24 repository-uri
Protocols and configurations for establishing encrypted communication between distributed nodes.
Distinguishing note: Focuses on node-to-node network security rather than general cluster networking.
Explore 24 awesome GitHub repositories matching security & cryptography · Secure Node Networking. Refine with filters or upvote what's useful.
K3s is a lightweight Kubernetes distribution designed for resource-constrained environments, edge computing, and simplified deployment across diverse hardware architectures. It functions as a container orchestration engine that automates the deployment, scaling, and management of containerized applications. By bundling all necessary control plane components and dependencies into a single binary, it minimizes the system footprint and streamlines the installation process. The project distinguishes itself through a flexible architecture that supports both high-availability clustering and minimal
Establishes encrypted and authenticated communication between distributed nodes.
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
Configures password-less authentication between cluster nodes to allow automated service management.
NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing. The platform distinguishes itself through a decentralized architecture that eliminates t
Limits message flow between local and remote systems by applying authorization policies to leaf node connections.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Verifies host identity using certificates and private keys to ensure secure peer-to-peer communication.
Kubo is a peer-to-peer implementation of the InterPlanetary File System (IPFS) designed for decentralized data storage and content delivery. It uses content-addressing, directed acyclic graphs, and distributed hash tables to identify, distribute, and retrieve data across a network without relying on central servers. The project differentiates itself by providing a virtual filesystem via FUSE, which maps decentralized network namespaces to local operating system directories for direct file access. It also includes integrated HTTP gateways that translate peer-to-peer content into standard web t
Configures a node as a client to ensure it does not serve discovery records for other peers.
Presto is a distributed SQL query engine designed for high-performance analytical processing across heterogeneous data sources. It functions as a data federation platform and massively parallel processing engine, allowing users to execute interactive queries against diverse storage systems without requiring data migration. By mapping remote metadata and structures to a unified relational namespace, it enables seamless cross-platform analysis through a standard SQL interface. The engine distinguishes itself through a pluggable connector architecture and a shared-nothing distributed processing
Enforces SSL/TLS encryption for all internal network traffic between cluster nodes.
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule en
Encrypts network traffic between distributed nodes using security certificates to prevent unauthorized interception.
Lnd is a full implementation of the Lightning Network protocol, functioning as a Bitcoin Layer 2 daemon that manages payment channels and settles transactions on the Bitcoin blockchain. It serves as an off-chain payment processor and a cryptographic wallet manager, enabling the execution of instant, scalable transactions through a network node. The project distinguishes itself through a focus on secure node networking and programmatic control. It provides gRPC and REST API servers for automating payment workflows and utilizes macaroon-based authorization to delegate granular permissions via c
Implements a network node that establishes encrypted communication and maintains peer connections for the Lightning Network.
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Teaches how to protect individual servers using local access lists, packet filters, and anti-virus software.
Calico is a cloud-native networking and security solution designed to connect containerized workloads across virtual machines, bare metal, and multi-cloud environments. It provides a routing solution based on the Border Gateway Protocol to manage cluster traffic and implement the Container Network Interface for pod connectivity and IP address management. The project distinguishes itself through a security layer that enforces network policies based on identities and labels rather than static addresses. It includes a policy engine for controlling traffic flow, a cluster network encryptor for se
Encrypts data in transit between nodes and implements authorization policies to secure communication between workloads.
Storm is a distributed stream processing framework designed to execute unbounded computations across a cluster to process real-time data streams. It functions as a data pipeline orchestrator that allows users to define and deploy declarative data flow graphs connecting streaming sources to processing components. The system operates as a multi-tenant distributed compute engine that isolates workloads and limits resource usage across shared clusters using dedicated pools and access control. It is also a secure distributed processing engine that employs encrypted node communication and SSL-secur
Encrypts and authenticates messaging between worker nodes to prevent unauthorized data processing.
Metrics Server is a lightweight, single-purpose daemon that collects CPU and memory usage data from every node and pod in a Kubernetes cluster and exposes those metrics through a standard Kubernetes API endpoint. It registers as an aggregated extension API server behind the Kubernetes apiserver, making resource utilization data available to the Horizontal Pod Autoscaler and Vertical Pod Autoscaler for automatic replica count and resource request adjustments. The project distinguishes itself by operating as a focused, in-cluster resource metrics collector that polls kubelet summary endpoints a
Secures all node and pod traffic to the API server with HTTPS, client certificates, and service account tokens.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches host-level security configurations to reduce the attack surface of Kubernetes nodes.
Acest proiect este un ghid de deployment pentru Kubernetes și un provisioner de infrastructură conceput pentru medii de tip hobbyist și home lab. Oferă un framework pentru configurarea clusterelor multi-nod pe diverși furnizori cloud și noduri fizice sau virtuale, acționând ca un orchestrator de cluster self-hosted. Proiectul se concentrează pe securizarea și stabilitatea infrastructurii prin ghiduri de implementare specifice. Aceasta include un framework pentru securitatea rețelei care acoperă firewall-uri de host și overlay-uri de rețea criptate, precum și instrucțiuni detaliate pentru configurarea rutării de tip ingress pentru gestionarea traficului public extern prin mapare DNS și controlere de trafic. Capabilitățile se extind la furnizarea de stocare distribuită, oferind metode pentru implementarea stocării pe blocuri replicate și volume persistente care supraviețuiesc restartării containerelor. Acoperă, de asemenea, gestionarea automată a certificatelor pentru conexiuni criptate și configurarea controlului accesului bazat pe roluri.
Establishes secure node-to-node networking via encrypted tunnels to protect internal cluster traffic.
This project is a comprehensive technical documentation site and reference manual for configuring and deploying WireGuard VPN tunnels and interfaces. It serves as a guide for establishing encrypted network connections between peers using public key authentication to secure data traffic across untrusted networks. The documentation provides specific technical manuals for implementing NAT traversal solutions, including UDP hole punching and the use of bounce servers to connect peers behind restrictive firewalls. It also includes detailed guides on tunnel implementation and protocol references fo
Documents the establishment of encrypted communication between distributed nodes using public key authentication.
Pigsty is a full-stack orchestration suite for deploying, monitoring, and managing high-availability PostgreSQL clusters and their supporting infrastructure. It functions as a cluster management platform and high-availability suite that automates failover, manages virtual IPs, and ensures data consistency through distributed consensus. The project distinguishes itself by providing a comprehensive database infrastructure-as-code framework and a dedicated observability stack. It incorporates a backup and recovery manager supporting point-in-time recovery via S3-compatible object storage, alongs
Hardens the host environment using SELinux enforcement and restricted sudo privileges to isolate the database.
Ockam este un framework de criptare end-to-end și un furnizor de identitate distribuit conceput pentru a stabili o comunicare securizată între aplicații și dispozitive. Oferă un overlay de rețea securizat care utilizează identități criptografice și controlul accesului bazat pe atribute pentru a implementa accesul la rețea de tip zero trust. Proiectul se distinge prin rutarea multi-hop bazată pe metadate și un strat de transport pluggable, permițând traficului criptat să se deplaseze prin topologii de rețea diverse fără a necesita overlay-uri IP virtuale. Acesta permite în mod specific tunelarea securizată pentru aplicațiile legacy prin împachetarea traficului TCP brut în canale criptate, permițând conectivitatea la rețeaua privată și bypass-ul firewall-ului prin relee de ieșire. Platforma acoperă o gamă largă de capabilități, inclusiv gestionarea identității distribuite, emiterea și verificarea acreditărilor criptografice și execuția actorilor concurenți cu stare. De asemenea, oferă instrumente pentru provizionarea nodurilor la scară cloud și implementarea automată folosind template-uri de infrastructură ca cod.
Provisions encrypted inlet and outlet nodes on cloud infrastructure to establish secure tunnels between distributed services.
Ockam este un framework de rețea zero-trust conceput pentru a securiza tranzitul datelor între aplicații distribuite folosind un overlay de rețea bazat pe identitate. Oferă primitivele necesare pentru a stabili conexiuni autentificate reciproc și criptate end-to-end, eliminând dependența de securitatea tradițională la nivel de rețea. Proiectul se distinge prin utilizarea controlului accesului bazat pe atribute și a acreditărilor verificabile pentru a gestiona încrederea la scară. Implementează rotația identității criptografice pentru a menține continuitatea identității și se integrează cu sisteme de gestionare a cheilor bazate pe hardware pentru a securiza cheile private în enclave sau servicii de gestionare a cheilor în cloud. Platforma acoperă o gamă largă de capabilități, inclusiv rutarea binară multi-hop și bridging-ul de rețea bazat pe relee pentru a conecta rețele disparate. Poate împacheta traficul legacy TCP sau Kafka în tuneluri securizate, permițând serviciilor private să comunice fără a expune porturi de ascultare. În plus, utilizează un model de actor cu stare pentru a procesa mesajele asincron pe noduri distribuite. Implementarea este susținută prin template-uri de infrastructură ca cod pentru provizionarea nodurilor și gateway-urilor securizate în medii cloud.
Creates and manages asynchronous execution environments that run secure protocols and route messages locally or across remote endpoints.
nng este o bibliotecă de mesagerie fără broker și o implementare modernă a protocolului nanomsg. Oferă un transport de rețea asincron pentru comunicarea între procese distribuite, utilizând input și output non-blocking pentru a distribui traficul de rețea pe mai multe nuclee CPU. Biblioteca permite implementarea unor modele de mesagerie scalabile, cum ar fi request-reply și publish-subscribe, fără a fi nevoie de un broker de mesaje central. Include protocoale de criptare încorporate pentru a oferi un transport securizat al mesajelor și a proteja transmisiile de date între nodurile de rețea. Proiectul acoperă arhitectura sistemelor distribuite, inclusiv descoperirea serviciilor și mesageria inter-proces. Utilizează un strat de transport pluggable și o stivă de protocoale stratificată pentru a gestiona comunicarea prin diverse medii de rețea.
Implements encrypted communication between distributed nodes to prevent unauthorized interception.
Dynomite este un strat de sharding de date distribuit și un proxy pentru motorul de stocare key-value. Acesta funcționează ca un strat de distribuție care fragmentează (shard) și replică datele pe mai multe noduri, transformând datastore-urile cu un singur server în sisteme peer-to-peer scalabile. Sistemul acționează ca un replicator de date multi-datacenter, sincronizând datele între diferite locații geografice pentru a asigura reziliența și disponibilitatea ridicată în timpul defecțiunilor site-ului. Gestionează distribuția datelor key-value pentru a permite scalarea liniară a datastore-ului și stocarea redundantă. Proiectul oferă capabilități pentru sharding-ul motorului de stocare și rețelistică de înaltă disponibilitate. Acesta rutează cererile primite către motoarele de stocare locale sau la distanță, menținând în același timp protocoalele de comunicare și securizând comunicarea între noduri prin criptare.
Secures data transfers between distributed nodes using encrypted communication protocols.