, um die Kommunikation über verschiedene Netzwerkmedien hinweg zu verwalten.
Implements encrypted communication between distributed nodes to prevent unauthorized interception.
Dynomite ist eine verteilte Datensharding-Schicht und ein Key-Value-Speicher-Engine-Proxy. Es fungiert als Verteilungsschicht, die Daten über mehrere Knoten hinweg sharded und repliziert und so Single-Server-Datenspeicher in skalierbare Peer-to-Peer-Systeme umwandelt. Das System agiert als Multi-Datacenter-Datenreplikator, der Daten zwischen verschiedenen geografischen Standorten synchronisiert, um Ausfallsicherheit und hohe Verfügbarkeit bei Standortausfällen zu gewährleisten. Es verwaltet die Verteilung von Key-Value-Daten, um eine lineare Skalierung des Datenspeichers und redundante Speicherung zu ermöglichen. Das Projekt bietet Funktionen für Storage-Engine-Sharding und Hochverfügbarkeits-Networking. Es leitet eingehende Anfragen an lokale oder entfernte Speicher-Engines weiter, während es Kommunikationsprotokolle aufrechterhält und die Inter-Node-Kommunikation durch Verschlüsselung sichert.
Secures data transfers between distributed nodes using encrypted communication protocols.