
Cleared Software Engineer, Infrastructure
Lumbra, Arlington, TX, United States
About the Role
Lumbra is building Nebula, an agentic harness deployed across commercial cloud, on-prem cloud (AWS GovCloud, C2S, or equivalent), and fully air-gapped classified environments. We're looking for a cleared infrastructure engineer to own the onsite deployment pipeline and ensure the harness runs reliably across this spectrum, from managed Kubernetes with limited connectivity to standalone clusters with no internet access at all.
This role requires an active U.S. security clearance (TS/SCI).
What You'll Own
Own the air-gapped deployment pipeline end to end: transferring source code, charts, and configuration to disconnected environments, then building and deploying container images onsite. You need deep experience operating where nothing can be pulled from the internet.
Author and maintain onsite Helm configurations that adapt to each deployment target, whether that means leveraging managed services in an on-prem cloud or replacing them with Kubernetes-native alternatives on standalone clusters. Strong Helm skills and an understanding of environment-specific translation are essential.
Deploy and operate stateful infrastructure services (databases, caching, workflow orchestration, identity, object storage) on bare Kubernetes without managed cloud backends. Comfort with stateful workloads in constrained environments is a must.
Own the onsite cluster management and delivery toolchain, including Rancher for Kubernetes lifecycle management, ArgoCD for GitOps-based deployments, and Harbor as the container registry. Experience operating these tools in disconnected environments is essential.
Manage the secrets lifecycle in classified environments, ensuring all credentials are generated fresh onsite with no secrets transferred on physical media. Rigorous security practices and familiarity with classified handling procedures are required.
Own PKI and certificate management across onsite deployments: CA hierarchies, certificate issuance and rotation, mTLS between services, and trust chain validation in environments where external certificate authorities are unavailable. A fundamental understanding of public key infrastructure is essential.
Build and maintain OCI-compliant container build pipelines (Podman, Buildah) for environments where Docker is not available. Experience with rootless, hardened container tooling is needed.
Troubleshoot Kubernetes issues in environments with no external access: crashed pods, failed migrations, certificate errors, storage problems, all without pulling a debug image or searching the internet. Deep Kubernetes internals knowledge and self-sufficiency are essential.
Profile and optimize system performance in constrained environments: resource utilization, pod scheduling, storage I/O, and network throughput on clusters where you can't simply scale up. Every millisecond and megabyte matters when hardware is fixed and access is limited.
Ensure deployment parity between cloud and onsite by validating that health checks, resource limits, and service configurations stay aligned across both tracks. Own the onsite monitoring architecture that gives the team high visibility into system health, resource utilization, and service status across environments. You'll work closely with the cloud infrastructure team to prevent drift.
Author and maintain database operations tooling (migrations, backup/restore, schema management) that works reliably in disconnected environments using Kubernetes Job templates.
Write deployment procedures, runbooks, and troubleshooting guides that onsite operators can follow independently. Clear technical writing for classified operational contexts is important.
Preferred Qualifications
Experience operating Kubernetes across classified environments: on-prem cloud (GovCloud, C2S), standalone clusters, or SCIF environments at IL4/IL5/IL6
Experience with Rancher, ArgoCD, and Harbor in air-gapped or restricted environments
Prior work with Podman and Buildah for rootless container builds in restricted environments
Experience with identity provider deployment (Keycloak or similar) without cloud backends
Background in workflow orchestration operations (Temporal or similar), especially schema bootstrapping and upgrades without internet access
Familiarity with DoD-hardened base images or STIG compliance
Experience authoring STIGs, SSPs, or ATO documentation for classified deployments
Prior work with cross-domain solutions or data transfer procedures between classification levels
Benefits
Comprehensive medical, dental, and vision plans
Premiums 100% covered by Lumbra for all employees
Exceptionally low premiums for spouses and dependents
Basic life insurance and disability 100% covered for all employees by Lumbra
Option to purchase additional life insurance available
Take the time off that you need, when you need it: paid time off, not accrual based
Generous company holiday calendar including a holiday shutdown in December
Supportive leave of absence program including time off for military service, medical events, and parental leave
Full 401(k) retirement plan for all full-time eligible employees
Company-funded commuter benefits
Free access to on-site gym at office