From 792b53dee7ea3be39387e1ff1a680d31e1017aaa Mon Sep 17 00:00:00 2001
From: chemavx
Date: Fri, 24 Apr 2026 14:33:17 +0000
Subject: [PATCH] =?UTF-8?q?openclaw:=20a=C3=B1ade=20kubectl-ro=20via=20ini?=
 =?UTF-8?q?tContainer=20setup-kubectl?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- initContainer bitnami/kubectl copia kubectl y crea wrapper kubectl-ro en emptyDir /opt/kube
- kubectl-ro deniega verbos destructivos (delete/apply/patch/edit/exec/scale/rollout/drain/...)
- Main container monta /opt/kube; SA token automontado para in-cluster auth
- Sin kubeconfig manual: kubectl detecta KUBERNETES_SERVICE_HOST/PORT automáticamente

Co-Authored-By: Claude Sonnet 4.6
---
 openclaw/deployment-openclaw.yaml | 32 +++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/openclaw/deployment-openclaw.yaml b/openclaw/deployment-openclaw.yaml
index 0a3295d..7728c7f 100644
--- a/openclaw/deployment-openclaw.yaml
+++ b/openclaw/deployment-openclaw.yaml
@@ -19,6 +19,34 @@ spec:
 securityContext:
 runAsUser: 1000
 fsGroup: 1000
+ initContainers:
+ - name: setup-kubectl
+ image: bitnami/kubectl:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - sh
+ - -c
+ - |
+ cp $(which kubectl) /opt/kube/kubectl
+ chmod +x /opt/kube/kubectl
+ cat > /opt/kube/kubectl-ro << 'SCRIPT'
+ #!/bin/sh
+ DENIED="delete apply patch edit exec scale rollout drain cordon uncordon taint replace create annotate label"
+ if [ "$#" -eq 0 ]; then exec /opt/kube/kubectl "$@"; fi
+ SUBCMD="$1"
+ for d in $DENIED; do
+ if [ "$SUBCMD" = "$d" ]; then
+ echo "ERROR: \"$SUBCMD\" no permitido en modo solo lectura." >&2; exit 1
+ fi
+ done
+ exec /opt/kube/kubectl "$@"
+ SCRIPT
+ chmod +x /opt/kube/kubectl-ro
+ volumeMounts:
+ - name: kube-tools
+ mountPath: /opt/kube
+ securityContext:
+ runAsUser: 0
 containers:
 - name: openclaw
 image: ghcr.io/openclaw/openclaw:2026.4.22
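Review bot: The denylist in `kubectl-ro` is a client-side convenience, not an authorization boundary: it only compares `$1`, so a global flag placed before the verb (e.g. `-n`) is never matched, write verbs such as `set` or `run` are not on the list, and the unrestricted `/opt/kube/kubectl` is copied into the same mount right next to it. Read-only access has to be enforced server-side by binding the pod's ServiceAccount to a Role/ClusterRole limited to `get`, `list` and `watch`; whether the Deployment sets a dedicated `serviceAccountName` is outside this hunk. `image: bitnami/kubectl:latest` with `imagePullPolicy: IfNotPresent` is unpinned and non-reproducible, so pin a version tag or a digest. `runAsUser: 0` on the init container looks unnecessary, because the emptyDir should already be group-writable through the pod's `fsGroup: 1000`; run it as `runAsUser: 1000` instead. Add a comment above `initContainers:` such as `# kubectl-ro only filters verbs client-side; authorization is enforced by RBAC on the ServiceAccount.`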
@@ -38,7 +66,11 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /home/node/.openclaw
+ - name: kube-tools
+ mountPath: /opt/kube
 volumes:
 - name: data
 persistentVolumeClaim:
 claimName: openclaw-pvc
+ - name: kube-tools
+ emptyDir: {}
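Review bot: The new `kube-tools` mount in the main container is writable, so the workload (or anything running inside it) can replace `/opt/kube/kubectl-ro` or the kubectl binary; since the wrapper is the only filter between the app and the automounted SA token, mount it with `readOnly: true` under `mountPath: /opt/kube`. The enclosing `containers` entry begins outside this hunk.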