Building a Secure, Stable, Long-Term Maintainable OpenClaw Production Instance on Kubernetes
Author: Programmer Lao Yang
Updated: 15 March 2026
Audience: cloud-native engineers, AI operations teams, enterprise DevOps
I. Why deploy OpenClaw on Kubernetes?
OpenClaw, as a "local AI digital employee", delivers its production value through 24x7 reliable operation, multi-channel coordination, state persistence and disaster recovery. Compared with a single-host Docker Compose setup, Kubernetes provides:
- ✅ High availability: automatic Pod restarts and rescheduling after node failure (the gateway below runs as a single replica on a ReadWriteOnce volume, so "HA" here means fast automatic recovery, not active-active redundancy)
- ✅ Resource isolation: CPU/memory limits and QoS guarantees
- ✅ Declarative configuration: GitOps-friendly and version-controlled
- ✅ Scalability: room to scale out to multiple agent instances later
- ✅ Observability: straightforward integration with Prometheus, Loki and Jaeger
💡 Prerequisite: this article assumes you already have a working Kubernetes cluster (v1.30 to v1.32 recommended) that uses containerd as its container runtime.
II. Core design principles

III. Preparation
1. Image preparation
Pull the latest stable OpenClaw image and push it to a private registry (for example Harbor or Alibaba Cloud ACR):
# Pull from a China-accelerated mirror
docker pull docker.1ms.run/alpine/openclaw:v2026.3.8
# Tag and push to the private registry (example)
docker tag docker.1ms.run/alpine/openclaw:v2026.3.8 your-registry.example.com/ai/openclaw:v2026.3.8
docker push your-registry.example.com/ai/openclaw:v2026.3.8
🔒 Security note: production clusters should never pull images straight from the public internet. Pull through a private registry that scans images and verifies signatures, and reference the image by digest (image@sha256:...) rather than by tag alone, since a tag can be re-pointed at different content. A mirror such as the one above is a third-party re-publication; compare its digest with the upstream release before trusting it.
2. Create the namespace
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openclaw-prod

kubectl apply -f namespace.yaml
IV. Core resource manifests
1. Secret: access token and TLS certificate
# secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: openclaw-secret
  namespace: openclaw-prod
type: Opaque
data:
  # base64-encoded (note: encoding, not encryption!)
  OPENCLAW_TOKEN: <REPLACE_WITH_BASE64_ENCODED_TOKEN>
---
apiVersion: v1
kind: Secret
metadata:
  name: openclaw-tls
  namespace: openclaw-prod
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_OF_FULLCHAIN_PEM>
  tls.key: <BASE64_OF_PRIVKEY_PEM>
Generate the token:
# 64 hex characters encode to 88 base64 characters, which GNU base64 would wrap at 76;
# strip the newline so the value is a single line
echo -n "$(openssl rand -hex 32)" | base64 | tr -d '\n'
# paste the output in place of <REPLACE_WITH_BASE64_ENCODED_TOKEN>
🔒 Because base64 is reversible, a filled-in secret.yaml is plaintext credential material: keep it out of Git (or manage it with Sealed Secrets / External Secrets), enable etcd encryption at rest, and restrict who may get or list Secrets in openclaw-prod through RBAC.
2. PersistentVolumeClaim (PVC)
# pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openclaw-pvc
  namespace: openclaw-prod
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: standard   # adjust to the StorageClass available in your cluster
3. Deployment: the gateway service
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw-gateway
  namespace: openclaw-prod
spec:
  replicas: 1              # state lives on a ReadWriteOnce PVC, so keep exactly one replica
  strategy:
    type: Recreate         # a RollingUpdate would start the new Pod while the old one still holds the RWO volume
  selector:
    matchLabels:
      app: openclaw-gateway
  template:
    metadata:
      labels:
        app: openclaw-gateway
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault      # required by the PodSecurity "restricted" profile enforced in section VI
      containers:
      - name: gateway
        image: your-registry.example.com/ai/openclaw:v2026.3.8
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false   # required by "restricted"
          capabilities:
            drop: ["ALL"]                   # required by "restricted"
        ports:
        - containerPort: 18789
          name: http
        env:
        - name: NODE_ENV
          value: "production"
        - name: OPENCLAW_TOKEN
          valueFrom:
            secretKeyRef:
              name: openclaw-secret
              key: OPENCLAW_TOKEN
        volumeMounts:
        - name: data
          mountPath: /home/node
        - name: config
          mountPath: /home/node/config
          readOnly: true
        resources:
          requests:
            memory: "1Gi"
            cpu: "1"
          limits:
            memory: "2Gi"
            cpu: "2"
        livenessProbe:
          httpGet:
            path: /health
            port: 18789
          initialDelaySeconds: 60
          periodSeconds: 30
          timeoutSeconds: 5
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /health
            port: 18789
          initialDelaySeconds: 30
          periodSeconds: 10
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: openclaw-pvc
      - name: config
        emptyDir: {}   # placeholder only: an empty read-only volume mounted at /home/node/config hides any config on the PVC; replace it with a ConfigMap (or drop the mount) before going live
      restartPolicy: Always
4. Service and Ingress
The Service is a plain ClusterIP, so the only route into the gateway is through the TLS-terminating Ingress:
# service-ingress.yaml
apiVersion: v1
kind: Service
metadata:
  name: openclaw-service
  namespace: openclaw-prod
spec:
  selector:
    app: openclaw-gateway
  ports:
  - protocol: TCP
    port: 80
    targetPort: 18789
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openclaw-ingress
  namespace: openclaw-prod
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"   # long-lived agent sessions; only honoured by ingress-nginx
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
spec:
  ingressClassName: nginx   # the class your ingress-nginx controller registers; without it the Ingress may be ignored
  tls:
  - hosts:
    - openclaw.example.com
    secretName: openclaw-tls
  rules:
  - host: openclaw.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: openclaw-service
            port:
              number: 80
V. Automated backups: scheduled CronJob snapshots
Use the backup command shipped with OpenClaw v2026.3.8 to take a daily backup:
# cronjob-backup.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: openclaw-daily-backup
  namespace: openclaw-prod
spec:
  schedule: "0 2 * * *"        # every day at 02:00 (controller-manager time zone; set spec.timeZone if you need a fixed zone)
  concurrencyPolicy: Forbid    # never run two backups against the same data directory at once
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          # The PVC is ReadWriteOnce: this Pod must land on the node that already has the volume
          # attached for the gateway Pod, otherwise it fails to start with a Multi-Attach error.
          affinity:
            podAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
              - labelSelector:
                  matchLabels:
                    app: openclaw-gateway
                topologyKey: kubernetes.io/hostname
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          containers:
          - name: backup
            image: your-registry.example.com/ai/openclaw:v2026.3.8
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            command:
            - /bin/sh
            - -c
            - |
              set -e
              BACKUP_NAME="daily-$(date +%Y%m%d)"
              openclaw backup create --name "$BACKUP_NAME"
              echo "Backup $BACKUP_NAME created successfully."
            volumeMounts:
            - name: data
              mountPath: /home/node
          volumes:
          - name: data
            persistentVolumeClaim:
              claimName: openclaw-pvc
📌 Backup location: backup files are written to /home/node/.openclaw/backups/ by default. A backup that lives only on the same PVC as the data it protects is not disaster recovery; copy it to object storage (S3/OSS) from a sidecar or follow-up container.
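The off-site copy mentioned above, written out as an added example (not part of the original article or of the OpenClaw project): the backup runs in an init container, and only if it succeeds does the main container ship the backup directory to a bucket. Everything not taken from the manifests above is an assumption: the aws-cli image is a mirror of amazon/aws-cli pinned in your private registry, the bucket name, region and the openclaw-s3-credentials Secret are placeholders, and static access keys are shown only because they are portable; on EKS/ACK use IRSA/RRSA workload identity instead.

```yaml
# cronjob-offsite-backup.yaml (added example; names marked "assumption" are placeholders)
apiVersion: batch/v1
kind: CronJob
metadata:
  name: openclaw-offsite-backup
  namespace: openclaw-prod
spec:
  schedule: "30 2 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: OnFailure
          affinity:                  # RWO volume: must co-locate with the gateway Pod
            podAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
              - labelSelector:
                  matchLabels:
                    app: openclaw-gateway
                topologyKey: kubernetes.io/hostname
          securityContext:           # same "restricted"-compatible settings as the gateway
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          # Step 1 (init container): create the backup with the OpenClaw CLI.
          # If this step fails the Pod never reaches step 2, so a broken backup is never uploaded.
          initContainers:
          - name: backup
            image: your-registry.example.com/ai/openclaw:v2026.3.8
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              openclaw backup create --name "daily-$(date +%Y%m%d)"
            volumeMounts:
            - name: data
              mountPath: /home/node
          # Step 2: copy the backup directory to object storage.
          containers:
          - name: sync
            image: your-registry.example.com/tools/aws-cli:<TAG>   # assumption: mirror of amazon/aws-cli, pinned by digest in production
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            env:
            - name: HOME
              value: /tmp                    # aws-cli wants a writable home for its cache when running as uid 1000
            - name: AWS_DEFAULT_REGION
              value: ap-east-1               # assumption
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: openclaw-s3-credentials   # assumption: hypothetical Secret; prefer workload identity
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: openclaw-s3-credentials
                  key: AWS_SECRET_ACCESS_KEY
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              # "sync" without --delete only adds objects; it can never remove history in the bucket
              aws s3 sync /home/node/.openclaw/backups "s3://example-openclaw-backups/openclaw-prod/" --no-progress
            volumeMounts:
            - name: data
              mountPath: /home/node
              readOnly: true                 # the upload step never needs write access to the data volume
          volumes:
          - name: data
            persistentVolumeClaim:
              claimName: openclaw-pvc
```

Enable versioning (or Object Lock) on the bucket and give the credentials write-only permission on that prefix: then even a gateway that has been compromised through a malicious prompt cannot overwrite or delete earlier backups. Note that the init container and the main container cannot run at the same time as the daily-backup CronJob from the page, so schedule them apart or replace that CronJob with this one.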
VI. Security hardening
1. NetworkPolicy (restrict inbound and outbound traffic)
NetworkPolicy objects are only enforced when the cluster's CNI supports them (Calico, Cilium and similar do; plain flannel does not), so confirm enforcement with a test Pod before relying on them. As written, the policy below pins inbound traffic to the ingress controller's namespace but leaves egress wide open, which protects nothing on the outbound side:
# netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openclaw-netpol
  namespace: openclaw-prod
spec:
  podSelector:
    matchLabels:
      app: openclaw-gateway
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # only the Ingress Controller's namespace may reach the gateway
    ports:
    - protocol: TCP
      port: 18789
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0   # allows every destination; restrict to the API endpoints you actually need
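A tightened version of the policy above, as an added example (not part of the original article): egress is limited to cluster DNS and HTTPS to public addresses, while private ranges and the link-local block that carries the cloud metadata service (169.254.169.254) are excluded. An agent that can be prompt-injected into issuing arbitrary HTTP requests must not be able to use those paths to reach the node, other workloads or instance credentials. The kube-dns and ingress-nginx Pod labels are assumptions that match upstream defaults; check them with kubectl get pods --show-labels in kube-system and ingress-nginx.

```yaml
# netpol-strict.yaml (added example; adjust selectors marked "assumption" to your cluster)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openclaw-netpol-strict
  namespace: openclaw-prod
spec:
  podSelector:
    matchLabels:
      app: openclaw-gateway
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Only the ingress controller's Pods, not every Pod that happens to live in its namespace
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx   # assumption: label set by the upstream ingress-nginx chart
    ports:
    - protocol: TCP
      port: 18789
  egress:
  # Rule 1: cluster DNS only (assumption: CoreDNS Pods carry k8s-app=kube-dns in kube-system, as on kubeadm clusters).
  # Rules are OR-ed, so this still works even though the service CIDR falls inside the ranges excluded in rule 2.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: HTTPS to the public internet for model/API endpoints, never to RFC 1918 space
  # or the link-local range that hosts the cloud metadata endpoint.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
    ports:
    - protocol: TCP
      port: 443
```

If the model endpoint is reachable only inside the VPC or the cluster, add a third egress rule for that specific address and port instead of widening rule 2. Apply the strict policy in place of openclaw-netpol, not alongside it: policies are additive, so keeping both would leave the open egress rule in force.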
2. PodSecurity Admission (enforce the restricted profile)
Label the namespace so that the restricted level is enforced. Add the labels to the namespace.yaml from section III rather than keeping a second manifest for the same object; audit and warn are set as well so that violations are surfaced in the audit log and in kubectl output:
# namespace.yaml (labels added)
apiVersion: v1
kind: Namespace
metadata:
  name: openclaw-prod
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
The restricted profile rejects any Pod in the namespace that does not set runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities.drop: ["ALL"] and a RuntimeDefault (or Localhost) seccomp profile. That applies to the backup CronJob's Pods as well as the gateway, so every Pod template in this namespace must carry those fields or it will never be scheduled.
VII. Deploy and verify
# Apply all manifests (the namespace must exist before anything inside it)
kubectl apply -f namespace.yaml
kubectl apply -f secret.yaml
kubectl apply -f pvc.yaml
kubectl apply -f deployment.yaml
kubectl apply -f service-ingress.yaml
kubectl apply -f cronjob-backup.yaml
# Initialise the channels (first run only)
kubectl exec -n openclaw-prod deploy/openclaw-gateway -- onboard
# Check status
kubectl get pods -n openclaw-prod
kubectl logs -n openclaw-prod -l app=openclaw-gateway -f
Open https://openclaw.example.com and enter the token to reach the Dashboard. If no Pod ever appears, check kubectl get events -n openclaw-prod: with the restricted PodSecurity level enforced, a Pod whose securityContext does not satisfy the profile is rejected at admission rather than scheduled.
VIII. Upgrades and maintenance
Upgrade procedure:
- Build the new image version and push it to the private registry
- Update the image field in deployment.yaml
- Run kubectl apply -f deployment.yaml
- Kubernetes replaces the Pod and mounts the existing PVC into the new one automatically. Because the volume is ReadWriteOnce, the old Pod must release it before the new Pod can attach it, so plan for a brief interruption rather than a zero-downtime rollout.
Disaster recovery:
# Run the restore from inside the Pod
kubectl exec -it -n openclaw-prod <POD_NAME> -- openclaw backup list
kubectl exec -n openclaw-prod <POD_NAME> -- openclaw backup restore --name daily-20260314
Rehearse the restore in a scratch namespace before you need it; a backup that has never been restored is an untested assumption.
IX. Summary
With this setup you have an OpenClaw production instance on Kubernetes that follows cloud-native practice and provides:
- Persistence: user memory, skills and configuration stored on a PVC
- Security: non-root execution, NetworkPolicy, Secret management
- Observability: health probes plus log integration
- Maintainability: GitOps deployment, CronJob backups, controlled upgrades
- Extensibility: can later be split into Gateway + Sandbox + Skill microservices
The end goal: a "digital employee" that works reliably in a cloud-native environment and never loses its state.