
US_East | Platform Engineering - Linux/Unix Admin_L3

Expedite Talent Solutions
Bloomfield, NJ Full Time
POSTED ON 4/11/2026
AVAILABLE BEFORE 8/8/2026
Possible 3 Month CTH | No Fees | Do Not Re-Post | Confidential

TMR ID: S8T5PH

Role: K3s Security Engineer

Work location: Portland, Oregon

Background and Meet and Greet: MANDATORY

Job Description:

K3s Security & Isolation Specialist

Context:

The Security Engineer will focus on hardening and isolating K3s clusters to minimize blast radius in the event of compromise. This includes enforcing Linux security modules (SELinux, AppArmor), leveraging TPM for secure boot and attestation, implementing least privilege across nodes and workloads, and ensuring multi-tenant isolation within hybrid Kubernetes environments (x86, ARM, accelerators).


Key Responsibilities:

Security Architecture & Policy Enforcement

  • Design and implement security-first cluster configurations for K3s nodes.
  • Enforce mandatory access control (MAC) using SELinux and AppArmor profiles for pods and system services.
  • Integrate TPM-based attestation and secure boot for cluster nodes to ensure trust in hardware and OS integrity.
  • Establish node, pod, and namespace isolation strategies to reduce lateral movement risk.
  • Harden cluster components (API server, etcd, kubelet) following CIS and NSA Kubernetes security benchmarks.

Blast Radius Reduction

  • Define and enforce workload sandboxing strategies (seccomp, AppArmor, SELinux contexts, gVisor/Kata if applicable).
  • Configure minimal privilege policies (RBAC, PodSecurityStandards, NetworkPolicies) to ensure least-privilege execution.
  • Implement namespace, node pool, and hardware partitioning to confine workloads and protect sensitive applications.
  • Apply resource quotas, limits, and scheduling constraints to contain denial-of-service blast radius.

Integration with Identity & Secrets Management

  • Work with the Security team to ensure strong identity, authentication, and authorization models.
  • Integrate TPM-backed secrets storage and HSM/KMS systems for cryptographic operations.
  • Ensure secure distribution of workload secrets with solutions like SealedSecrets, HashiCorp Vault, or SOPS.

Runtime & Supply Chain Security

  • Enforce image signing and verification with cosign or Notary.
  • Integrate SBOM scanning and vulnerability management into CI/CD pipelines.
  • Monitor workloads for runtime anomalies (Falco, Cilium Tetragon, or equivalent).
  • Apply kernel hardening measures (seccomp-bpf, kernel lockdown, IMA/EVM with TPM).

Monitoring & Incident Response

  • Build observability hooks for security events (audit logs, syscall monitoring, TPM attestations).
  • Define blast radius response runbooks for compromised pods or nodes.
  • Work with SRE and Security teams to test chaos/security drills simulating breaches.


What are the Mandatory skills and skill proficiencies required for this position?


  • Strong knowledge of K3s/Kubernetes internals, especially security features.
  • Hands-on experience with SELinux, AppArmor, seccomp, and Linux capabilities.
  • Experience with TPM (Trusted Platform Module) for secure boot and attestation.
  • Deep understanding of Pod Security (PodSecurityPolicies/Standards, OPA/Gatekeeper/Kyverno).
  • Experience implementing RBAC, NetworkPolicies, and workload isolation at scale.
  • Proficiency in Linux kernel security mechanisms and debugging.
  • Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications.
  • Strong background in incident response, forensic data collection, and audit logging in Kubernetes.


What are the Optional skills and skill proficiencies for this position?


  • Contributions to Kubernetes SIG-Security or open-source security tooling.
  • Experience with supply chain security frameworks (SLSA, NIST 800-190).
  • Familiarity with confidential computing (TEE/SGX/SEV) for workload isolation.
  • Hands-on experience with Cilium Tetragon, Falco, or other runtime security tools.
  • Knowledge of air-gapped deployments and hardened Linux distributions (e.g., Flatcar, Bottlerocket).


The following details must accompany your submission:

First Name, Middle name, and Last Name:

City and State:

Open to Relocate?

Rate:

Availability:

Phone #:

Mobile #:

Email address:

Visa type:

Visa Expiration Date:

Hiring Status:

MiguelAngel Buonafina - ERM

  • North America

Tel.: ***

Salary.com Estimation for US_East | Platform Engineering - Linux/Unix Admin_L3 in Bloomfield, NJ
$100,908 to $126,661