Kind<\/a>:<\/p>\n“`bash theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}
\n.\/scripts\/k8s\/create-kind.sh # auto-detects docker or podman
\n.\/scripts\/k8s\/create-kind.sh –delete # tear down<\/p>\n
\nThen deploy as usual with `.\/scripts\/k8s\/deploy.sh`.\n\n## Step by step\n\n### 1) Deploy\n\n**Option A** — API key in environment (one step):\n\n```bash theme={\"theme\":{\"light\":\"min-light\",\"dark\":\"min-dark\"}}\n# Replace with your provider: ANTHROPIC, GEMINI, OPENAI, or OPENROUTER\nexport <PROVIDER>_API_KEY=\"...\"\n.\/scripts\/k8s\/deploy.sh\n<\/code><\/pre>\nThe script creates a Kubernetes Secret with the API key and an auto-generated gateway token, then deploys. If the Secret already exists, it preserves the current gateway token and any provider keys not being changed.<\/p>\n
Option B<\/strong> — create the secret separately:<\/p>\n“`bash theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}
\nexport _API_KEY=”…”
\n.\/scripts\/k8s\/deploy.sh –create-secret
\n.\/scripts\/k8s\/deploy.sh<\/p>\n
\nUse `--show-token` with either command if you want the token printed to stdout for local testing.\n\n### 2) Access the gateway\n\n```bash theme={\"theme\":{\"light\":\"min-light\",\"dark\":\"min-dark\"}}\nkubectl port-forward svc\/openclaw 18789:18789 -n openclaw\nopen http:\/\/localhost:18789\n<\/code><\/pre>\nWhat gets deployed<\/h2>\nNamespace: openclaw (configurable via OPENCLAW_NAMESPACE)\n├── Deployment\/openclaw # Single pod, init container + gateway\n├── Service\/openclaw # ClusterIP on port 18789\n├── PersistentVolumeClaim # 10Gi for agent state and config\n├── ConfigMap\/openclaw-config # openclaw.json + AGENTS.md\n└── Secret\/openclaw-secrets # Gateway token + API keys\n<\/code><\/pre>\nCustomization<\/h2>\nAgent instructions<\/h3>\n
Edit the AGENTS.md<\/code> in scripts\/k8s\/manifests\/configmap.yaml<\/code> and redeploy:<\/p>\n“`bash theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}
\n.\/scripts\/k8s\/deploy.sh<\/p>\n
\n### Gateway config\n\nEdit `openclaw.json` in `scripts\/k8s\/manifests\/configmap.yaml`. See [Gateway configuration](\/gateway\/configuration) for the full reference.\n\n### Add providers\n\nRe-run with additional keys exported:\n\n```bash theme={\"theme\":{\"light\":\"min-light\",\"dark\":\"min-dark\"}}\nexport ANTHROPIC_API_KEY=\"...\"\nexport OPENAI_API_KEY=\"...\"\n.\/scripts\/k8s\/deploy.sh --create-secret\n.\/scripts\/k8s\/deploy.sh\n<\/code><\/pre>\nExisting provider keys stay in the Secret unless you overwrite them.<\/p>\n
Or patch the Secret directly:<\/p>\n
“`bash theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}
\nkubectl patch secret openclaw-secrets -n openclaw
\n -p ‘{“stringData”:{“_API_KEY”:”…”}}’
\nkubectl rollout restart deployment\/openclaw -n openclaw<\/p>\n
\n### Custom namespace\n\n```bash theme={\"theme\":{\"light\":\"min-light\",\"dark\":\"min-dark\"}}\nOPENCLAW_NAMESPACE=my-namespace .\/scripts\/k8s\/deploy.sh\n<\/code><\/pre>\nCustom image<\/h3>\n
Edit the image<\/code> field in scripts\/k8s\/manifests\/deployment.yaml<\/code>:<\/p>\n“`yaml theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}
\nimage: ghcr.io\/openclaw\/openclaw:latest # or pin to a specific version from https:\/\/github.com\/openclaw\/openclaw\/releases<\/p>\n
\n### Expose beyond port-forward\n\nThe default manifests bind the gateway to loopback inside the pod. That works with `kubectl port-forward`, but it does not work with a Kubernetes `Service` or Ingress path that needs to reach the pod IP.\n\nIf you want to expose the gateway through an Ingress or load balancer:\n\n* Change the gateway bind in `scripts\/k8s\/manifests\/configmap.yaml` from `loopback` to a non-loopback bind that matches your deployment model\n* Keep gateway auth enabled and use a proper TLS-terminated entrypoint\n* Configure the Control UI for remote access using the supported web security model (for example HTTPS\/Tailscale Serve and explicit allowed origins when needed)\n\n## Re-deploy\n\n```bash theme={\"theme\":{\"light\":\"min-light\",\"dark\":\"min-dark\"}}\n.\/scripts\/k8s\/deploy.sh\n<\/code><\/pre>\nThis applies all manifests and restarts the pod to pick up any config or secret changes.<\/p>\n
Teardown<\/h2>\n
“`bash theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}
\n.\/scripts\/k8s\/deploy.sh –delete<\/p>\n
\nThis deletes the namespace and all resources in it, including the PVC.\n\n## Architecture notes\n\n* The gateway binds to loopback inside the pod by default, so the included setup is for `kubectl port-forward`\n* No cluster-scoped resources — everything lives in a single namespace\n* Security: `readOnlyRootFilesystem`, `drop: ALL` capabilities, non-root user (UID 1000)\n* The default config keeps the Control UI on the safer local-access path: loopback bind plus `kubectl port-forward` to `http:\/\/127.0.0.1:18789`\n* If you move beyond localhost access, use the supported remote model: HTTPS\/Tailscale plus the appropriate gateway bind and Control UI origin settings\n* Secrets are generated in a temp directory and applied directly to the cluster — no secret material is written to the repo checkout\n\n## File structure\n\n<\/code><\/pre>\nscripts\/k8s\/
\n├── deploy.sh # Creates namespace + secret, deploys via kustomize
\n├── create-kind.sh # Local Kind cluster (auto-detects docker\/podman)
\n└── manifests\/
\n ├── kustomization.yaml # Kustomize base
\n ├── configmap.yaml # openclaw.json + AGENTS.md
\n ├── deployment.yaml # Pod spec with security hardening
\n ├── pvc.yaml # 10Gi persistent storage
\n └── service.yaml # ClusterIP on 18789
\n“`<\/p>\n","protected":false},"excerpt":{"rendered":"
Kubernetes OpenClaw on Kubernetes A minimal starting po […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-617","post","type-post","status-publish","format-standard","hentry","category-docs"],"_links":{"self":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts\/617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/comments?post=617"}],"version-history":[{"count":3,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts\/617\/revisions"}],"predecessor-version":[{"id":771,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts\/617\/revisions\/771"}],"wp:attachment":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/media?parent=617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/categories?post=617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/tags?post=617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}