Capgemini Engineering

K3s Security Engineer

Ukraine · Full-time · Entry

At Capgemini Engineering, the world leader in engineering services, we bring together a global team of engineers, scientists, and architects to help the world’s most innovative companies unleash their potential. From autonomous cars to life-saving robots, our digital and software technology experts think outside the box as they provide unique R&D and engineering services across all industries. Join us for a career full of opportunities. Where you can make a difference. Where no two days are the same.

Overview

We are looking for a Security Engineer specializing in hardening and isolating K3s clusters to minimize blast radius in the event of compromise. This role focuses on Linux security modules (SELinux, AppArmor), TPM-backed attestation, least-privilege enforcement, and multi-tenant isolation across hybrid Kubernetes environments (x86, ARM, accelerators).

This position requires 4–5 hours of overlap with PST.

Key Responsibilities

Security Architecture & Policy Enforcement

  • Design and implement security-first configurations for K3s cluster nodes.
  • Enforce mandatory access control (MAC) via SELinux and AppArmor for pods and system services.
  • Integrate TPM-backed secure boot and attestation pipelines to guarantee hardware/OS integrity.
  • Design isolation boundaries across nodes, pods, namespaces, and workloads.
  • Harden cluster components (API server, etcd, kubelet) according to CIS and NSA Kubernetes security benchmarks.

Blast Radius Reduction

  • Define and enforce workload sandboxing systems (seccomp, AppArmor, SELinux, gVisor, Kata Containers).
  • Implement least-privilege policies across RBAC, PodSecurityStandards, and NetworkPolicies.
  • Apply namespace, node pool, and hardware partitioning strategies for multi-tenancy.
  • Use quotas, limits, taints, tolerations, and scheduler constraints to reduce DoS blast radius.

Identity & Secrets Integration

  • Collaborate with the Security team on strong identity, authentication, and authorization models.
  • Integrate TPM-backed secrets, HSM/KMS systems, and secure bootstrapping.
  • Implement secure secret distribution solutions (SealedSecrets, Vault, SOPS).

Runtime & Supply Chain Security

  • Enforce image signing and verification (cosign, Notary).
  • Integrate SBOM generation and vulnerability scanning into CI/CD.
  • Deploy runtime anomaly detection (Falco, Cilium Tetragon, etc.).
  • Apply Linux kernel hardening: seccomp-bpf, IMA/EVM, kernel lockdown.

Monitoring & Incident Response

  • Build observability for audit logs, syscall monitoring, TPM attestations, and kernel events.
  • Create incident response runbooks focused on containment and blast-radius reduction.
  • Partner with SRE/Security teams for chaos drills and breach simulations.

Required Skills and Experience

  • Strong understanding of K3s and Kubernetes internals and native security features.
  • Hands-on experience with SELinux, AppArmor, seccomp, and Linux capabilities.
  • Experience with TPM for secure boot and attestation workflows.
  • Deep knowledge of Pod Security Standards and admission policy engines such as OPA Gatekeeper and Kyverno.
  • Proficiency with RBAC, NetworkPolicies, and multi-tenant isolation.
  • Solid background in Linux kernel security and low-level debugging.
  • Familiarity with container runtimes such as containerd, CRI-O, gVisor, and Kata.
  • Experience with forensic data collection, audit logging, and Kubernetes IR.

Nice to Have

  • Contributions to Kubernetes SIG-Security or security tooling.
  • Knowledge of supply chain security frameworks like SLSA and NIST 800-190.
  • Experience with confidential computing including SGX, SEV, and TEE.
  • Hands-on with Cilium Tetragon, Falco, or similar runtime security tools.
  • Familiarity with air-gapped clusters and hardened operating systems such as Flatcar or Bottlerocket.

What You Will Love About Working Here

We care about all our employees and want them to feel as comfortable as possible. That's why we offer health insurance from the first days, regardless of the probationary period. The Gift from the Company: Christmas holidays from December 25 to December 31. Cooperation with the Superhumans center and Veteran Hub: Capgemini Engineering has supported the launch of the psychological rehabilitation department of Superhumans. Our team also donated over UAH 500 000 for prosthetics for three Ukrainian defenders. Currently, we support psychological counseling provided by the Veteran Hub, and with the Hub's assistance we have implemented an internal policy making the company friendly to military personnel and veterans.

Capgemini is a global business and technology transformation partner, helping organizations accelerate their dual transition to a digital and sustainable world while creating tangible impact for enterprises and society. It is a responsible and diverse group of 340,000 team members in more than 50 countries. With a strong heritage of over 55 years, Capgemini is trusted by its clients to unlock the value of technology to address the entire breadth of their business needs. It delivers end-to-end services and solutions leveraging strengths from strategy and design to engineering, all fueled by its market-leading capabilities in AI, generative AI, cloud and data, combined with its deep industry expertise and partner ecosystem.

Key Skills

kubernetes linux ai incident response server cloud vault nist cis
Posted
Feb 16, 2026
Type
Full-time
Level
Entry
Location
Rivne

Industries

Engineering Services

Categories

Information Technology