
> internal, but by design usually accessible on the public internet

Your API can be accessible obviously, but put ZeroMQ behind a firewall so only the API server can reach it.

If it’s running on the same server, at least block the port ZeroMQ is listening on from the outside world.
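As an added check for the advice above (example code, not from the comment or any project it mentions): parse `ss -ltn` output and flag listening sockets bound beyond loopback, so a ZeroMQ port meant only for the API server is caught if it ends up on 0.0.0.0. The sample output and the port numbers 5555/5556/8080 are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed sample of `ss -ltn` output (not captured from a real host).
# Assumption: ZeroMQ listens on TCP 5555/5556, the API server on 8080.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:5555       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    [::1]:5556         [::]:*
LISTEN 0      128    *:9000             *:*
"""


def split_addr_port(field: str) -> Tuple[str, int]:
    """Split 'addr:port' as ss prints it; IPv6 addresses are bracketed."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; wildcards ('*', 0.0.0.0, ::) are exposed."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output: str,
                      watched_ports: Optional[Set[int]] = None) -> List[Tuple[str, int]]:
    """Return (addr, port) for LISTEN sockets reachable from non-loopback interfaces.
    If watched_ports is given, only those ports are reported."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, port = split_addr_port(parts[3])
        if watched_ports is not None and port not in watched_ports:
            continue
        if not is_loopback(addr):
            found.append((addr, port))
    return found


if __name__ == "__main__":
    # Only 5555 is flagged: 8080 and 5556 are loopback-bound, 22/9000 are not watched.
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, {5555, 5556, 8080}):
        print(f"port {port} is bound to {addr}: reachable beyond localhost")
```

On a real host, feed it `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout` instead of the constructed sample; anything it reports still needs the host firewall or a loopback bind before it is actually safe.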



People make fun of Kubernetes or "resume driven development" for making things more complex than they need to be, but this is why you want mTLS via a sidecar with short auto-renewed certificates on a mesh inside your distributed system of an operating stack, when the system is big enough to justify that complexity. Something the size of, like, Airbnb should have that.


Or a WireGuard VPN. Or even just socat with mTLS inside systemd.

There are easier ways to achieve that than Kubernetes with a sidecar mesh.



