For PCI DSS certification in GKE, the question is on ASV scans. Does Google already scan the load balancers or is the client responsible for scanning their own sites hosted in the GKE? Is there a list of domains that were in the GCP scope for their PCI compliance certification?
Looking for expanded guidance on ASV scans for compliance.
It is a shared responsibility model. Google does scan its load balancing infrastructure, but you are still responsible for scanning your actual endpoints.
For example, this is from requirement 11.4.2 in the shared responsibility matrix:
Customers are responsible for
Google is responsible for