22 repositories
Protocols and configurations for establishing encrypted communication between distributed nodes.
Distinguishing note: Focuses on node-to-node network security rather than general cluster networking.
22 GitHub repositories matching security & cryptography · Secure Node Networking.
K3s is a lightweight Kubernetes distribution designed for resource-constrained environments, edge computing, and simplified deployment across diverse hardware architectures. It functions as a container orchestration engine that automates the deployment, scaling, and management of containerized applications. By bundling all necessary control plane components and dependencies into a single binary, it minimizes the system footprint and streamlines the installation process. The project distinguishes itself through a flexible architecture that supports both high-availability clustering and minimal
Establishes encrypted and authenticated communication between distributed nodes.
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
Configures password-less authentication between cluster nodes to allow automated service management.
NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing. The platform distinguishes itself through a decentralized architecture that eliminates t
Limits message flow between local and remote systems by applying authorization policies to leaf node connections.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Verifies host identity using certificates and private keys to ensure secure peer-to-peer communication.
Kubo is a peer-to-peer implementation of the InterPlanetary File System (IPFS) designed for decentralized data storage and content delivery. It uses content-addressing, directed acyclic graphs, and distributed hash tables to identify, distribute, and retrieve data across a network without relying on central servers. The project differentiates itself by providing a virtual filesystem via FUSE, which maps decentralized network namespaces to local operating system directories for direct file access. It also includes integrated HTTP gateways that translate peer-to-peer content into standard web t
Configures a node as a client to ensure it does not serve discovery records for other peers.
Presto is a distributed SQL query engine designed for high-performance analytical processing across heterogeneous data sources. It functions as a data federation platform and massively parallel processing engine, allowing users to execute interactive queries against diverse storage systems without requiring data migration. By mapping remote metadata and structures to a unified relational namespace, it enables seamless cross-platform analysis through a standard SQL interface. The engine distinguishes itself through a pluggable connector architecture and a shared-nothing distributed processing
Enforces SSL/TLS encryption for all internal network traffic between cluster nodes.
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule en
Encrypts network traffic between distributed nodes using security certificates to prevent unauthorized interception.
Lnd is a full implementation of the Lightning Network protocol, functioning as a Bitcoin Layer 2 daemon that manages payment channels and settles transactions on the Bitcoin blockchain. It serves as an off-chain payment processor and a cryptographic wallet manager, enabling the execution of instant, scalable transactions through a network node. The project distinguishes itself through a focus on secure node networking and programmatic control. It provides gRPC and REST API servers for automating payment workflows and utilizes macaroon-based authorization to delegate granular permissions via c
Implements a network node that establishes encrypted communication and maintains peer connections for the Lightning Network.
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Teaches how to protect individual servers using local access lists, packet filters, and anti-virus software.
Calico is a cloud-native networking and security solution designed to connect containerized workloads across virtual machines, bare metal, and multi-cloud environments. It provides a routing solution based on the Border Gateway Protocol to manage cluster traffic and implement the Container Network Interface for pod connectivity and IP address management. The project distinguishes itself through a security layer that enforces network policies based on identities and labels rather than static addresses. It includes a policy engine for controlling traffic flow, a cluster network encryptor for se
Encrypts data in transit between nodes and implements authorization policies to secure communication between workloads.
Storm is a distributed stream processing framework designed to execute unbounded computations across a cluster to process real-time data streams. It functions as a data pipeline orchestrator that allows users to define and deploy declarative data flow graphs connecting streaming sources to processing components. The system operates as a multi-tenant distributed compute engine that isolates workloads and limits resource usage across shared clusters using dedicated pools and access control. It is also a secure distributed processing engine that employs encrypted node communication and SSL-secur
Encrypts and authenticates messaging between worker nodes to prevent unauthorized data processing.
Metrics Server is a lightweight, single-purpose daemon that collects CPU and memory usage data from every node and pod in a Kubernetes cluster and exposes those metrics through a standard Kubernetes API endpoint. It registers as an aggregated extension API server behind the Kubernetes apiserver, making resource utilization data available to the Horizontal Pod Autoscaler and Vertical Pod Autoscaler for automatic replica count and resource request adjustments. The project distinguishes itself by operating as a focused, in-cluster resource metrics collector that polls kubelet summary endpoints a
Secures all node and pod traffic to the API server with HTTPS, client certificates, and service account tokens.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches host-level security configurations to reduce the attack surface of Kubernetes nodes.
This project is a Kubernetes deployment guide and infrastructure provisioner designed for hobbyist and home lab environments. It provides a framework for setting up multi-node clusters across several cloud providers and physical or virtual nodes, acting as a self-hosted cluster orchestrator. The project focuses on security hardening and infrastructure stability through specific implementation guides. This includes a network security framework covering host firewalls and encrypted network overlays, as well as detailed instructions for configuring ingress routing to handle external public traffic via DNS mapping and traffic controllers. Its capabilities extend to distributed storage provisioning, providing methods for deploying replicated block storage and persistent volumes that survive container restarts. It also covers automated certificate management for encrypted connections and the configuration of role-based access controls.
Establishes secure node-to-node networking via encrypted tunnels to protect internal cluster traffic.
This project is a comprehensive technical documentation site and reference manual for configuring and deploying WireGuard VPN tunnels and interfaces. It serves as a guide for establishing encrypted network connections between peers using public key authentication to secure data traffic across untrusted networks. The documentation provides specific technical manuals for implementing NAT traversal solutions, including UDP hole punching and the use of bounce servers to connect peers behind restrictive firewalls. It also includes detailed guides on tunnel implementation and protocol references fo
Documents the establishment of encrypted communication between distributed nodes using public key authentication.
Pigsty is a full-stack orchestration suite for deploying, monitoring, and managing high-availability PostgreSQL clusters and their supporting infrastructure. It functions as a cluster management platform and high-availability suite that automates failover, manages virtual IPs, and ensures data consistency through distributed consensus. The project distinguishes itself by providing a comprehensive database infrastructure-as-code framework and a dedicated observability stack. It incorporates a backup and recovery manager supporting point-in-time recovery via S3-compatible object storage, alongs
Hardens the host environment using SELinux enforcement and restricted sudo privileges to isolate the database.
Ockam is an end-to-end encryption framework and distributed identity provider designed to establish secure communication between applications and devices. It provides a secure network overlay that uses cryptographic identities and attribute-based access control to implement zero-trust network access. The project distinguishes itself through metadata-driven multi-hop routing and a pluggable transport layer, allowing encrypted traffic to move across diverse network topologies without requiring virtual IP overlays. It specifically enables secure tunneling for legacy applications by wrapping raw TCP traffic in encrypted channels, allowing private network connectivity and firewall bypass via outlet relays. The platform covers a broad range of capabilities, including distributed identity management, issuance and verification of cryptographic credentials, and the execution of stateful concurrent actors. It also provides tooling for cloud-scale node provisioning and automated deployment using infrastructure-as-code templates.
Provisions encrypted inlet and outlet nodes on cloud infrastructure to establish secure tunnels between distributed services.
Ockam is a zero-trust networking framework designed to secure data in transit between distributed applications using an identity-based network overlay. It provides the primitives needed to establish mutually authenticated, end-to-end encrypted connections, removing the dependency on traditional network-layer security. The project distinguishes itself through its use of attribute-based access control and verifiable credentials to manage trust at scale. It implements cryptographic identity rotation to maintain identity continuity and integrates with hardware-backed key management systems to secure private keys inside enclaves or cloud key management services. The platform covers a broad range of capabilities, including binary multi-hop routing and relay-based network bridging to connect disparate networks. It can wrap legacy TCP or Kafka traffic in secure tunnels, allowing private services to communicate without exposing listening ports. In addition, it employs a stateful actor model to process messages asynchronously across distributed nodes. Deployment is supported through infrastructure-as-code templates for provisioning secure nodes and gateways in cloud environments.
Creates and manages asynchronous execution environments that run secure protocols and route messages locally or across remote endpoints.
nng is a brokerless messaging library and a modern implementation of the nanomsg protocol. It provides an asynchronous network transport for communication between distributed processes, using non-blocking input and output to spread network traffic across multiple CPU cores. The library enables the implementation of scalable messaging patterns, such as request-reply and publish-subscribe, without the need for a central message broker. It includes built-in encryption protocols to provide secure message transport and protect data transmissions between network nodes. The project covers distributed systems architecture, including service discovery and inter-process messaging. It uses a pluggable transport layer and a layered protocol stack to manage communication over various network media.
Implements encrypted communication between distributed nodes to prevent unauthorized interception.
Dynomite is a distributed data sharding layer and a proxying key-value storage engine. It operates as a distribution layer that shards and replicates data across multiple nodes, turning single-server data stores into scalable peer-to-peer systems. The system acts as a multi-datacenter data replicator, synchronizing data between different geographic locations to ensure resilience and high availability during site failures. It manages the distribution of key-value data to enable linear scaling of the data store and redundant storage. The project provides capabilities for storage engine sharding and high-availability networking. It routes incoming requests to local or remote storage engines while maintaining communication protocols and securing inter-node communication through encryption.
Secures data transfers between distributed nodes using encrypted communication protocols.