Security blueprint: PCI on GKE

The PCI on GKE blueprint contains a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. The core of this blueprint is the Online Boutique application, where users can browse items, add them to the cart, and purchase them.

This blueprint enables you to quickly and easily deploy workloads on GKE that align with the Payment Card Industry Data Security Standard (PCI DSS) in a repeatable, supported, and secure way.

Architecture

Project overview

In this blueprint, you bootstrap a cardholder data environment (CDE) in Google Cloud that contains the following resource hierarchy:

  • An Organizational resource.
  • A Folder resource. Folder resources provide a grouping mechanism and isolation boundaries between projects.
  • Project resources. You deploy the following Google Cloud projects:

    • Network: The host project for the Shared VPC.
    • Management: A project that will hold the logging and monitoring infrastructure, such as Cloud Logging.
    • In-scope: A project that contains the in-scope resources. In this solution, the project consists of a GKE cluster that's designed to run the in-scope applications. In the example, this includes the Frontend, Payment, and Checkout services.
    • Out-of-scope: A project that contains the out-of-scope resources. In the solution, that's a GKE cluster that's designed to run the rest of the services.

Project overview.

Application and projects

The following diagram illustrates the CDE boundary on Google Cloud and which projects are in the scope of your PCI assessment of the Microservices Demo application. As you build your environment, you use an illustration like this to communicate Google Cloud about resources into and out of your PCI boundary.

The path labeled 1 shows log data from Kubernetes clusters going to Cloud Logging.

Application deployment.

Network layout

This diagram illustrates the network and subnet details within each project. It documents the data flows between projects and into and out of the CDE boundary.

Network layout.

Encrypted traffic

This diagram illustrates the encrypted traffic going into and out of the PCI boundary:

  1. TLS-encrypted (HTTPS) traffic from outside the VPC goes to the in-scope public load balancer.
  2. TLS-encrypted traffic between in-scope Kubernetes cluster nodes to the out-of-scope cluster goes to internal load balancers.
  3. Traffic from the internal load balancers to the out-of-scope cluster is encrypted with mTLS using Istio.
  4. Communication within each cluster is encrypted with mTLS using Istio.

Encrypted traffic.

Compliance mapping

The blueprint described in this document addresses a range of PCI DSS compliance requirements. The table in this section highlights some of those requirements.

The items in the following table don't address all requirements; compliance with some requirements is met by the Google Cloud infrastructure as part of the shared responsibility between you and Google. Compliance with other requirements needs to be implemented by you. For a detailed explanation of the shared responsibility model, see Exploring container security: the shared responsibility model in GKE on the Google Cloud blog.

The numbers in parentheses refer to sections of the Payment Card Industry (PCI) Data Security Standard document. You can download the document from the PCI Security Standards Council website's document library.

Requirement Section Description
Implement segmentation and boundary protection 1.3.2, 1.3.4 This blueprint helps you implement a logical segmentation by using Google Cloud projects; the segmentation lets you create a boundary for your PCI assessment. This blueprint runs Istio on Google Kubernetes Engine as an add-on that lets you create a service mesh around the GKE cluster that includes all of the components you need. The blueprint also creates a security perimeter using VPC around all of the Google Cloud projects that are in scope for PCI.
Configure least-privilege access to Google Cloud resources 7.1, 7.2 This blueprint helps you to implement role-based access control to manage who has access to Google Cloud resources. The blueprint also implements GKE-specific access controls like role-based access control (RBAC) and namespaces to restrict access to cluster resources.
Establish Organization-level policies   With this blueprint, you establish policies that apply to your Google Cloud Organization resource, such as the following:
Enforce separation of duties through Shared VPC 7.1.2, 7.1.3 This blueprint uses Shared VPC for connectivity and segregated network control to enforce separation of duties.
Harden your cluster's security 2.2, 2.2.5 The GKE clusters in this blueprint are hardened as described in the GKE hardening guide.

This list is just a subset of the security controls implemented in this blueprint that can meet PCI DSS requirements. You can find a full list of those requirements that are addressed in the PCI DSS Requirements (PDF) document on GitHub.

Deployable assets

The PCI and GKE Blueprint repository on GitHub contains a set of Terraform configurations and scripts that show how to bootstrap a PCI environment in Google Cloud. The PCI on GKE project also showcases Google Cloud services, tools, and projects that are useful to start your own Google Cloud PCI environment.

Frequently asked questions

Resources

  • PCI DSS compliance on Google Cloud. This guide helps you address concerns unique to Google Kubernetes Engine (GKE) applications when you are implementing customer responsibilities for PCI DSS requirements.