Kubernetes & docker containers PCI DSS compliance

9/1/2015

We are creating a new version of a payment gateway processor and we want to use Docker containers with Kubernetes, but we are worried about whether Kubernetes and Docker containers follow the PCI DSS requirements.

We can't find anything clear in the PCI DSS specifications.

-- Antonio Antelo
Tags: docker, kubernetes, payment-gateway, pci-compliance, pci-dss

4 Answers

1/5/2017

PCI-DSS can be achieved by 3rd party solutions.

(Disclaimer - I'm an employee of Twistlock, which has brought a PCI-DSS solution, if you're interested in it please check the following link - https://info.twistlock.com/guide-to-pci-compliance-for-containers)

-- Ben
Source: StackOverflow

2/16/2019

I've implemented and got a K8S cluster PCI-DSS Level 1 certified as a Cardholder Data Environment for the company I work for.

Don't get intimidated by the requirements, there's always a way to make them "not applicable" or meet them with some elbow oil.

The basics you need to meet to make it compliant are:

  • Use COS so you can skip all the node hardening hassle.
  • Use the --enable-master-authorized-networks flag (Beta), although I haven't had any problems with it yet.
  • Manage the network CIDRs yourself, as you need to provide classes that don't change for the docs and show how only those are authorized to access the cluster.
  • You must implement a NAT gateway cluster and pass all the K8S traffic through it, and set up on those systems a silly outgoing IDS/IPS solution; I used Suricata. (It's silly, I know.)
  • You need to whitelist all outgoing traffic IPs for any API you're eventually calling from your apps and deny everything else.

PS: I know it sounds like BS, but you gotta do it if you wanna pass compliance.

PPS: Remember to harden the NAT gateways; I used Ansible with the STIG playbook.

These were the trickiest parts, everything else was cumbersome but manageable. Glad to help.

-- Leonardo
Source: StackOverflow

10/11/2015

Re-iterating Tim's comment above: As far as I know nobody has implemented a fully PCI-compliant kubernetes install yet (they might have done and not told us). I don't know of anything specific to Docker or Kubernetes that would prevent you from getting your deployment certified.

-- Robert Bailey
Source: StackOverflow

12/11/2015

See this article. While the author is referring to "public IaaS", it seems that one could substitute "private Kubernetes".

-- Richard
Source: StackOverflow