Runner

Execute in your cloud, orchestrate from ours

SaaS platforms want your cloud credentials. On-prem tools require you to manage everything. You shouldn't have to choose between convenience and security.

Planton Runner: A single binary that runs in your cloud. Planton orchestrates. Runner executes. Your credentials never leave your account.

planton runner install

# Register and install Runner
$ planton runner install --channel my-channel
 
✓ Runner binary downloaded (v1.4.2)
✓ Secure identity provisioned
✓ API key provisioned and stored
✓ Connected to control plane (outbound only)
 
Runner is live. No inbound ports opened.

1 Binary
0 Inbound Ports
< 5 ms Tunnel Overhead
3 Deploy Modes

How Runner works

A single binary that bridges your cloud and Planton's control plane — without exposing your credentials or opening inbound ports.

Planton Control Plane (SaaS): API Server, Workflow Engine, Console UI, Orchestration

Encrypted Tunnel · Outbound Only

Runner (Your Cloud): Cloud Ops, IaC Executor, Provider APIs, Your Resources

CloudOps Mode

Real-time cloud operations proxied through Runner. kubectl, cloud APIs, cluster inspection — all with IAM-scoped access.

IaC Execution Mode

Stack jobs execute on Runner using Pulumi or Terraform. Your cloud provider's native IAM authenticates Runner to your resources.

Built for security-conscious teams

From cryptographic identity to deployment options — Runner gives you SaaS convenience with self-hosted security.

CloudOps

Real-time cloud operations through the Planton console. kubectl, cloud provider APIs, cluster inspection.

AWS, GCP, Azure, Kubernetes

IaC Execution

Stack jobs execute on Runner using Pulumi or Terraform. Native IAM authenticates Runner to your resources. No long-lived credentials.

⏳ Resolving IAM via IRSA...
✓ Assumed role: planton-runner
⏳ Previewing changes...
✓ 1 resource to update.
✓ Update complete in 3m 12s.

Security Model

Cryptographic identity for every Runner. SHA-256 hashed API keys. Anti-impersonation validation.

Crypto ID, SHA-256, Least Privilege, Anti-Spoof

Deployment Options

Kubernetes DaemonSet, standalone binary, or Docker. Install in minutes.

K8s, Binary, Docker

Watch IaC execution in real time

Stack jobs stream live from Runner to your console. Preview, apply, and track every change with a full audit trail.

planton stack-job watch

$ planton stack-job watch sjb-runner-7f3a
 
▶ Stack Job: sjb-runner-7f3a
Runner: runner-prod-us-east-1
Operation: update
Resource: prod-rds (AwsRdsInstance)
 
⏳ Resolving IAM credentials via IRSA...
✓ Assumed role: arn:aws:iam::123:role/planton-runner
⏳ Previewing changes...
~ aws:rds:Instance (update)
+ instanceClass: "db.r6g.xlarge"
 
✓ Preview complete. 1 resource to update.
⏳ Applying changes...
✓ Update complete in 3m 12s.
✓ Progress streamed in real time.

Resumable Execution

Jobs pick up where they left off. Automatic retries with reliable execution guarantees.

JIT Secrets

Secrets fetched at execution time, never stored on disk. Resolved via your cloud provider's IAM.

Preflight Checks

Credentials, state backend, and provider connectivity validated before execution begins.

Secure Tunnel

Outbound-only connection from Runner to control plane. ~1–5ms overhead. Automatic reconnection. Built-in monitoring.

Browser / CLI: User request
Planton API: Route to Runner
Gateway: Identity verified
Encrypted Tunnel: Outbound only
Runner: Your cloud
kubectl / Cloud API: Executed locally

Self-hosted execution

Install Runner in minutes

One binary. Outbound-only. Your credentials never leave your cloud. Register in the console and run the install command.


©2026 Planton Cloud Inc. All Rights Reserved.