PCI-DSS Compliance in Kubernetes
The Payment Card Industry Data Security Standard (PCI-DSS) requires specific controls for systems that store, process or transmit payment card data. A Kubernetes environment that handles cardholder data therefore has to implement network segmentation (Requirement 1), access control (Requirements 7 and 8), vulnerability management (Requirements 6 and 11) and logging and monitoring (Requirement 10) for every workload in scope. Because containers are short-lived and are rescheduled across hosts, the traditional host- and VLAN-centred versions of these controls have to be re-expressed as cluster objects: namespaces, network policies, admission policies and RBAC.
Network segmentation in Kubernetes is built from several layers. Dedicated node pools keep PCI workloads on their own hosts: a taint keeps other pods off the nodes and a nodeSelector keeps PCI pods on them. This is host-level separation rather than physical separation unless the pool is backed by dedicated hardware. Network policies enforce logical segmentation between PCI and non-PCI workloads; they only take effect when the cluster's CNI plugin enforces NetworkPolicy, and a namespace without a policy that selects all of its pods allows all traffic by default. Service mesh policies add application-layer controls such as mutual TLS and per-identity authorization. This defence-in-depth approach satisfies the segmentation requirement while keeping the cluster operable, but PCI-DSS still expects segmentation to be validated by penetration testing, so the policies have to be tested as well as written.
```yaml
# PCI-DSS compliant namespace configuration
apiVersion: v1
kind: Namespace
metadata:
  name: pci-production
  labels:
    compliance: pci-dss
    environment: production
    # Pod Security Admission: reject, audit and warn on anything outside "restricted"
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Network isolation for PCI namespace.
# podSelector {} with both policyTypes makes this a default-deny for every pod in
# the namespace; the rules below are the only carve-outs. It is only enforced by a
# CNI plugin that implements NetworkPolicy; with one that ignores it, nothing is blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pci-namespace-isolation
  namespace: pci-production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow ingress only from gateway pods in PCI-approved namespaces.
    # namespaceSelector and podSelector in the same list item are ANDed; as two
    # separate items they would be ORed, admitting any pod in an approved
    # namespace or any "tier: pci-gateway" pod in this one.
    - from:
        - namespaceSelector:
            matchLabels:
              pci-approved: "true"
          podSelector:
            matchLabels:
              tier: pci-gateway
      ports:
        # NetworkPolicy ports are pod ports, not Service ports: this must be the
        # port the container listens on (8443 below), not the Service's 443
        - protocol: TCP
          port: 8443
  egress:
    # Cluster DNS only (CoreDNS pods in kube-system). kube-system carries the
    # kubernetes.io/metadata.name label automatically; a plain "name" label
    # does not exist unless someone adds it, so selecting on it matches nothing
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Internal PCI services in this namespace
    - to:
        - podSelector:
            matchLabels:
              compliance: pci-dss
      ports:
        - protocol: TCP
          port: 443
    # External payment processor (documentation range used as a placeholder)
    - to:
        - ipBlock:
            cidr: 198.51.100.0/24 # Payment processor IP range
      ports:
        - protocol: TCP
          port: 443
---
# PCI-compliant pod specification (a bare Pod for illustration; in practice the
# same spec is carried by a Deployment so it is reconciled and restarted)
apiVersion: v1
kind: Pod
metadata:
  name: payment-processor
  namespace: pci-production
  labels:
    app: payment-processor
    compliance: pci-dss
spec:
  serviceAccountName: payment-processor-sa
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  # Node selection for PCI-dedicated nodes
  nodeSelector:
    node-pool: pci-compliant
  # Toleration for PCI node taints (the taint keeps other workloads off these
  # nodes; the nodeSelector keeps this one on them)
  tolerations:
    - key: compliance
      operator: Equal
      value: pci-dss
      effect: NoSchedule
  containers:
    - name: payment-app
      # Pinned by digest so the tag cannot later be re-pointed at another image
      image: registry.company.com/payment-processor:v2.1.0@sha256:abc123...
      imagePullPolicy: Always
      ports:
        - name: https
          containerPort: 8443
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      # Environment-specific configuration
      env:
        - name: LOG_LEVEL
          value: "INFO"
        - name: ENABLE_AUDIT
          value: "true"
        - name: TLS_MIN_VERSION
          value: "1.2"
      # Credentials from a Kubernetes Secret; populate it from an external secret
      # manager rather than committing it alongside the manifests
      envFrom:
        - secretRef:
            name: payment-credentials
      volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: audit-logs
          mountPath: /var/log/audit
      # Resource limits for stability
      resources:
        requests:
          memory: "256Mi"
          cpu: "250m"
        limits:
          memory: "512Mi"
          cpu: "500m"
      # Health checks for availability
      livenessProbe:
        httpGet:
          path: /health
          port: 8443
          scheme: HTTPS
        initialDelaySeconds: 30
        periodSeconds: 10
      readinessProbe:
        httpGet:
          path: /ready
          port: 8443
          scheme: HTTPS
        initialDelaySeconds: 5
        periodSeconds: 5
  volumes:
    - name: tmp
      emptyDir: {}
    # Local spool only; audit records still have to be shipped to the central,
    # write-protected log store that PCI-DSS Requirement 10 expects
    - name: audit-logs
      persistentVolumeClaim:
        claimName: pci-audit-logs
```
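The script below is an added example, not part of the original page or of any Kubernetes project code. It audits exported NetworkPolicy objects for the segmentation properties the section above relies on: a policy that selects every pod in both directions, no peerless or portless rules, no wildcard namespace selectors, and egress ipBlocks confined to an approved list. The two policy objects it contains are constructed for the example (the isolation policy from the manifest above, plus a hypothetical "allow-monitoring" policy); the approved egress range is the manifest's placeholder CIDR.

```python
"""Audit the NetworkPolicy objects of a PCI namespace for segmentation properties.

Added example, not code from the page. It walks the `.items[]` JSON that
`kubectl get networkpolicy -n pci-production -o json` returns and reports every
rule that widens the allowlist. The policies below are constructed inline so the
script runs offline; the approved egress range is the manifest's placeholder.
"""
from ipaddress import ip_network

APPROVED_EGRESS = [ip_network("198.51.100.0/24")]  # payment processor range (placeholder)

def _policy_types(spec):
    """Kubernetes default: Ingress always, Egress only when egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())

def namespace_is_isolated(policies):
    """True when some policy selects every pod (podSelector {}) for both directions.
    Only then is traffic that matches no allow rule actually dropped."""
    return any(p["spec"].get("podSelector") == {}
               and {"Ingress", "Egress"} <= _policy_types(p["spec"])
               for p in policies)

def audit_policy(policy, approved=APPROVED_EGRESS):
    """Findings for one policy: peerless or portless rules, wildcard peers, and
    egress ipBlocks outside the approved list."""
    name, spec, findings = policy["metadata"]["name"], policy["spec"], []
    for direction, key, peer_key in (("Ingress", "ingress", "from"), ("Egress", "egress", "to")):
        if direction not in _policy_types(spec):
            continue
        for i, rule in enumerate(spec.get(key) or []):
            peers = rule.get(peer_key)
            if not peers:  # a missing or empty list matches every peer
                findings.append(f"{name}: {key}[{i}] has no '{peer_key}', allows all {key}")
                continue
            if not rule.get("ports"):
                findings.append(f"{name}: {key}[{i}] has no ports, allows every port")
            for peer in peers:
                if not peer:
                    findings.append(f"{name}: {key}[{i}] has an empty peer, matches every pod")
                    continue
                if peer.get("namespaceSelector") == {}:
                    findings.append(f"{name}: {key}[{i}] namespaceSelector {{}} matches all namespaces")
                block = peer.get("ipBlock")
                if block and direction == "Egress":
                    cidr = ip_network(block["cidr"])
                    if not any(a.version == cidr.version and cidr.subnet_of(a) for a in approved):
                        findings.append(f"{name}: egress[{i}] ipBlock {cidr} not in approved list")
    return findings

def audit_namespace(policies, approved=APPROVED_EGRESS):
    """Policies are additive: one loose policy widens what all the others allow,
    so the namespace is audited as a whole."""
    findings = [] if namespace_is_isolated(policies) else [
        "no policy selects all pods for Ingress and Egress; unmatched traffic is allowed"]
    for p in policies:
        findings.extend(audit_policy(p, approved))
    return findings

# Constructed: the isolation policy from the manifest above, as kubectl emits it.
PCI_ISOLATION = {
    "metadata": {"name": "pci-namespace-isolation"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"pci-approved": "true"}},
                               "podSelector": {"matchLabels": {"tier": "pci-gateway"}}}],
                     "ports": [{"protocol": "TCP", "port": 8443}]}],
        "egress": [
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
            {"to": [{"podSelector": {"matchLabels": {"compliance": "pci-dss"}}}],
             "ports": [{"protocol": "TCP", "port": 443}]},
            {"to": [{"ipBlock": {"cidr": "198.51.100.0/24"}}],
             "ports": [{"protocol": "TCP", "port": 443}]},
        ],
    },
}

# Constructed: a hypothetical later "monitoring" policy that quietly undoes the isolation.
LOOSE_MONITORING = {
    "metadata": {"name": "allow-monitoring"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "payment-processor"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {}}],  # every namespace may connect
                     "ports": [{"protocol": "TCP", "port": 9090}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],  # any address, any port
    },
}

if __name__ == "__main__":
    for finding in audit_namespace([PCI_ISOLATION, LOOSE_MONITORING]):
        print("FINDING:", finding)
```

Against a live cluster, load the output of `kubectl get networkpolicy -n pci-production -o json` and pass its `items` list to audit_namespace(). The point the constructed input makes is that NetworkPolicy is additive: the second policy is scoped to one pod label and looks harmless, yet it grants every namespace ingress to the payment pods and lets them reach any address on any port, and the isolation policy can do nothing about it. Run the audit on every policy change, not once at certification time.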
Access control for PCI environments requires strong authentication and authorization. Kubernetes does not perform multi-factor authentication itself, so administrative access should go through an OIDC identity provider or cloud IAM integration that enforces MFA, and long-lived client certificates and static tokens should be avoided because they cannot be revoked individually or tied to a second factor. Segregation of duties is expressed through RBAC: separate Roles for deploying workloads, reading secrets and administering policy, bound to distinct groups, with wildcard rules and cluster-admin kept out of cardholder-data namespaces. PCI-DSS also calls for periodic reviews of user accounts and their access rights, so the bindings in scope should be exported and reviewed on a schedule rather than inspected ad hoc. Privileged access management solutions integrate with Kubernetes RBAC to grant just-in-time, time-bound access with a full audit trail, and API server audit logging should record every request in the PCI namespaces so that any access can be reconstructed afterwards.
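The access-review script below is an added example, not code from the page or from any PAM product. It evaluates RBAC the way the authorizer does for namespaced resources, reports the grants a reviewer should question, and checks one segregation-of-duties rule (nobody both deploys code and reads secrets). The Roles, bindings, group and service-account names it contains are constructed for the example.

```python
"""Offline RBAC access review for a PCI namespace.

Added example, not code from the page. It takes the JSON shape of
`kubectl get rolebindings -n pci-production -o json` plus the Roles and
ClusterRoles they reference, answers "can subject X do Y" the way the RBAC
authorizer does for namespaced resources, and flags grants that a PCI-DSS
Requirement 7 access review should question. All objects are constructed inline.
"""

# Grants to surface in the review: (label, verb, resource, apiGroup).
SENSITIVE_GRANTS = [
    ("get secrets", "get", "secrets", ""),            # reads credentials directly
    ("list secrets", "list", "secrets", ""),
    ("create pods/exec", "create", "pods/exec", ""),  # shell into a cardholder-data pod
    ("wildcard (*/*)", "*", "*", "*"),                # cluster-admin style rule
]
# Duties one identity should not hold together: changing what runs in the
# namespace and reading the secrets it runs with.
SEGREGATED_DUTIES = (("create", "deployments", "apps"), ("get", "secrets", ""))

def _key(s):
    """Identity of a subject: kind, namespace (service accounts only), name."""
    return (s["kind"], s.get("namespace", ""), s["name"])

def _rule_matches(rule, verb, resource, group):
    """RBAC semantics: each field matches exactly or via '*'. A bare 'pods' entry
    does not cover the 'pods/exec' subresource, so resources compare exactly."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("verbs", []), verb) and hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource))

def effective_rules(subject, bindings, roles):
    """Rules reaching `subject` through bindings whose roleRef resolves; a roleRef
    to a missing role grants nothing, as in the real authorizer."""
    rules = []
    for b in bindings:
        if any(_key(s) == _key(subject) for s in b.get("subjects", [])):
            ref = b["roleRef"]
            rules.extend(roles.get((ref["kind"], ref["name"]), {}).get("rules", []))
    return rules

def can(subject, verb, resource, group, bindings, roles):
    return any(_rule_matches(r, verb, resource, group) for r in effective_rules(subject, bindings, roles))

def _subjects(bindings):
    """Every distinct subject, as a dict usable with can(), in stable order."""
    keys = sorted({_key(s) for b in bindings for s in b.get("subjects", [])})
    return [{"kind": k, "namespace": ns, "name": n} for k, ns, n in keys]

def _name(subject):
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns}/{subject['name']}" if ns else f"{subject['kind']}:{subject['name']}"

def review(bindings, roles):
    """{subject: [labels]} for every subject holding a sensitive grant."""
    report = {}
    for subj in _subjects(bindings):
        flags = [label for label, v, r, g in SENSITIVE_GRANTS if can(subj, v, r, g, bindings, roles)]
        if flags:
            report[_name(subj)] = flags
    return report

def segregation_violations(bindings, roles):
    """Subjects that can both deploy code and read secrets in the namespace."""
    return [_name(s) for s in _subjects(bindings)
            if all(can(s, v, r, g, bindings, roles) for v, r, g in SEGREGATED_DUTIES)]

# Constructed: roles keyed by (kind, name), as a review script would collect them.
ROLES = {
    ("Role", "payment-app-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list", "watch"]}]},
    ("Role", "pci-secret-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    ("Role", "pci-deployer"): {"rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update", "patch"]}]},
    ("ClusterRole", "cluster-admin"): {"rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
}
# Constructed: bindings in pci-production. The last one is the kind of leftover a
# review exists to catch: a CI service account bound to cluster-admin in the namespace.
BINDINGS = [
    {"subjects": [{"kind": "Group", "name": "pci-app-operators"}],
     "roleRef": {"kind": "Role", "name": "payment-app-reader"}},
    {"subjects": [{"kind": "Group", "name": "pci-security-admins"}],
     "roleRef": {"kind": "Role", "name": "pci-secret-reader"}},
    {"subjects": [{"kind": "Group", "name": "pci-release-managers"}],
     "roleRef": {"kind": "Role", "name": "pci-deployer"}},
    {"subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "ci-deployer"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]

if __name__ == "__main__":
    print(review(BINDINGS, ROLES))
    print("segregation-of-duties violations:", segregation_violations(BINDINGS, ROLES))
```

Two caveats when using this for a real review. A RoleBinding that references cluster-admin grants it only inside that namespace, but inside it the grant is still a wildcard, which is why the review flags it rather than the role name. And the script only sees what it is given: ClusterRoleBindings apply to every namespace, so export them as well and feed them in alongside the namespaced bindings, otherwise a cluster-wide grant will be missed.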