4

We are creating a new version of a payment gateway processor and we want to use Docker containers with Kubernetes, but we are worried whether Kubernetes and Docker containers follow the PCI DSS requirements.

We can't find anything clear in the PCI DSS specifications.

  • As far as I know nobody has implemented a fully PCI-compliant Kubernetes install yet (they might have done and not told us). It's not even clear what that really means. Can you enumerate the requirements you have, so we can consider them individually? – Tim Hockin Sep 18 '15 at 17:47
  • @TimHockin Have you come across a PCI compliant K8s deployment yet? – Roman Feb 14 '18 at 18:57
  • GKE is PCI compliant, AFAIK (not an expert on the vagaries of PCI) – Tim Hockin Feb 14 '18 at 19:35

2 Answers

2

Reiterating Tim's comment above: as far as I know nobody has implemented a fully PCI-compliant Kubernetes install yet (they might have done and not told us). I don't know of anything specific to Docker or Kubernetes that would prevent you from getting your deployment certified.

Robert Bailey
0

I've implemented a K8S cluster as the Cardholder Data Environment for the company I work for and got it PCI-DSS Level 1 certified.

Don't get intimidated by the requirements; there's always a way to make them "not applicable" or to meet them with some elbow grease.

The basics you need to meet to make it compliant are:

  • Use COS so you can skip all the node hardening hassle.
  • Use the --enable-master-authorized-networks flag (Beta); I haven't had any problems with it yet.
  • Manage the network CIDRs yourself, as you need to provide classes that don't change for the docs and show that only those are authorized to access the cluster.
  • You must implement a NAT gateway cluster, pass all the K8S traffic through it, and set up a silly outgoing IDS/IPS solution on those systems; I used Suricata. (It's silly, I know.)
  • You need to whitelist all outgoing traffic IPs for any API you're eventually calling from your apps and deny everything else.

PS: I know it sounds like BS, but you gotta do it if you wanna pass compliance.

PPS: Remember to harden the NAT gateways; I used Ansible with the STIG playbook.

These were the trickiest parts, everything else was cumbersome but manageable. Glad to help.

leonardo
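The last bullet of the answer above (allow outgoing traffic only to the APIs the app calls, deny everything else) can be expressed inside the cluster as Kubernetes NetworkPolicy objects, in addition to the NAT gateway rules. This is an added example, not configuration from the answer's author: it assumes a namespace named `cde`, a pod label `app: payment-gateway`, a NetworkPolicy provider installed on the cluster (on GKE, Calico), and uses `203.0.113.0/24` as a placeholder for the payment API's published IP range.

```yaml
# Added example: namespace-wide default-deny for egress, then an explicit
# allowlist for the one workload that must reach an external API.
# 203.0.113.0/24 is a placeholder; substitute the provider's documented range.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: cde
spec:
  podSelector: {}          # matches every pod in the namespace
  policyTypes:
  - Egress                 # no egress rules listed, so all egress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-and-payment-api
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: payment-gateway   # assumed label on the CDE workload
  policyTypes:
  - Egress
  egress:
  # Cluster DNS, so the allowed API hostname can still be resolved.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # The single external API this app calls, HTTPS only.
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24
    ports:
    - protocol: TCP
      port: 443
```

Because every pod still leaves the cluster through the NAT gateway, the gateway's outbound firewall and IDS keep seeing the same restricted destination set, which gives you two independent places to document the allowlist for the assessor.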