Engineering Tech Lead (vNode)

About The Position

Requirements

• Deep container runtime experience: You have shipped production work against containerd directly, not just consumed it through Docker or Kubernetes. Direct experience with Kata Containers, gVisor, or another sandboxed/isolated runtime is a strong plus.
• Kubernetes node-level depth: You have worked inside the kubelet, the CRI layer, or a node-resident agent. You know what cgroups v2, OCI hooks, and the kubelet's PLEG do and where they break.
• Go systems programming chops: You write production Go for systems-level code (syscalls, namespaces, file descriptors, process lifecycle), not just service handlers.
• Linux isolation fluency: User namespaces, seccomp-bpf, capabilities, and Landlock are not abstract concepts; you have shipped against them and can reason about their failure modes.
• Tech Lead instincts: You set technical direction by writing the design doc, prototyping the hard part, and then bringing the team along. You raise the bar without becoming the bottleneck.

Nice To Haves

• Upstream contribution history: Meaningful commits to containerd, runc, Kata, gVisor, Kubernetes SIG-Node, or related projects.
• Tenant Isolation domain expertise: You have built or operated infrastructure where the threat model includes hostile workloads on shared hosts (AI Cloud operators, multi-tenant SaaS, regulated industries).
• Public technical voice: Talks, posts, or RFCs that move the conversation on container isolation.

Responsibilities

• Owning the vNode technical execution: Drive the architecture for how vNode wraps containerd, integrates with the kubelet, and exposes safe isolation primitives. You will set the bar for what ships, what gets deferred, and what gets redesigned.
• Going deep on container runtimes and isolation: Lead the work where vNode meets containerd, Kata Containers, gVisor, runc, and the kernel. You will be the person who can explain (and improve) exactly what happens between a Pod spec and a process running under a constrained user namespace with a tight seccomp profile.
• Shipping the kubelet integration surface: Own how vNode plugs into the node lifecycle: CRI, kubelet device plugins, cgroups v2, eviction, and the rough edges between Kubernetes' node model and a runtime that does not assume one tenant per node.
• Raising the engineering bar: Run technical design reviews, set the pattern for testing isolation guarantees, and mentor the engineers shipping alongside you. You are not a people manager, but you are the engineer the team copies.
• Being Customer Zero for vNode: Run vNode against vCluster Platform tenant clusters internally before customers see it. You will close the loop between what AI Cloud operators need and what vNode actually does in production.
• Representing vNode externally: Contribute upstream where it matters (containerd, runc, Kubernetes SIG-Node), write the technical posts that explain why namespace-based isolation is the right answer, and represent vCluster Labs at KubeCon-class venues when the timing is right.

Benefits

• Competitive Salary: We offer a competitive compensation package, including equity.
• Platinum-Level Insurance: Health, dental, vision, and life Insurance, including plans for you and eligible dependents (benefits vary depending on country).
• Flexible Working Schedule: You have a doctor’s appointment or need to head to the supermarket to get groceries at 2pm? We won’t have an issue with that. To us, results matter more than clocking in and out at the same time every day.
• Workplace Flexibility: We’re very flexible about where you work. We know things can change in life and we’re happy to adjust the work environment for you along the way.