
OpenClaw Kubernetes Deployment: Production Scaling Guide

Deploy OpenClaw on Kubernetes with production-grade configuration — Deployments, ConfigMaps, Secrets, Ingress, and horizontal scaling for high-availability agent setups.

T. Chen
DevOps Engineer
2025-02-10 18 min 6.9k views
Updated Mar 2025
Key Takeaways

  • OpenClaw supports Kubernetes 1.26+ with standard resources — no CRDs required.
  • Works on EKS, GKE, AKS, and self-managed clusters identically.
  • Recommended pod resources: 250m CPU / 512Mi RAM request; 1 CPU / 1Gi RAM limit.
  • Use HPA for horizontal scaling; use Supabase or Redis as shared state backend for multi-replica.
  • Use cert-manager + nginx-ingress for automatic TLS on webhook endpoints.

Kubernetes makes sense for OpenClaw when you need high availability, auto-scaling, or multi-environment deployments. A single-node Replit or self-hosted setup covers most use cases — but when you need zero-downtime updates, multi-replica redundancy, or GitOps deployment workflows, Kubernetes is the right move.

When Kubernetes Makes Sense

Don't over-engineer early. Kubernetes adds real complexity. It's the right choice when:

  • You need zero-downtime rolling updates for your agent
  • You're running OpenClaw alongside other services in a shared cluster
  • You need HPA-based auto-scaling for burst workloads
  • Your team already manages a Kubernetes cluster and wants GitOps deployment

For a single-agent personal deployment, self-hosted on a VPS is simpler and cheaper. Use Kubernetes when the operational overhead is already being paid for something else in the cluster.

💡 Use the Helm chart for faster setup
The OpenClaw Helm chart handles all of the manifest creation covered in this guide with a single 'helm install' command. Use raw manifests only if you need fine-grained control over every resource. See the Helm chart guide for the one-command path.

Core Manifests

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw
  namespace: openclaw
spec:
  replicas: 2
  selector:
    matchLabels:
      app: openclaw
  template:
    metadata:
      labels:
        app: openclaw
    spec:
      containers:
      - name: openclaw
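        # :latest makes the pull policy default to Always; pin a specific
        # version tag in production (see Common Mistakes below).
        image: openclaw/openclaw:latest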
        ports:
        - containerPort: 8080
        resources:
          requests:
            cpu: 250m
            memory: 512Mi
          limits:
            cpu: "1"
            memory: 1Gi
        envFrom:
        - secretRef:
            name: openclaw-secrets
        - configMapRef:
            name: openclaw-config
        volumeMounts:
        - name: config
          mountPath: /config
      volumes:
      - name: config
        configMap:
          name: openclaw-yaml

Secrets & Config

# Create secret for API keys
kubectl create secret generic openclaw-secrets \
  --from-literal=ANTHROPIC_API_KEY=sk-ant-... \
  --from-literal=TELEGRAM_BOT_TOKEN=... \
  -n openclaw

# ConfigMap for non-sensitive config
kubectl create configmap openclaw-config \
  --from-literal=LOG_LEVEL=info \
  --from-literal=PORT=8080 \
  -n openclaw

Kubernetes Secrets are base64 encoded, not encrypted
Base64 is not encryption. Anyone with kubectl access and the right RBAC permissions can decode secrets. For production, use External Secrets Operator with AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault to store and rotate secrets securely.
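
The warning above, as an added example (not from the original guide or the OpenClaw project): it decodes a Secret's data without any key and lists which Roles in a namespace allow reading it. The Secret value and the three Role objects are constructed; they use the JSON shape that `kubectl get ... -o json` returns.

```python
import base64

# Constructed input: names and values are made up for this example.
SECRET = {"metadata": {"name": "openclaw-secrets", "namespace": "openclaw"},
          "data": {"TELEGRAM_BOT_TOKEN": base64.b64encode(b"example-token").decode()}}
ROLES = [
    {"kind": "Role", "metadata": {"name": "openclaw-deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "openclaw-debug"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "openclaw-secret-writer"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["create", "update"]}]},
]
READ_VERBS = {"get", "list", "watch", "*"}

def decode_secret(secret):
    """Recover plaintext from .data; base64 needs no key."""
    return {k: base64.b64decode(v).decode()
            for k, v in secret.get("data", {}).items()}

def can_read_secret(rule, secret_name):
    """True if one RBAC rule allows reading the named Secret."""
    in_core = any(g in ("", "*") for g in rule.get("apiGroups", []))
    on_secrets = any(r in ("secrets", "*") for r in rule.get("resources", []))
    reads = READ_VERBS & set(rule.get("verbs", []))
    names = rule.get("resourceNames", [])
    # A rule with resourceNames only covers the Secrets it names.
    if names and secret_name not in names:
        return False
    return in_core and on_secrets and bool(reads)

def secret_readers(roles, secret_name):
    """Names of Roles whose rules allow reading secret_name."""
    return sorted(r["metadata"]["name"] for r in roles
                  if any(can_read_secret(rule, secret_name)
                         for rule in r.get("rules", [])))

if __name__ == "__main__":
    print(decode_secret(SECRET))
    print(secret_readers(ROLES, "openclaw-secrets"))
```

A Role only takes effect through a RoleBinding, so the subjects bound to each reported Role are the ones who can actually read the Secret.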

Ingress & TLS

# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: openclaw
  namespace: openclaw
spec:
  selector:
    app: openclaw
  ports:
  - port: 80
    targetPort: 8080

---
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openclaw
  namespace: openclaw
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
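    # ingress-nginx rate limit: requests per second per client IP
    # (use limit-rpm instead for a per-minute limit)
    nginx.ingress.kubernetes.io/limit-rps: "100"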
spec:
  tls:
  - hosts:
    - openclaw.your-domain.com
    secretName: openclaw-tls
  rules:
  - host: openclaw.your-domain.com
    http:
      paths:
      - path: /webhook/
        pathType: Prefix
        backend:
          service:
            name: openclaw
            port:
              number: 80

Scaling & HPA

# hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: openclaw
  namespace: openclaw
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: openclaw
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70

With multiple replicas, ensure your skills use external state storage (Supabase, Redis) rather than in-memory state. In-memory state is per-pod and doesn't survive pod restarts or scale-down events.

Common Mistakes

Not setting resource requests is the number one Kubernetes mistake. Without requests, the scheduler places pods without knowing their real needs — causing node oversubscription and OOM kills under load.

  • Using imagePullPolicy: Always in production — this re-pulls the image on every pod start, adding latency and failing if the registry is unavailable. Use a specific image tag and IfNotPresent.
  • No readiness probe — without a readiness probe, Kubernetes routes traffic to pods before they're ready. Add a readiness probe to the /health endpoint to prevent failed webhook deliveries during startup.
  • Deploying to default namespace — create a dedicated 'openclaw' namespace to isolate resources and make RBAC management cleaner.
  • Not testing rollback — always verify that 'kubectl rollout undo deployment/openclaw' works before you need it in production.
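
The checks in this list can be automated. The following is an added example (not from the original guide or the OpenClaw project) that audits a Deployment for the unpinned tag, pull policy, readiness probe, resource request and namespace mistakes. The input is constructed: the guide's Deployment reduced to the audited fields, in the JSON shape of `kubectl get deployment -o json`; the function names and the tag `X.Y.Z` are placeholders.

```python
import copy
import json

# Constructed input mirroring the Deployment manifest from this guide.
GUIDE_DEPLOYMENT = json.loads("""
{"metadata": {"name": "openclaw", "namespace": "openclaw"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "openclaw", "image": "openclaw/openclaw:latest",
    "resources": {"requests": {"cpu": "250m", "memory": "512Mi"}}}]}}}}
""")

def audit_deployment(dep):
    """Return (container, finding) pairs for the mistakes listed above."""
    findings = []
    if dep["metadata"].get("namespace", "default") == "default":
        findings.append(("-", "default-namespace"))
    for c in dep["spec"]["template"]["spec"]["containers"]:
        name, image = c["name"], c["image"]
        last = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
        tag = last.split(":", 1)[1] if ":" in last else "latest"
        pinned = "@sha256:" in image or tag != "latest"
        if not pinned:
            findings.append((name, "unpinned-image"))
        # Kubernetes defaults imagePullPolicy to Always for :latest or no tag.
        policy = c.get("imagePullPolicy") or ("IfNotPresent" if pinned else "Always")
        if policy == "Always":
            findings.append((name, "pull-always"))
        if "readinessProbe" not in c:
            findings.append((name, "no-readiness-probe"))
        requests = c.get("resources", {}).get("requests", {})
        findings += [(name, f"no-{r}-request")
                     for r in ("cpu", "memory") if r not in requests]
    return findings

def hardened(dep, tag):
    """Copy of dep with a pinned tag, IfNotPresent and a /health probe."""
    fixed = copy.deepcopy(dep)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        c["image"] = c["image"].rsplit(":", 1)[0] + ":" + tag
        c["imagePullPolicy"] = "IfNotPresent"
        c["readinessProbe"] = {"httpGet": {"path": "/health", "port": 8080}}
    return fixed

if __name__ == "__main__":
    print(audit_deployment(GUIDE_DEPLOYMENT))
    print(audit_deployment(hardened(GUIDE_DEPLOYMENT, "X.Y.Z")))  # placeholder tag
```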

Frequently Asked Questions

What Kubernetes version does OpenClaw require?
OpenClaw supports Kubernetes 1.26+. It uses standard Deployment, Service, ConfigMap, and Secret resources — no CRDs required.

Can I run OpenClaw on managed Kubernetes?
Yes. OpenClaw runs on EKS, GKE, AKS, and self-managed clusters identically — any CNCF-conformant distribution works.

How do I store OpenClaw secrets in Kubernetes?
Use Kubernetes Secrets. For production, use External Secrets Operator with AWS Secrets Manager or HashiCorp Vault for rotation and audit.

Can OpenClaw scale horizontally?
Yes. Use HPA for CPU-based scaling. Multi-replica setups need Redis or Supabase as a shared state backend.

What resource requests should I set?
Recommended: 250m CPU request, 512Mi RAM request, 1 CPU limit, 1Gi RAM limit. Adjust for LLM-heavy skill workloads.

How do I expose OpenClaw webhooks via Ingress?
Deploy nginx-ingress, create an Ingress resource pointing to the OpenClaw Service, and use cert-manager for automatic TLS certificate management.


T. Chen runs production Kubernetes clusters for AI workloads and covers cloud-native OpenClaw deployments at aiagentsguides.com.
