Container Runtime Engineer

<p data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">The Compute Nodes team at Datadog manages the foundational Kubernetes infrastructure that powers our global multi-cloud platform. We're responsible for the entire node layer, from OS and kernel security to GPU infrastructure, storage solutions, and container runtime isolation.</p> <p data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">The <strong data-prosemirror-content-type="mark" data-prosemirror-mark-name="strong">Compute Sandboxing</strong> subteam will own the isolation and execution layer, managing runtime diversity and sandboxing technologies that enable secure multi-tenant execution. We're investing heavily in <a href="https://github.com/kata-containers/kata-containers" data-prosemirror-content-type="mark" data-prosemirror-mark-name="link"><strong data-prosemirror-content-type="mark" data-prosemirror-mark-name="strong"><u data-prosemirror-content-type="mark" data-prosemirror-mark-name="underline">Kata Containers</u></strong></a> to deliver security isolation for running untrusted customer code, while exploring alternative sandboxing approaches (gVisor, WebAssembly) for different use case requirements.</p> <p data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">This role directly supports Datadog's strategic investment in safe execution of untrusted customer code in multi-tenant infrastructure</p> <p data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">You will collaborate with the Job Platform team to deliver isolation capabilities that enable new product features while maintaining performance at scale.</p> <h3 data-prosemirror-content-type="node" data-prosemirror-node-name="heading" data-prosemirror-node-block="true">Key Responsibilities</h3> <ul> <li data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">Design, implement, and maintain container isolation infrastructure across multi-cloud Kubernetes environments, with primary focus on Kata Containers and microVM technologies</li> <li data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">Achieve performance parity for isolated workloads by resolving disk I/O limitations</li> <li data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">Develop new Kata backends for diverse infrastructure requirements, including potential <a href="https://aws.amazon.com/ec2/nitro/nitro-enclaves/" data-prosemirror-content-type="mark" data-prosemirror-mark-name="link"><u data-prosemirror-content-type="mark" data-prosemirror-mark-name="underline">AWS Nitro Enclaves</u></a> integration</li> <li data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">Evaluate emerging sandboxing technologies (<a href="https://gvisor.dev/" data-prosemirror-content-type="mark" data-prosemirror-mark-name="link"><u data-prosemirror-content-type="mark" data-prosemirror-mark-name="underline">gVisor</u></a>, <a href="https://www.cncf.io/blog/2024/03/12/webassembly-on-kubernetes-from-containers-to-wasm-part-01/" data-prosemirror-content-type="mark" data-prosemirror-mark-name="link"><u data-prosemirror-content-type="mark" data-prosemirror-mark-name="underline">WebAssembly</u></a>, <a href="https://unikraft.org/" data-prosemirror-content-type="mark" data-prosemirror-mark-name="link"><u data-prosemirror-content-type="mark" data-prosemirror-mark-name="underline">unikernels</u></a>) for specific workload requirements</li> <li data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-prosemirror-node-block="true">Collaborate with upstream Kata Containers project to contribute improvements and influence roadmap</li> <li data-prosemirror-content-type="node" data-prosemirror-node-name="paragraph" data-p