Container Runtime Engineer

The Compute Nodes team at Datadog manages the foundational Kubernetes infrastructure that powers our global multi-cloud platform. We're responsible for the entire node layer, from OS and kernel security to GPU infrastructure, storage solutions, and container runtime isolation. The Compute Sandboxing subteam will own the isolation and execution layer, managing runtime diversity and sandboxing technologies that enable secure multi-tenant execution. We're investing heavily in Kata Containers to deliver security isolation for running untrusted customer code, while exploring alternative sandboxing approaches (gVisor, WebAssembly) for different use case requirements. This role directly supports Datadog's strategic investment in safe execution of untrusted customer code in multi-tenant infrastructure You will collaborate with the Job Platform team to deliver isolation capabilities that enable new product features while maintaining performance at scale. Key Responsibilities Design, implement, and maintain container isolation infrastructure across multi-cloud Kubernetes environments, with primary focus on Kata Containers and microVM technologies Achieve performance parity for isolated workloads by resolving disk I/O limitations Develop new Kata backends for diverse infrastructure requirements, including potential AWS Nitro Enclaves integration Evaluate emerging sandboxing technologies ( gVisor , WebAssembly , unikernels ) for specific workload requirements Collaborate with upstream Kata Containers project to contribute improvements and influence roadmap Act as subject matter expert on container security isolation, mentoring engineers on isolation best practices Requirements Strong systems programming background with 4+ years of experience in container runtimes and Linux kernel primitives Hands-on experience with container runtime hardening technologies like Kata Containers, gVisor, Firecracker, or similar microVM/sandboxing solutions Deep understanding of Linux kernel interfaces: namespaces, cgroups, seccomp, capabilities, LSMs, and virtualization (KVM/QEMU) Proficiency in systems programming languages (Go, Rust, or C) with ability to debug low-level code Knowledge of container runtime specifications (OCI, CRI) and containerd architecture Bonus Points Upstream contributions to Kata Containers, containerd, gVisor, or related CNCF projects Experience with AWS Nitro Enclaves, confidential computing, or hardware security features Broad Kubernetes expertise including storage (CSI), networking (CNI), or device management (CDI, NRI) Performance tuning for I/O-intensive workloads in virtualized environments Technical leadership experience driving architectural decisions in complex systems Familiarity with eBPF, GPU passthrough, or specialized hardware device management Datadog values people from all walks of life. We understand not everyone will meet all the above qualifications on day one. That's okay. If you’re passionate about technology and want to grow your skills, we encourage you to apply. Benefits and Growth: New hire stock equity (RSUs) and employee stock purchase plan (ESPP) Continuous professional development, product training, and career pathing Intradepartmental mentor and buddy program for in-house networking An inclusive company culture, ability to join our Community Guilds (Datadog employee resource groups) Free, global Spring Health benefits for employees and dependents age 6+ Competitive global benefits and giving programs Benefits and Growth listed above may vary based on the country of your employment and the nature of your employment with Datadog. #LI-Hybrid Datadog offers a competitive salary and equity package, and may include variable compensation. Actual compensation is based on factors such as the candidate's skills, qualifications, and experience. In addition, Datadog offers a wide range of best in class, comprehensive and inclusive employee benefits for this role includi ... (truncated, view full listing at source)