
Kubernetes BYOC install

Install Veto in a customer-owned Kubernetes cluster.

helm install veto-operator oci://ghcr.io/plawio/charts/veto-operator --namespace veto-operator-system --create-namespace --set vetoCluster.create=true --set vetoCluster.storage.driver=sqlite

This installs the Veto operator, CRDs, the self-hosted PDP, and the read-only dashboard into your customer plane. For the foundation profile, SELF_HOSTED=true and STORAGE_DRIVER=sqlite do not require Convex or Postgres.

Trust boundary

Veto BYOC crosses the trust boundary only over customer-initiated outbound HTTPS. Plaw does not receive customer policy content, decision rows, tool-call arguments, agent IDs, end-user IDs, Slack content, compiled NL prompts, env vars, or secrets.

Allowed cross-boundary payloads are limited to:

  1. License heartbeat counters: instance_uuid, license_id, decision_count_30d, sdk_version, operator_version, timestamp.
  2. Optional anonymous telemetry when VetoCluster.spec.telemetry.enabled=true.
  3. Image and chart pulls from GHCR initiated by your cluster.

There is no Plaw cross-account IAM, no assume-role into customer AWS accounts, and no GCP or Azure impersonation from plaw.io.
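
To check the heartbeat allowlist at your own egress proxy, the following added example (not part of Veto or its documentation) audits a captured heartbeat body against the six field names listed above. It assumes the heartbeat is a flat JSON object and that decision_count_30d is an integer; the page does not state the wire format, and the function name and sample bodies are constructed for illustration.

```python
import json

# Field names are taken from the trust-boundary list on this page.
ALLOWED_HEARTBEAT_FIELDS = frozenset({
    "instance_uuid", "license_id", "decision_count_30d",
    "sdk_version", "operator_version", "timestamp",
})

def audit_heartbeat(raw_body: str) -> list[str]:
    """Return findings for one captured heartbeat body; an empty list means clean."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["body is not a JSON object"]
    findings = []
    for key in sorted(set(payload) - ALLOWED_HEARTBEAT_FIELDS):
        findings.append(f"unexpected field: {key}")
    for key in sorted(ALLOWED_HEARTBEAT_FIELDS - set(payload)):
        findings.append(f"missing field: {key}")
    for key in sorted(set(payload) & ALLOWED_HEARTBEAT_FIELDS):
        # A nested value could carry arbitrary content under an allowed name.
        if isinstance(payload[key], (dict, list)):
            findings.append(f"non-scalar value in field: {key}")
    count = payload.get("decision_count_30d")
    # Assumption: the counter is a non-negative integer (bool is excluded).
    if count is not None and (
        isinstance(count, bool) or not isinstance(count, int) or count < 0
    ):
        findings.append("decision_count_30d is not a non-negative integer")
    return findings

# Constructed sample bodies, not real Veto traffic.
CLEAN_SAMPLE = json.dumps({
    "instance_uuid": "00000000-0000-4000-8000-000000000000",
    "license_id": "lic-constructed-001",
    "decision_count_30d": 1200,
    "sdk_version": "0.0.0-example",
    "operator_version": "0.0.0-example",
    "timestamp": "2024-01-01T00:00:00Z",
})
LEAKY_SAMPLE = json.dumps({**json.loads(CLEAN_SAMPLE),
                           "agent_id": "agent-7",
                           "sdk_version": ["0.0.0-example"]})

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_SAMPLE), ("leaky", LEAKY_SAMPLE)):
        print(name, audit_heartbeat(body))
```

Any finding on real traffic is a reason to compare the captured request with the allowlist above before allowing the destination at the proxy.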