Security blueprint: PCI on GKE

Last reviewed 2023-12-06 UTC

The PCI on Google Kubernetes Engine blueprint contains a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. The core of this blueprint is the Online Boutique application, where users can browse items, add them to the cart, and purchase them.

This blueprint was developed for Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1. Note that the PCI Security Standards Council retired version 3.2.1 on March 31, 2024 in favor of version 4.0, so if you use this blueprint for an assessment against a later version, re-map the controls listed in this document to the current requirement numbering. The blueprint lets you deploy workloads on GKE that align with the PCI DSS in a repeatable, supported, and secure way.

Architecture

In this blueprint, you bootstrap a cardholder data environment (CDE) in Google Cloud that contains the following resource hierarchy:

  • An Organizational resource.
  • A Folder resource. Folder resources provide a grouping mechanism and isolation boundaries between projects.
  • Project resources. You deploy the following Google Cloud projects:

    • Network: The host project for the Shared VPC.
    • Management: A project that will hold the logging and monitoring infrastructure, such as Cloud Logging.
    • In-scope: A project that contains the in-scope resources. In this solution, the project consists of a GKE cluster that's designed to run the in-scope applications. In the example, this includes the Frontend, Payment, and Checkout services.
    • Out-of-scope: A project that contains the out-of-scope resources. In the solution, that's a GKE cluster that's designed to run the rest of the services.
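The resource hierarchy described above, expressed as Terraform. This is an added example and not the blueprint's own configuration; the organization ID, billing account, folder name, project IDs, which projects attach to the Shared VPC, and the list of restricted services in the perimeter are all assumptions chosen for illustration.

```terraform
# Added example (not the blueprint's Terraform): folder, four projects,
# Shared VPC host/service attachment, and a VPC Service Controls perimeter.
# All IDs below are placeholders (assumptions).

variable "org_id" {
  default = "123456789012"            # assumption
}

variable "billing_account" {
  default = "000000-AAAAAA-BBBBBB"    # assumption
}

# The folder is the isolation boundary that groups every CDE project.
resource "google_folder" "pci" {
  display_name = "pci-cde"
  parent       = "organizations/${var.org_id}"
}

locals {
  # The four projects from the architecture section.
  # "attach" marks projects that become Shared VPC service projects
  # (assumption: the management project holds logging only, no subnets).
  projects = {
    network      = { id = "pci-network-host", attach = false }
    management   = { id = "pci-management",   attach = false }
    in_scope     = { id = "pci-in-scope",     attach = true }
    out_of_scope = { id = "pci-out-of-scope", attach = true }
  }
}

resource "google_project" "cde" {
  for_each        = local.projects
  name            = each.key
  project_id      = each.value.id
  folder_id       = google_folder.pci.name
  billing_account = var.billing_account
  # Never create the permissive "default" network in a CDE project; the only
  # VPC these projects use is the Shared VPC owned by the network project.
  auto_create_network = false
}

resource "google_project_service" "compute" {
  for_each = local.projects
  project  = google_project.cde[each.key].project_id
  service  = "compute.googleapis.com"
}

# The network project is the Shared VPC host ...
resource "google_compute_shared_vpc_host_project" "network" {
  project    = google_project.cde["network"].project_id
  depends_on = [google_project_service.compute]
}

# ... and the two cluster projects attach as service projects: their GKE
# nodes use subnets owned by the host, while firewall rules and network IAM
# stay in the network project (separation of duties).
resource "google_compute_shared_vpc_service_project" "attach" {
  for_each        = { for k, v in local.projects : k => v if v.attach }
  host_project    = google_compute_shared_vpc_host_project.network.project
  service_project = google_project.cde[each.key].project_id
  depends_on      = [google_project_service.compute]
}

# VPC Service Controls perimeter around all four projects, so that GKE and
# Logging API calls (including the log path into the management project)
# cannot cross between the CDE projects and projects outside it.
resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/${var.org_id}"
  title  = "pci-access-policy"
}

resource "google_access_context_manager_service_perimeter" "cde" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/servicePerimeters/pci_cde"
  title  = "pci_cde"
  status {
    resources           = [for p in google_project.cde : "projects/${p.number}"]
    restricted_services = ["container.googleapis.com", "logging.googleapis.com"]  # assumption
  }
}
```

Two caveats a practitioner would check before applying this: a perimeter only restricts the services listed in restricted_services, so every API the clusters depend on (for example Artifact Registry or Cloud Storage for images and state) must be added or it remains reachable across the boundary; and the identity that runs Terraform must itself be allowed into the perimeter through an access level or ingress rule, otherwise the apply that creates the perimeter locks the operator out of the projects it protects.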

Project overview.

The following diagram illustrates the CDE boundary on Google Cloud and which projects are in the scope of your PCI assessment of the Microservices Demo (Online Boutique) application. As you build your environment, you use an illustration like this to document which resources lie inside and outside your PCI boundary and which data flows cross it.

The path labeled 1 shows log data from Kubernetes clusters going to Cloud Logging.

Application deployment.

This diagram illustrates the network and subnet details within each project. It documents the data flows between projects and into and out of the CDE boundary.

Network layout.

This diagram illustrates the encrypted traffic going into and out of the PCI boundary:

  1. TLS-encrypted (HTTPS) traffic from outside the VPC goes to the in-scope public load balancer.
  2. TLS-encrypted traffic from the in-scope Kubernetes cluster nodes to the out-of-scope cluster goes through internal load balancers.
  3. Traffic from the internal load balancers to the out-of-scope cluster is encrypted with mTLS using Istio.
  4. Communication within each cluster is encrypted with mTLS using Istio.
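Paths 3 and 4 above depend on Istio mTLS being enforced, not merely available. The following Terraform enforces STRICT mode in one cluster through the Terraform kubernetes provider. It is an added example and not the blueprint's own manifests; it assumes Istio is already installed in the istio-system namespace, that a kubeconfig context named "in-scope" exists, and that the in-scope services run in namespaces named after them (the frontend, checkout and payment services are named on this page; using them as namespace names is an assumption). Apply the same configuration against the out-of-scope cluster with its own context.

```terraform
# Added example (not the blueprint's manifests): enforce STRICT mTLS.
# Assumes Istio in istio-system and a kube context "in-scope" (assumptions).

provider "kubernetes" {
  config_path    = "~/.kube/config"   # assumption
  config_context = "in-scope"         # assumption
}

locals {
  # In-scope services from the architecture section, one namespace each
  # (namespace names are an assumption).
  cde_namespaces = ["frontend", "checkout", "payment"]
}

# Namespaces labelled for sidecar injection: without the sidecar there is
# no mTLS, so injection is the precondition for every mTLS claim above.
resource "kubernetes_namespace_v1" "cde" {
  for_each = toset(local.cde_namespaces)
  metadata {
    name   = each.value
    labels = { "istio-injection" = "enabled" }
  }
}

# Mesh-wide default: sidecars accept only mTLS connections. A sidecar-less
# client, or anything outside the mesh that speaks plaintext, is refused
# instead of being silently allowed (which is what PERMISSIVE mode does).
resource "kubernetes_manifest" "mesh_mtls_strict" {
  manifest = {
    apiVersion = "security.istio.io/v1beta1"
    kind       = "PeerAuthentication"
    metadata   = { name = "default", namespace = "istio-system" }
    spec       = { mtls = { mode = "STRICT" } }
  }
}

# Defense in depth: pin STRICT per CDE namespace as well, so a later edit
# that relaxes the mesh-wide default cannot silently downgrade these
# namespaces to PERMISSIVE.
resource "kubernetes_manifest" "ns_mtls_strict" {
  for_each = kubernetes_namespace_v1.cde
  manifest = {
    apiVersion = "security.istio.io/v1beta1"
    kind       = "PeerAuthentication"
    metadata   = { name = "default", namespace = each.value.metadata[0].name }
    spec       = { mtls = { mode = "STRICT" } }
  }
}
```

After applying, `kubectl get peerauthentication -A` should list STRICT for istio-system and each CDE namespace, and a plaintext request from a pod without a sidecar to any service in those namespaces should be reset rather than served. Note that `kubernetes_manifest` validates the manifest against the cluster's API schema at plan time, so Istio's CRDs must exist before `terraform plan` runs; and for path 3 to be mTLS end to end, the internal load balancer must pass TLS through to the out-of-scope cluster's Istio proxies rather than terminating it, since a load balancer that terminates TLS becomes the peer whose identity is verified.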

Encrypted traffic.

Compliance mapping

The blueprint described in this document addresses a range of PCI DSS compliance requirements. The table in this section highlights some of those requirements.

The items in the following table don't address all requirements; compliance with some requirements is met by the Google Cloud infrastructure as part of the shared responsibility between you and Google. Compliance with other requirements needs to be implemented by you. For a detailed explanation of the shared responsibility model, see Exploring container security: the shared responsibility model in GKE on the Google Cloud blog.

The numbers in parentheses refer to sections of the Payment Card Industry (PCI) Data Security Standard document. You can download the document from the PCI Security Standards Council website's document library.

Each item gives the requirement, the PCI DSS v3.2.1 section numbers in parentheses, and how the blueprint addresses it:

  • Implement segmentation and boundary protection (1.3.2, 1.3.4): This blueprint helps you implement logical segmentation by using Google Cloud projects; the segmentation lets you create a boundary for your PCI assessment. The blueprint runs Istio on Google Kubernetes Engine as an add-on, which creates a service mesh around each GKE cluster with the components the mesh needs. The blueprint also creates a VPC Service Controls security perimeter around all of the Google Cloud projects that are in scope for PCI.
  • Configure least-privilege access to Google Cloud resources (7.1, 7.2): This blueprint helps you implement role-based access control to manage who has access to Google Cloud resources. The blueprint also implements GKE-specific access controls, such as Kubernetes role-based access control (RBAC) and namespaces, to restrict access to cluster resources.
  • Establish Organization-level policies: With this blueprint, you establish policies that apply to your Google Cloud Organization resource, such as the following:
  • Enforce separation of duties through Shared VPC (7.1.2, 7.1.3): This blueprint uses Shared VPC for connectivity and segregated network control to enforce separation of duties.
  • Harden your cluster's security (2.2, 2.2.5): The GKE clusters in this blueprint are hardened as described in the GKE hardening guide.
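The least-privilege requirement (7.1, 7.2) is enforced at two layers on GKE: Cloud IAM decides who can reach the cluster, and Kubernetes RBAC decides what they can do inside it. The following Terraform shows both layers for one operator group. It is an added example and not the blueprint's own configuration; the group address, project ID and namespace are assumptions, and it assumes the cluster has Google Groups for GKE configured so that the group can appear as an RBAC subject.

```terraform
# Added example (not the blueprint's Terraform): least privilege at the
# Cloud IAM layer and the Kubernetes RBAC layer. Group, project and
# namespace names are assumptions.

variable "payment_ops_group" {
  default = "payment-ops@example.com"   # assumption: a Google Group
}

# Layer 1, Cloud IAM: roles/container.clusterViewer only lets the group
# list clusters and fetch credentials. What they can do inside the cluster
# is then decided by Kubernetes RBAC, not by a broad role such as
# roles/container.admin or roles/owner on the project.
resource "google_project_iam_member" "payment_ops_cluster_viewer" {
  project = "pci-in-scope"                      # assumption
  role    = "roles/container.clusterViewer"
  member  = "group:${var.payment_ops_group}"
}

# Layer 2, Kubernetes RBAC: a Role (namespace-scoped, not a ClusterRole)
# that allows reading workloads and logs in the payment namespace only.
resource "kubernetes_role_v1" "payment_reader" {
  metadata {
    name      = "payment-reader"
    namespace = "payment"                       # assumption
  }
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log", "services", "configmaps"]
    verbs      = ["get", "list", "watch"]
  }
  rule {
    api_groups = ["apps"]
    resources  = ["deployments", "replicasets"]
    verbs      = ["get", "list", "watch"]
  }
  # Deliberately absent: "secrets", "pods/exec", "pods/portforward", and
  # any create/update/patch/delete verb. Reading secrets or exec-ing into
  # a payment pod is cardholder data access and needs its own approval.
}

resource "kubernetes_role_binding_v1" "payment_reader" {
  metadata {
    name      = "payment-reader"
    namespace = "payment"                       # assumption
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role_v1.payment_reader.metadata[0].name
  }
  subject {
    # Google Groups for GKE resolves this group only if the cluster has
    # authenticator groups enabled and the group is nested under the
    # gke-security-groups@<domain> group (assumption: already configured).
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = var.payment_ops_group
  }
}
```

To check the result, impersonate a member of the group: `kubectl auth can-i list pods -n payment --as=alice@example.com --as-group=payment-ops@example.com` should answer yes, while the same command with `get secrets` or with `-n checkout` should answer no. Because the binding is a RoleBinding in one namespace, a later mistake that grants this group a wider Cloud IAM role still does not extend its Kubernetes permissions unless a ClusterRoleBinding is also created, which is exactly the kind of change an RBAC audit should flag.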

This list is just a subset of the security controls implemented in this blueprint that can meet PCI DSS requirements. You can find a full list of those requirements that are addressed in the PCI DSS Requirements (PDF) document on GitHub.

Deployable assets

The PCI and GKE Blueprint repository on GitHub contains a set of Terraform configurations and scripts that show how to bootstrap a PCI environment in Google Cloud. The PCI on GKE project also showcases Google Cloud services, tools, and projects that are useful to start your own Google Cloud PCI environment.

Frequently asked questions

The PCI on GKE blueprint provides you with prescriptive information and instructions for creating or migrating workloads on GKE that align with PCI compliance requirements.

The blueprint is made up of the following elements:

We recommend that you read through the implementation guide and review the reference architectures before deploying the PCI environment using Terraform. We've provided a demo ecommerce application that you can deploy to test the PCI blueprint environment.

No. PCI DSS is a set of security standards and there are many ways to interpret and implement the controls to satisfy the standards. This blueprint is designed as a set of best practices and recommendations to support your own PCI DSS compliance.

While some of the guidance in this blueprint is applicable to GKE Enterprise, the focus is on Google Kubernetes Engine (GKE) running on Google Cloud.

This blueprint addresses a range of PCI DSS compliance requirements. You can find a full list of those requirements in the PCI DSS Requirements document (PDF) on GitHub. This list addresses only the PCI compliance requirements that are supported by the Google Cloud infrastructure as part of the shared responsibility between you and Google. Note that the implementation of any PCI compliance controls is the sole responsibility of the customer and you should conduct your own evaluation of your organization's PCI compliance. For more information about the shared responsibility model, see Exploring container security: the shared responsibility model in GKE on the Google Cloud blog.

For a full list of supported services, see the top of the README file in the PCI on GKE repository on GitHub.

Yes. You can submit a pull request or fork the repository.

Resources

  • PCI DSS compliance on Google Cloud. This guide helps you address concerns unique to Google Kubernetes Engine (GKE) applications when you are implementing customer responsibilities for PCI DSS requirements.