Cleared Software Engineer, Infrastructure

Posted Yesterday
Arlington, TX, USA
In-Office
Mid level
Artificial Intelligence • Machine Learning • Software • Defense
The Role
Operate and harden air-gapped, classified Kubernetes deployments: build/distribute container images onsite, manage Helm charts, PKI, secrets lifecycle, Rancher/ArgoCD/Harbor toolchain, stateful services, OCI build pipelines (Podman/Buildah), monitoring, runbooks, and troubleshooting where no internet access exists.
Summary Generated by Built In
About the Role

Lumbra is building Nebula, an agentic harness deployed across commercial cloud, on-prem cloud (AWS GovCloud, C2S, or equivalent), and fully air-gapped classified environments. We're looking for a cleared infrastructure engineer to own the onsite deployment pipeline and ensure the harness runs reliably across this spectrum, from managed Kubernetes with limited connectivity to standalone clusters with no internet access at all.

This role requires an active U.S. security clearance (TS/SCI).

What You'll Own
  • Own the air-gapped deployment pipeline end to end: transferring source code, charts, and configuration to disconnected environments, then building and deploying container images onsite. You need deep experience operating where nothing can be pulled from the internet.

  • Author and maintain onsite Helm configurations that adapt to each deployment target, whether that means leveraging managed services in an on-prem cloud or replacing them with Kubernetes-native alternatives on standalone clusters. Strong Helm skills and an understanding of environment-specific translation are essential.

  • Deploy and operate stateful infrastructure services (databases, caching, workflow orchestration, identity, object storage) on bare Kubernetes without managed cloud backends. Comfort with stateful workloads in constrained environments is a must.

  • Own the onsite cluster management and delivery toolchain including Rancher for Kubernetes lifecycle management, ArgoCD for GitOps-based deployments, and Harbor as the container registry. Experience operating these tools in disconnected environments is essential.

  • Manage the secrets lifecycle in classified environments, ensuring all credentials are generated fresh onsite with no secrets transferred on physical media. Rigorous security practices and familiarity with classified handling procedures are required.

  • Own PKI and certificate management across onsite deployments: CA hierarchies, certificate issuance and rotation, mTLS between services, and trust chain validation in environments where external certificate authorities are unavailable. A fundamental understanding of public key infrastructure is essential.

  • Build and maintain OCI-compliant container build pipelines (Podman, Buildah) for environments where Docker is not available. Experience with rootless, hardened container tooling is needed.

  • Troubleshoot Kubernetes issues in environments with no external access: crashed pods, failed migrations, certificate errors, storage problems, all without pulling a debug image or searching the internet. Deep Kubernetes internals knowledge and self-sufficiency are essential.

  • Profile and optimize system performance in constrained environments: resource utilization, pod scheduling, storage I/O, and network throughput on clusters where you can't simply scale up. Every millisecond and megabyte matters when hardware is fixed and access is limited.

  • Ensure deployment parity between cloud and onsite by validating that health checks, resource limits, and service configurations stay aligned across both tracks. Own the onsite monitoring architecture that gives the team high visibility into system health, resource utilization, and service status across environments. You'll work closely with the cloud infrastructure team to prevent drift.

  • Author and maintain database operations tooling (migrations, backup/restore, schema management) that works reliably in disconnected environments using Kubernetes Job templates.

  • Write deployment procedures, runbooks, and troubleshooting guides that onsite operators can follow independently. Clear technical writing for classified operational contexts is important.

Preferred Qualifications
  • Experience operating Kubernetes across classified environments: on-prem cloud (GovCloud, C2S), standalone clusters, or SCIF environments at IL4/IL5/IL6

  • Experience with Rancher, ArgoCD, and Harbor in air-gapped or restricted environments

  • Prior work with Podman and Buildah for rootless container builds in restricted environments

  • Experience with identity provider deployment (Keycloak or similar) without cloud backends

  • Background in workflow orchestration operations (Temporal or similar), especially schema bootstrapping and upgrades without internet access

  • Familiarity with DoD-hardened base images or STIG compliance

  • Experience authoring STIGs, SSPs, or ATO documentation for classified deployments

  • Prior work with cross-domain solutions or data transfer procedures between classification levels

Benefits
  • Comprehensive medical, dental, and vision plans

  • Premiums 100% covered by Lumbra for all employees

  • Exceptionally low premiums for spouses and dependents

  • Basic life insurance and disability 100% covered for all employees by Lumbra

  • Option to purchase additional life insurance available

  • Take the time off that you need, when you need it: paid time off, not accrual based

  • Generous company holiday calendar including a holiday shutdown in December

  • Supportive leave of absence program including time off for military service, medical events, and parental leave

  • Full 401(k) retirement plan for all full-time eligible employees

  • Company-funded commuter benefits

  • Free access to on-site gym at office

Skills Required

  • Active U.S. security clearance (TS/SCI)
  • Deep experience operating air-gapped/disconnected deployments with no internet access
  • Strong Helm skills and ability to author/maintain environment-specific Helm configurations
  • Deploy and operate stateful infrastructure services on bare Kubernetes without managed cloud backends
  • Operate cluster management and delivery toolchain (Rancher, ArgoCD, Harbor) in disconnected environments
  • Manage secrets lifecycle in classified environments with rigorous classified handling procedures
  • PKI and certificate management: CA hierarchies, issuance/rotation, mTLS, trust chain validation offline
  • Build and maintain OCI-compliant container build pipelines using Podman and Buildah (rootless/hardened)
  • Deep Kubernetes internals knowledge and ability to troubleshoot without external access
  • Profile and optimize system performance in resource-constrained clusters (scheduling, storage I/O, networking)
  • Author and maintain database operations tooling (migrations, backup/restore) using Kubernetes Job templates
  • Write clear deployment procedures, runbooks, and troubleshooting guides for onsite operators in classified contexts
  • Experience operating Kubernetes across classified environments (GovCloud, C2S, standalone clusters, SCIFs)
  • Prior work with Podman and Buildah for rootless container builds in restricted environments
  • Experience with identity provider deployment (Keycloak or similar) without cloud backends
  • Background in workflow orchestration operations (Temporal or similar) and schema bootstrapping/upgrades offline
  • Familiarity with DoD-hardened base images or STIG compliance
  • Experience authoring STIGs, SSPs, or ATO documentation for classified deployments
  • Experience with cross-domain solutions or classified data transfer procedures

The Company
17 Employees

What We Do

Lumbra is an AI company building the architecture for autonomous intelligence in the intelligence community. They are developing frameworks, orchestration layers, and agentic operating systems, including Nebula—an agentic harness designed to make AI agents reliable, evaluable, and useful for real analytical work in high-consequence environments. The team consists of engineers and operators from the intelligence community, special operations, and frontier AI research.
