Orbis is seeking a Senior Network Engineer to own medium-sized features and cross-component surfaces end to end within Catalyst — their secure, multi-cluster service mesh platform. The role involves setting the architecture for feature areas, driving testing standards, and leading design direction for various systems.
Responsibilities:
- Own architecture for medium-sized features end to end; identify cross-cutting concerns and flag them before they become problems
- Trace and debug requests across the full mesh request flow: DNS, TLS/SNI routing, policy authorization, and inter-cluster tunnel forwarding
- Design and implement control plane features: event pipeline stages, state mutation logic, route acceptance algorithms, and plugin-based side-effect systems
- Own and extend policy-as-code authorization: identity extraction, entity modeling, evaluation semantics, and policy lifecycle management
- Define testing standards for your feature area; drive shift-left testing practices and own the quality bar
- Participate in on-call rotation; conduct post-mortems with actionable follow-ups; own operational health for your surfaces
- Formally mentor junior engineers; lead team rituals including retros, standups, and planning sessions
Requirements:
- 4–7 years of experience in infrastructure, networking, or platform engineering with demonstrated ownership of meaningful product surfaces
- Deep understanding of multi-hop service mesh request flows: DNS-based service discovery, TLS/SNI-based proxy filter chain selection, external authorization via policy engines, and encrypted tunnel forwarding between clusters using QUIC/HTTP3 with mTLS
- Thorough knowledge of event-driven control plane architectures: serialized dispatch pipelines, pure/deterministic state mutation functions, journal-backed state with crash recovery via event replay, and plugin-based side-effect systems
- Experience with routing information base (RIB) or route table logic: route acceptance/rejection based on loop detection, path length comparison, staleness, and convergence behavior in distributed routing systems
- Complete understanding of policy-as-code authorization in a service mesh context: identity extraction from mTLS certificates (SPIFFE URIs), hierarchical entity modeling, evaluation semantics (permit, forbid, default-deny, fail-closed), and policy hot-reload
- Working knowledge of distributed peer connection lifecycle management: state machine modeling, reconnection with exponential backoff, graceful and error-driven teardown, and operator vs. protocol-initiated transitions
- Experience making architectural decisions within distributed systems and living with their consequences; comfortable leading design direction independently
- Applicants must include a link to their GitHub profile within their resume, demonstrating relevant code repositories, projects, and contributions that reflect their technical experience and capabilities
- Experience with worker thread isolation patterns that separate I/O-bound operations (peer connections, filesystem writes, DNS zone generation) from a main event loop
- Understanding of certificate-bound JWT tokens: ECDSA signing (ES384), certificate thumbprint binding (RFC 8705), and JWKS-based distributed verification
- Ability to articulate the tradeoffs between different service mesh authorization models: per-RPC application-layer JWT auth vs. per-connection network-layer mTLS-based policy enforcement
- Experience in mission-critical or national security environments where auditability, security, and operational reliability are foundational requirements
- Willingness to travel 10–20% for customer engagement, integration support, or team collaboration