Security blueprint: PCI on GKE
The PCI on Google Kubernetes Engine blueprint contains a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. The core of this blueprint is the Online Boutique application, where users can browse items, add them to the cart, and purchase them.
This blueprint was developed for Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1. The blueprint lets you deploy workloads on GKE that align with the PCI DSS in a repeatable, supported, and secure way.
Architecture
Project overview
In this blueprint, you bootstrap a cardholder data environment (CDE) in Google Cloud that contains the following resource hierarchy:
- An Organization resource.
- A Folder resource. Folder resources provide a grouping mechanism and isolation boundaries between projects.
- Project resources. You deploy the following Google Cloud projects:
  - Network: The host project for the Shared VPC.
  - Management: A project that will hold the logging and monitoring infrastructure, such as Cloud Logging.
  - In-scope: A project that contains the in-scope resources. In this solution, the project consists of a GKE cluster that's designed to run the in-scope applications. In the example, this includes the Frontend, Payment, and Checkout services.
  - Out-of-scope: A project that contains the out-of-scope resources. In the solution, that's a GKE cluster that's designed to run the rest of the services.
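The resource hierarchy above, written out as an added Terraform example (this is illustrative code, not the configuration from the blueprint repository): one Folder under the Organization, the four projects inside it, the Network project registered as the Shared VPC host with both cluster projects attached as service projects, and one subnet per cluster project so in-scope and out-of-scope nodes never share a subnet. The variable names, project IDs, subnet names, and CIDR ranges are assumptions chosen for illustration.

```terraform
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

# Assumed inputs: replace with your own Organization, billing account, and region.
variable "org_id" {
  type        = string
  description = "Assumed: numeric ID of the Google Cloud Organization resource"
}
variable "billing_account" {
  type = string
}
variable "region" {
  type    = string
  default = "us-central1"
}
variable "suffix" {
  type        = string
  description = "Assumed: short suffix that makes the project IDs globally unique"
}

# One Folder resource isolates the CDE projects from the rest of the Organization.
resource "google_folder" "cde" {
  display_name = "pci-cde"
  parent       = "organizations/${var.org_id}"
}

# The four projects from the resource hierarchy.
locals {
  projects = {
    network      = "network"      # Shared VPC host project
    management   = "management"   # logging and monitoring infrastructure
    in_scope     = "in-scope"     # GKE cluster for the in-scope services
    out_of_scope = "out-of-scope" # GKE cluster for the remaining services
  }
}

resource "google_project" "cde" {
  for_each            = local.projects
  name                = "pci-${each.value}"
  project_id          = "pci-${each.value}-${var.suffix}"
  folder_id           = google_folder.cde.folder_id
  billing_account     = var.billing_account
  auto_create_network = false # no default VPC: all networking comes from the host project
}

# The Compute API must be enabled before a project can host or attach to a Shared VPC.
resource "google_project_service" "compute" {
  for_each = google_project.cde
  project  = each.value.project_id
  service  = "compute.googleapis.com"
}

# The Network project is the Shared VPC host; both cluster projects attach to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project    = google_project.cde["network"].project_id
  depends_on = [google_project_service.compute]
}

resource "google_compute_shared_vpc_service_project" "cluster_projects" {
  for_each        = toset(["in_scope", "out_of_scope"])
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = google_project.cde[each.key].project_id
  depends_on      = [google_project_service.compute]
}

# One VPC in the host project with a separate subnet per cluster project.
resource "google_compute_network" "shared" {
  project                 = google_project.cde["network"].project_id
  name                    = "pci-shared-vpc"
  auto_create_subnetworks = false
  depends_on              = [google_project_service.compute]
}

resource "google_compute_subnetwork" "cluster" {
  for_each = {
    in_scope     = "10.10.0.0/20" # constructed sample ranges, not the blueprint's
    out_of_scope = "10.20.0.0/20"
  }
  project                  = google_project.cde["network"].project_id
  name                     = "${replace(each.key, "_", "-")}-nodes"
  region                   = var.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = each.value
  private_ip_google_access = true

  # VPC Flow Logs give traffic crossing the in-scope/out-of-scope boundary an audit trail.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```

The identity running `terraform apply` needs folder and project creation rights on the Organization plus the Shared VPC Admin role on the host project; keeping the host project separate from the cluster projects is what lets network administration and cluster administration be granted to different people.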
Application and projects
The following diagram illustrates the CDE boundary on Google Cloud and which projects are in the scope of your PCI assessment of the Microservices Demo application. As you build your environment, you use an illustration like this to communicate which Google Cloud resources sit inside and outside your PCI boundary.
The path labeled 1 shows log data from Kubernetes clusters going to Cloud Logging.
Network layout
This diagram illustrates the network and subnet details within each project. It documents the data flows between projects and into and out of the CDE boundary.
Encrypted traffic
This diagram illustrates the encrypted traffic going into and out of the PCI boundary:
- TLS-encrypted (HTTPS) traffic from outside the VPC goes to the in-scope public load balancer.
- TLS-encrypted traffic from in-scope Kubernetes cluster nodes to the out-of-scope cluster goes to internal load balancers.
- Traffic from the internal load balancers to the out-of-scope cluster is encrypted with mTLS using Istio.
- Communication within each cluster is encrypted with mTLS using Istio.
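The last property in the list, mTLS inside each cluster, is only guaranteed when the mesh is told to refuse plaintext. As an added example (not code from the blueprint repository), the following Terraform applies a mesh-wide Istio PeerAuthentication in STRICT mode through the Kubernetes provider; the kubeconfig context variable is an assumption, and the resource is applied once per cluster.

```terraform
terraform {
  required_providers {
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

variable "cluster_context" {
  type        = string
  description = "Assumed: kubeconfig context of the GKE cluster being configured"
}

provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = var.cluster_context
}

# Mesh-wide default. Istio's out-of-the-box mode is PERMISSIVE, which still
# accepts plaintext from peers that have no sidecar; STRICT makes every sidecar
# reject any connection that is not Istio mTLS. A PeerAuthentication named
# "default" in the root namespace (istio-system) applies to the whole mesh.
resource "kubernetes_manifest" "mesh_mtls_strict" {
  manifest = {
    apiVersion = "security.istio.io/v1beta1"
    kind       = "PeerAuthentication"
    metadata = {
      name      = "default"
      namespace = "istio-system"
    }
    spec = {
      mtls = { mode = "STRICT" }
    }
  }
}
```

`kubernetes_manifest` contacts the cluster API during `terraform plan`, so this must be applied after the cluster and the Istio add-on exist. Any workload that is not injected with a sidecar will lose connectivity once STRICT is in force, which is the intended behaviour: a plaintext path inside the cluster would silently widen the CDE.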
Compliance mapping
The blueprint described in this document addresses a range of PCI DSS compliance requirements. The table in this section highlights some of those requirements.
Note: The PCI on GKE Blueprint Review for PCI Compliance whitepaper (PDF) provides an independent, third-party assessment of the blueprint performed by Coalfire, Google's PCI-DSS auditor. It also provides guidance on elements that you should address when you adopt the blueprint. The items in the following table don't address all requirements; compliance with some requirements is met by the Google Cloud infrastructure as part of the shared responsibility between you and Google. Compliance with other requirements needs to be implemented by you. For a detailed explanation of the shared responsibility model, see Exploring container security: the shared responsibility model in GKE on the Google Cloud blog.
Note: The compliance mapping describes how controls implemented in this blueprint help you comply with a PCI requirement; however, the blueprint does not guarantee PCI compliance for the requirements specified later in this document. It's important to note that the description of the implementation details in this blueprint must be reviewed, evaluated, assessed, and approved by you and your Qualified Security Assessor (QSA), and layered with other security features that address all of the in-scope systems and applications for a holistic solution to meet the PCI requirements. The numbers in parentheses refer to sections of the Payment Card Industry (PCI) Data Security Standard document. You can download the document from the PCI Security Standards Council website's document library.
| Requirement | Section | Description |
|---|---|---|
| Implement segmentation and boundary protection | 1.3.2, 1.3.4 | This blueprint helps you implement a logical segmentation by using Google Cloud projects; the segmentation lets you create a boundary for your PCI assessment. This blueprint runs Istio on Google Kubernetes Engine as an add-on that lets you create a service mesh around the GKE cluster that includes all of the components you need. The blueprint also creates a security perimeter using VPC around all of the Google Cloud projects that are in scope for PCI. |
| Configure least-privilege access to Google Cloud resources | 7.1, 7.2 | This blueprint helps you to implement role-based access control to manage who has access to Google Cloud resources. The blueprint also implements GKE-specific access controls like role-based access control (RBAC) and namespaces to restrict access to cluster resources. |
| Establish Organization-level policies | | With this blueprint, you establish policies that apply to your Google Cloud Organization resource, such as the following: |
| Enforce separation of duties through Shared VPC | 7.1.2, 7.1.3 | This blueprint uses Shared VPC for connectivity and segregated network control to enforce separation of duties. |
| Harden your cluster's security | 2.2, 2.2.5 | The GKE clusters in this blueprint are hardened as described in the GKE hardening guide. |
This list is just a subset of the security controls implemented in this blueprint that can meet PCI DSS requirements. You can find a full list of those requirements that are addressed in the PCI DSS Requirements (PDF) document on GitHub.
Deployable assets
The PCI and GKE Blueprint repository on GitHub contains a set of Terraform configurations and scripts that show how to bootstrap a PCI environment in Google Cloud. The PCI on GKE project also showcases Google Cloud services, tools, and projects that are useful to start your own Google Cloud PCI environment.
Frequently asked questions
How do I use this blueprint?
The PCI on GKE blueprint provides you with prescriptive information and instructions for creating or migrating workloads on GKE that align with PCI compliance requirements.
The blueprint is made up of the following elements:
- An implementation guide
- Reference architectures
- Terraform scripts that implement infrastructure as code (IaC)
- A demo application
- PCI compliance mappings
We recommend that you read through the implementation guide and review the reference architectures before deploying the PCI environment using Terraform. We've provided a demo ecommerce application that you can deploy to test the PCI blueprint environment.
Is this the only way to run PCI-compliant workloads on Google Cloud?
No. PCI DSS is a set of security standards and there are many ways to interpret and implement the controls to satisfy the standards. This blueprint is designed as a set of best practices and recommendations to support your own PCI DSS compliance.
Does this blueprint include best practices for PCI compliance for Google Distributed Cloud?
While some of the guidance in this blueprint is applicable to Google Distributed Cloud, the focus is on Google Kubernetes Engine (GKE) running on Google Cloud.
Do you have a list of PCI requirements that this blueprint can help satisfy?
This blueprint addresses a range of PCI DSS compliance requirements. You can find a full list of those requirements in the PCI DSS Requirements document (PDF) on GitHub. This list addresses only the PCI compliance requirements that are supported by the Google Cloud infrastructure as part of the shared responsibility between you and Google. Note that the implementation of any PCI compliance controls is the sole responsibility of the customer and you should conduct your own evaluation of your organization's PCI compliance. For more information about the shared responsibility model, see Exploring container security: the shared responsibility model in GKE on the Google Cloud blog.
What services are supported by the guidance in this blueprint?
For a full list of supported services, see the top of the README file in the PCI on GKE repository on GitHub.
Do you accept contributions to the PCI on GKE repository on GitHub?
Yes. You can submit a pull request or fork the repository.
Resources
- PCI DSS compliance on Google Cloud. This guide helps you address concerns unique to Google Kubernetes Engine (GKE) applications when you are implementing customer responsibilities for PCI DSS requirements.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-03-12 UTC.