Security Engineer (K3s Security & Isolation Specialist)

About The Position

Requirements

• Strong knowledge of K3s/Kubernetes internals , especially security features.
• Hands-on experience with SELinux, AppArmor, seccomp, and Linux capabilities .
• Experience with TPM (Trusted Platform Module) for secure boot and attestation.
• Deep understanding of Pod Security (PodSecurityPolicies/Standards, OPA/Gatekeeper/Kyverno) .
• Experience implementing RBAC, NetworkPolicies, and workload isolation at scale.
• Proficiency in Linux kernel security mechanisms and debugging.
• Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications.
• Strong background in incident response, forensic data collection, and audit logging in Kubernetes.

Nice To Haves

• Contributions to Kubernetes SIG-Security or open-source security tooling.
• Experience with supply chain security frameworks (SLSA, NIST 800-190).
• Familiarity with confidential computing (TEE/SGX/SEV) for workload isolation.
• Hands-on with Cilium Tetragon, Falco, or other runtime security tools .
• Knowledge of air-gapped deployments and hardened Linux distributions (e.g., Flatcar, Bottlerocket).

Responsibilities

• Security Architecture & Policy Enforcement Design and implement security-first cluster configurations for K3s nodes.
• Enforce mandatory access control (MAC) using SELinux and AppArmor profiles for pods and system services.
• Integrate TPM-based attestation and secure boot for cluster nodes to ensure trust in hardware and OS integrity.
• Establish node, pod, and namespace isolation strategies to reduce lateral movement risk.
• Harden cluster components (API server, etcd, kubelet) following CIS and NSA Kubernetes security benchmarks.
• Blast Radius Reduction Define and enforce workload sandboxing strategies (seccomp, AppArmor, SELinux contexts, gVisor/Kata if applicable).
• Configure minimal privilege policies (RBAC, PodSecurityStandards, NetworkPolicies) to ensure least-privilege execution.
• Implement namespace, node pool, and hardware partitioning to confine workloads and protect sensitive applications.
• Apply resource quotas, limits, and scheduling constraints to contain denial-of-service blast radius.
• Integration with Identity & Secrets Management Work with Security team to ensure strong identity, authentication, and authorization models.
• Integrate TPM-backed secrets storage and HSM/KMS systems for cryptographic operations.
• Ensure secure distribution of workload secrets with solutions like SealedSecrets, HashiCorp Vault, or SOPS .
• Runtime & Supply Chain Security Enforce image signing and verification with cosign or Notary.
• Integrate SBOM scanning and vulnerability management into CI/CD pipelines.
• Monitor workloads for runtime anomalies (Falco, Cilium Tetragon, or equivalent).
• Apply kernel hardening measures (seccomp-bpf, kernel lockdown, IMA/EVM with TPM).
• Monitoring & Incident Response Build observability hooks for security events (audit logs, syscall monitoring, TPM attestations).
• Define blast radius response runbooks for compromised pods or nodes.
• Work with SRE and Security teams to test chaos/security drills simulating breaches.
• Deliverables K3s cluster baseline hardened with SELinux and AppArmor profiles .
• TPM-enabled secure boot and node attestation pipeline.
• Enforced PodSecurityStandards and workload sandboxing (seccomp, gVisor/Kata optional).
• Documentation of isolation strategies (namespaces, node pools, network segmentation).
• Audit-ready evidence of compliance with CIS/NSA Kubernetes security benchmarks.
• Security runbooks for containment and blast radius reduction.