WePay: About Us
WePay has been using Kubernetes via Google Container Engine since 1.0 (July 2015)
Payments company with PCI data
Just embarking on the Monolith -> Microservices path
Three iterations of deployment:
1. Manual docker
2. Ansible + docker: 1 container per VM
3. Kubernetes
WePay: Our Experiences
Need for intra-cluster TLS
Separation of responsibility: keep SSL out of the app
Solution: Use an NGINX “sidecar” in each pod to terminate TLS
In-house root CA for the Kubernetes DNS domain
NGINX “sidecar” acts as the load balancer’s backend for the service
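The sidecar-plus-in-house-CA pattern on this slide, as an added example (not WePay's own scripts or configuration): a shell script that creates a private root CA, issues a certificate for one service's in-cluster DNS name, checks the result, and writes the NGINX sidecar config that terminates TLS and proxies to the app over the pod's loopback. The service name `payments`, namespace `prod`, the scratch directory, and the app port 8080 are assumptions; the cluster domain `cluster.local` is the kube-dns default. It needs only the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example, not WePay's tooling: in-house root CA for the cluster DNS domain,
# a leaf cert for one service's cluster-internal name, and the NGINX sidecar config
# that terminates TLS inside the pod and proxies to the app on localhost.
set -eu

WORK="${WORK:-$(mktemp -d)}"                       # scratch dir (assumed layout)
SERVICE="${SERVICE:-payments}"                     # hypothetical service name
NAMESPACE="${NAMESPACE:-prod}"                     # hypothetical namespace
CLUSTER_DOMAIN="${CLUSTER_DOMAIN:-cluster.local}"  # kube-dns default domain
FQDN="$SERVICE.$NAMESPACE.svc.$CLUSTER_DOMAIN"

# 1. Root CA: self-signed, CA:TRUE, key usage limited to signing certs and CRLs.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf cert for the service: SANs cover every form of the in-cluster name that a
#    client might dial, serverAuth only, and it may not act as a CA itself.
issue_service_cert() {
  cat > "$WORK/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $FQDN
EOF
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$FQDN, DNS:$SERVICE.$NAMESPACE.svc, DNS:$SERVICE.$NAMESPACE, DNS:$SERVICE
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
    -keyout "$WORK/tls.key" -out "$WORK/tls.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/tls.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/tls.crt" 2>/dev/null
}

# 3. Checks worth running before the cert is mounted into the sidecar.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null; }
cert_text()    { openssl x509 -in "$WORK/tls.crt" -noout -text; }
has_san()      { cert_text | grep -q "DNS:$1"; }
is_not_ca()    { txt=$(cert_text); ! printf '%s' "$txt" | grep -q "CA:TRUE"; }

# 4. Sidecar config: TLS ends here; the app container listens on plain HTTP on the
#    pod's loopback and never touches a private key.
write_sidecar_conf() {
  cat > "$WORK/nginx.conf" <<EOF
events {}
http {
  server {
    listen 443 ssl;
    server_name $FQDN;
    ssl_certificate     /etc/nginx/tls/tls.crt;   # mounted from a Kubernetes Secret
    ssl_certificate_key /etc/nginx/tls/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    location / { proxy_pass http://127.0.0.1:8080; }   # app container, same pod
  }
}
EOF
}

run_demo() {
  make_root_ca
  issue_service_cert
  write_sidecar_conf
  verify_chain && has_san "$FQDN" && is_not_ca \
    && echo "OK: $FQDN certificate chains to the in-house CA; files in $WORK"
}

run_demo
```

Only `ca.crt` is distributed to clients (and to the external load balancer's health checks) so they can verify the sidecar; `ca.key` stays off the cluster entirely, and `tls.key` is mounted only into the NGINX container, not the app container, which is the separation of responsibility the slide is after.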
WePay: Our Experiences
Reduce PCI scope
Keep the number of machines the auditors inspect as small as possible
Solution: Dedicated K8s PCI cluster(s)
Need cluster-to-cluster configuration discovery
Currently hard-coding inter-service endpoints in configuration
WePay: Our Experiences
Manage Secrets Securely
GKE is not covered by Google’s PCI umbrella (yet)
Solution: Hashicorp Vault
Encryption as a service through authenticated API calls
Secrets are vended as needed