run-as-daemon.dev — Kubernetes & cloud-native security
Loaded: loaded (/etc/systemd/system/run-as-daemon.service; enabled)
Active: active (running) since 2018; 6y+ uptime
Scope: BRICS & international · remote · one engineer, no agency layer
Restart: always

Infrastructure that runs as a daemon.

Kubernetes that stays up, clusters that stay private, supply chains that stay signed. I design, run and secure cloud-native infrastructure — and I'll tell you, plainly, where the real risk is.

6y+ · in production
rootless · by default
BRICS + intl · data-residency aware
eBPF · runtime security
scoped · fixed deliverables
systemctl list-units --type=service

What I run for you.

Each engagement is scoped like a service unit: a clear job, a healthy state, and a restart policy when something breaks at 3 a.m.

unit 01 · active

Kubernetes engineering

Design, run and upgrade clusters that don't surprise you. Bare-metal and self-hosted (K3s / kubeadm), HA control planes, controlled version upgrades, no-drama node lifecycle.

k3s · kubeadm · helm · upgrades

unit 02 · active

Cloud-native security

Defence built into the dataplane: Cilium NetworkPolicy with default-deny, eBPF runtime detection with Tetragon, pod hardening, tight RBAC. Security as architecture, not a scanner bolted on at the end.

cilium · tetragon · netpol · rbac

unit 03 · active

Supply chain & CI/CD

Pipelines that ship without drama. Signed images, SBOMs, reproducible builds, secrets that never live in a manifest. GitHub Actions to a private registry and your own ingress.

gh-actions · sigstore · sbom · secrets

unit 04 · active

Zero-trust networking

Private by default. WireGuard / AmneziaWG mesh between nodes and regions, encrypted east-west traffic, links that survive DPI-heavy and sovereignty-constrained networks across BRICS.

wireguard · amneziawg · mesh · dpi-resistant

unit 05 · active

Incident response & hardening

When it's already on fire: root-cause analysis, secret-leak remediation with coordinated rotation, recovery runbooks so the answer next time is "redeploy," not "archaeology."

forensics · rotation · runbooks · audit

unit 06 · inactive

Not sure which unit you need?

Tell me what you're operating today and where it hurts. I'll map it to a scope — or tell you that you don't need me yet.

$ ./reach-out.sh
cat /etc/run-as-daemon/principles.conf

How I work.

Position and tradeoffs, not a price list. This is where the seniority is.

01

Kubernetes when it earns its keep.

I run Kubernetes well — and I'll tell you when you've outgrown it, or haven't grown into it yet. Most teams under a few dozen services need things scheduled, restarted and secured, not a platform team. The honest answer ships faster than the fashionable one.

02

Reproducible or it didn't happen.

If a node dies, the answer is "redeploy," not "remember." Everything is code: manifests, pipelines, network policy, the cluster itself. No snowflake servers, no undocumented 3 a.m. fixes.

03

Security is architecture, not a scan.

Rootless containers, least-privilege RBAC, network default-deny, secrets out of specs, runtime detection in the kernel. Fewer attack surfaces by design beats a long report of findings after the fact.

04

Boundaries stated up front.

I scope what an audit does and doesn't cover, in writing, before it starts. Direct contact, no account managers, no synergy decks. Specifics of client work stay under NDA — your infrastructure isn't a case study.

uname -a && which everything

The stack I trust.

Boring where it should be, sharp where it matters. Tools chosen because they fail predictably and recover cleanly.

Kubernetes / K3s · orchestration · Lightweight, single-binary control plane for bare-metal and edge — full k8s API without the operational tax.
Cilium · cni, netpol · eBPF dataplane, kube-proxy replacement, identity-aware NetworkPolicy and L7 visibility with Hubble.
Tetragon · runtime sec · Kernel-level process and syscall observability — catches what audit logs miss, enforces in eBPF.
Podman · containers · Rootless, daemonless OCI runtime. Less attack surface by design than a root-owned socket.
Traefik · ingress · Dynamic ingress and TLS termination, automatic certificates, clean routing without YAML sprawl.
WireGuard / AmneziaWG · mesh · Encrypted node-to-node and region-to-region links; obfuscated transport that survives DPI.
GitHub Actions · ci/cd · Build, sign, scan and deploy to a private registry and self-hosted ingress — no third-party control plane.
Rocky Linux · base os · Stable, SELinux-enforcing host base. Predictable lifecycle, no surprises on upgrade.

# this site is built and shipped through the same pipeline I set up for clients — static build, signed, deployed to my own Traefik + Podman via GitHub Actions. dogfood or it didn't happen.

ls -la ~/writeups

Writeups.

Field notes from real clusters — the failures, the tradeoffs, the things that aren't in the docs. This is the main proof of expertise.

2026-05-29 · Read-only filesystem cascades: when a "healthy" volume isn't · storage
2026-05-23 · Cilium kube-proxy-replacement is a windowed op, not zero-downtime · k8s
2026-05-17 · Getting secrets out of RO-kubeconfig-readable specs · security
2026-05-10 · eBPF runtime security with Tetragon: what it catches that audit logs don't · ebpf
2026-04-28 · Keeping clusters private across DPI-heavy networks with AmneziaWG · network
2026-04-15 · Nomad vs Kubernetes for teams under 50 services · architecture

› Full writeups land in phase 2 (Astro/MDX). Want one early? Ask.

journalctl --unit=engagements

Selected engagements.

Anonymised. Patterns, not logos.

legal-tech · production

13-node mesh cluster: flannel → Cilium, hardened end-to-end

Migrated a live multi-region cluster to an eBPF dataplane, moved every plaintext secret out of pod specs, and added runtime detection — without a maintenance outage the users could feel.

loyalty platform · ci/cd

Zero-drama delivery for a payments-adjacent backend

Reproducible GitHub Actions pipelines, signed images, database-backed services with controlled rollouts. Deploys stopped being events.

multi-region · networking

Private mesh across restricted networks

A WireGuard/AmneziaWG backbone linking nodes across jurisdictions with DPI on the path — encrypted, obfuscated, and stable under throttling.

incident · response

Secret-leak remediation under pressure

Mapped the blast radius of a reused credential across hosts, staged a dual-credential rotation, and shipped recovery runbooks so it can't silently recur.

› specifics under NDA. Reference conversations available for serious engagements.

you@your-infra:~$ ./reach-out.sh

Tell me what you're operating today — and where it hurts.

Kubernetes that won't stay up, a cluster you're not sure is private, a pipeline held together by hope, or an audit you've been putting off. One engineer, direct reply.

$ mail hi@run-as-daemon.dev