The Compute Nodes team at Datadog manages the foundational Kubernetes infrastructure that powers our global multi-cloud platform. We're responsible for the entire node layer, from OS and kernel security to GPU infrastructure, storage solutions, and container runtime isolation.
The Compute Sandboxing subteam will own the isolation and execution layer, managing runtime diversity and the sandboxing technologies that enable secure multi-tenant execution. We're investing heavily in Kata Containers to deliver security isolation for running untrusted customer code, while exploring alternative sandboxing approaches (gVisor, WebAssembly) for different use case requirements.
This role directly supports Datadog's strategic investment in the safe execution of untrusted customer code on multi-tenant infrastructure.
You will collaborate with the Job Platform team to deliver isolation capabilities that enable new product features while maintaining performance at scale.
Key Responsibilities
- Design, implement, and maintain container isolation infrastructure across multi-cloud Kubernetes environments, with a primary focus on Kata Containers and microVM technologies
- Achieve performance parity for isolated workloads by resolving disk I/O limitations
- Develop new Kata backends for diverse infrastructure requirements, including potential AWS Nitro Enclaves integration
- Evaluate emerging sandboxing technologies (gVisor, WebAssembly, unikernels) for specific workload requirements
- Collaborate with the upstream Kata Containers project to contribute improvements and influence the roadmap
- Act as subject matter expert on container security isolation, mentoring engineers on isolation best practices
Requirements
- Strong systems programming background with 4 years of experience in container runtimes and Linux kernel primitives
- Hands-on experience with container runtime hardening technologies such as Kata Containers, gVisor, Firecracker, or similar microVM/sandboxing solutions
- Deep understanding of Linux kernel interfaces: namespaces, cgroups, seccomp, capabilities, LSMs, and virtualization (KVM/QEMU)
- Proficiency in systems programming languages (Go, Rust, or C) with the ability to debug low-level code
- Knowledge of container runtime specifications (OCI, CRI) and containerd architecture
Bonus Points
- Upstream contributions to Kata Containers, containerd, gVisor, or related CNCF projects
- Experience with AWS Nitro Enclaves, confidential computing, or hardware security features
- Broad Kubernetes expertise, including storage (CSI), networking (CNI), or device management (CDI, NRI)
- Performance tuning for I/O-intensive workloads in virtualized environments
- Technical leadership experience driving architectural decisions in complex systems
- Familiarity with eBPF, GPU passthrough, or specialized hardware device management