Open to opportunities

Hi, I'm Himanshu Gupta

Platform Lead · DevSecOps Engineer · Cloud Architect

I build secure, scalable cloud platforms. 10+ years turning complex infrastructure into automated, zero-trust systems at companies like PayPal, Charter Communications, and Silicon Valley Bank.

10+ Years Experience
100+ Microservices Managed
20+ EKS Clusters
99.9% Uptime Achieved

Building Secure Platforms at Scale

I'm a DevSecOps Platform Lead with a deep passion for building infrastructure that's not just scalable, but secure by design. My journey spans from writing my first Ansible playbook at Accenture to leading multi-account Kubernetes platform strategy at Charter Communications.

I specialize in Kubernetes (EKS/CAPA), CI/CD pipeline security, Infrastructure as Code, and cloud-native architecture across AWS and Azure. I'm currently exploring the intersection of AI/ML and DevOps - using machine learning for anomaly detection, intelligent alerting, and automated remediation.

Recently relocated to Hyderabad, India, and open to remote/global opportunities in DevSecOps leadership, Platform Engineering, and AI-driven infrastructure roles.

🛡️ Security-First

Zero-trust architecture, WAF rules, YARA signatures, secrets management

☸️ K8s Platform

Multi-account EKS with CAPA, Helm, GitOps, service mesh

🤖 AI + DevOps

ML-powered monitoring, anomaly detection, intelligent automation

🔄 CI/CD Expert

GitLab CI, Jenkins, GitOps workflows with integrated security scanning

Professional Experience

Charter Communications
Sr. DevSecOps Engineer / Platform Lead
Oct 2022 - Present
  • Led Kubernetes platform strategy across multi-account AWS using CAPA, managing 20+ EKS clusters
  • Architected DR framework achieving RTO < 30min and RPO < 5min
  • Designed zero-trust bastion architecture, reducing attack surface by 70%
  • Built GitLab CI/CD with integrated security scanning across 50+ repositories
  • Integrated AWS KMS + Secrets Manager with least-privilege IAM policies
PayPal
Sr. Cloud / DevOps Engineer
Sep 2020 - Oct 2022
  • Spearheaded on-prem to AWS migration, containerizing 30+ Java applications
  • Implemented LDAP-based SSO and centralized authentication
  • Built GitOps workflows with full lifecycle CI/CD pipelines
  • Automated Datadog/Splunk monitoring for 30+ microservices
Silicon Valley Bank
Sr. Cloud / DevOps Engineer
Mar 2019 - Aug 2020
  • Built NGINX WAF and YARA rules for automated threat detection
  • Deployed HashiCorp Vault on AWS and on-prem for secrets management
  • Implemented ELK Stack with CloudWatch + Lambda integration
HGST (Western Digital)
Cloud / DevOps Engineer
Apr 2018 - Feb 2019
  • Azure infrastructure with Site Recovery and automated backup strategies
  • Kubernetes clusters with Ansible-automated provisioning and Helm charts
Accenture
DevOps Engineer
Jun 2016 - Dec 2017
  • AWS IaaS with multi-zone infrastructure and Ansible/CloudFormation automation
  • Python/Lambda automation reducing infrastructure costs by 40%

Technical Skills

☸️ Container & Orchestration

Kubernetes EKS CAPA KOPS Docker Helm ArgoCD Istio

☁️ Cloud Platforms

AWS Azure EC2 Lambda S3 RDS VPC CloudFormation

πŸ›‘οΈ Security

DevSecOps WAF Vault KMS IAM/RBAC LDAP YARA Zero Trust

🔧 IaC & Config Management

Terraform Ansible Chef Puppet Packer CloudFormation

🔄 CI/CD & GitOps

GitLab CI Jenkins GitHub Actions Concourse CI GitOps Artifactory

📊 Observability

Datadog Splunk ELK Stack Prometheus Grafana CloudWatch New Relic

Featured Projects

πŸ—οΈ Multi-Account EKS Platform (CAPA)

Enterprise Kubernetes platform managing 20+ clusters across multiple AWS accounts using Cluster API Provider. Includes automated provisioning, DR, and GitOps-based deployments.

Kubernetes · CAPA · Terraform · GitLab CI · Helm

πŸ” Zero-Trust Infrastructure

Designed and deployed bastion host architecture with IAM integration, network segmentation, KMS encryption, and automated vulnerability scanning across all environments.

AWS IAM · KMS · VPC · WAF · Vault

🚀 Cloud Migration Engine

Led migration of 30+ on-prem Java applications to AWS containers at PayPal. Windows Tomcat to Linux Docker with full automation documentation and SOPs.

Docker · AWS ECS · Terraform · Ansible · Python

🤖 AI-Powered Monitoring (POC)

Proof of concept integrating ML models with Datadog/CloudWatch for anomaly detection, intelligent alerting, and automated remediation workflows.

Python · Lambda · CloudWatch · ML · Datadog

Infrastructure Templates & Examples

Production-ready templates I use in my daily work. Feel free to adapt them.

Secure K8s Deployment with Health Checks (YAML)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-api
  labels:
    app: secure-api
    security.policy/scan: "true"
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0   # never drop below the replica count during a rollout
  selector:
    matchLabels:
      app: secure-api
  template:
    metadata:
      labels:
        app: secure-api
    spec:
      serviceAccountName: secure-api-sa   # dedicated SA (IRSA-bound), never "default"
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: api
        image: registry.example.com/api:v1.2.0   # immutable tag, never :latest
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true   # mount an emptyDir at /tmp if the app writes there
          capabilities:
            drop: ["ALL"]
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        env:
        - name: DB_PASSWORD   # injected from a Secret, never as a literal value
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values: ["secure-api"]
              topologyKey: "topology.kubernetes.io/zone"
Production-ready deployment with pod- and container-level security context (non-root, no privilege escalation, all capabilities dropped), resource limits, anti-affinity for multi-AZ spread, and health probes.
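The properties the description above calls out (non-root, resource limits, probes, secrets via secretKeyRef, an immutable image tag, no privilege escalation) are exactly what a pre-deploy policy check should enforce. Below is an added example of such a check in Python; it is not one of the portfolio's own templates. It operates on the manifest already parsed into a dict (as yaml.safe_load would return), and the two manifests embedded in it are constructed samples: one mirroring the secure-api template, one deliberately weakened.

```python
def check_deployment(manifest: dict) -> list[str]:
    """Return findings for a parsed Deployment; an empty list means it passes."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if not pod.get("securityContext", {}).get("runAsNonRoot"):
        findings.append("pod: securityContext.runAsNonRoot is not true")
    for c in pod.get("containers", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        # A mutable tag breaks "deploy exactly what was scanned": the last path segment must carry a tag
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image '{image}' is untagged or uses :latest")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: missing {probe}")
        # Secrets must arrive via secretKeyRef, never as a literal env value
        for env in c.get("env", []):
            n = env.get("name", "")
            if "value" in env and any(k in n.upper() for k in ("PASS", "SECRET", "TOKEN", "KEY")):
                findings.append(f"{name}: env {n} carries a secret as a literal value")
        if c.get("securityContext", {}).get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
    return findings


# Constructed sample mirroring the secure-api template, reduced to the checked fields
SECURE = {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{
        "name": "api", "image": "registry.example.com/api:v1.2.0",
        "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        "securityContext": {"allowPrivilegeEscalation": False},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "password"}}}],
    }]}}}}

# Constructed weak variant: root-capable, mutable tag, literal password, no limits or probes
WEAK = {"spec": {"template": {"spec": {"containers": [{
    "name": "api", "image": "registry.example.com/api:latest",
    "env": [{"name": "DB_PASSWORD", "value": "placeholder-not-a-real-secret"}],
}]}}}}

if __name__ == "__main__":
    for label, manifest in (("secure", SECURE), ("weak", WEAK)):
        print(label, check_deployment(manifest) or "OK")
```

Wired into a CI job before kubectl apply, a non-empty findings list fails the pipeline, so a manifest that silently regresses to :latest or an inline password never reaches the cluster.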
GitLab CI/CD with Security Scanning (.gitlab-ci.yml)
# Stage order matters: the image is built and pushed under its commit SHA first,
# the scan pulls that exact image back from the registry, and deploy (manual,
# main only) can only run once the scan has passed.
stages:
  - test
  - build
  - security
  - deploy

variables:
  # Immutable, commit-pinned tag: the image that is scanned is the image that is deployed
  DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

unit-tests:
  stage: test
  image: python:3.11-slim
  script:
    - pip install -r requirements.txt
    - pytest tests/ --cov=src --cov-report=xml
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

build-push:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    # --password-stdin keeps the registry password out of the process list and job log
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$DOCKER_IMAGE" .
    - docker push "$DOCKER_IMAGE"
  # Runs on every branch so each commit gets a scanned, pinned image; only main may deploy

# GitLab's maintained analyzers can be pulled in instead with
# include: - template: Security/SAST.gitlab-ci.yml
sast-scan:
  stage: security
  image: registry.gitlab.com/security-products/sast:latest
  script:
    - /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
  allow_failure: false

container-scan:
  stage: security
  # Run Trivy as the job image and pull the pushed image from the registry.
  # (Mounting /var/run/docker.sock does not work with a docker:dind service:
  # the daemon lives in the service container, not behind that socket.)
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    GIT_STRATEGY: none
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress "$DOCKER_IMAGE"

deploy-eks:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/app app="$DOCKER_IMAGE" -n production
    - kubectl rollout status deployment/app -n production --timeout=300s
  environment:
    name: production
  when: manual
  only:
    - main
Full CI/CD pipeline with SAST scanning, Trivy vulnerability scanning of the exact commit-tagged image that gets deployed, and a manual, main-only deployment to EKS.
Terraform EKS Cluster Module (HCL)
# Assumes a module "vpc" (e.g. terraform-aws-modules/vpc/aws) is defined alongside
# and exposes vpc_id and private_subnets.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.0"

  cluster_name    = var.cluster_name
  cluster_version = "1.28"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  # API server reachable only from inside the VPC (via the bastion), never from the internet
  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  # Envelope encryption of Kubernetes Secrets at rest with a customer-managed key
  cluster_encryption_config = {
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }

  # Managed node groups
  eks_managed_node_groups = {
    general = {
      desired_size = 3
      min_size     = 2
      max_size     = 10

      instance_types = ["m6i.xlarge"]
      capacity_type  = "ON_DEMAND"

      labels = {
        role        = "general"
        environment = var.environment
      }

      update_config = {
        max_unavailable_percentage = 33
      }
    }

    spot = {
      desired_size = 2
      min_size     = 1
      max_size     = 8

      instance_types = ["m6i.xlarge", "m5.xlarge", "m5a.xlarge"]
      capacity_type  = "SPOT"

      labels = {
        role = "spot-workloads"
      }

      # Only workloads that tolerate the taint (and interruptions) land on spot
      taints = [{
        key    = "spot"
        value  = "true"
        effect = "NO_SCHEDULE"
      }]
    }
  }

  # IRSA for pod-level IAM: pods assume roles via service account tokens instead of node credentials
  enable_irsa = true

  tags = merge(var.common_tags, {
    "kubernetes.io/cluster/${var.cluster_name}" = "owned"
  })
}

resource "aws_kms_key" "eks" {
  description             = "EKS Secret Encryption Key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  # The default key policy grants the account root full access; the module attaches
  # the KMS encrypt/decrypt permissions the cluster role needs for envelope encryption.
}
Production EKS cluster with private endpoints, KMS encryption, mixed node groups (on-demand + spot), and IRSA enabled.
K8s Network Policy - Zero Trust (YAML)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: secure-api
  # Listing both types makes every flow not explicitly allowed below a deny
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Either the ingress-nginx namespace (matched on the automatic
        # kubernetes.io/metadata.name label, so no manual namespace labelling is needed)...
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        # ...or frontend pods in this namespace
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # DNS: only CoreDNS in kube-system (namespaceSelector AND podSelector
    # in one entry), not port 53 on every pod in every namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
Zero-trust network policy: ingress only from the nginx ingress namespace and frontend pods, egress only to postgres and CoreDNS.

Certifications & Education

🎓 M.S. Computer Science

California State University, Fresno · 2018-2020

🎓 B.Tech Computer Science

JECRC University, Jaipur · 2012-2016

☸️ AWS EKS Masterclass

Udemy · Feb 2024

🔄 GitLab CI/CD Hands-On (50+ Pipelines)

Udemy · Mar 2024

Let's Work Together

Open to Opportunities

I'm currently looking for DevSecOps leadership, Platform Engineering, and AI/ML Ops roles. Based in Hyderabad, India, and open to remote/global opportunities.