Deployment

New
  • Published on Feb 17, 2026
  • 3 minute(s) read
Prev Next

This page provides a high-level overview of deploying PlainID Edge in a Kubernetes environment. It describes the core architecture, main components, and deployment flow. Detailed configuration and operational instructions are provided in the dedicated component articles referenced throughout this page.

Architecture

PlainID Edge extends PlainID Authorization and governance capabilities into your Kubernetes environment. It enables:

  • Runtime authorization enforcement for MCP-based tools and services
  • Discovery of vector databases, MCP services, tools, and metadata
  • RAG enrichment and classification of vectorized data
  • Policy-driven filtering and governance of AI-driven workflows

The deployment is centered around the Core Helm Chart, which installs and orchestrates the primary Edge services as a single, cohesive stack.

Deployment Flow

Below is the PlainID Deployment Flow.

  1. Provision Kubernetes cluster.

  2. Obtain access to PlainID Helm OCI registry and container images.

  3. Prepare a Helm values file:

    • Configure PlainID endpoints and credentials
    • Define Pinecone or MCP sources
    • Configure enrichment and classification settings
    • Provide required secrets

  4. Install the core Helm chart.

  5. Validate:

    • Health endpoints
    • MCP connectivity
    • Discovery execution
    • Enrichment results

Read more below to understand how the core components work in the deployment flow.

Core Components

The core Helm chart deploys the following services. Each component can be enabled or disabled independently via Helm values.

MCP Gateway

The MCP Gateway acts as the Runtime orchestration and enforcement layer. This gateway:

  • Routes requests to one or more backend MCP servers
  • Forwards only explicitly allowed headers
  • Integrates with PlainID Runtime for fine-grained authorization
  • Enforces policy decisions at request time
  • Supports OAuth and secure backend connectivity

The MCP Gateway is the primary enforcement point for tool and resource access.

For configuration details, see: MCP Gateway.

Enrichment Agent

The Enrichment Agent enriches vector store entries with classification metadata. This agent:

  • Invokes an external classification service
  • Writes classification results back to the vector store (like Pinecone)
  • Supports scheduled or on-demand enrichment

Enriched metadata enables fine-grained authorization and governance of vectorized data.

For configuration details, see Enrichment Agent.

Vector DB Classifier Engine

The Vector DB Classifier Engine performs vector ingestion and classification. This engine:

  • Uses machine learning models for classification
  • Generates embeddings (requires OPENAI_API_KEY)
  • Produces candidate metadata filters for governance
  • Supports autoscaling and production-grade deployment patterns

This component typically serves as the classification backend used by the Enrichment Agent.

For configuration details, see Vector DB Engine.

Discovery Agent

The Discovery Agent identifies and reports discoverable assets to the PlainID Cloud platform.

It supports:

  • Pinecone discovery (indexes, namespaces, metadata keys, type inference)
  • PlainID MCP Gateway discovery (services, tools, connectors)
  • Regex-based filtering of namespaces and metadata
  • Scheduled discovery using Cron expressions
  • Secure communication with the PlainID API and orchestrator

Discovery ensures that Authorization Policies can be applied to real, up-to-date assets.

For configuration details, see Discovery Agent.

Deployment Model

Kubernetes-Based Installation

PlainID Edge is deployed using Helm into an existing Kubernetes cluster. The core chart acts as an umbrella chart that:

  • Deploys all required services
  • Manages inter-service connectivity
  • Centralizes Environment Variables and secret configuration
  • Supports global values shared across sub-charts

You may disable any individual component if your architecture requires only a subset of capabilities.

For step-by-step installation instructions, see Core Helm Chart.

Integration with PlainID Cloud

Several Edge components require connectivity to PlainID Cloud services:

  • PlainID Runtime API (authorization decisions)
  • PlainID API (JWT acquisition)
  • PlainID Discovery Orchestrator

Client credentials (clientId / clientSecret) must be provisioned in advance and stored securely using Kubernetes Secrets or Helm secret values.

External Dependencies

Depending on your use case, the deployment may require:

  • Pinecone (or other supported vector databases)
  • OpenAI API key (for embedding generation in the classifier engine)
  • External classification services
  • OAuth providers (optional)

All sensitive values must be managed as Kubernetes Secrets and must not be committed to source control.

Operational Considerations

Scheduling

Both Discovery and Enrichment support Cron-based scheduling using a six-field format, including seconds. Scheduled execution enables periodic metadata discovery and recurring enrichment of vector stores.

Security

The MCP Gateway forwards only explicitly defined headers. Secrets such as API keys and client credentials must be injected securely using Kubernetes mechanisms. JWT validation can be enabled where applicable, and network policies and ingress configuration should align with your organization’s security posture.

Scalability

All components support horizontal scaling through replica configuration or HPA, resource requests and limits, production-grade ingress configuration, and readiness and liveness probes. Scaling strategies should align with workload characteristics such as classification volume, MCP traffic, and discovery scope.

Related articles