GCP GKE BYOC install
Install Veto BYOC on Google Kubernetes Engine.
helm install veto-operator oci://ghcr.io/plawio/charts/veto-operator \
  --namespace veto-operator-system --create-namespace \
  --set vetoCluster.create=true \
  --set vetoCluster.storage.driver=sqlite \
  --set networkPolicy.kubeApiCIDR=<your-gke-control-plane-cidr>

Run the operator in your GKE project with your own Workload Identity, firewall, and Artifact Registry/GHCR pull policy. Plaw does not impersonate GCP service accounts, does not require roles/iam.serviceAccountTokenCreator, and does not access your project.
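One way to fill in the networkPolicy.kubeApiCIDR placeholder from the install command above, as an added example that is not part of the Veto docs or chart: it reads the API server address the cluster advertises, validates it, and only then runs the same helm install. It assumes the value is meant to cover the API server address that pods reach; the script name install-veto.sh and the functions ip_to_cidr and kube_api_cidr are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the Veto docs or chart.
# Assumption: networkPolicy.kubeApiCIDR should cover the API server address
# that pods reach, as advertised in the default/kubernetes Endpoints object.

# Validate one IPv4 address and print it as a /32 CIDR.
ip_to_cidr() {
  local ip="$1" octet
  # Reject anything but digits and dots, and empty leading/trailing/middle parts.
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  local IFS=.
  set -- $ip
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# Accept the whitespace-separated IP list from kubectl; require exactly one
# address so an unexpected result never widens the egress rule silently.
kube_api_cidr() {
  set -- $1
  if [ "$#" -ne 1 ]; then
    echo "expected exactly one API server address, got $#" >&2
    return 1
  fi
  ip_to_cidr "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
}

# Only touch the cluster when asked to: ./install-veto.sh --install
if [ "${1:-}" = "--install" ]; then
  ips=$(kubectl get endpoints kubernetes -n default \
    -o jsonpath='{.subsets[*].addresses[*].ip}') || exit 1
  cidr=$(kube_api_cidr "$ips") || exit 1
  echo "using networkPolicy.kubeApiCIDR=$cidr"
  helm install veto-operator oci://ghcr.io/plawio/charts/veto-operator \
    --namespace veto-operator-system --create-namespace \
    --set vetoCluster.create=true \
    --set vetoCluster.storage.driver=sqlite \
    --set networkPolicy.kubeApiCIDR="$cidr"
fi
```

If your cluster is configured with a control-plane address range rather than a single address, pass that range to --set directly instead of the derived /32.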
Cloud Veto continues to use Convex in the Plaw plane. BYOC/self-hosted installs use the configured customer-plane storage driver and do not require Convex.
The only BYOC payload that crosses the boundary by default is the license heartbeat, which carries six counter and version fields. Customer policy content, decisions, tool arguments, Slack content, prompts, env vars, and secrets stay in your plane.