docs/install/kubernetes.md
A minimal starting point for running OpenClaw on Kubernetes, not a production-ready deployment. It covers the core resources and is meant to be adapted to your environment.
OpenClaw is a single container with some config files. The interesting customization is in agent content (Markdown files, skills, config overrides), not infrastructure templating. Kustomize handles overlays without the overhead of a Helm chart. Layer a Helm chart on top of these manifests if your deployment grows more complex.
kubectl connected to your cluster# Replace with your provider: ANTHROPIC, GEMINI, OPENAI, or OPENROUTER
export <PROVIDER>_API_KEY="..."
./scripts/k8s/deploy.sh
kubectl port-forward svc/openclaw 18789:18789 -n openclaw
open http://localhost:18789
deploy.sh creates token auth by default. Retrieve the generated gateway token for the Control UI:
kubectl get secret openclaw-secrets -n openclaw -o jsonpath='{.data.OPENCLAW_GATEWAY_TOKEN}' | base64 -d
For local debugging, ./scripts/k8s/deploy.sh --show-token prints the token after deploy.
If you do not have a cluster, create one locally with Kind:
./scripts/k8s/create-kind.sh # auto-detects docker or podman
./scripts/k8s/create-kind.sh --delete # tear down
Then deploy as usual with ./scripts/k8s/deploy.sh.
Option A: API key in environment (one step)
# Replace with your provider: ANTHROPIC, GEMINI, OPENAI, or OPENROUTER
export <PROVIDER>_API_KEY="..."
./scripts/k8s/deploy.sh
The script creates a Kubernetes Secret with the API key and an auto-generated gateway token, then deploys. If the Secret already exists, it preserves the current gateway token and any provider keys not being changed.
Option B: create the secret separately
export <PROVIDER>_API_KEY="..."
./scripts/k8s/deploy.sh --create-secret
./scripts/k8s/deploy.sh
Add --show-token to either command to print the token to stdout for local testing.
kubectl port-forward svc/openclaw 18789:18789 -n openclaw
open http://localhost:18789
Namespace: openclaw (configurable via OPENCLAW_NAMESPACE)
├── Deployment/openclaw # Single pod, init container + gateway
├── Service/openclaw # ClusterIP on port 18789
├── PersistentVolumeClaim # 10Gi for agent state and config
├── ConfigMap/openclaw-config # openclaw.json + AGENTS.md
└── Secret/openclaw-secrets # Gateway token + API keys
Edit the AGENTS.md in scripts/k8s/manifests/configmap.yaml and redeploy:
./scripts/k8s/deploy.sh
Edit openclaw.json in scripts/k8s/manifests/configmap.yaml. See Gateway configuration for the full reference.
Re-run with additional keys exported:
export ANTHROPIC_API_KEY="..."
export OPENAI_API_KEY="..."
./scripts/k8s/deploy.sh --create-secret
./scripts/k8s/deploy.sh
Existing provider keys stay in the Secret unless you overwrite them.
Or patch the Secret directly:
kubectl patch secret openclaw-secrets -n openclaw \
-p '{"stringData":{"<PROVIDER>_API_KEY":"..."}}'
kubectl rollout restart deployment/openclaw -n openclaw
OPENCLAW_NAMESPACE=my-namespace ./scripts/k8s/deploy.sh
Edit the image field in scripts/k8s/manifests/deployment.yaml:
image: ghcr.io/openclaw/openclaw:slim # primary; official Docker Hub mirror: openclaw/openclaw
The default manifests bind the gateway to loopback inside the pod. That works with kubectl port-forward, but not with a Kubernetes Service or Ingress path that needs to reach the pod IP directly.
To expose the gateway through an Ingress or load balancer:
scripts/k8s/manifests/configmap.yaml from loopback to a non-loopback bind that matches your deployment model../scripts/k8s/deploy.sh
This applies all manifests and restarts the pod to pick up any config or secret changes.
./scripts/k8s/deploy.sh --delete
This deletes the namespace and all resources in it, including the PVC.
kubectl port-forward.readOnlyRootFilesystem, drop: ALL capabilities, non-root user (UID 1000).kubectl port-forward to http://127.0.0.1:18789.scripts/k8s/
├── deploy.sh # Creates namespace + secret, deploys via kustomize
├── create-kind.sh # Local Kind cluster (auto-detects docker/podman)
└── manifests/
├── kustomization.yaml # Kustomize base
├── configmap.yaml # openclaw.json + AGENTS.md
├── deployment.yaml # Pod spec with security hardening
├── pvc.yaml # 10Gi persistent storage
└── service.yaml # ClusterIP on 18789