Capgemini Engineering
Kubernetes K3s Security & Isolation Engineer
Capgemini Engineering, Oregon, Illinois, United States, 61061
Overview
Role: Kubernetes K3s Security & Isolation Engineer
Location: Portland, OR (onsite)

This role focuses on hardening and isolating K3s clusters to minimize blast radius in the event of compromise, including enforcing Linux security modules, TPM-based security, least privilege, and multi-tenant isolation in hybrid Kubernetes environments across x86, ARM, and accelerator-based architectures.

Responsibilities
Architect and deploy security-first Kubernetes K3s cluster configurations across diverse hardware platforms (x86, ARM, accelerators).
Enforce Linux security modules (SELinux, AppArmor) and sandboxing techniques (seccomp, gVisor, Kata) to protect workloads and system services.
Integrate TPM for secure boot and attestation; support cryptographic operations with HSM/KMS systems.
Design multi-tenant isolation strategies using namespaces, node pools, and hardware partitioning to prevent lateral movement and reduce blast radius.
Apply least-privilege policies using RBAC, PodSecurityStandards, NetworkPolicies, and resource constraints to secure workload execution and mitigate DoS risks.
Harden Kubernetes components (API server, etcd, kubelet) using CIS and NSA benchmarks; implement kernel protections such as seccomp-bpf and IMA/EVM.
Secure workload secrets with TPM-backed storage and tools like SealedSecrets, HashiCorp Vault, or SOPS.
Strengthen supply chain security through image signing (cosign, Notary), SBOM scanning, and CI/CD vulnerability management.
Monitor runtime behavior with Falco and Cilium Tetragon; collaborate with SRE and Security teams to develop incident response runbooks and breach simulation drills.

Qualifications
Bachelor’s degree in Computer Science, Engineering, or a related technical field; 8–10 years of experience in infrastructure, security, or systems engineering.
Deep expertise in Kubernetes (especially K3s) internals, including cluster hardening, multi-tenant isolation, and security architecture.
Advanced proficiency in Linux security features (SELinux, AppArmor, seccomp) and kernel-level protections.
Hands-on experience with TPM for secure boot, attestation, and integration with HSM/KMS for cryptographic operations and secrets management.
Strong understanding of Pod Security standards and related frameworks (PodSecurityStandards, OPA, Gatekeeper, Kyverno); experience with RBAC, NetworkPolicies, and workload isolation at scale.
Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications in hybrid environments.
Experience with runtime and supply chain security tools and frameworks (Falco, Cilium Tetragon, cosign, Notary, SLSA, NIST 800-190).
Knowledge of confidential computing (TEE, SGX, SEV), air-gapped deployments, and hardened Linux distributions (e.g., Flatcar, Bottlerocket).

Life at Capgemini
Capgemini supports all aspects of well-being throughout career stages. Eligible employees have access to:
Healthcare including dental, vision, mental health, and well-being programs
Financial well-being programs such as 401(k) and Employee Share Ownership Plan
Paid time off and paid holidays
Paid parental leave
Family-building benefits (adoption assistance, surrogacy, cryopreservation)
Social well-being benefits (back-up child/elder care and tutoring)
Mentoring, coaching and learning programs
Employee Resource Groups
Disaster Relief

About Capgemini Engineering
World leader in engineering and R&D services, Capgemini Engineering combines broad industry knowledge with cutting-edge technologies in digital and software to support the convergence of the physical and digital worlds. It operates in over 30 countries with 65,000 engineers and scientists across sectors including Aeronautics, Space, Defense, Naval, Automotive, Rail, Energy, Life Sciences, and more. Capgemini Engineering is part of the Capgemini Group, a global technology and transformation partner with 340,000 team members in more than 50 countries. The group emphasizes AI, cloud, and data, with revenues of €22.1 billion in 2024.
Get the future you want | www.capgemini.com

Disclaimer
Capgemini is an Equal Opportunity Employer encouraging inclusion in the workplace. All qualified applicants will receive consideration for employment without regard to race, national origin, gender identity/expression, age, religion, disability, sexual orientation, genetics, veteran status, marital status or any other characteristic protected by law. Capgemini will provide reasonable accommodations during recruitment as needed. Applicants for employment in the US must have valid work authorization without requiring visa sponsorship.

Job details
Seniority level: Not Applicable
Employment type: Full-time
Job function: Information Technology, Engineering, and Consulting
Industries: Computer and Network Security, Engineering Services, and Aviation and Aerospace Component Manufacturing
Referrals increase your chances of interviewing at Capgemini Engineering. We’re not providing any claims about current openings beyond the information in this description.