Getting started

KubeClaw deploys OpenClaw to Kubernetes using a single Helm chart. The chart is published as an OCI artifact at ghcr.io/imerica/kubeclaw.

Prerequisites

  • Kubernetes 1.25+
  • Helm 3.12+
  • A ReadWriteOnce-capable StorageClass (cluster default used if unset)
  • A Tailscale auth key if tailscale.ssh is enabled (enabled by default)
  • Gateway API CRDs if using gatewayAPI with a BYO controller (the bundled Envoy Gateway installs them automatically)

Install

Recommended install:

shell
curl -fsSL https://kubeclaw.ai/install.sh | bash

Manual OCI install:

shell
helm install kubeclaw oci://ghcr.io/imerica/kubeclaw \
  --version 0.1.0 \
  --namespace kubeclaw \
  --create-namespace \
  --set secret.data.OPENCLAW_GATEWAY_TOKEN=change-me

If you keep default chart toggles enabled, also set:

  • tailscale.ssh.authKey (or tailscale.ssh.authKeySecretName)
  • litellm.masterkey (must start with sk-)
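
An added example, not part of the KubeClaw documentation: generate the gateway token and LiteLLM master key randomly and pass them through an owner-only values file instead of --set ...=change-me. The YAML keys are the --set paths above written as a values file; the function names, the TS_AUTHKEY variable and the file path are assumptions.

```shell
#!/bin/sh
# Added example: build a secrets values file for the kubeclaw chart.
set -eu

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
rand_hex() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_kubeclaw_values FILE
# TS_AUTHKEY (assumed variable name) must already hold the Tailscale auth key.
write_kubeclaw_values() {
  : "${TS_AUTHKEY:?set TS_AUTHKEY to your Tailscale auth key}"
  (
    umask 077   # a newly created file gets mode 0600
    cat > "$1" <<EOF
secret:
  data:
    OPENCLAW_GATEWAY_TOKEN: "$(rand_hex)"
litellm:
  masterkey: "sk-$(rand_hex)"
tailscale:
  ssh:
    authKey: "${TS_AUTHKEY}"
EOF
  )
  chmod 600 "$1"   # also tighten a file that already existed
}

# install_kubeclaw FILE
# Same chart and version as the manual install; the secrets come from FILE,
# so they are not part of the helm command line.
install_kubeclaw() {
  helm install kubeclaw oci://ghcr.io/imerica/kubeclaw \
    --version 0.1.0 \
    --namespace kubeclaw \
    --create-namespace \
    --values "$1"
}

# Usage (file name is an example):
#   write_kubeclaw_values ./kubeclaw-secrets.yaml
#   install_kubeclaw ./kubeclaw-secrets.yaml
```

Keep the generated file out of version control, and delete it or move it into your secret store once the release is installed.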

Wait for the rollout:

kubectl -n kubeclaw rollout status statefulset/kubeclaw

Get an authenticated dashboard URL:

shell
kubectl -n kubeclaw exec statefulset/kubeclaw -- \
  node dist/index.js dashboard --no-open | grep "Dashboard URL:"

Port-forward to access the Control UI:

shell
kubectl -n kubeclaw port-forward svc/kubeclaw 18789:18789

What ships by default

The chart enables a full production stack out of the box:

  • Gateway StatefulSet with durable PVC-backed storage at /home/node/.openclaw
  • QMD Hybrid Search for local-first memory retrieval combining BM25 full-text, vector similarity, and MMR reranking
  • Chromium Deployment for browser automation via CDP on port 9222 (cluster-internal)
  • LiteLLM Proxy for per-agent virtual keys, budget caps, model routing, and semantic caching
  • Wide Events Observability via ClickHouse, HyperDX, and OpenTelemetry collectors (node + cluster)
  • Egress DNS Filtering via Blocky with threat blocklists, country TLD blocking, and query logging
  • Gateway API Routing with a bundled Envoy Gateway controller and path-based HTTPRoutes
  • Tailscale Integration for tailnet exposure and SSH access into the pod
  • NetworkPolicy for traffic lockdown
  • Diagnostics CronJob running openclaw doctor hourly
  • Health probes (startup, liveness, readiness)
  • GitOps-friendly config with declarative openclaw.json merge or overwrite via initContainer
  • Digest-pinned images to prevent tag drift

Next steps