diff --git a/openclaw/deployment-openclaw.yaml b/openclaw/deployment-openclaw.yaml
index 0a3295d..7728c7f 100644
--- a/openclaw/deployment-openclaw.yaml
+++ b/openclaw/deployment-openclaw.yaml
@@ -19,6 +19,34 @@ spec:
       securityContext:
         runAsUser: 1000
         fsGroup: 1000
+      initContainers:
+      - name: setup-kubectl
+        image: bitnami/kubectl:latest
+        imagePullPolicy: IfNotPresent
+        command:
+        - sh
+        - -c
+        - |
+          cp $(which kubectl) /opt/kube/kubectl
+          chmod +x /opt/kube/kubectl
+          cat > /opt/kube/kubectl-ro << 'SCRIPT'
+          #!/bin/sh
+          DENIED="delete apply patch edit exec scale rollout drain cordon uncordon taint replace create annotate label"
+          if [ "$#" -eq 0 ]; then exec /opt/kube/kubectl "$@"; fi
+          SUBCMD="$1"
+          for d in $DENIED; do
+            if [ "$SUBCMD" = "$d" ]; then
+              echo "ERROR: \"$SUBCMD\" no permitido en modo solo lectura." >&2; exit 1
+            fi
+          done
+          exec /opt/kube/kubectl "$@"
+          SCRIPT
+          chmod +x /opt/kube/kubectl-ro
+        volumeMounts:
+        - name: kube-tools
+          mountPath: /opt/kube
+        securityContext:
+          runAsUser: 0
       containers:
       - name: openclaw
         image: ghcr.io/openclaw/openclaw:2026.4.22
@@ -38,7 +66,11 @@ spec:
         volumeMounts:
         - name: data
           mountPath: /home/node/.openclaw
+        - name: kube-tools
+          mountPath: /opt/kube
       volumes:
       - name: data
         persistentVolumeClaim:
           claimName: openclaw-pvc
+      - name: kube-tools
+        emptyDir: {}
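Review bot: The kubectl-ro wrapper written in the first hunk cannot be the control that keeps this pod read-only: it only compares `$1` against the deny list, so a global flag placed before the verb is not inspected, and the unwrapped `/opt/kube/kubectl` is copied into the same kube-tools emptyDir that the second hunk mounts into the openclaw container. The read-only boundary should be enforced server-side by binding the pod's ServiceAccount to a Role/ClusterRole that grants only `get`, `list` and `watch`; that manifest is outside this diff, and whether the Deployment already uses a restricted ServiceAccount cannot be seen here. If the wrapper is kept as a convenience, pin `image: bitnami/kubectl:latest` to a version or digest (with `imagePullPolicy: IfNotPresent` a `latest` tag is both mutable and node-cache-dependent) and reconsider the init container's `runAsUser: 0`, since the pod otherwise runs as 1000 and copying a binary into an emptyDir does not obviously need root. A comment above `initContainers:` such as `# kubectl-ro is a convenience guard only; write access must be denied by RBAC, not by this script` would make the intended trust boundary explicit.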