Systems Automation Engineer
Indexed description
Description
The Systems Automation Engineer architects, secures, and sustains a fully air-gapped, multi-account Kubernetes platform in AWS GovCloud, built on RHEL, RKE2, and self-managed GitLab. This role is built on an automation-first mindset infrastructure-as-code, one-shot repeatable deployments, CI/CD pipelines, and containerization to deliver highly scalable, resilient, and secure solutions in a disconnected environment. The engineer eliminates manual processes in favor of bundled, offline-reproducible deployments, embeds DevSecOps and zero-trust identity across the full system lifecycle, and operates the platform to meet NIST, RMF, STIG, and IL5/IL6/TS-SCI requirements.
Platform & Infrastructure Engineering
- Designing, deploying, and sustaining RHEL 8/9/10 environments and RKE2 Kubernetes clusters across multiple AWS accounts and VPCs
- Operating the cluster control plane and per-environment agent pools (dev/test/staging/prod) with node labeling, taints, and workload isolation
- Performing hardening, patching, and performance tuning in a disconnected environment using bundled RPM delivery (no upstream repos), SELinux, and host firewalls
- Administering platform-native core services CoreDNS, AWS Route 53, ingress/load balancing, and certificate lifecycle (cert-manager / TLS secrets)
- Designing HA/DR and resilience multi-node control planes, automated backup/restore of stateful workloads (PVCs, GitLab, databases), and failover across availability zones
- Architecting and managing AWS GovCloud environments (EC2, S3, EBS, VPC, IAM, Route 53) across multiple accounts with cross-account roles, key pairs, and AMI strategy
- Designing secure, scalable multi-VPC network architectures Transit Gateway meshes, subnets, routing, and CIDR-based security-group rules (cross-VPC SG references are not available in GovCloud)
- Implementing all infrastructure as code with Terraform (reusable per-VPC modules, cross-account providers, programmatically rendered variables)
- Standing up and operating an in-environment OCI/container registry and bootstrap services for offline image distribution
- Optimizing cloud cost, performance, and availability through right-sizing, repeatable destroy/redeploy, and monitoring
- Building and sustaining CI/CD pipelines on self-managed GitLab EE, including version-ladder upgrades, the container registry, and auto-registered Kubernetes runners
- Integrating DevSecOps container/image CVE scanning (e.g., Trivy, Grype, Clair), secrets management, and policy/gating in pipelines
- Operating container build and delivery tooling (Docker/podman, kaniko, Helm) with helm-template-derived, air-gap-reproducible image bundles
- Implementing GitOps delivery with ArgoCD (pull-based, per-app Applications, environment promotion and prod gating)
- Developing automation that eliminates manual intervention single-command, phase-driven deployments validated end-to-end before delivery
- Engineering self-contained, offline deployment bundles (RPMs, OCI images, Helm charts, binaries) for reproducible installs in disconnected networks
- Writing and maintaining automation in Ansible, Python, and Bash; automating provisioning, configuration management, and patching
- Maintaining idempotent, resumable deploy/upgrade/teardown workflows
- Implementing zero-trust identity and SSO with Keycloak (OIDC/SAML), federating platform services (GitLab, ArgoCD, monitoring, admin UIs) and supporting CAC/PIV X.509 smart-card authentication
- Implementing system hardening in accordance with DISA STIGs and NIST baselines as automated, repeatable controls
- Supporting RMF/ATO processes authoring control evidence, security documentation, POA&M items, and continuous-monitoring inputs
- Implementing centralized logging, monitoring, and alerting (Elastic/SIEM, host/audit telemetry, and AWS-native sources where applicable)
- Ensuring IL5/IL6/TS-SCI compliance through enforced security controls, secrets-at-rest protection, and system hardening
- Standing up and operating monitoring/observability (Prometheus, Grafana, node/cluster metrics) and vulnerability scanning (ACAS Tenable.sc/Nessus)
- Monitoring system performance, availability, and capacity to ensure reliability and scalability
- Troubleshooting complex, cross-component issues across the platform (networking, DNS, container runtime, registry, identity) to restore operations
- Providing Tier III support and leading root-cause analysis to resolve issues and prevent recurrence
- Maintaining architecture documentation, deployment guides, and standard operating procedures/runbooks
- Five plus years of experience in systems/infrastructure engineering with strong Linux (RHEL 8/9/10) depth
- Five plus years of experience in DevSecOps, automation, and AWS cloud environments
- Strong hands-on experience with AWS core services and multi-account/VPC networking
- Production experience operating Kubernetes (RKE2 preferred) RBAC, ingress, Helm, troubleshooting
- Experience with scripting/automation in Ansible, Python, and Bash
- Hands-on experience with Infrastructure as Code (Terraform)
- Experience building and sustaining CI/CD pipelines (GitLab)
- Working knowledge of networking fundamentals (routing, host firewalls, load balancers, DNS)
- Experience applying DISA STIG / NIST hardening and supporting RMF/ATO in DoD or regulated environments
- Ability to obtain/maintain a security clearance consistent with IL5/IL6/TS-SCI work
- Red Hat Certified System Administrator (RHCSA) or higher
- Certified Kubernetes Administrator (CKA)
- CompTIA Security+ (or higher, e.g., CISSP) DoD 8570/8140 baseline
- AWS Certified Solutions Architect (Associate or Professional)
- Experience with Kubernetes (RKE2, EKS, OpenShift, NKP, Rancher Federal, or similar)
- Knowledge of zero-trust architecture and modern identity solutions
- Experience with HashiCorp Vault, ArgoCD, or GitOps workflows, and service mesh technologies
- Familiarity with monitoring tools (Prometheus, Grafana)
- Experience in DoD or regulated environments (RMF, IL5/IL6/TS-SCI)
- Locally within US Space Command's Colorado Springs AOR. Peterson SFB, Schriever SFB and other locations in Colorado Springs
- Up to two weeks per month to US Space Command facilities at Redstone Arsenal, Hunstville Alabama
SRC offers a generous benefit package, including medical, dental, and vision plans, 401(k) with a company match, life insurance, vacation and sick paid time off accruals with amounts increasing based on role and years of service, 11 paid holidays, tuition reimbursement, and a work environment that encourages excellence and more. For positions requiring a security clearance, selected applicants will be subject to a government security investigation and must meet eligibility requirements for access to classified information.
EEO
Scientific Research Corporation is an equal opportunity employer that does not discriminate in employment.
All qualified applicants will receive consideration for employment without regard to their race, color, religion, sex, age, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other protected characteristic under federal, state or local law.
Scientific Research Corporation endeavors to make www.scires.com accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact [email protected] for assistance. This contact information is for accommodation requests only and cannot be used to inquire about the status of applications.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search