Unit 2: Google Workspace & GCP integration

[TeoSlayer]

Scope

Google Workspace domain-restricted join rules and GCP Workload Identity for Kubernetes and Compute Engine.

Deliverables

• OIDC preset for Google (accounts.google.com issuer)
• Domain restriction: only @acme.com tokens accepted (hd claim validation)
• GKE Workload Identity: pod-level identity via projected service account tokens
• Compute Engine service account: metadata server token → OIDC token
• Google Groups → Pilot network mapping (via Directory API or token claims)
• Setup guide: Google Cloud project configuration, Workload Identity setup

Priority: HIGH

[TeoSlayer]

Context: Google Workspace is the second-largest enterprise identity provider. GKE Workload Identity is the standard for Kubernetes on GCP — pods get OIDC tokens from Google's metadata service, no secrets needed. Domain restriction (hd claim) is the simplest enterprise control: only agents authenticated via the company's Google domain can join.