A comprehensive guide to building a hybrid cloud platform that connects on-premises Kubernetes clusters to Google Cloud Platform without long-lived service account keys. The approach uses Workload Identity Federation with OIDC to give on-prem pods short-lived, auditable GCP credentials. Key components include: configuring a GCP Workload Identity Pool and OIDC provider via Terraform, using CEL conditions for fine-grained namespace-level access control, and automating credential injection into pods with a Kyverno ClusterPolicy. The result lets on-prem workloads call GCP services like Vertex AI, Secret Manager, and Cloud Storage by simply adding a label to their deployment — no keys to manage or rotate.

20m read time. From freecodecamp.org
Table of Contents

Prerequisites
Why Hybrid Cloud Matters
The Economics of Hybrid: GPUs Changed Everything
Why Service Account Keys Fail at Scale
How the Accidental Air Gap Happens
How Workload Identity Federation Bridges the Gap
How Kubernetes Identity Works
How to Prepare Google Cloud Platform Resources
How to Use CEL for Fine-Grained Access Control
How to Inject Credentials Automatically with Kyverno
How to Grant IAM Permissions to Federated Identities
How to Verify the Setup
How to Connect On-Prem Apps to Cloud GPUs
How to Scale GPU Access with CEL Conditions
The Security Properties Compared
The Complete Infrastructure as Code Layout
How to Run a Proof of Concept with vCluster
Common Issues and How to Solve Them
Conclusion