How to Deploy OpenClaw on Kubernetes
Security researchers found more than 135,000 OpenClaw instances exposed wide open on the internet. Many of them were vulnerable to remote code execution. The OpenClaw security crisis is real: critical CVEs, malicious skills, and a fundamental problem with how the majority of deployments handle authentication. Running OpenClaw on a VPS with docker run is easy. Running it securely is a different problem.
Kubernetes solves that problem. You get network isolation, resource limits, automated restarts, and security defaults that would otherwise take you hours to configure by hand. And with the OpenClaw Kubernetes Operator, you get all of it from a single YAML file.
This guide takes you from nothing to a production-ready OpenClaw agent on Kubernetes. Every YAML block is ready to copy and paste.
Why an operator
Running OpenClaw on Kubernetes is more than a Deployment and a Service. You need network isolation, secrets management, persistent storage, health monitoring, configuration rollouts, and optionally browser automation. Wiring all of this together correctly by hand is tedious and error-prone.
A Kubernetes operator encodes these requirements in a single custom resource. You declare what you want, and the operator continuously reconciles that into the correct set of Kubernetes objects. This gives you:
- Secure by default. Every agent runs as UID 1000, with all Linux capabilities dropped, seccomp enabled, a read-only root filesystem, and a default-deny NetworkPolicy that allows only DNS and HTTPS egress. No manual hardening required.
- Auto-updates with rollback. The operator checks the OCI registry for new versions, backs up the workspace, rolls out the update, and automatically rolls back if the new pod fails its health checks.
- Configuration rollouts. Change your spec.config.raw and the operator detects that the content hash has changed and triggers a rolling update. The same applies to secret rotation.
- Backup and restore. Automatic workspace backup to S3-compatible storage when an instance is deleted. Restore into a new instance from any snapshot.
- Gateway authentication. A gateway token is generated automatically for each instance. No manual pairing, no mDNS (which does not work in Kubernetes anyway).
- Drift detection. Every 5 minutes, the operator checks that every managed resource matches the desired state. If someone manually edits a NetworkPolicy or deletes a PDB, it is reconciled back.
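The content-hash rollout described in the list above is easy to get subtly wrong: if the hash depends on key order or whitespace, a cosmetic edit to the YAML restarts every agent, and if it ignores the Secret, a rotated API key never reaches the pod. The following is an added example (not the operator's code) showing one way to derive the hashes and the rollout decision from the `spec.config.raw` object and the Secret's data. The annotation names `openclaw.rocks/config-hash` and `openclaw.rocks/secret-hash`, and the sample config and secret values, are assumptions constructed for this example.

```python
import hashlib
import json

# Annotation keys are assumptions for this example; the operator's real keys are not documented here.
CONFIG_HASH_ANNOTATION = "openclaw.rocks/config-hash"
SECRET_HASH_ANNOTATION = "openclaw.rocks/secret-hash"


def content_hash(obj) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so the hash depends only
    on the values, not on key order or on how the YAML file happened to be laid out."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def desired_annotations(config_raw: dict, secret_data: dict) -> dict:
    """Annotations the StatefulSet pod template should carry for the current spec and Secret."""
    return {
        CONFIG_HASH_ANNOTATION: content_hash(config_raw),
        SECRET_HASH_ANNOTATION: content_hash(secret_data),
    }


def needs_rollout(pod_template_annotations: dict, config_raw: dict, secret_data: dict) -> bool:
    """A rolling update is due when any recorded hash differs from the desired one.
    A missing annotation (fresh StatefulSet) counts as different."""
    want = desired_annotations(config_raw, secret_data)
    return any(pod_template_annotations.get(key) != value for key, value in want.items())


# Constructed sample data: a config written two ways, and a Secret before and after rotation.
CONFIG = {
    "agents": {"defaults": {"model": {"primary": "anthropic/claude-sonnet-4-20250514"}}},
    "gateway": {"port": 18789},
}
CONFIG_REORDERED = {
    "gateway": {"port": 18789},
    "agents": {"defaults": {"model": {"primary": "anthropic/claude-sonnet-4-20250514"}}},
}
CONFIG_NEW_MODEL = {
    "agents": {"defaults": {"model": {"primary": "anthropic/some-other-model"}}},
    "gateway": {"port": 18789},
}
SECRET_V1 = {"ANTHROPIC_API_KEY": "c2stYW50LWNvbnN0cnVjdGVkLWtleS12MQ=="}  # base64 placeholder
SECRET_V2 = {"ANTHROPIC_API_KEY": "c2stYW50LWNvbnN0cnVjdGVkLWtleS12Mg=="}  # rotated placeholder

if __name__ == "__main__":
    recorded = desired_annotations(CONFIG, SECRET_V1)  # what the running StatefulSet carries
    print("cosmetic reorder  ->", needs_rollout(recorded, CONFIG_REORDERED, SECRET_V1))
    print("model change      ->", needs_rollout(recorded, CONFIG_NEW_MODEL, SECRET_V1))
    print("secret rotation   ->", needs_rollout(recorded, CONFIG, SECRET_V2))
```

Hashing the Secret's data is acceptable for high-entropy API keys, but the annotation is readable by anyone who can read the StatefulSet; for a low-entropy secret you would hash the Secret's resourceVersion instead of its contents.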
Prerequisites
You need:
- A Kubernetes cluster (1.28+). Any conformant distribution works: EKS, GKE, AKS, k3s, or a local Kind cluster for testing.
- kubectl configured to talk to your cluster.
- helm v3 installed.
- An API key for your AI provider (Anthropic, OpenAI, or any OpenAI-compatible endpoint).
Step 1: Install the operator
The operator ships as an OCI Helm chart. One command installs it:
helm install openclaw-operator \
  oci://ghcr.io/openclaw-rocks/charts/openclaw-operator \
  --namespace openclaw-operator-system \
  --create-namespace
Verify that it is running:
kubectl get pods -n openclaw-operator-system
You should see the operator pod in the Running state. The operator also installs a validating webhook that rejects insecure configurations (such as running as root).
Step 2: Create your API key Secret
Store your AI provider's API key in a Kubernetes Secret. The operator injects it into the agent container:
kubectl create namespace openclaw
kubectl create secret generic openclaw-api-keys \
  --namespace openclaw \
  --from-literal=ANTHROPIC_API_KEY=sk-ant-your-key-here
For OpenAI or other providers, use the matching environment variable name (OPENAI_API_KEY, OPENROUTER_API_KEY, etc.). You can include multiple providers in the same Secret.
Tip: For production, consider using External Secrets Operator to sync keys from AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, or Azure Key Vault. The operator documentation has detailed examples.
Step 3: Deploy your first agent
Create a file named my-agent.yaml:
apiVersion: openclaw.rocks/v1alpha1
kind: OpenClawInstance
metadata:
  name: my-agent
  namespace: openclaw
spec:
  envFrom:
    - secretRef:
        name: openclaw-api-keys
  config:
    raw:
      agents:
        defaults:
          model:
            primary: "anthropic/claude-sonnet-4-20250514"
  storage:
    persistence:
      enabled: true
      size: 10Gi
Apply it:
kubectl apply -f my-agent.yaml
That single resource creates a StatefulSet, Service, ServiceAccount, Role, RoleBinding, ConfigMap, PVC, PDB, NetworkPolicy, and a gateway token Secret. The operator reconciles all of it.
Step 4: Verify that it is running
Watch the instance come up:
kubectl get openclawinstances -n openclaw -w
NAME       PHASE          READY   AGE
my-agent   Provisioning   False   10s
my-agent   Running        True    45s
When the phase shows Running and Ready is True, your agent is live. Check the logs:
kubectl logs -n openclaw statefulset/my-agent -f
To interact with your agent, port-forward the gateway:
kubectl port-forward -n openclaw svc/my-agent 18789:18789
Then open http://localhost:18789 in your browser.
Step 5: Connect a channel
OpenClaw supports Telegram, Discord, WhatsApp, Signal, and other messaging channels. Each channel is configured through environment variables. Add the relevant token to your Secret:
kubectl create secret generic openclaw-channel-keys \
  --namespace openclaw \
  --from-literal=TELEGRAM_BOT_TOKEN=your-bot-token-here
Then reference it in your instance:
spec:
  envFrom:
    - secretRef:
        name: openclaw-api-keys
    - secretRef:
        name: openclaw-channel-keys
OpenClaw detects the token automatically and enables the channel. No additional configuration required.
That covers the basics. Your agent is running, secured, and reachable. The rest of this guide covers optional features you can enable when you are ready.
Browser automation
spec:
  chromium:
    enabled: true
    resources:
      requests:
        cpu: 500m
        memory: 1Gi
      limits:
        cpu: 1000m
        memory: 2Gi
The operator automatically injects a CHROMIUM_URL environment variable into the main container. The sidecar runs as UID 1001 with a read-only root filesystem and its own security context.
Skills and runtime dependencies
spec:
  skills:
    - "@anthropic/mcp-server-fetch"
    - "@anthropic/mcp-server-filesystem"
  runtimeDeps:
    pnpm: true
    python: true
Auto-updates
spec:
  autoUpdate:
    enabled: true
    checkInterval: "12h"
    backupBeforeUpdate: true
    rollbackOnFailure: true
    healthCheckTimeout: "10m"
Production hardening
Monitoring with Prometheus
spec:
  observability:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        interval: "30s"
Scheduling on dedicated nodes
spec:
  availability:
    nodeSelector:
      openclaw.rocks/nodepool: openclaw
    tolerations:
      - key: openclaw.rocks/dedicated
        value: openclaw
        effect: NoSchedule
Custom egress rules
spec:
  security:
    networkPolicy:
      additionalEgress:
        - to:
            - ipBlock:
                cidr: 10.0.0.0/8
          ports:
            - port: 5432
              protocol: TCP
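Before opening an egress rule it helps to be able to answer "would the agent be able to reach this address and port?" without deploying anything. The following is an added example (not the operator's code) that evaluates a destination against the default-deny policy described in this guide plus the `additionalEgress` block above, using Kubernetes NetworkPolicy semantics: an omitted `to` means any destination, an omitted `ports` means any port, and no matching rule means denied. The exact shape of the operator's built-in DNS and HTTPS rules is an assumption here; `podSelector` and `namespaceSelector` peers, named ports and `endPort` ranges are not modelled.

```python
import ipaddress

# Assumed shape of the operator's built-in allowances: DNS (53 UDP/TCP) and HTTPS (443 TCP)
# to any IPv4 destination. The rendered policy may differ; this is an illustration.
DEFAULT_EGRESS = [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]},
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"port": 443, "protocol": "TCP"}]},
]

# The additionalEgress block from the manifest above, as a Python literal.
ADDITIONAL_EGRESS = [
    {"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}],
     "ports": [{"port": 5432, "protocol": "TCP"}]},
]


def build_egress_rules(additional_egress=None):
    """Rules the policy would carry: the defaults first, then the user's additions."""
    return DEFAULT_EGRESS + list(additional_egress or [])


def _peer_matches(peer, addr):
    block = peer.get("ipBlock")
    if block is None:
        # podSelector / namespaceSelector peers need live cluster state; not modelled here
        return False
    net = ipaddress.ip_network(block["cidr"], strict=False)
    if addr.version != net.version or addr not in net:
        return False
    # `except` carves holes out of the CIDR
    return not any(addr in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except", []))


def _port_matches(entry, dst_port, proto):
    # protocol defaults to TCP when omitted, as in the NetworkPolicy API
    return entry.get("protocol", "TCP") == proto and entry.get("port") == dst_port


def egress_allowed(rules, dst_ip, dst_port, proto="TCP"):
    """True if at least one rule permits the connection; otherwise denied (default-deny)."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        to, ports = rule.get("to"), rule.get("ports")
        peer_ok = not to or any(_peer_matches(p, addr) for p in to)
        port_ok = not ports or any(_port_matches(p, dst_port, proto) for p in ports)
        if peer_ok and port_ok:
            return True
    return False


if __name__ == "__main__":
    rules = build_egress_rules(ADDITIONAL_EGRESS)
    # Constructed destinations: an internal Postgres, a stray MySQL port, public HTTPS/HTTP, cluster DNS.
    for ip, port, proto in [("10.1.2.3", 5432, "TCP"), ("10.1.2.3", 3306, "TCP"),
                            ("203.0.113.10", 443, "TCP"), ("203.0.113.10", 80, "TCP"),
                            ("10.96.0.10", 53, "UDP")]:
        verdict = "allow" if egress_allowed(rules, ip, port, proto) else "deny"
        print(f"{ip}:{port}/{proto} -> {verdict}")
```

Note that the `additionalEgress` rule grants port 5432 to the whole 10.0.0.0/8; if the database lives in one subnet, narrow the CIDR to that subnet so a compromised agent cannot probe the rest of the private range on that port.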
Cloud provider identity
spec:
  security:
    rbac:
      serviceAccountAnnotations:
        eks.amazonaws.com/role-arn: "arn:aws:iam::123456789:role/openclaw"
Corporate proxies and private CAs
spec:
  security:
    caBundle:
      configMapName: corporate-ca-bundle
      key: ca-bundle.crt
GitOps
The OpenClawInstance CRD is a normal YAML file. Store your agent manifests in a git repo and let ArgoCD or Flux sync them to your cluster. No kubectl apply from laptops, no configuration drift, and a full audit trail.
Backup and restore
apiVersion: openclaw.rocks/v1alpha1
kind: OpenClawInstance
metadata:
  name: my-agent-restored
  namespace: openclaw
spec:
  restoreFrom: "s3://bucket/path/to/backup.tar.gz"
  envFrom:
    - secretRef:
        name: openclaw-api-keys
  storage:
    persistence:
      enabled: true
      size: 10Gi
Local inference with Ollama
spec:
  ollama:
    enabled: true
    models:
      - "llama3.2"
      - "nomic-embed-text"
    gpu: 1
    resources:
      requests:
        cpu: "2"
        memory: 4Gi
      limits:
        cpu: "4"
        memory: 8Gi
    storage:
      sizeLimit: 30Gi
Tailscale integration
spec:
  tailscale:
    enabled: true
    mode: serve
    authKeySecretRef:
      name: tailscale-authkey
    hostname: my-agent
The complete example
apiVersion: openclaw.rocks/v1alpha1
kind: OpenClawInstance
metadata:
  name: production-agent
  namespace: openclaw
spec:
  envFrom:
    - secretRef:
        name: openclaw-api-keys
  config:
    mergeMode: merge
    raw:
      agents:
        defaults:
          model:
            primary: "anthropic/claude-sonnet-4-20250514"
  skills:
    - "@anthropic/mcp-server-fetch"
  runtimeDeps:
    pnpm: true
  chromium:
    enabled: true
    resources:
      requests:
        cpu: 500m
        memory: 1Gi
      limits:
        cpu: 1000m
        memory: 2Gi
  ollama:
    enabled: true
    models: ["llama3.2"]
    gpu: 1
    resources:
      requests:
        cpu: "2"
        memory: 4Gi
  tailscale:
    enabled: true
    mode: serve
    authKeySecretRef:
      name: tailscale-authkey
    authSSO: true
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: 2000m
      memory: 4Gi
  storage:
    persistence:
      enabled: true
      size: 10Gi
  autoUpdate:
    enabled: true
    checkInterval: "24h"
    backupBeforeUpdate: true
    rollbackOnFailure: true
  observability:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
  availability:
    nodeSelector:
      openclaw.rocks/nodepool: openclaw
    tolerations:
      - key: openclaw.rocks/dedicated
        value: openclaw
        effect: NoSchedule
What you get out of the box
Without touching a single security setting, every agent deployed by the operator comes with: non-root execution (UID 1000), a read-only root filesystem, all Linux capabilities dropped, the RuntimeDefault seccomp profile, a default-deny NetworkPolicy (DNS + HTTPS egress only), a per-instance ServiceAccount without token auto-mounting, a PodDisruptionBudget, liveness/readiness/startup probes, automatically generated gateway authentication tokens, and 5-minute drift reconciliation.
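Defaults are only worth something if they survive to the running pod, so it is worth checking the observed Pod object rather than trusting the manifest. The following is an added example (not the operator's code) that audits a Pod, as returned by `kubectl get pod -o json`, for the pod-level defaults listed above and in the "Secure by default" bullet at the top of this guide: non-root UID, read-only root filesystem, dropped capabilities, RuntimeDefault seccomp, no host namespaces, no mounted service account token, and the three probes on the agent container. The two sample pods, the container name `openclaw`, and the assumption that the agent is the first container unless named are all constructed for this example; the PDB and NetworkPolicy are separate objects and are not checked here.

```python
import json
from typing import Optional

REQUIRED_SECCOMP = "RuntimeDefault"
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def _effective(container_sc: dict, pod_sc: dict, field: str):
    """Pod-level securityContext fields apply unless the container overrides them."""
    return container_sc[field] if field in container_sc else pod_sc.get(field)


def audit_container(c: dict, pod_sc: dict) -> list:
    """Findings for one container; an empty list means every checked default is present."""
    name = c.get("name", "?")
    sc = c.get("securityContext") or {}
    f = []
    if _effective(sc, pod_sc, "runAsNonRoot") is not True:
        f.append(f"{name}: runAsNonRoot is not true")
    uid = _effective(sc, pod_sc, "runAsUser")
    if uid is None or uid == 0:
        f.append(f"{name}: runAsUser is unset or 0")
    if sc.get("readOnlyRootFilesystem") is not True:
        f.append(f"{name}: root filesystem is writable")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        f.append(f"{name}: capabilities not dropped (drop: ALL missing)")
    if sc.get("allowPrivilegeEscalation") is not False:
        f.append(f"{name}: allowPrivilegeEscalation is not false")
    if sc.get("privileged"):
        f.append(f"{name}: container is privileged")
    if ((_effective(sc, pod_sc, "seccompProfile") or {}).get("type")) != REQUIRED_SECCOMP:
        f.append(f"{name}: seccomp profile is not {REQUIRED_SECCOMP}")
    # Checking the actual mount catches the token whether automount was disabled on the
    # Pod or on the ServiceAccount, because the observed Pod reflects what was injected.
    if any(m.get("mountPath") == SA_TOKEN_PATH for m in c.get("volumeMounts") or []):
        f.append(f"{name}: service account token is mounted")
    return f


def audit_pod(pod: dict, agent_container: Optional[str] = None) -> list:
    """Audit every container plus pod-level settings; probes are required on the agent
    container only (assumed to be the first container unless a name is given)."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is enabled")
    containers = spec.get("containers") or []
    if not containers:
        return findings + ["pod: no containers"]
    agent = agent_container or containers[0].get("name")
    for c in containers:
        findings += audit_container(c, pod_sc)
        if c.get("name") == agent:
            for probe in ("livenessProbe", "readinessProbe", "startupProbe"):
                if probe not in c:
                    findings.append(f"{agent}: {probe} missing")
    return findings


# Constructed sample: the shape of a compliant pod as described in this guide.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": REQUIRED_SECCOMP}},
    "containers": [{
        "name": "openclaw",
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"}],
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 18789}},
        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 18789}},
        "startupProbe": {"httpGet": {"path": "/healthz", "port": 18789}},
    }],
}}

# Constructed sample: a hand-rolled manifest with the usual mistakes.
WEAK_POD = {"spec": {
    "hostNetwork": True,
    "containers": [{
        "name": "openclaw",
        "securityContext": {"runAsUser": 0, "privileged": True},
        "volumeMounts": [{"name": "kube-api-access-abcde", "mountPath": SA_TOKEN_PATH}],
    }],
}}

if __name__ == "__main__":
    # Pipe `kubectl get pod <name> -n openclaw -o json` into this script instead of the samples.
    for label, pod in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        print(label, json.dumps(audit_pod(pod), indent=2))
```

Run it against every pod in the openclaw namespace after the operator's 5-minute reconcile window; a non-empty result on an operator-managed pod means either drift that reconciliation has not yet corrected or a field the operator does not own.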
Next steps
- See the full API reference for every CRD field
- Read the deployment guides for EKS, GKE, AKS and Kind
- Set up model fallback chains across multiple AI providers
- Configure External Secrets for Vault, AWS, GCP or Azure
If you run into problems or have feedback, open an issue on GitHub. PRs are welcome too.
If you do not want to operate Kubernetes yourself, OpenClaw.rocks runs all of this for you. Pick a plan, connect a channel, and your agent is live in seconds.