apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: '35' meta.helm.sh/release-name: openclaw meta.helm.sh/release-namespace: openclaw labels: app.kubernetes.io/instance: openclaw app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: openclaw app.kubernetes.io/version: 2026.3.2 helm.sh/chart: openclaw-0.1.13 name: openclaw namespace: openclaw spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 5 selector: matchLabels: app.kubernetes.io/instance: openclaw app.kubernetes.io/name: openclaw strategy: type: Recreate template: metadata: annotations: checksum/config: e1ce3c573c77508ddc719f952751bd9f0b6c3a40ec31cc09ae750af4a5772ed2 checksum/secret: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b kubectl.kubernetes.io/restartedAt: '2026-03-26T10:35:24.412Z' labels: app.kubernetes.io/instance: openclaw app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: openclaw app.kubernetes.io/version: 2026.3.2 helm.sh/chart: openclaw-0.1.13 spec: containers: - command: - node - dist/index.js - gateway - --bind - lan - --port - '18789' env: - name: HOME value: /home/openclaw - name: TZ value: UTC envFrom: - secretRef: name: openclaw-secrets image: ghcr.io/openclaw/openclaw:2026.3.2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 tcpSocket: port: gateway timeoutSeconds: 5 name: openclaw ports: - containerPort: 18789 name: gateway protocol: TCP - containerPort: 18793 name: canvas protocol: TCP readinessProbe: failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 tcpSocket: port: gateway timeoutSeconds: 5 resources: limits: cpu: 800m memory: 2Gi requests: cpu: 300m memory: 512Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault startupProbe: failureThreshold: 72 initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 tcpSocket: port: gateway timeoutSeconds: 5 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /home/openclaw/.openclaw name: data - command: - chromium-browser - --headless - --disable-gpu - --disable-software-rasterizer - --disable-dev-shm-usage - --no-sandbox - --remote-debugging-address=0.0.0.0 - --remote-debugging-port=9222 image: zenika/alpine-chrome:124 imagePullPolicy: IfNotPresent name: chromium ports: - containerPort: 9222 name: cdp protocol: TCP resources: limits: cpu: '1' memory: 1Gi requests: cpu: 100m memory: 256Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /dev/shm name: dshm dnsPolicy: ClusterFirst initContainers: - command: - /bin/sh - -c - "mkdir -p /home/openclaw/.openclaw\nif [ \"overwrite\" = \"merge\" ] &&\ \ [ -f /home/openclaw/.openclaw/openclaw.json ]; then\n # Merge: existing\ \ config as base, helm config overwrites\n node -e \"\n const fs = require('fs');\n\ \ const existing = JSON.parse(fs.readFileSync('/home/openclaw/.openclaw/openclaw.json',\ \ 'utf8'));\n const helm = JSON.parse(fs.readFileSync('/config/openclaw.json',\ \ 'utf8'));\n const deepMerge = (target, source) => {\n for (const\ \ key of Object.keys(source)) {\n if (source[key] && typeof source[key]\ \ === 'object' && !Array.isArray(source[key])) {\n target[key]\ \ = target[key] || {};\n deepMerge(target[key], source[key]);\n\ \ } else {\n target[key] = source[key];\n }\n \ \ }\n return target;\n };\n const merged = deepMerge(existing,\ \ helm);\n fs.writeFileSync('/home/openclaw/.openclaw/openclaw.json',\ \ JSON.stringify(merged, null, 2));\n \"\nelse\n cp /config/openclaw.json\ \ /home/openclaw/.openclaw/openclaw.json\nfi\nchown -R 1000:1000 /home/openclaw/.openclaw\n" image: ghcr.io/openclaw/openclaw:2026.3.2 imagePullPolicy: IfNotPresent name: init-config resources: {} securityContext: runAsNonRoot: false runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /home/openclaw/.openclaw name: data - mountPath: /config name: config readOnly: true restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault serviceAccount: openclaw serviceAccountName: openclaw terminationGracePeriodSeconds: 30 volumes: - configMap: defaultMode: 420 name: openclaw name: config - name: data persistentVolumeClaim: claimName: openclaw - emptyDir: medium: Memory sizeLimit: 1Gi name: dshm