PCI Container Orchestration Guidance for Kubernetes

In September 2022 the PCI council released Guidance for Containers and Container Orchestration Tools which is intended to help organizations who use tools like Docker and Kubernetes in payment systems, do so in a secure fashion. The guidance should also be useful as a general guide to Kubernetes security hardening.

One of the key parts of the document is a table of risks and best practices which span 16 areas.

The guidance is fairly generic, so to help apply this specifically to Kubernetes I’ve been writing a series of blogs to look at each of these areas. This page provides a handy index for those posts. As this guidance will be used by assessors as well, I made some notes on the challenges of doing security assessments on Kubernetes.

• Authentication
• Authorization
• Workload Security
• Network Security
• PKI
• Secrets Management
• Container Orchestration Tool Auditing
• Container Monitoring
• Runtime Security
• Patching
• Resource Management
• Container Image Building
• Registry
• Version Management
• Configuration Management
• Segmentation