This document discusses Lola's deployment of compliant Kubernetes to meet PCI DSS requirements. Lola stores credit card details on behalf of users but does not directly process payments, requiring Level 1 PCI compliance. It outlines how Lola uses technologies like TLS encryption with Ingress controllers, IAM authentication for Kubernetes, and Prometheus for cluster monitoring to meet requirements for firewalls, encryption, secure systems, and access control. The document advises engaging auditors technically rather than treating Kubernetes as a black box, and leveraging open source tools and communities for pre-built applications to simplify compliance tasks like authentication, monitoring, and logging.

1. Deploying Compliant Kubernetes
Real World Edge Cases

2. Speakers
2
Tim Buntel
VP of Application Security Products
Katie Paugh
Lola DevOps Team Lead

3. Quick Background on Lola
3
Lola.com makes managing corporate
travel easy, fast and agile.
We provide your company with the
visibility and control you need, while
giving your travelers the
amazing experience they want.

4. Lola’s Cloud Environment
ü General IT
ü AWS infrastructure
ü CI/CD pipeline
4
ü Logging
ü Monitoring
MANAGE
GENERAL INFRASTRUCTURE
ü Security/Compliance
ü Kubernetes
PCI INFRASTRUCTURE
PRODNON-
PROD
PRODNON-
PROD

5. Lola’s Need for Compliance
Credit card details
are stored on users’
behalf
5
In-house travel agents
can book on behalf of
users
No direct credit card
processing, but Level 1
PCI DSS Compliant

6. 6
Compliance in a K8S World

7. REQUIREMENT 1
Install and Maintain a firewall
configuration to protect
cardholder data
7

8. REQUIREMENT 4
Encrypt transmission of
cardholder data across
open, public networks
8
§ TLS Encryption via Ingress
Controllers
§ Ingress Controller maps to an AWS
ALB with appropriate
Security Group and
ELBSecurityPolicy
§ Weave as networking layer
– Encryption enabled between
services within our cluster*
* Not a PCI requirement, but an extra layer of security

9. REQUIREMENT 6
Develop and maintain
secure systems and
applications
9
DEV SEC OPS
Vulnerability Alerts
Guidance
Centralized
Visibility & Control
Attack Protection &
Threat Intelligence

10. REQUIREMENT 8
Identify and
authenticate
access to system
components
10
A big challenge for us
§ How are we going to handle user authentication into
our cluster
§ How do we manage Integration with a new system?
§ If our Developers get another account will they know
which credentials they need to use for what?
§ Don’t want developers to have yet another account to remember
§ Etc.
AWS IAM Authenticator for Kubernetes
(formerly heptio-authenticator)
§ Use AWS IAM users to authenticate to the Kubernetes cluster
§ Users assume an IAM Role and each Role is restricted to certain
actions
§ Allows for easy user management
§ Can give CI/CD pipeline access without giving it a username and
password

11. REQUIREMENT 10
Track and monitor
all access to network
resources and
cardholder data
11
CLUSTER
METRICS
SEVERITY 1
ALERT
SEVERITY 2 &
3 ALERTS
INTRUSION
DETECTION
Prometheus

12. Talking to the Auditors
Stick to the technical controls you have in place
– Versioning
– User access controls
Don’t treat Kubernetes like a black box
– “Oh well it just handles things that way because it does”
12

13. What We’ve Learned So Far
USE THE COMMUNITY!
– Slack, forums, GitHub
Search for Pre-built custom applications
– Custom authentication controllers
– Customer resource controllers
– Monitoring
– Logging
13

14. 14

15. Thank You
threatstack.com