Capgemini Engineering
Sr. Kubernetes K3s Security & Isolation Engineer
Capgemini Engineering, Oregon, Wisconsin, United States, 53575
Sr. Kubernetes K3s Security & Isolation Engineer at Capgemini Engineering
Join our team in Portland, OR as a Kubernetes K3s Security & Isolation Engineer supporting the aerospace industry. In this onsite role you will focus on hardening and isolating K3s clusters to minimize blast radius in the event of compromise.
Your role
Architect and deploy security-first Kubernetes K3s cluster configurations across diverse hardware platforms, including x86, ARM, and accelerators.
Enforce Linux security modules (SELinux, AppArmor) and sandboxing techniques (seccomp, gVisor, Kata) to protect workloads and system services.
Integrate TPM for secure boot and attestation, ensuring hardware and OS integrity and support cryptographic operations with HSM/KMS systems.
Design multi-tenant isolation strategies using namespaces, node pools, and hardware partitioning to prevent lateral movement and reduce blast radius.
Apply least-privilege policies using RBAC, PodSecurityStandards, NetworkPolicies, and resource constraints to secure workload execution and mitigate denial-of-service risks.
Harden Kubernetes components (API server, etcd, kubelet) using CIS and NSA benchmarks, and implement kernel-level protections like seccomp-bpf and IMA/EVM.
Secure workload secrets using TPM-backed storage and tools like SealedSecrets, HashiCorp Vault, or SOPS for safe distribution and access control.
Strengthen supply chain security through image signing (cosign, Notary), SBOM scanning, and CI/CD vulnerability management.
Monitor runtime behavior with tools like Falco and Cilium Tetragon, and collaborate with SRE and Security teams to develop incident response runbooks and conduct breach simulation drills.
Your Skills And Experience
Bachelor’s degree in Computer Science, Engineering, or a related technical field, with 8–10 years of experience in infrastructure, security, or systems engineering.
Deep expertise in Kubernetes (especially K3s) internals, including cluster hardening, multi-tenant isolation, and security architecture.
Advanced proficiency in Linux security features such as SELinux, AppArmor, seccomp, and kernel-level protections.
Hands-on experience with TPM for secure boot, attestation, and integration with HSM/KMS for cryptographic operations and secrets management.
Strong understanding of Pod Security frameworks (PodSecurityStandards, OPA, Gatekeeper, Kyverno) and implementation of RBAC, NetworkPolicies, and workload isolation at scale.
Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications in hybrid environments.
Experience with runtime and supply chain security tools and frameworks, including Falco, Cilium Tetragon, cosign, Notary, SLSA, and NIST 800-190.
Knowledge of confidential computing (TEE, SGX, SEV), air-gapped deployments, and hardened Linux distributions like Flatcar and Bottlerocket.
Capgemini is an Equal Opportunity Employer encouraging inclusion in the workplace. All qualified applicants will receive consideration for employment without regard to race, national origin, gender identity/expression, age, religion, disability, sexual orientation, genetics, veteran status, marital status or any other characteristic protected by law. This is a general description of the duties, responsibilities and qualifications required for this position. Physical, mental, sensory or environmental demands may be referenced in an attempt to communicate the manner in which this position traditionally is performed. Whenever necessary to provide individuals with disabilities an equal employment opportunity, Capgemini will consider reasonable accommodations that might involve varying job requirements and/or changing the way this job is performed, provided that such accommodations do not pose an undue hardship.
#J-18808-Ljbffr
Your role
Architect and deploy security-first Kubernetes K3s cluster configurations across diverse hardware platforms, including x86, ARM, and accelerators.
Enforce Linux security modules (SELinux, AppArmor) and sandboxing techniques (seccomp, gVisor, Kata) to protect workloads and system services.
Integrate TPM for secure boot and attestation, ensuring hardware and OS integrity and support cryptographic operations with HSM/KMS systems.
Design multi-tenant isolation strategies using namespaces, node pools, and hardware partitioning to prevent lateral movement and reduce blast radius.
Apply least-privilege policies using RBAC, PodSecurityStandards, NetworkPolicies, and resource constraints to secure workload execution and mitigate denial-of-service risks.
Harden Kubernetes components (API server, etcd, kubelet) using CIS and NSA benchmarks, and implement kernel-level protections like seccomp-bpf and IMA/EVM.
Secure workload secrets using TPM-backed storage and tools like SealedSecrets, HashiCorp Vault, or SOPS for safe distribution and access control.
Strengthen supply chain security through image signing (cosign, Notary), SBOM scanning, and CI/CD vulnerability management.
Monitor runtime behavior with tools like Falco and Cilium Tetragon, and collaborate with SRE and Security teams to develop incident response runbooks and conduct breach simulation drills.
Your Skills And Experience
Bachelor’s degree in Computer Science, Engineering, or a related technical field, with 8–10 years of experience in infrastructure, security, or systems engineering.
Deep expertise in Kubernetes (especially K3s) internals, including cluster hardening, multi-tenant isolation, and security architecture.
Advanced proficiency in Linux security features such as SELinux, AppArmor, seccomp, and kernel-level protections.
Hands-on experience with TPM for secure boot, attestation, and integration with HSM/KMS for cryptographic operations and secrets management.
Strong understanding of Pod Security frameworks (PodSecurityStandards, OPA, Gatekeeper, Kyverno) and implementation of RBAC, NetworkPolicies, and workload isolation at scale.
Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications in hybrid environments.
Experience with runtime and supply chain security tools and frameworks, including Falco, Cilium Tetragon, cosign, Notary, SLSA, and NIST 800-190.
Knowledge of confidential computing (TEE, SGX, SEV), air-gapped deployments, and hardened Linux distributions like Flatcar and Bottlerocket.
Capgemini is an Equal Opportunity Employer encouraging inclusion in the workplace. All qualified applicants will receive consideration for employment without regard to race, national origin, gender identity/expression, age, religion, disability, sexual orientation, genetics, veteran status, marital status or any other characteristic protected by law. This is a general description of the duties, responsibilities and qualifications required for this position. Physical, mental, sensory or environmental demands may be referenced in an attempt to communicate the manner in which this position traditionally is performed. Whenever necessary to provide individuals with disabilities an equal employment opportunity, Capgemini will consider reasonable accommodations that might involve varying job requirements and/or changing the way this job is performed, provided that such accommodations do not pose an undue hardship.
#J-18808-Ljbffr