
Senior Kubernetes Security Engineer
Minor Hotels Europe and Americas
full-time
Location Type: Office
Location: Portland • Texas • 🇺🇸 United States
Salary
💰 $108,000 - $148,000 per year
Job Level
Senior
Tech Stack
Kubernetes, Linux, Node.js, Vault
About the role
- Architect and deploy security-first Kubernetes cluster configurations across diverse hardware platforms, including x86, ARM, and accelerators
- Enforce Linux security modules (SELinux, AppArmor) and sandboxing techniques (seccomp, gVisor, Kata) to protect workloads and system services
- Integrate TPM for secure boot and attestation, ensuring hardware and OS integrity, and support cryptographic operations with HSM/KMS systems
- Design multi-tenant isolation strategies using namespaces, node pools, and hardware partitioning to prevent lateral movement and reduce blast radius
- Apply least-privilege policies using RBAC, PodSecurityStandards, NetworkPolicies, and resource constraints to secure workload execution and mitigate denial-of-service risks
- Harden Kubernetes components (API server, etcd, kubelet) using CIS and NSA benchmarks, and implement kernel-level protections like seccomp-bpf and IMA/EVM
- Secure workload secrets using TPM-backed storage and tools like SealedSecrets, HashiCorp Vault, or SOPS for safe distribution and access control
- Strengthen supply chain security through image signing (cosign, Notary), SBOM scanning, and CI/CD vulnerability management
- Monitor runtime behavior with tools like Falco and Cilium Tetragon, and collaborate with SRE and Security teams to develop incident response runbooks and conduct breach simulation drills
Requirements
- Bachelor’s degree in Computer Science, Engineering, or a related technical field
- 8–10 years of experience in infrastructure, security, or systems engineering
- Deep expertise in Kubernetes internals, including cluster hardening, multi-tenant isolation, and security architecture
- Advanced proficiency in Linux security features such as SELinux, AppArmor, seccomp, and kernel-level protections
- Hands-on experience with TPM for secure boot, attestation, and integration with HSM/KMS for cryptographic operations and secrets management
- Strong understanding of Pod Security frameworks (PodSecurityStandards, OPA, Gatekeeper, Kyverno) and implementation of RBAC, NetworkPolicies, and workload isolation at scale
- Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications in hybrid environments
- Experience with runtime and supply chain security tools and frameworks, including Falco, Cilium Tetragon, cosign, Notary, SLSA, and NIST 800-190
- Knowledge of confidential computing (TEE, SGX, SEV), air-gapped deployments, and hardened Linux distributions like Flatcar and Bottlerocket
Benefits
- Paid time off based on employee grade (A-F), as defined by policy: 12-25 vacation days per year, depending on grade
- Company paid holidays
- Personal Days
- Sick Leave
- Medical, dental, and vision coverage (or provincial healthcare coordination in Canada)
- Retirement savings plans (e.g., 401(k) in the U.S., RRSP in Canada)
- Life and disability insurance
- Employee assistance programs
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard skills
Kubernetes, Linux security, TPM, RBAC, PodSecurityStandards, seccomp, HSM, cryptographic operations, supply chain security, runtime security