Network Security Engineer Job at Openkyber, Georgia

  • Openkyber
  • Georgia

Job Description

Job Title: Network Security Engineer

Overview

We are seeking a highly skilled Network Security Engineer with deep expertise in securing Kubernetes/K3s environments, enforcing workload isolation, and minimizing blast radius across hybrid compute infrastructures. The ideal candidate will have hands-on experience with Linux security modules, TPM-based attestation, workload sandboxing, and advanced network segmentation techniques to protect multi-tenant environments.

This role focuses on hardening, isolating, and securing K3s clusters running across x86, ARM, and accelerator-based node pools. The engineer will design and implement end-to-end security controls spanning architecture, runtime security, identity enforcement, and incident response.

Responsibilities

Cluster & Network Security Architecture
  • Design and implement security-first Kubernetes/K3s architectures with strong network isolation.

  • Harden cluster components (API server, etcd, kubelet) following CIS/NSA Kubernetes benchmarks.

  • Enforce Linux Mandatory Access Control (MAC) using SELinux and AppArmor across nodes and workloads.

  • Integrate TPM-based secure boot and attestation to ensure hardware and OS integrity.

  • Establish isolation frameworks including node, pod, namespace, and network segmentation.

Blast Radius Reduction & Least Privilege Enforcement
  • Define and implement sandboxing strategies using seccomp, SELinux/AppArmor, gVisor, or Kata Containers.

  • Configure RBAC, Pod Security Standards, and Network Policies to ensure least-privilege execution.

  • Implement namespace and node pool partitioning to protect sensitive workloads from lateral movement.

  • Apply resource limits, quotas, and scheduling constraints to limit denial-of-service impact.

Identity, Secrets & Cryptographic Security
  • Integrate strong authentication and authorization models across clusters.

  • Implement TPM-backed secrets protection and integrate with HSM/KMS platforms.

  • Ensure secure workload secret distribution using Vault, SOPS, or SealedSecrets.

Runtime & Supply Chain Security
  • Enforce image signing and verification (cosign/Notary).

  • Integrate SBOM scanning and vulnerability management in CI/CD workflows.

  • Deploy runtime monitoring tools such as Falco or Cilium Tetragon.

  • Implement kernel-level protections including seccomp-bpf, IMA/EVM, and kernel lockdown.

Monitoring, Logging & Incident Response
  • Develop observability pipelines for security events, audit logs, syscalls, and TPM attestations.

  • Collaborate with SRE/Security teams to build breach containment & blast radius response runbooks.

  • Support periodic chaos/security drills and simulation-based security testing.

Required Skills & Experience
  • Strong knowledge of K3s/Kubernetes internals, cluster architecture, and security model.

  • Proven experience with SELinux, AppArmor, seccomp, Linux capabilities, and OS-level hardening.

  • Hands-on expertise with TPM technology for secure boot and remote attestation.

  • Deep understanding of Pod Security Standards, OPA/Gatekeeper/Kyverno policies.

  • Strong knowledge of NetworkPolicies, micro-segmentation, and multi-tenant isolation.

  • Experience with container runtimes (containerd, CRI-O, gVisor, Kata).

  • Solid experience in incident response, forensic data collection, and audit logging.

  • Proficiency with kernel security mechanisms and low-level debugging.

Nice to Have
  • Contributions to Kubernetes SIG-Security or relevant Open Source projects.

  • Knowledge of supply chain security frameworks (SLSA, NIST 800-190).

  • Experience with confidential computing (TEE/SGX/SEV).

  • Hands-on knowledge of Falco, Tetragon, or other runtime detection tools.

  • Experience working with air-gapped environments or hardened distros (Flatcar, Bottlerocket).

Deliverables
  • Fully hardened K3s cluster baseline with SELinux/AppArmor profiles.

  • TPM-enabled secure boot and attestation workflow.

  • Enforced Pod Security Standards and workload sandboxing.

  • Documented cluster isolation strategies (network, namespace, node pools).

  • Audit-ready artifacts demonstrating CIS/NSA Kubernetes compliance.

  • Runbooks for containment, isolation, and blast radius reduction.

Job Tags

Remote work
