Powered by Portainer Business

The enterprise landing pad for apps your business teams build with AI

Portainer-Run lets non-developers deploy their AI-generated apps onto the Kubernetes your organization already runs, attached to your internal systems, governed by Portainer Business. The builder ships. IT keeps control.

Request a briefing
Portainer-Run dashboard showing governed environments and workload health
One governed surface across every environment
Built on Portainer Business · Trusted by 500,000+ users across Fortune 2000 enterprises, government agencies, and regulated industries

The problem

Your people are already building. The apps have nowhere to land.

The number of people in your organization who can produce working software has gone vertical. Finance leads, ops managers, analysts, and designers are building real applications with AI. The moment one of those apps needs something inside your network (an internal database, an on-prem API, a system behind the firewall) it hits a wall.

Cloud SaaS hosting cannot reach inside the corporate network. The choices today are to open internal infrastructure to an outside provider, or to drop the app into a ticket queue where it waits and gets abandoned. The volume is only increasing.

How it lands

Your app, live in minutes. No tickets, no drama.

01

Upload your files

Drag in the folder or zip your AI tool gave you. A single HTML page, or a Node or React project, as is.

02

Click deploy

Choose where it runs from the options IT set up for you. No git, no commands, no waiting on another team.

03

Done, it's live

Your app is running on the company's infrastructure. Share the link and move on.

Two ways in. The steps above are the Run interface. Prefer to stay in your AI tool? Portainer-Run also exposes an MCP server, so you can deploy straight from Claude Code or any MCP-capable assistant, no UI at all. Either way runs the same governed pipeline underneath.

Market landscape

The only platform in the open gap

The field splits two ways: platforms that lock your apps into vendor infrastructure, and tools built for developers. Portainer-Run is the only option built for the non-technical business builder that runs on your own infrastructure, governed by controls your platform team already operates.

Positioning quadrant for Portainer-Run against the named competitive field A two-by-two positioning map. Vertical axis: built for developers at bottom, built for the non-technical business builder at top. Horizontal axis: vendor-controlled and locked in on the left, your own infrastructure and portable on the right. Portainer-Run sits alone in the top-right open gap. The open gap Vendor-controlled, locked in Your own infrastructure, portable For business builders For developers AWS App Studio Salesforce Agentforce Vibes ServiceNow Build Agent Microsoft Rayfin Lovable Bolt Replit Retool Northflank Dokploy Coolify CapRover Qovery Backstage Port Humanitec Portainer-Run

Under the covers

Run on top of Portainer Business, on your Kubernetes anywhere.

When a builder clicks deploy, this is what happens underneath. Portainer-Run generates the Kubernetes deployment manifest, commits it and the source files to your sanctioned Git repo, then triggers a GitOps deployment in Portainer Business. Your scanning runs on the repo. Portainer Business, the operator control plane, reconciles that deployment from Git into the cluster and namespace you designate, with access bound by your Portainer RBAC. Your Kubernetes runs wherever it lives. Updates take the same path: a change to a running app is committed back to Git and reconciled from there, so the live state always matches the repo and any deployment is fully repeatable.

Self-service layer

Portainer-Run

Builders deploy their AI-built apps with zero need to know anything about Docker, Kubernetes, or even that their app runs in a container. Portainer-Run handles all the complexity under the covers.

Operator control plane

Portainer Business

Reconciles the GitOps deployment Run triggers and applies it to your cluster. Access is governed by RBAC.

Runs anywhere

Your Kubernetes

Cloud, on-prem, edge, air-gapped. Deployments scoped to the clusters and namespaces you designate.

Control, set once

The builder gets self-service. You get governance.

Regulated · distributed · air-gapped environments

Portainer Business, the operator control plane already trusted across Fortune 2000 enterprises, government agencies, and regulated industries, runs underneath. Portainer-Run commits each artifact to your sanctioned Git repo, which becomes the system of record, and your existing scanning and policy controls apply there before anything runs. The builder connects through Portainer with a personal access token, never a kubeconfig or direct cluster access, and everything they can do is bound by your Portainer RBAC role.

Portainer Business reconciles each deployment from Git, so you can roll back to a previous version in one click and every change is captured. Deployments are scoped by environment and namespace, so who can deploy where stays under your control. The cluster API stays off the network perimeter, and your platform team sets the rules once rather than clearing tickets one at a time.

Ready to see it run on your infrastructure?

We will walk you through a live deployment on a governed Kubernetes environment and show you exactly what it takes to stand it up in yours.

Request a briefing

Security and control

Built with the CISO in mind

Introducing vibe-coded apps into the enterprise raises fair questions. Run is designed to answer them up front, so your security team signs off rather than blocks the work.

Direct answer

Do business users get access to our clusters?

No. They connect through Portainer with a personal access token, bound entirely by your Portainer RBAC role. They never receive a kubeconfig or direct cluster access.

Direct answer

Does our data leave our environment?

No. Apps run on your own clusters and your own infrastructure, including on-prem and air-gapped. Portainer-Run is the control plane that places them there, not a hosting service.

Direct answer

Does this work in regulated or air-gapped environments?

Yes. Portainer Business runs in regulated, distributed, and air-gapped environments. The cluster API stays off the network perimeter throughout.

Direct answer

Is there an audit trail, and can we roll back?

Yes. Every deployment is committed to your Git repo, giving you a full version history. You can roll back to any previous version in one click from Portainer Business.

Access and authorization

Do business users get access to our clusters?

No. They connect through Portainer with a personal access token, and everything they can do is bound by your Portainer RBAC role. They never get a kubeconfig or direct cluster access. Portainer is the gateway, and it deploys on their behalf.

Who can deploy where?

Deployments are scoped by environment and namespace, and access is governed by Portainer Business RBAC, so a builder can only deploy into the space you have granted.

Can a security or platform lead see every app that has been deployed?

Yes. An administrator sees every app deployed through Run in one place, regardless of who deployed it, and each app's manifest and source also live in your Git repo. The only way in is the governed pipeline, so the inventory is complete by construction and there is no shadow deployment to find after the fact.

Who owns each app, and is there a record of who deployed it?

Every deployment is made under the Portainer identity that triggered it, so you know who deployed what, and the app and its history live in your Git repo. Nothing reaches the cluster anonymously.

Code integrity and supply chain

How do we stop unsafe code from being deployed in the first place?

Every artifact commits to your sanctioned repo, where your scanning and secret detection run, and the cluster's admission controllers reject anything that does not meet policy before it starts. The gate is yours.

We have a lot of builders. Do we vet each app's controls one by one?

No. IT configures a shared Git target once, with your code scanning and policy enforcement on it, and every app deployed against that target inherits those controls automatically. You set the gate a single time and it applies to every builder who uses the target, with no per-app trust decision.

How are the git credentials handled?

The token for the source repo is stored as a Kubernetes Secret and injected into the clone step by reference, so it never appears in the deployment spec or on any command line.

How does the app get from Git onto the cluster?

Portainer Business reconciles the manifest from your repo as a GitOps stack and polls for changes on a set interval. Before the container starts, three init containers run in sequence: the first clones the committed source from Git into a persistent volume, the second installs dependencies with the package manager for the detected runtime (npm, pip, and so on) inside the runtime image, and the third writes a .env file from the values entered at deploy. There is no image build and no registry in the path.

Runtime control

Where do these apps actually run?

Only in the clusters and namespaces IT designates. You define the deployment space, and nothing lands outside it.

Once an app is running, what can it reach?

Only what you allow. Apps deploy into dedicated namespaces which you can pre-configure with network policies, and even zero-trust networking.

How do we cap what an app can consume?

Apps deploy into namespaces you control, where you set resource limits and quotas, so a runaway app is bounded by the same Kubernetes controls you already use.

How do we monitor a running app and shut it down if needed?

You see each app's status and logs in Portainer and can stop or roll one back at once. Because these are ordinary Kubernetes workloads, your existing runtime monitoring applies to them too.

Can someone change a running app without going through Git?

Updates take the same path as the first deploy. The change is committed to Git and Portainer Business reconciles it from there, so the running state always tracks the repo. That removes out-of-band drift and means every deployment, first or hundredth, is fully repeatable.

Operations and lifecycle

What happens when the builder who made an app leaves?

The app does not depend on them. It is standard source in Git running as a standard Kubernetes deployment, owned by the platform rather than the person. Deploy access is governed by Portainer RBAC, so a leaver or role change is handled by your normal identity process, and the running apps are unaffected and can be reassigned.

How do we retire apps and stop sprawl?

Every app is visible in one place and defined in Git, so retiring one is deliberate: remove it and its manifest leaves the repo and the workload leaves the cluster. You always hold the full inventory, so nothing becomes an untracked zombie.

These are AI-generated apps. How do we support and maintain them?

Each one is standard source and a standard Kubernetes deployment, versioned in your Git repo and running on a platform your team already operates. There is no proprietary runtime to learn. You review, update, roll back, and hand off a Run app the same way you would any other Git-backed workload.

Data and compliance

Does our data leave our environment?

No. Apps run on your own clusters, on your own infrastructure, including on-prem and air-gapped. The app and its data stay inside your environment. Run is the control plane that places them there, not a hosting service that takes your data elsewhere.

Does this work in regulated or air-gapped environments?

Yes. Portainer Business runs in regulated, distributed, and air-gapped environments, and the cluster API stays off the network perimeter.

Is there an audit trail, and can we roll back?

Yes. Every deployment is committed to your Git repo, so you have a full version history, and you can roll back to a previous version in one click.

Request a briefing

See it run on infrastructure you already operate.

We will show you Portainer-Run deploying a real AI-generated app onto a governed Kubernetes environment, and what it takes to stand it up in yours.

Live demo on a real Kubernetes environment
No obligation · a specialist will reach out to schedule
Built on Portainer Business, trusted by 500,000+ users