KubeClawKubeClaw

Default-deny outbound via Blocky. Explicit allow/deny lists, threat blocklists, country TLD blocking, and full query logging.

Policy templates are included so you can lock down ingress and egress flows with a least-privilege baseline.

Each release is validated against a candidate image. Chart defaults ship with exact tag + digest. No silent drift.

Expose the gateway onto your tailnet without public ingress. SSH into the pod from any enrolled device.

Single-hostname path-based routing via HTTPRoutes. Optional bundled Envoy Gateway controller or bring your own.

Logs, metrics, traces, and K8s events unified in ClickHouse via OpenTelemetry. Search with HyperDX. One backend, not four.

Periodic health checks run openclaw doctor and surface drift early, before outages become incidents.

Scheduled S3 backups via rclone CronJob, pre-delete hooks on helm uninstall, and documented restore from CSI snapshots, tarballs, or S3.

Declare your desired openclaw.json. The chart handles merge or overwrite via initContainer. Reconcile, don't imperative.

Durable storage at /home/node/.openclaw. No ephemeral surprises, no data loss on pod restarts.

Local-first memory backend combining BM25 full-text, vector similarity, and MMR reranking. Auto-indexes agent knowledge via scheduled CronJobs.

Per-agent virtual keys, budget caps, model fallback routing, and semantic caching. One endpoint for every LLM provider.

Composable skill bundles pulled from playbooks, clawhub, or npm registries and installed at deploy time.

PVC-backed markdown vault mounted at /vaults/obsidian, pre-wired for task and knowledge workflows.

Standalone Chromium deployment with CDP on port 9222. Browser automation without host dependencies.