Highbrow LLC
Security Engineer (K3s Security & Isolation Specialist)
Highbrow LLC, Hillsboro, Oregon, United States, 97104
Job Title: Security Engineer (K3s Security & Isolation Specialist)
Location: Hillsboro, Oregon (Hybrid) (Relocation cost will be reimbursed)
Context:
The Security Engineer will focus on hardening and isolating K3s clusters to minimize blast radius in the event of compromise. This includes enforcing Linux security modules (SELinux, AppArmor), leveraging TPM for secure boot and attestation, implementing least privilege across nodes and workloads, and ensuring multi-tenant isolation within hybrid Kubernetes environments (x86, ARM, accelerators).
Responsibilities
Security Architecture & Policy Enforcement
Design and implement security-first cluster configurations for K3s nodes.
Enforce mandatory access control (MAC) using SELinux and AppArmor profiles for pods and system services.
Integrate TPM-based attestation and secure boot for cluster nodes to ensure trust in hardware and OS integrity.
Establish node, pod, and namespace isolation strategies to reduce lateral movement risk.
Harden cluster components (API server, etcd, kubelet) following CIS and NSA Kubernetes security benchmarks.
Blast Radius Reduction
Define and enforce workload sandboxing strategies (seccomp, AppArmor, SELinux contexts, gVisor/Kata if applicable).
Configure minimal privilege policies (RBAC, Pod Security Standards, NetworkPolicies) to ensure least-privilege execution.
Implement namespace, node pool, and hardware partitioning to confine workloads and protect sensitive applications.
Apply resource quotas, limits, and scheduling constraints to contain denial-of-service blast radius.
Integration with Identity & Secrets Management
Work with the Security team to ensure strong identity, authentication, and authorization models.
Integrate TPM-backed secrets storage and HSM/KMS systems for cryptographic operations.
Ensure secure distribution of workload secrets with solutions like SealedSecrets, HashiCorp Vault, or SOPS.
Runtime & Supply Chain Security
Enforce image signing and verification with cosign or Notary.
Integrate SBOM scanning and vulnerability management into CI/CD pipelines.
Monitor workloads for runtime anomalies (Falco, Cilium Tetragon, or equivalent).
Apply kernel hardening measures (seccomp-bpf, kernel lockdown, IMA/EVM with TPM).
Monitoring & Incident Response
Build observability hooks for security events (audit logs, syscall monitoring, TPM attestations).
Define blast radius response runbooks for compromised pods or nodes.
Work with SRE and Security teams to test chaos/security drills simulating breaches.
Deliverables
K3s cluster baseline hardened with SELinux and AppArmor profiles.
TPM-enabled secure boot and node attestation pipeline.
Enforced Pod Security Standards and workload sandboxing (seccomp, gVisor/Kata optional).
Documentation of isolation strategies (namespaces, node pools, network segmentation).
Audit-ready evidence of compliance with CIS/NSA Kubernetes security benchmarks.
Security runbooks for containment and blast radius reduction.
Required Skills & Experience
Strong knowledge of K3s/Kubernetes internals, especially security features.
Hands-on experience with SELinux, AppArmor, seccomp, and Linux capabilities.
Experience with TPM (Trusted Platform Module) for secure boot and attestation.
Deep understanding of Pod Security (PodSecurityPolicies/Standards, OPA/Gatekeeper/Kyverno).
Experience implementing RBAC, NetworkPolicies, and workload isolation at scale.
Proficiency in Linux kernel security mechanisms and debugging.
Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications.
Strong background in incident response, forensic data collection, and audit logging in Kubernetes.
Nice to Have
Contributions to Kubernetes SIG-Security or open-source security tooling.
Experience with supply chain security frameworks (SLSA, NIST 800-190).
Familiarity with confidential computing (TEE/SGX/SEV) for workload isolation.
Hands-on with Cilium Tetragon, Falco, or other runtime security tools.
Knowledge of air-gapped deployments and hardened Linux distributions (e.g., Flatcar, Bottlerocket).
#J-18808-Ljbffr