24 个仓库
Protocols and configurations for establishing encrypted communication between distributed nodes.
Distinguishing note: Focuses on node-to-node network security rather than general cluster networking.
Explore 24 awesome GitHub repositories matching security & cryptography · Secure Node Networking. Refine with filters or upvote what's useful.
K3s is a lightweight Kubernetes distribution designed for resource-constrained environments, edge computing, and simplified deployment across diverse hardware architectures. It functions as a container orchestration engine that automates the deployment, scaling, and management of containerized applications. By bundling all necessary control plane components and dependencies into a single binary, it minimizes the system footprint and streamlines the installation process. The project distinguishes itself through a flexible architecture that supports both high-availability clustering and minimal
Establishes encrypted and authenticated communication between distributed nodes.
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
Configures password-less authentication between cluster nodes to allow automated service management.
NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing. The platform distinguishes itself through a decentralized architecture that eliminates t
Limits message flow between local and remote systems by applying authorization policies to leaf node connections.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Verifies host identity using certificates and private keys to ensure secure peer-to-peer communication.
Kubo is a peer-to-peer implementation of the InterPlanetary File System (IPFS) designed for decentralized data storage and content delivery. It uses content-addressing, directed acyclic graphs, and distributed hash tables to identify, distribute, and retrieve data across a network without relying on central servers. The project differentiates itself by providing a virtual filesystem via FUSE, which maps decentralized network namespaces to local operating system directories for direct file access. It also includes integrated HTTP gateways that translate peer-to-peer content into standard web t
Configures a node as a client to ensure it does not serve discovery records for other peers.
Presto is a distributed SQL query engine designed for high-performance analytical processing across heterogeneous data sources. It functions as a data federation platform and massively parallel processing engine, allowing users to execute interactive queries against diverse storage systems without requiring data migration. By mapping remote metadata and structures to a unified relational namespace, it enables seamless cross-platform analysis through a standard SQL interface. The engine distinguishes itself through a pluggable connector architecture and a shared-nothing distributed processing
Enforces SSL/TLS encryption for all internal network traffic between cluster nodes.
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule en
Encrypts network traffic between distributed nodes using security certificates to prevent unauthorized interception.
Lnd is a full implementation of the Lightning Network protocol, functioning as a Bitcoin Layer 2 daemon that manages payment channels and settles transactions on the Bitcoin blockchain. It serves as an off-chain payment processor and a cryptographic wallet manager, enabling the execution of instant, scalable transactions through a network node. The project distinguishes itself through a focus on secure node networking and programmatic control. It provides gRPC and REST API servers for automating payment workflows and utilizes macaroon-based authorization to delegate granular permissions via c
Implements a network node that establishes encrypted communication and maintains peer connections for the Lightning Network.
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Teaches how to protect individual servers using local access lists, packet filters, and anti-virus software.
Calico is a cloud-native networking and security solution designed to connect containerized workloads across virtual machines, bare metal, and multi-cloud environments. It provides a routing solution based on the Border Gateway Protocol to manage cluster traffic and implement the Container Network Interface for pod connectivity and IP address management. The project distinguishes itself through a security layer that enforces network policies based on identities and labels rather than static addresses. It includes a policy engine for controlling traffic flow, a cluster network encryptor for se
Encrypts data in transit between nodes and implements authorization policies to secure communication between workloads.
Storm is a distributed stream processing framework designed to execute unbounded computations across a cluster to process real-time data streams. It functions as a data pipeline orchestrator that allows users to define and deploy declarative data flow graphs connecting streaming sources to processing components. The system operates as a multi-tenant distributed compute engine that isolates workloads and limits resource usage across shared clusters using dedicated pools and access control. It is also a secure distributed processing engine that employs encrypted node communication and SSL-secur
Encrypts and authenticates messaging between worker nodes to prevent unauthorized data processing.
Metrics Server is a lightweight, single-purpose daemon that collects CPU and memory usage data from every node and pod in a Kubernetes cluster and exposes those metrics through a standard Kubernetes API endpoint. It registers as an aggregated extension API server behind the Kubernetes apiserver, making resource utilization data available to the Horizontal Pod Autoscaler and Vertical Pod Autoscaler for automatic replica count and resource request adjustments. The project distinguishes itself by operating as a focused, in-cluster resource metrics collector that polls kubelet summary endpoints a
Secures all node and pod traffic to the API server with HTTPS, client certificates, and service account tokens.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches host-level security configurations to reduce the attack surface of Kubernetes nodes.
这是一个专为爱好者和家庭实验室环境设计的 Kubernetes 部署指南和基础设施配置工具。它提供了一个在各种云服务商及物理或虚拟节点上设置多节点集群的框架,充当自托管集群编排器。 该项目通过特定的实施指南专注于安全加固和基础设施稳定性。这包括涵盖主机防火墙和加密网络覆盖的网络安全框架,以及关于配置 Ingress 路由以通过 DNS 映射和流量控制器管理外部公共流量的详细说明。 其功能范围扩展到分布式存储配置,提供了实现复制块存储和持久卷的方法,确保容器重启后数据不丢失。它还涵盖了用于加密连接的自动化证书管理以及基于角色的访问控制配置。
Establishes secure node-to-node networking via encrypted tunnels to protect internal cluster traffic.
This project is a comprehensive technical documentation site and reference manual for configuring and deploying WireGuard VPN tunnels and interfaces. It serves as a guide for establishing encrypted network connections between peers using public key authentication to secure data traffic across untrusted networks. The documentation provides specific technical manuals for implementing NAT traversal solutions, including UDP hole punching and the use of bounce servers to connect peers behind restrictive firewalls. It also includes detailed guides on tunnel implementation and protocol references fo
Documents the establishment of encrypted communication between distributed nodes using public key authentication.
Pigsty is a full-stack orchestration suite for deploying, monitoring, and managing high-availability PostgreSQL clusters and their supporting infrastructure. It functions as a cluster management platform and high-availability suite that automates failover, manages virtual IPs, and ensures data consistency through distributed consensus. The project distinguishes itself by providing a comprehensive database infrastructure-as-code framework and a dedicated observability stack. It incorporates a backup and recovery manager supporting point-in-time recovery via S3-compatible object storage, alongs
Hardens the host environment using SELinux enforcement and restricted sudo privileges to isolate the database.
Ockam 是一个端到端加密框架和分布式身份提供商,旨在建立应用与设备之间的安全通信。它提供了一个安全网络覆盖层,利用加密身份和基于属性的访问控制来实现零信任网络访问。 该项目的特色在于元数据驱动的多跳路由和可插拔传输层,允许加密流量跨越不同的网络拓扑移动,而无需虚拟 IP 覆盖。它专门通过将原始 TCP 流量封装到加密通道中,为遗留应用实现安全隧道,从而通过出站中继实现私有网络连接和防火墙绕过。 该平台涵盖了广泛的功能,包括分布式身份管理、加密凭证颁发与验证,以及有状态并发 Actor 的执行。它还提供用于云规模节点配置和使用基础设施即代码模板进行自动化部署的工具。
Provisions encrypted inlet and outlet nodes on cloud infrastructure to establish secure tunnels between distributed services.
Ockam 是一个零信任网络框架,旨在通过基于身份的网络覆盖层来保护分布式应用之间的数据传输。它提供了建立双向认证和端到端加密连接所需的基础原语,从而消除了对传统网络层安全性的依赖。 该项目的特点是使用基于属性的访问控制和可验证凭证来大规模管理信任。它实现了加密身份轮换以保持身份连续性,并与硬件支持的密钥管理系统集成,从而将私钥安全地存储在安全隔离区或云密钥管理服务中。 该平台涵盖了广泛的功能,包括多跳二进制路由和基于中继的网络桥接,以连接不同的网络。它可以将传统的 TCP 或 Kafka 流量封装在安全隧道中,使私有服务能够在不暴露监听端口的情况下进行通信。此外,它还采用有状态的 Actor 模型,在分布式节点间异步处理消息。 部署方面,它支持通过基础设施即代码 (IaC) 模板在云环境中配置安全节点和网关。
Creates and manages asynchronous execution environments that run secure protocols and route messages locally or across remote endpoints.
nng 是一个无代理(Brokerless)消息传递库,也是 nanomsg 协议的现代实现。它为分布式进程之间的通信提供异步网络传输,利用非阻塞输入输出将网络流量分配到多个 CPU 核心。 该库支持实现可扩展的消息传递模式(如请求-响应和发布-订阅),而无需中央消息代理。它包含内置加密协议,以提供安全的消息传输并保护网络节点之间的数据传输。 该项目涵盖分布式系统架构,包括服务发现和进程间消息传递。它利用可插拔的传输层和分层协议栈来管理跨各种网络介质的通信。
Implements encrypted communication between distributed nodes to prevent unauthorized interception.
Dynomite 是一个分布式数据分片层和键值存储引擎代理。它作为一个分片和跨多个节点复制数据的分发层,将单服务器数据存储转换为可扩展的点对点系统。 该系统充当多数据中心数据复制器,在不同地理位置之间同步数据,以确保站点故障期间的弹性和高可用性。它管理键值数据的分发,以实现线性数据存储扩展和冗余存储。 该项目提供了存储引擎分片和高可用性网络的能力。它将传入请求路由到本地或远程存储引擎,同时维护通信协议,并通过加密保护节点间通信。
Secures data transfers between distributed nodes using encrypted communication protocols.