KubeClaw

KubeClaw provides a robust, opinionated deployment of OpenClaw on Kubernetes, ensuring secure defaults, predictable upgrades, and transparent operations through a single Helm install. Key features include: • Secure defaults for core services • Predictable, version-controlled upgrades • Comprehensive observability with Wide Events • Integrated egress DNS filtering • Optimized Gateway API routing This platform transforms OpenClaw into a production-ready system by providing essential guardrails and audited components. It includes durable storage with StatefulSet and PVC, ensuring no data loss across pod restarts. Observability is unified through ClickHouse and OpenTelemetry, offering a single backend for logs, metrics, traces, and Kubernetes events, simplifying search and analysis with HyperDX. Egress DNS filtering is enforced via Blocky, default-denying outbound traffic and allowing explicit allow/deny lists, threat blocklists, and full query logging, enhancing network security. KubeClaw also integrates a LiteLLM Proxy for managing various language models, offering per-agent virtual keys, budget caps, model fallback, and semantic caching. Gateway API routing provides single-hostname, path-based routing, with an optional bundled Envoy Gateway controller. For secure internal access, Tailscale integration exposes the gateway onto your tailnet without public ingress and enables SSH access into pods from enrolled devices. A Chromium sidecar deployment offers browser automation capabilities without host dependencies. All configurations are GitOps-friendly, allowing declaration of desired `openclaw.json` states for reconciliation. Built for engineering teams and organizations requiring reliable deployment of OpenClaw, KubeClaw is ideal for those focused on operational stability, security, and clear visibility into their containerized applications. It supports use cases from advanced data processing to managing external service consumption, making complex deployments straightforward and maintainable.