Container Runtime Engineer

The Compute Nodes team at Datadog manages the foundational Kubernetes infrastructure that powers our global multi-cloud platform. We're responsible for the entire node layer, from OS and kernel security to GPU infrastructure, storage solutions, and container runtime isolation.

The Compute Sandboxing subteam will own the isolation and execution layer, managing runtime diversity and sandboxing technologies that enable secure multi-tenant execution. We're investing heavily in Kata Containers to deliver security isolation for running untrusted customer code, while exploring alternative sandboxing approaches (gVisor, WebAssembly) for different use case requirements.

This role directly supports Datadog's strategic investment in safe execution of untrusted customer code in multi-tenant infrastructure

You will collaborate with the Job Platform team to deliver isolation capabilities that enable new product features while maintaining performance at scale.

Key Responsibilities

• Design, implement, and maintain container isolation infrastructure across multi-cloud Kubernetes environments, with primary focus on Kata Containers and microVM technologies
• Achieve performance parity for isolated workloads by resolving disk I/O limitations
• Develop new Kata backends for diverse infrastructure requirements, including potential AWS Nitro Enclaves integration
• Evaluate emerging sandboxing technologies (gVisor, WebAssembly, unikernels) for specific workload requirements
• Collaborate with upstream Kata Containers project to contribute improvements and influence roadmap