Capgemini
Kubernetes K3s Security & Isolation Engineer
Capgemini, Portland, Oregon, United States, 97204
Overview
Sr. Kubernetes K3s Security & Isolation Engineer – Portland, OR. Join Capgemini Engineering to secure cloud-native infrastructure in mission-critical environments. This onsite role focuses on hardening and isolating K3s clusters to minimize blast radius in case of compromise, including enforcing Linux security modules, TPM-based security, least privilege, and multi-tenant isolation across hybrid Kubernetes environments (x86, ARM, and accelerators).
Your role
Architect and deploy security-first Kubernetes K3s cluster configurations across diverse hardware platforms, including x86, ARM, and accelerators.
Enforce Linux security modules (SELinux, AppArmor) and sandboxing techniques (seccomp, gVisor, Kata) to protect workloads and system services.
Integrate TPM for secure boot and attestation, supporting cryptographic operations with HSM/KMS systems.
Design multi-tenant isolation strategies using namespaces, node pools, and hardware partitioning to prevent lateral movement and reduce blast radius.
Apply least-privilege policies using RBAC, PodSecurityStandards, NetworkPolicies, and resource constraints to secure workload execution and mitigate denial-of-service risks.
Harden Kubernetes components (API server, etcd, kubelet) using CIS and NSA benchmarks; implement kernel-level protections like seccomp-bpf and IMA/EVM.
Secure workload secrets with TPM-backed storage and tools like SealedSecrets, HashiCorp Vault, or SOPS for safe distribution and access control.
Strengthen supply chain security through image signing (cosign, Notary), SBOM scanning, and CI/CD vulnerability management.
Monitor runtime behavior with tools like Falco and Cilium Tetragon; collaborate with SRE and Security teams to develop incident response runbooks and conduct breach simulations.
Skills and experience
Bachelor’s degree in Computer Science, Engineering, or related field; 8–10 years in infrastructure, security, or systems engineering.
Deep expertise in Kubernetes (especially K3s) internals, including cluster hardening, multi-tenant isolation, and security architecture.
Advanced proficiency in Linux security features (SELinux, AppArmor, seccomp) and kernel-level protections.
Hands-on experience with TPM for secure boot and attestation; integration with HSM/KMS for cryptographic operations and secrets management.
Strong understanding of Pod Security frameworks (PodSecurityStandards, OPA, Gatekeeper, Kyverno) and implementation of RBAC, NetworkPolicies, and workload isolation at scale.
Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications in hybrid environments.
Experience with runtime and supply chain security tools and frameworks (Falco, Cilium Tetragon, cosign, Notary, SLSA, NIST 800-190).
Knowledge of confidential computing (TEE, SGX, SEV), air-gapped deployments, and hardened Linux distributions like Flatcar and Bottlerocket.
Life at Capgemini
Flexible work arrangements
Healthcare including dental, vision, mental health, and well-being programs
Financial well-being programs such as 401(k) and Employee Share Ownership Plan
Paid time off and paid holidays
Paid parental leave
Family-building benefits like adoption assistance, surrogacy, and cryopreservation
Social well-being benefits like subsidized back-up child/elder care and tutoring
Mentoring, coaching and learning programs
Employee Resource Groups
Disaster Relief
About Capgemini Engineering
World leader in engineering and R&D services, Capgemini Engineering combines its broad industry knowledge and cutting-edge technologies in digital and software to support the convergence of the physical and digital worlds. Capgemini Engineering has 65,000 engineers and scientists in over 30 countries across sectors including Aeronautics, Space, Defense, Naval, Automotive, Rail, Infrastructure & Transportation, Energy, Utilities & Chemicals, Life Sciences, Communications, Semiconductor & Electronics, Industrial & Consumer, Software & Internet. Capgemini Engineering is part of the Capgemini Group, a global business and technology transformation partner with 340,000 team members in more than 50 countries. The Group reported 2024 global revenues of €22.1 billion.
Get the future you want | www.capgemini.com
Disclaimer
Capgemini is an Equal Opportunity Employer encouraging inclusion in the workplace. All qualified applicants will receive consideration for employment without regard to race, national origin, gender identity/expression, age, religion, disability, sexual orientation, genetics, veteran status, marital status or any other characteristic protected by law. This is a general description of the duties, responsibilities and qualifications required for this position. Capgemini may capture your image during the interview process for verification, including during hiring and onboarding. Capgemini is committed to providing reasonable accommodations during our recruitment process. If you need assistance or accommodation, please reach out to your recruiting contact. Applicants for employment in the US must have valid work authorization without requirement for visa sponsorship.
Job details
Job: Developer
Schedule: Full-time
Primary Location: US-OR-Portland
Organization: ERD PPL US