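---
# Deployment for the openclaw agent.
#
# Layout: an init container stages a kubectl binary plus a thin "read-only"
# shell shim into an emptyDir (kube-tools); the main container mounts that
# directory at /opt/kube and its state at /home/node/.openclaw (PVC-backed).
#
# Access control note: the kubectl-ro shim is a convenience guard, not a
# security boundary. The unrestricted binary is staged on the same writable
# mount, and the shim only compares the first argument against a deny list.
# Read-only cluster access must be enforced by the RBAC bound to the
# `openclaw-agent` ServiceAccount (get/list/watch verbs only); review that
# Role/RoleBinding alongside this manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw
  namespace: openclaw
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openclaw
  template:
    metadata:
      labels:
        app: openclaw
    spec:
      # Pins the pod to a single node — presumably where the PVC's storage
      # lives; confirm before loosening.
      nodeSelector:
        kubernetes.io/hostname: chemavx-k8
      serviceAccountName: openclaw-agent
      # Pod-level defaults: run as uid 1000 and make mounted volumes
      # group-accessible to gid 1000. The init container overrides runAsUser.
      securityContext:
        runAsUser: 1000
        fsGroup: 1000
      initContainers:
        - name: setup-kubectl
          # TODO: pin this image to an immutable tag or digest. A mutable
          # `latest` tag combined with IfNotPresent yields whatever version
          # happens to be cached on the node, so the staged kubectl is neither
          # reproducible nor auditable.
          image: bitnami/kubectl:latest
          imagePullPolicy: IfNotPresent
          # Copies kubectl into the shared emptyDir and writes the kubectl-ro
          # shim next to it. The shim script is written verbatim into the
          # heredoc; its error text is user-facing and is left unchanged.
          command:
            - sh
            - -c
            - |
              cp $(which kubectl) /opt/kube/kubectl
              chmod +x /opt/kube/kubectl
              cat > /opt/kube/kubectl-ro << 'SCRIPT'
              #!/bin/sh
              DENIED="delete apply patch edit exec scale rollout drain cordon uncordon taint replace create annotate label"
              if [ "$#" -eq 0 ]; then exec /opt/kube/kubectl "$@"; fi
              SUBCMD="$1"
              for d in $DENIED; do
                if [ "$SUBCMD" = "$d" ]; then
                  echo "ERROR: \"$SUBCMD\" no permitido en modo solo lectura." >&2; exit 1
                fi
              done
              exec /opt/kube/kubectl "$@"
              SCRIPT
              chmod +x /opt/kube/kubectl-ro
          volumeMounts:
            - name: kube-tools
              mountPath: /opt/kube
          # Runs as root so the copy into the shared emptyDir succeeds
          # regardless of the image's default user. TODO(review): check
          # whether uid 1000 (matching fsGroup) is sufficient; if so, drop
          # the root override. No privilege escalation is needed either way.
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
      containers:
        - name: openclaw
          image: ghcr.io/openclaw/openclaw:2026.4.22
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 18789
          env:
            - name: NODE_OPTIONS
              # Node heap cap (MiB); kept well below the 2Gi memory limit so
              # the process is not OOM-killed by the cgroup before V8 GCs.
              value: "--max-old-space-size=1536"
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              cpu: "1"
              memory: 2Gi
          # Hardening for the long-running agent: it inherits uid 1000 from
          # the pod and needs no Linux capabilities (18789 is unprivileged).
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: data
              mountPath: /home/node/.openclaw
            # Same mount the init container populated: both kubectl and
            # kubectl-ro are reachable here.
            - name: kube-tools
              mountPath: /opt/kube
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: openclaw-pvc
        - name: kube-tools
          emptyDir: {}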