Kubernetes Security Engineer
At Capgemini Engineering, the world leader in engineering services, we bring together a global team of engineers, scientists, and architects to help the world’s most innovative companies unleash their potential. From autonomous cars to life-saving robots, our digital and software technology experts think outside the box as they provide unique R&D and engineering services across all industries. Join us for a career full of opportunities. Where you can make a difference. Where no two days are the same.
About the role you're considering
We’re seeking a Kubernetes Security Engineer to help design and operate security‑first platforms for complex, multi‑tenant environments. In this role, you’ll architect and deploy hardened Kubernetes clusters across diverse hardware architectures, applying advanced Linux security controls, hardware‑rooted trust, and least‑privilege principles to protect critical workloads. You’ll work hands‑on with modern container runtimes, supply‑chain security, and runtime threat detection, collaborating closely with infrastructure, SRE, and security teams to build resilient systems that minimize risk and scale securely.
Your role
- Architect and deploy security-first Kubernetes cluster configurations across diverse hardware platforms, including x86, ARM, and accelerators.
- Enforce Linux security modules (SELinux, AppArmor) and sandboxing techniques (seccomp, gVisor, Kata) to protect workloads and system services.
- Integrate TPM for secure boot and attestation, ensuring hardware and OS integrity, and support cryptographic operations with HSM/KMS systems.
- Design multi-tenant isolation strategies using namespaces, node pools, and hardware partitioning to prevent lateral movement and reduce blast radius.
- Apply least-privilege policies using RBAC, PodSecurityStandards, NetworkPolicies, and resource constraints to secure workload execution and mitigate denial-of-service risks.
- Harden Kubernetes components (API server, etcd, kubelet) using CIS and NSA benchmarks, and implement kernel-level protections like seccomp-bpf and IMA/EVM.
- Secure workload secrets using TPM-backed storage and tools like SealedSecrets, HashiCorp Vault, or SOPS for safe distribution and access control.
- Strengthen supply chain security through image signing (cosign, Notary), SBOM scanning, and CI/CD vulnerability management.
- Monitor runtime behavior with tools like Falco and Cilium Tetragon, and collaborate with SRE and Security teams to develop incident response runbooks and conduct breach simulation drills.
Your skills and experience
- Bachelor’s degree in Computer Science, Engineering, or a related technical field, with 8–10 years of experience in infrastructure, security, or systems engineering.
- Deep expertise in Kubernetes internals, including cluster hardening, multi-tenant isolation, and security architecture.
- Advanced proficiency in Linux security features such as SELinux, AppArmor, seccomp, and kernel-level protections.
- Hands-on experience with TPM for secure boot, attestation, and integration with HSM/KMS for cryptographic operations and secrets management.
- Strong understanding of Pod Security frameworks (PodSecurityStandards, OPA, Gatekeeper, Kyverno) and implementation of RBAC, NetworkPolicies, and workload isolation at scale.
- Familiarity with container runtimes (containerd, CRI-O, gVisor, Kata) and their security implications in hybrid environments.
- Experience with runtime and supply chain security tools and frameworks, including Falco, Cilium Tetragon, cosign, Notary, SLSA, and NIST 800-190.
- Knowledge of confidential computing (TEE, SGX, SEV), air-gapped deployments, and hardened Linux distributions like Flatcar and Bottlerocket.
The base compensation range for this role in the posted location is: $76,200 - $187,740
Capgemini provides compensation range information in accordance with applicable national, state, provincial, and local pay transparency laws. The base compensation range listed for this position reflects the minimum and maximum target compensation Capgemini, in good faith, believes it may pay for the role at the time of this posting. This range may be subject to change as permitted by law.
The actual compensation offered to any candidate may fall outside of the posted range and will be determined based on multiple factors legally permitted in the applicable jurisdiction.
These may include, but are not limited to: geographic location, education and qualifications, certifications and licenses, relevant experience and skills, seniority and performance, market and business consideration, and internal pay equity.
It is not typical for candidates to be hired at or near the top of the posted compensation range.
In addition to base salary, this role may be eligible for additional compensation such as variable incentives, bonuses, or commissions, depending on the position and applicable laws.
Capgemini offers a comprehensive, non-negotiable benefits package to all regular, full-time employees. In the U.S. and Canada, available benefits are determined by local policy and eligibility and may include:
- Paid time off based on employee grade (A-F), defined by policy: vacation (12-25 days, depending on grade), company-paid holidays, personal days, and sick leave
- Medical, dental, and vision coverage (or provincial healthcare coordination in Canada)
- Retirement savings plans (e.g., 401(k) in the U.S., RRSP in Canada)
- Life and disability insurance
- Employee assistance programs
- Other benefits as provided by local policy and eligibility
Important Notice: Compensation (including bonuses, commissions, or other forms of incentive pay) is not considered earned, vested, or payable until it becomes due under the terms of applicable plans or agreements and is subject to Capgemini’s discretion, consistent with applicable laws. The Company reserves the right to amend or withdraw compensation programs at any time, within the limits of applicable legislation.
Disclaimers
Capgemini is an Equal Opportunity Employer encouraging inclusion in the workplace. Capgemini also participates in the Partnership Accreditation in Indigenous Relations (PAIR) program which supports meaningful engagement with Indigenous communities across Canada by promoting fairness, accessibility, inclusion and respect. We value the rich cultural heritage and contributions of Indigenous Peoples and actively work to create a welcoming and respectful environment. All qualified applicants will receive consideration for employment without regard to race, national origin, gender identity/expression, age, religion, disability, sexual orientation, genetics, veteran status, marital status or any other characteristic protected by law.
This is a general description of the Duties, Responsibilities and Qualifications required for this position. Physical, mental, sensory or environmental demands may be referenced in an attempt to communicate the manner in which this position traditionally is performed. Whenever necessary to provide individuals with disabilities an equal employment opportunity, Capgemini will consider reasonable accommodations that might involve varying job requirements and/or changing the way this job is performed, provided that such accommodation does not pose an undue hardship. Capgemini is committed to providing reasonable accommodation during our recruitment process. If you need assistance or accommodation, please reach out to your recruiting contact.
Please be aware that Capgemini may capture your image (video or screenshot) during the interview process and that image may be used for verification, including during the hiring and onboarding process.
Capgemini is a global business and technology transformation partner, helping organizations to accelerate their dual transition to a digital and sustainable world, while creating tangible impact for enterprises and society. It is a responsible and diverse group of 340,000 team members in more than 50 countries. With a strong heritage of over 55 years, Capgemini is trusted by its clients to unlock the value of technology to address the entire breadth of their business needs. It delivers end-to-end services and solutions leveraging strengths from strategy and design to engineering, all fueled by its market-leading capabilities in AI, generative AI, cloud and data, combined with its deep industry expertise and partner ecosystem.