Can we bind one container per node in swarm? This is for PCI compliance

PCI compliance requires separation of functionality on a per-node basis. Is it possible to ensure that only one container will be present on a node at any given time under any given eventuality? I can set up an auto scaling group for nodes in AWS, but that again does not explicitly guarantee this. I don’t disagree that there is an implicit guarantee…

Please advise.

In swarm mode you can set constraints to “stick” service task instances (containers) to nodes with certain properties.

Note the sensitive difference between node labels and engine labels in this regard.
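
The constraint approach from the answer above, as an added example that is not part of the original thread: a node-label constraint pins one service, and an audit function lists any node that still ends up running more than one task, since a constraint on one service does not keep other services off that node. The label `pci.zone=cde`, the function names and the sample node and service names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Label key/value (pci.zone=cde) and all names are assumptions.

# Run on a swarm manager. Node labels are set by managers with
# `docker node update` and matched with node.labels.<key>. Engine labels
# come from each node's own dockerd configuration and are matched with
# engine.labels.<key>, so a worker controls its own engine labels.
deploy_pinned() {
  local node="$1" service="$2" image="$3"
  docker node update --label-add pci.zone=cde "$node"
  docker service create --name "$service" \
    --constraint 'node.labels.pci.zone==cde' \
    --replicas 1 --replicas-max-per-node 1 \
    "$image"
}

# Collect "NODE TASK" lines for every running task in the swarm (manager only).
list_running_tasks() {
  docker service ps $(docker service ls -q) \
    --filter desired-state=running --format '{{.Node}} {{.Name}}'
}

# Read "NODE TASK" lines on stdin and print each node that runs more than
# one task, with the tasks found there. Empty output means one task per node.
crowded_nodes() {
  awk 'NF >= 2 { n[$1]++; t[$1] = t[$1] " " $2 }
       END { for (k in n) if (n[k] > 1) print k ":" t[k] }' | sort
}

# Constructed sample of list_running_tasks output: logshipper has no
# constraint and was scheduled next to tokenizer on pci-node-2.
sample_tasks() {
  cat <<'EOF'
pci-node-1 payments.1
pci-node-2 tokenizer.1
pci-node-2 logshipper.1
pci-node-3 web.1
EOF
}

# Offline demo: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  sample_tasks | crowded_nodes
fi
```

On a live swarm, `list_running_tasks | crowded_nodes` gives the same report; services that must stay off the labelled nodes need their own constraint, such as `node.labels.pci.zone!=cde`.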