×
Apply for Jobs Apply for Jobs Post a Job Post a Job Local Jobs Home
Register Here to Apply for Jobs or Post Jobs. X
More jobs:
Cybersecurity Systems Engineer Network Security Security Manager

SecurityEngineer; K3s Security & Isolation Specialist

Job in Hillsboro, Washington County, Oregon, 97104, USA
Listing for: Highbrow LLC
Full Time position
Listed on 2025-12-27
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer, Network Security, Security Manager
Job Description & How to Apply Below
Position: Security Engineer (K3s Security & Isolation Specialist)

Job Title:

Security Engineer(K3s Security & Isolation Specialist)

Location:

Hillsboro, Oregon (Hybrid) (Relocation cost will be reimbursed) Context:

The Security Engineer will focus on hardening and isolating K3s clusters to minimize blast radius in the event of compromise. This includes enforcing Linux security modules (SELinux,
App Armor), leveraging TPM for secure boot and attestation
, implementing least privilege across nodes and workloads
, and ensuring multi-tenant isolation within hybrid Kubernetes environments (x86, ARM, accelerators).

Responsibilities Security Architecture & Policy Enforcement
  • Design and implement security-first cluster configurations for K3s nodes.
  • Enforce mandatory access control (MAC) using SELinux and App Armor
    profiles for pods and system services.
  • Integrate TPM-based attestation and secure boot for cluster nodes to ensure trust in hardware and OS integrity.
  • Establish node, pod, and namespace isolation strategies to reduce lateral movement risk.
  • Harden cluster components (API server,etcd,kubelet) following CIS and NSA Kubernetes security benchmarks.
Blast Radius Reduction
  • Define and enforce workload sandboxing strategies (seccomp,App Armor,SELinuxcontexts,gVisor/Kata if applicable).
  • Configure minimal privilege policies (RBAC,Pod Security Standards ,Network Policies) to ensure least-privilege execution.
  • Implement namespace, node pool, and hardware partitioning to confine workloads and protect sensitive applications.
  • Apply resource quotas, limits, and scheduling constraints to contain denial-of-service blast radius.
Integration with Identity & Secrets Management
  • Work with Security team to ensure strong identity, authentication, and authorization models.
  • Integrate TPM-backed secrets storage and HSM/KMS systems for cryptographic operations.
  • Ensure secure distribution of workload secrets with solutions like Sealed Secrets
    , Hashi Corp
    Vault or SOPS
    .
Runtime & Supply Chain Security
  • Enforce image signing and verification with cosign or Notary.
  • Integrate SBOM scanning and vulnerability management into CI/CD pipelines.
  • Monitor workloads for runtime anomalies (Falco, Cilium Tetragon, or equivalent).
  • Apply kernel hardening measures (seccomp-bpf, kernel lockdown, IMA/EVM with TPM).
Monitoring & Incident Response
  • Build observability hooks for security events (audit logs,syscallmonitoring, TPM attestations).
  • Define blast radius response runbooks for compromised pods or nodes.
  • Work with SRE and Security teams to test chaos/security drills simulating breaches.
Deliverables
  • K3s cluster baseline hardened with SELinux
    and
    App Armor
    profiles
    .
  • TPM-enabled secure boot and node attestation pipeline.
  • Enforced Pod Security Standards and workload sandboxing (seccomp,gVisor/Kata optional).
  • Documentation of isolation strategies (name spaces, node pools, network segmentation).
  • Audit-ready evidence of compliance with CIS/NSA Kubernetes security benchmarks.
  • Security runbooks for containment and blast radius reduction.
Required Skills & Experience
  • Strong knowledge of K3s/Kubernetes internals
    , especially security features.
  • Hands‑on experience with SELinux,
    App Armor, seccomp, and Linux capabilities
    .
  • Experience with TPM (Trusted Platform Module) for secure boot and attestation.
  • Deep understanding of Pod Security (Pod Security Policies /Standards, OPA/Gatekeeper/Kyverno).
  • Experience implementing RBAC,
    Network Policies, and workload isolation at scale.
  • Proficiency in Linux kernel security mechanisms
    and debugging.
  • Familiarity with container runtimes (containerd, CRI-O,gVisor, Kata) and their security implications.
  • Strong background in incident response, forensic data collection, and audit logging in Kubernetes.
Nice to Have
  • Contributions to Kubernetes SIG-Security
    or open-source security tooling.
  • Experience with supply chain security frameworks (SLSA, NIST 800-190).
  • Familiarity with confidential computing (TEE/SGX/SEV) for workload isolation.
  • Hands‑on with Cilium Tetragon, Falco, or other runtime security tools
    .
  • Knowledge of air-gapped deployments
    and hardened Linux distributions (e.g., Flatcar,Bottlerocket).
#J-18808-Ljbffr
To View & Apply for jobs on this site that accept applications from your location or country, tap the button below to make a Search.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
 
 
 
Search for further Jobs Here:
(Try combinations for better Results! Or enter less keywords for broader Results)
Location
Increase/decrease your Search Radius (miles)

Job Posting Language
Employment Category
Education (minimum level)
Filters
Education Level
Experience Level (years)
Posted in last:
Salary
Advanced Search