GKE and PCI DSS ASV scanning

Question

For PCI DSS certification in GKE, the question concerns ASV scanning. Does Google already scan the load balancers, or is the customer responsible for scanning its own websites hosted in GKE? Is there a list of GCP-wide domains that are covered by the PCI compliance attestation?

Looking for extended guidance on ASV scan compliance.

Tags: security google-kubernetes-engine pci-compliance pci-dss
1 answer

This is a shared responsibility model. Google does scan its load-balancing infrastructure, but you are still responsible for scanning your actual endpoints.

For example, here is requirement 11.4.2 from the shared responsibility matrix:

The customer is responsible for

    ... all external penetration testing of in-scope system components, comprising their cardholder data environment. (Note: External vulnerability scans should only include the customer-managed endpoints, and not GCP-managed endpoints as they are tested as part of GCP PCI DSS compliance)

Google is responsible for

    ... conducting external penetration testing on systems and infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses.
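To turn the "customer-managed endpoints" wording above into a concrete scan-scope inventory, here is an added example (my own code, not from the answer or from Google) that reads the JSON shape `kubectl get ingress,svc -A -o json` produces and keeps only endpoints that are actually reachable from the internet: public LoadBalancer Services and Ingresses with an assigned address. It assumes the GKE internal load balancer annotations `networking.gke.io/load-balancer-type` and `cloud.google.com/load-balancer-type` set to `Internal`, and the sample cluster objects are constructed.

```python
import json

# GKE annotations that mark a LoadBalancer Service as internal-only (assumed names).
INTERNAL_LB_ANNOTATIONS = (
    "networking.gke.io/load-balancer-type",  # newer GKE clusters
    "cloud.google.com/load-balancer-type",   # older GKE clusters
)

# Constructed sample in the shape of `kubectl get ingress,svc -A -o json`.
SAMPLE = json.dumps({"items": [
    {"kind": "Service", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"kind": "Service", "metadata": {"name": "db-proxy", "namespace": "shop",
        "annotations": {"networking.gke.io/load-balancer-type": "Internal"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 5432}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.8.0.5"}]}}},
    {"kind": "Service", "metadata": {"name": "cache", "namespace": "shop"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 6379}]}, "status": {}},
    {"kind": "Ingress", "metadata": {"name": "front", "namespace": "shop"},
     "spec": {"tls": [{"hosts": ["shop.example.com"]}],
              "rules": [{"host": "shop.example.com"}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.20"}]}}},
]})


def _is_internal(meta):
    ann = meta.get("annotations") or {}
    return any(str(ann.get(k, "")).lower() == "internal" for k in INTERNAL_LB_ANNOTATIONS)


def external_endpoints(items):
    """Return sorted 'host:port' strings for customer-managed, internet-facing endpoints."""
    out = set()
    for obj in items:
        kind, meta, spec = obj["kind"], obj["metadata"], obj.get("spec", {})
        lb = (obj.get("status", {}).get("loadBalancer") or {}).get("ingress") or []
        addrs = [e.get("ip") or e.get("hostname") for e in lb if e.get("ip") or e.get("hostname")]
        if not addrs or _is_internal(meta):
            continue  # ClusterIP/NodePort-only, unassigned, or internal LB: out of ASV scope
        if kind == "Service" and spec.get("type") == "LoadBalancer":
            out.update(f"{a}:{p['port']}" for a in addrs for p in spec.get("ports", []))
        elif kind == "Ingress":
            hosts = [r["host"] for r in spec.get("rules", []) if r.get("host")] or addrs
            for h in hosts:
                out.add(f"{h}:80")
                if spec.get("tls"):
                    out.add(f"{h}:443")
    return sorted(out)


def scan_scope(kubectl_json):
    """Parse kubectl JSON text and return the ASV scan-scope inventory."""
    return external_endpoints(json.loads(kubectl_json)["items"])
```

The resulting list is what you hand to the ASV, with the internal LB and ClusterIP entries excluded and the GCP-managed Google API endpoints left out entirely.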