OpenClaw in Kubernetes

Running OpenClaw on Kubernetes requires a dedicated namespace, persistent storage for configuration and workspace data, secure API token injection, and an ingress with extended WebSocket timeout support. This template provides a complete single-replica OpenClaw Kubernetes deployment with all of that preconfigured, including TLS termination via cert-manager and 3600-second WebSocket timeouts for long-lived AI agent connections.

What's Included

Component	Type	Port	Role
Namespace	Namespace	-	Isolates all OpenClaw resources
API Secret	Secret	-	Stores Telegram, Anthropic, and Discord API tokens
Config Storage	PersistentVolumeClaim	-	10Gi volume for OpenClaw configuration data
Workspace Storage	PersistentVolumeClaim	-	20Gi volume for workspace and runtime data
OpenClaw	Deployment	-	Single-replica gateway with liveness and readiness probes
Service	ClusterIP Service	-	Internal network access to the OpenClaw pod
Ingress	NGINX Ingress	443	TLS via cert-manager; 3600s WebSocket timeout

Architecture Overview

OpenClaw runs as a single-replica Deployment inside its own namespace, backed by two PersistentVolumeClaims for configuration (10Gi) and workspace (20Gi) data. API tokens for Telegram, Anthropic, and Discord are stored in a Kubernetes Secret and injected at pod startup. A ClusterIP Service exposes the pod internally, and an NGINX Ingress handles external traffic with cert-manager TLS and a 3600-second proxy timeout to support persistent WebSocket connections.

Prerequisites

Existing Kubernetes cluster with available capacity
NGINX Ingress Controller installed
cert-manager installed and configured for Let's Encrypt
API tokens for Telegram, Anthropic, and/or Discord
A domain name pointed at your cluster's ingress IP
KubeKanvas CLI installed and running on your computer (Optional, if you want to use one-click deployment)

How to Deploy

Click on the button at the top right corner of this page to load the manifest into the editor.
Add your Telegram, Anthropic, and Discord API tokens to the Secret component.
Update the Ingress with your domain name.
Adjust PVC sizes if your storage requirements differ from the defaults (10Gi config, 20Gi workspace).
Deploy the template to your cluster via the Play button in the top right bar. If you prefer to deploy manually, download the YAML and apply it with kubectl.
Wait for all pods to reach Running status. You can monitor progress in the Release Monitor screen.

How to Test

Confirm the OpenClaw pod is running. You can monitor the deployment in the Release Monitor screen. Or you can run kubectl command to find out the status of pods: kubectl get pods -n openclaw.
Check that the TLS certificate has been issued: kubectl describe certificate -n openclaw.
Send a test message via your configured Telegram or Discord integration and verify OpenClaw responds.

Use Cases

Self-hosted AI agent gateway: Running an OpenClaw instance on your own cluster with full control over API token storage and network access.
Multi-platform bot backend: Connecting Telegram and Discord bots to Anthropic AI through a single Kubernetes-managed gateway.
GitOps-managed AI workloads: Managing OpenClaw configuration as Kubernetes manifests within an existing GitOps deployment pipeline.

Summary

This template configures a namespace-isolated OpenClaw deployment on Kubernetes with persistent storage, secret-based API token management, and WebSocket-ready TLS ingress. For a full walkthrough, read Deploying OpenClaw in Kubernetes.

Tags:

OpenClawOpenClaw in Kubernetes

Created by:

Mahmood

2 uses

What's Included

Component	Type	Port	Role
Namespace	Namespace	-	Isolates all OpenClaw resources
API Secret	Secret	-	Stores Telegram, Anthropic, and Discord API tokens
Config Storage	PersistentVolumeClaim	-	10Gi volume for OpenClaw configuration data
Workspace Storage	PersistentVolumeClaim	-	20Gi volume for workspace and runtime data
OpenClaw	Deployment	-	Single-replica gateway with liveness and readiness probes
Service	ClusterIP Service	-	Internal network access to the OpenClaw pod
Ingress	NGINX Ingress	443	TLS via cert-manager; 3600s WebSocket timeout

Architecture Overview

Prerequisites

Existing Kubernetes cluster with available capacity

NGINX Ingress Controller installed

cert-manager installed and configured for Let's Encrypt

API tokens for Telegram, Anthropic, and/or Discord

A domain name pointed at your cluster's ingress IP

KubeKanvas CLI installed and running on your computer (Optional, if you want to use one-click deployment)

How to Deploy

Click on the button at the top right corner of this page to load the manifest into the editor.

Add your Telegram, Anthropic, and Discord API tokens to the Secret component.

Update the Ingress with your domain name.

Adjust PVC sizes if your storage requirements differ from the defaults (10Gi config, 20Gi workspace).

Deploy the template to your cluster via the Play button in the top right bar. If you prefer to deploy manually, download the YAML and apply it with kubectl.

Wait for all pods to reach Running status. You can monitor progress in the Release Monitor screen.

How to Test

Confirm the OpenClaw pod is running. You can monitor the deployment in the Release Monitor screen. Or you can run kubectl command to find out the status of pods: kubectl get pods -n openclaw.

Check that the TLS certificate has been issued: kubectl describe certificate -n openclaw.

Send a test message via your configured Telegram or Discord integration and verify OpenClaw responds.

Use Cases

Self-hosted AI agent gateway: Running an OpenClaw instance on your own cluster with full control over API token storage and network access.

Multi-platform bot backend: Connecting Telegram and Discord bots to Anthropic AI through a single Kubernetes-managed gateway.

GitOps-managed AI workloads: Managing OpenClaw configuration as Kubernetes manifests within an existing GitOps deployment pipeline.