Building AI agents is exciting, but deploying them securely to production shouldn't be complicated. In this tutorial, you will learn how GitLab's native Google Cloud integration makes it straightforward to deploy AI agents to Google Kubernetes Engine (GKE) — with built-in scanning and zero service account keys.

Why choose GKE to deploy your AI agents?

GKE provides enterprise-grade orchestration that connects seamlessly with GitLab CI/CD pipelines through OIDC authentication. Your development team can deploy AI agents while maintaining complete visibility, compliance, and control over your cloud infrastructure. This guide uses Google's Agent Development Kit (ADK) to build the app, so you can expect a smooth experience when deploying it with GitLab.

Three key advantages to this approach:

- Full infrastructure control - Your data, your rules, your environment. You maintain complete control over where your AI agents run and how they're configured.
- Native GitLab integration - No complex workarounds. Your existing pipelines work right out of the box thanks to GitLab's native integration with Google Cloud.
- Production-grade scaling - GKE automatically handles the heavy lifting of scaling and internal orchestration as your AI workloads grow.

The key point is that GitLab with GKE provides the enterprise reliability your AI deployments demand without sacrificing the developer experience your teams expect.

Prerequisites

Before you start, make sure you have these APIs enabled:

- GKE API
- Artifact Registry API
- Vertex AI API

Also make sure you have:

- GitLab project created
- GKE cluster provisioned
- Artifact Registry repository created

The deployment process

1. Set up IAM and permissions on GitLab

Navigate to your GitLab integrations to configure Google Cloud authentication (IAM).

Go to Settings > Integrations and configure the Google Cloud integration. If you're using a group-level integration, note that default settings are already inherited by projects.
This means you configure once at the group level, and all projects benefit and inherit this setting.

To set this up from scratch, provide:

- Project ID
- Project Number
- Workload Identity Pool ID
- Provider ID

Once configured, GitLab provides a script to run in Google Cloud Console, via Cloud Shell. The outcome of running this script is a Workload Identity Federation pool with the necessary service principal to enable the proper access.

2. Configure Artifact Registry integration

Still in GitLab's integration settings, configure Artifact Management:

- Click Artifact Management.
- Select Google Artifact Registry.
- Provide:
  - Project ID
  - Repository Name (created beforehand)
  - Repository Location

GitLab provides another script to run in Google Cloud Console.

Important: Before proceeding, add these extra roles to the Workload Identity Federation pool:

- Service Account User
- Kubernetes Developer
- Kubernetes Cluster Viewer

These permissions allow GitLab to deploy to GKE in subsequent steps.

3. Create the CI/CD pipeline

Now for the key part — creating the CI/CD pipeline for deployment.

Head to Build > Pipeline Editor and define your pipeline with four stages:

- Build - Docker creates the container image.
- Test - GitLab Auto DevOps provides built-in security scans to ensure there are no vulnerabilities.
- Upload - Uses GitLab's built-in CI/CD component to push to Google Artifact Registry.
- Deploy - Uses Kubernetes configuration to deploy to GKE.

Here's the complete .gitlab-ci.yml:

```yaml
default:
  tags: [ saas-linux-2xlarge-amd64 ]

stages:
  - build
  - test
  - upload
  - deploy

variables:
  GITLAB_IMAGE: $CI_REGISTRY_IMAGE/main:$CI_COMMIT_SHORT_SHA
  AR_IMAGE: $GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_LOCATION-docker.pkg.dev/$GOOGLE_ARTIFACT_REGISTRY_PROJECT_ID/$GOOGLE_ARTIFACT_REGISTRY_REPOSITORY_NAME/main:$CI_COMMIT_SHORT_SHA
  GCP_PROJECT_ID: "your-project-id"
  GKE_CLUSTER: "your-cluster"
  GKE_REGION: "us-central1"
  KSA_NAME: "ai-agent-ksa"

build:
  image: docker:24.0.5
  stage: build
  services:
    - docker:24.0.5-dind
  before_script:
    # Read the registry password from stdin so it does not appear in the process arguments.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - docker build -t $GITLAB_IMAGE .
    - docker push $GITLAB_IMAGE

include:
  # Security scans that run in the test stage.
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  # @main tracks the component's main branch, so its content can change between runs.
  - component: gitlab.com/google-gitlab-components/artifact-registry/upload-artifact-registry@main
    inputs:
      stage: upload
      source: $GITLAB_IMAGE
      target: $AR_IMAGE

deploy:
  stage: deploy
  image: google/cloud-sdk:slim
  # Authenticate through the Google Cloud integration (Workload Identity Federation), not a key file.
  identity: google_cloud
  before_script:
    - apt-get update && apt-get install -y kubectl google-cloud-sdk-gke-gcloud-auth-plugin
    - gcloud container clusters get-credentials $GKE_CLUSTER --region $GKE_REGION --project $GCP_PROJECT_ID
  script:
    - |
      kubectl apply -f -
```
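
For the extra roles listed in step 2, the following added example (not GitLab's generated script and not part of the original tutorial) shows one way to bind them to an attribute-scoped federated principal instead of every identity in the pool, and then list what that principal holds. The project number, pool ID, the `developer_access` attribute and the role IDs are assumptions to replace with your own values; the script only prints the `gcloud` commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: grant the step-2 roles to the federated GitLab principal.
# Every value below is a placeholder or an assumption; replace before use.
PROJECT_ID="your-project-id"
PROJECT_NUMBER="123456789012"   # placeholder project number
POOL_ID="gitlab-pool"           # placeholder Workload Identity Pool ID
# Assumption: the provider maps an attribute that is "true" for Developer-level
# GitLab access. Confirm the attribute mapping on your provider first.
PRINCIPAL_ATTR="attribute.developer_access/true"

# Role IDs assumed for "Service Account User", "Kubernetes Developer" and
# "Kubernetes Cluster Viewer" as named in step 2.
ROLES="roles/iam.serviceAccountUser roles/container.developer roles/container.clusterViewer"

# Print the command when DRY_RUN=1 (default); execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# principalSet member covering only identities that carry PRINCIPAL_ATTR,
# instead of every identity in the pool.
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$PRINCIPAL_ATTR"
}

# Bind each role in ROLES to the scoped principal at project level.
grant_roles() {
  member="$(wif_member)"
  for role in $ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="$member" --role="$role" --condition=None
  done
}

# List every role the federated principal holds, to spot grants beyond ROLES.
audit_roles() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:\"$(wif_member)\"" \
    --format="value(bindings.role)"
}

grant_roles
audit_roles
```

Review the printed commands first, then rerun with `DRY_RUN=0` from Cloud Shell.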