sushink70 - Overview

Hi there 👋 I'm Sushin K

I'm a Senior Cloud Security Software Engineer with more than 7 years of experience building secure, scalable cloud-native systems. Based in Bengaluru, I specialize in securing Kubernetes clusters, container runtimes, service meshes, and cloud infrastructure through code. I focus on security-first design for distributed systems, building tools that harden cloud workloads, and automating security controls at scale across AWS, GCP, and on-premise data centers.

Core Skills:

  • Languages: Go, Rust, Python, TypeScript, C/C++, Zig, Assembly (x86-64, ARM64), Bash/Shell scripting, Lua, eBPF C
  • Core CS Concepts: Data Structures and Algorithms, OOP concepts, Distributed systems, Concurrency patterns, Consensus algorithms (Raft, Paxos), CAP theorem, Event-driven architecture, CQRS/Event Sourcing, Microservices patterns, Zero-trust architecture
  • Cloud & Platforms: AWS, Azure, GCP, Kubernetes (EKS, GKE, AKS), RHEL, Crossplane, Terraform, OpenStack, VMware vSphere, Proxmox, CloudStack, Pulumi, Ansible, OpenShift, Rancher, k3s, k0s, Talos Linux
  • Containers & Observability: containerd, CRI-O, Docker, Helm, Prometheus, Grafana, OpenTelemetry, Jaeger, Tempo, Loki, Fluentd, Fluent Bit, Thanos, Cortex, VictoriaMetrics, Datadog, New Relic, Elastic Stack (ELK), Kiali, Pixie
  • Kernel & Low-Level: eBPF, XDP, io_uring, cgroups, namespaces, seccomp, AppArmor, SELinux, Landlock LSM, nftables, iptables, DPDK, AF_XDP, BPF CO-RE, libbpf, bpftrace
  • Security & Compliance: Falco, MITRE ATT&CK, SPIRE/SPIFFE, cert-manager, Aqua, Tracee, Tetragon, in-toto, Sigstore (Cosign, Rekor, Fulcio), Notary, Harbor, Trivy, Grype, Syft, Clair, Snyk, OPA (Open Policy Agent), Kyverno, Gatekeeper, Vault, External Secrets Operator, Sealed Secrets, KMS (AWS/Azure/GCP), Keycloak, Dex, OAuth2-Proxy, Istio AuthZ, Linkerd Policy, Envoy external authz, CIS Benchmarks, NIST frameworks, PCI-DSS, SOC 2, ISO 27001
  • Networking & Mesh: BGP, NATS, mTLS, gRPC, CNI, Cilium, Calico, Istio, Linkerd, Consul, Envoy, Traefik, NGINX, HAProxy, CoreDNS, MetalLB, Multus, Weave Net, Flannel, VPN (WireGuard, IPsec), VXLAN, Geneve, OSI model, TCP/IP stack, HTTP/2, HTTP/3 (QUIC), Service Mesh Interface (SMI), Gateway API, Ingress controllers
  • Runtime & Execution: wasmCloud, WasmEdge, Wasmtime, gVisor, Kata Containers, Firecracker, Cloud Hypervisor, QEMU/KVM, runc, crun, youki, Podman, Lima, Inclavare Containers, SGX enclaves, AMD SEV, Confidential Computing
  • Libraries & SDKs: kube-rs, client-go, controller-runtime, Kubernetes Operator SDK, AWS SDK (Boto3, aws-sdk-go), Azure SDK, Google Cloud Client Libraries, Tokio, async-std, actix, axum, hyper, tonic (gRPC), prost (protobuf), serde, clap, crossbeam, rayon
  • Database & Data Infrastructure: PostgreSQL RLS, TDE, pgaudit, MongoDB RBAC, Vitess, CockroachDB, TiDB, etcd, Consul KV, Redis, Valkey, KeyDB, Dragonfly, Apache Cassandra, ScyllaDB, ClickHouse, TimescaleDB, InfluxDB, DynamoDB, CosmosDB, Spanner, Patroni, Stolon, PgBouncer, ProxySQL
  • Security Practices: Secret rotation, Zero-trust networking, Defense in depth, Least privilege access, Threat modeling (STRIDE, DREAD), Security by design, Secure SDLC, Shift-left security, Penetration testing, Red team/Blue team, Vulnerability management, Incident response (NIST, SANS), Chaos engineering, Fuzzing (AFL, LibFuzzer, cargo-fuzz), SAST/DAST, SCA, SBOM, Supply chain security, Air-gapped deployments
  • DevSecOps: GitHub Actions, GitLab CI, Jenkins, Argo (CD/Workflows/Rollouts/Events), Flux, Tekton, Spinnaker, CircleCI, Drone CI, Buildkite, Prow, SonarQube, Semgrep, CodeQL, Dependabot, Renovate, Checkov, Terrascan, tfsec, Anchore, Artifactory, Nexus, Container registries (Harbor, ECR, ACR, GCR, GHCR)

🔭 I'm currently working on:

❤️ Rust 🦀 + Go for cloud security tooling

  • Cloud-native security automation at Lumen Technologies: Building Kubernetes admission controllers, OPA policies, and security operators using Go/Rust
  • Container runtime security: Developing eBPF-based runtime security monitors and syscall filtering for containerd/CRI-O
  • Infrastructure security: Hardening service mesh configurations (Istio/Linkerd), implementing mTLS at scale, and automating zero-trust network policies
  • Personal projects:
    • Kubernetes security scanner (Rust + kube-rs)
    • Cloud workload identity and SPIFFE/SPIRE integrations
    • Infrastructure-as-code security scanner for Terraform/Pulumi
    • eBPF-based DDoS mitigation for cloud workloads

🌱 I'm currently learning:

  • CNCF security ecosystem: Falco, Tetragon, Cilium, OPA/Gatekeeper, cert-manager, Sigstore
  • eBPF for cloud security: Building runtime security tools with Aya (Rust) and libbpf-rs
  • Zero-trust architectures: SPIFFE/SPIRE, Istio ambient mesh, BeyondCorp patterns
  • Supply chain security: In-toto, SLSA, image signing with Cosign/Sigstore
  • Advanced Kubernetes security: Pod Security Standards, seccomp/AppArmor profiles, admission control
  • Cloud-native threat detection: Building detection rules for Falco, integrating with SIEM/SOAR

🚀 I'm looking to collaborate on:

  • CNCF security projects: Contributing to Falco, Cilium, OPA, Tetragon, or similar runtime/network security tools
  • Open-source Kubernetes security: Admission controllers, security operators, policy engines
  • Cloud security automation: Infrastructure scanning, compliance-as-code, security posture management
  • eBPF security tooling: Runtime security, network policy enforcement, observability

🤔 I'm looking for help with:

  • Scaling eBPF-based security solutions across heterogeneous Kubernetes clusters (kernel version compatibility)
  • Optimizing Rust async runtime performance for high-throughput security event processing (Tokio vs async-std tradeoffs)

💬 Ask me about:

  • Kubernetes security: Hardening clusters, Pod Security Standards, admission control, RBAC design, secrets management (Vault, External Secrets Operator)
  • Container security: Image scanning (Trivy, Grype), runtime protection, seccomp/AppArmor, rootless containers
  • Service mesh security: Istio/Linkerd configuration, mTLS automation, authorization policies
  • Cloud infrastructure security: AWS Security Hub, GCP Security Command Center, IAM policy automation
  • IaC security: Terraform/Pulumi best practices, policy-as-code with OPA/Sentinel
  • Network security in cloud: Calico, Cilium, network policies, microsegmentation

📫 How to reach me:

😄 Pronouns: He/Him

⚡ Fun fact:

I've automated security compliance across 1000+ cloud workloads and reduced container vulnerability remediation time by 75% through CI/CD pipeline integration!

🛠️ Cloud Security Tech Stack

Core Languages: Rust, Go, Python, C/C++
Orchestration/Control Plane: TypeScript, Python, Bash

Cloud Native & Kubernetes

  • Platforms: Kubernetes, OpenShift, EKS, GKE, AKS
  • Container Runtimes: containerd, CRI-O, Docker
  • Service Mesh: Istio, Linkerd, Cilium
  • Policy & Admission: OPA/Gatekeeper, Kyverno, Falco
  • Observability: Prometheus, Grafana, Jaeger, OpenTelemetry
  • Secret Management: HashiCorp Vault, External Secrets Operator, Sealed Secrets

Security & Compliance

  • Runtime Security: Falco, Tetragon, Tracee, Sysdig
  • Network Security: Cilium, Calico, Network Policies
  • Image Security: Trivy, Grype, Clair, Harbor
  • Supply Chain: Cosign, Sigstore, in-toto, SLSA
  • eBPF Tools: Aya (Rust), libbpf, bpftrace
  • Policy as Code: OPA (Rego), Cedar, Kyverno policies
  • Security Testing: OWASP ZAP, Nuclei, Burp Suite, Metasploit

Cloud Platforms & Infrastructure

  • Cloud Providers: AWS (EKS, GuardDuty, Security Hub, IAM, KMS), GCP (GKE, Security Command Center, Workload Identity)
  • IaC: Terraform, Pulumi, Crossplane, Helm
  • CI/CD: GitHub Actions, GitLab CI, ArgoCD, Flux
  • Identity: SPIFFE/SPIRE, OAuth2/OIDC, Workload Identity

Systems & Low-Level

  • Languages: Rust (kube-rs, tokio, aya), Go (client-go, operator-sdk), C++
  • Datastores: PostgreSQL, ScyllaDB, etcd, Redis
  • Sandboxing: gVisor, Kata Containers, Firecracker

🚀 Key Cloud Security Projects

Production Systems (Lumen Technologies)

Cloud DDoS Mitigation Platform: Built Kubernetes-native DDoS detection and mitigation using Cilium eBPF, with automated BGP flowspec injection. Reduced mitigation time from 15 minutes to under 30 seconds.

Kubernetes Security Posture Scanner: Developed Go-based operator that continuously audits cluster security (PSS violations, RBAC misconfigurations, exposed services). Integrated with Falco for runtime correlation.

Multi-Cloud Secret Rotation Pipeline: Automated secret rotation across AWS/GCP using External Secrets Operator + Vault, with zero-downtime rollout via progressive delivery (Argo Rollouts).

Open Source Contributions

  • Falco Rules: Custom rulesets for detecting cloud-native attacks (container escapes, privilege escalation, crypto mining)
  • kube-rs: Contributed admission webhook framework and controller examples
  • Cilium: Network policy testing and documentation improvements

Personal Projects

k8s-security-scanner (Rust + kube-rs): Admission controller that validates security contexts, secrets exposure, and image provenance using Sigstore verification.

ebpf-runtime-guardian (Rust + aya): eBPF-based syscall filter that blocks suspicious container behavior (network to sensitive ports, filesystem writes outside allowlist).

iac-policy-engine (Go + OPA): Terraform/Pulumi scanner that enforces security policies pre-deployment (exposed S3 buckets, overprivileged IAM, unencrypted resources).

spiffe-workload-attestor (Rust): Lightweight SPIFFE workload attestor for non-Kubernetes environments with hardware-backed attestation (TPM).

🎓 Education & Certifications

  • B.E. in Electronics and Communication Engineering – Anna University, Chennai (2016)
  • Certified Kubernetes Security Specialist (CKS) – CNCF
  • Certified Kubernetes Administrator (CKA) – CNCF
  • Certified Ethical Hacker v11 (CEH) – EC-Council (2021-2022)
  • AWS Certified Security – Specialty – Amazon
  • Google Professional Cloud Security Engineer – Google Cloud
  • CCNA/CCNP Security – Networkers Home (2019)

🏆 Career Achievements

  • Reduced Kubernetes security incidents by 80% through automated admission control and runtime monitoring
  • Implemented zero-trust networking across 500+ microservices using Istio + SPIFFE
  • Built security automation that cut cloud compliance audit time from weeks to hours
  • Promoted to P3 at Lumen Technologies for cloud security platform contributions
  • Achieved 99.9% uptime for DDoS mitigation services protecting 1000+ customer networks

🌟 Core Focus Areas

  • Cloud-native security: Kubernetes, containers, service mesh hardening
  • Runtime security: eBPF-based detection, syscall filtering, anomaly detection
  • Zero-trust architecture: Workload identity, mTLS automation, policy enforcement
  • Supply chain security: Image signing, SBOM generation, provenance verification
  • Security automation: Policy-as-code, compliance-as-code, infrastructure hardening

📚 CNCF Projects I Work With

Security: Falco, OPA, Notary, TUF, in-toto, SPIFFE/SPIRE
Networking: Cilium, Calico, Istio, Linkerd, Envoy
Runtime: containerd, CRI-O, gVisor, Kata Containers
Observability: Prometheus, Jaeger, OpenTelemetry, Fluentd
Orchestration: Kubernetes, Helm, Argo (CD/Rollouts/Events)

Check out my GitHub for cloud security tools and CNCF contributions!

⚠️ Important Notice

I create cloud security software strictly for defensive and ethical purposes.
By using any of my code, you agree to the following:

  • ❌ You must not use my work for illegal, harmful, or unethical activities
  • ❌ My code is prohibited from use in:
    • Offensive security operations without proper authorization
    • Systems that violate privacy or data protection laws
    • Financial exploitation or gambling platforms
    • NSFW or adult content infrastructure
    • Any project that causes harm to individuals or organizations

✅ My intention is to strengthen cloud infrastructure security, promote secure-by-default practices, and contribute to the CNCF ecosystem.

I am not responsible for any misuse, damages, or consequences caused by those who ignore these terms. Use responsibly.