Kubernetes Skill for OpenClaw

Manage Kubernetes clusters, deployments, and services.

Last updated: 2026-03-05

Quick Install

$ npx clawhub@latest install kubernetes

Key Features

  • Deploy and manage pods, services, and deployments with natural language
  • Diagnose pod crashes and analyze container logs automatically
  • Scale deployments and perform rolling updates safely
  • Generate production-ready manifests with security defaults
  • Run security audits and enforce Pod Security Standards
  • Manage multi-cluster operations across EKS, AKS, and GKE

OpenClaw Kubernetes Skill Overview

The Kubernetes skill connects OpenClaw to your Kubernetes clusters via kubectl and a suite of cluster management utilities. Once installed, your OpenClaw agent can deploy applications, troubleshoot pod failures, scale workloads, generate manifests, and perform security audits — all through plain English commands.

Kubernetes is the industry standard for container orchestration, but its CLI surface area is vast. The OpenClaw Kubernetes skill eliminates the need to memorize hundreds of kubectl subcommands and flags. Instead of context-switching between terminal windows and documentation, you describe what you need and the agent handles the rest.

Typical workflow:

  1. Ask OpenClaw to check the health of your production cluster.
  2. The agent runs kubectl get nodes, kubectl top pods, and health-check scripts under the hood.
  3. Results are returned in a readable summary with actionable recommendations — no context-switching required.

This skill supports Kubernetes 1.31+, OpenShift 4.17+, and managed services including Amazon EKS, Azure AKS, and Google GKE. It pairs naturally with the Docker Essentials skill for a complete container workflow.

Prerequisites for Kubernetes Skill

Before installing the Kubernetes skill, make sure you have:

  • OpenClaw installed and running (v1.0+)
  • kubectl installed (v1.20+) — installation guide
  • A valid kubeconfig file pointing to at least one cluster
  • clawhub CLI installed for skill management

Verify your setup:

```bash
# Check OpenClaw version
openclaw --version

# Check kubectl version
kubectl version --client

# Verify cluster connectivity
kubectl cluster-info

# List available contexts
kubectl config get-contexts
```

If kubectl cluster-info returns an error, ensure your kubeconfig is correctly configured. For managed clusters, use the provider's CLI to generate credentials (e.g., aws eks update-kubeconfig, az aks get-credentials, or gcloud container clusters get-credentials).

How to Install the Kubernetes Skill

Install the Kubernetes skill with a single command:

```bash
npx clawhub@latest install kubernetes
```

To verify the installation:

```bash
clawhub list
```

You should see kubernetes in the list of installed skills. The skill bundles helper scripts for cluster health checks, security audits, node maintenance, and manifest generation.

Kubernetes Skill Configuration

The Kubernetes skill relies on your existing kubeconfig for authentication. No additional API keys or tokens are needed — if kubectl works on your machine, the skill works too.

Kubeconfig Setup

The skill reads the default kubeconfig at ~/.kube/config. To use a different file or manage multiple clusters:

```bash
# Set a custom kubeconfig path
export KUBECONFIG=/path/to/your/kubeconfig

# Merge multiple kubeconfig files
export KUBECONFIG=~/.kube/config:~/.kube/staging-config

# Switch between contexts
kubectl config use-context production-cluster
```

Namespace Scoping

For safety, we recommend scoping the skill to specific namespaces rather than granting cluster-wide access:

```bash
# Set a default namespace for the current context
kubectl config set-context --current --namespace=my-app

# Verify the active namespace
kubectl config view --minify --output 'jsonpath={..namespace}'
```

Important: Never grant the skill cluster-admin privileges in production. Use RBAC roles scoped to the namespaces and resources you actually need. Review the Security & Best Practices section below.

Kubernetes Skill Usage Examples

1. Diagnose Pod Crashes

You: "Why are the pods in the payments namespace crashing?"

The agent runs kubectl get pods -n payments, identifies pods in CrashLoopBackOff, retrieves logs with kubectl logs, and checks events with kubectl describe pod. It returns a diagnosis like "OOMKilled — the container exceeded its 256Mi memory limit. Recommend increasing to 512Mi."

2. Scale a Deployment

You: "Scale the API deployment to 5 replicas in staging."

The agent executes kubectl scale deployment api --replicas=5 -n staging, monitors the rollout with kubectl rollout status, and confirms when all 5 pods are running and healthy.

3. Generate a Production Manifest

You: "Create a deployment manifest for a Node.js app with 3 replicas, 256Mi memory limit, health checks, and a ClusterIP service."

The agent uses the built-in manifest generator to produce a complete YAML file with security defaults — non-root user, read-only filesystem, resource limits, liveness and readiness probes, and a matching Service definition.

4. Run a Security Audit

You: "Audit the default namespace for security issues."

The agent runs the bundled security audit script, checking for containers running as root, missing resource limits, overly permissive RBAC bindings, and pods without Pod Security Standards labels. Results are returned as a prioritized list of findings with remediation steps.

5. Perform a Rolling Update

You: "Update the web deployment to image v2.3.1 and watch the rollout."

The agent runs kubectl set image deployment/web web=myregistry/web:v2.3.1, then monitors kubectl rollout status in real time. If the rollout stalls or pods fail health checks, it alerts you and suggests kubectl rollout undo to revert.

Security & Best Practices

Kubernetes operations can affect running production workloads. Follow these guidelines to stay safe:

  • Use RBAC with least privilege. Create dedicated ServiceAccounts with only the permissions needed. Avoid cluster-admin for day-to-day operations. The Kubernetes RBAC documentation covers role creation in detail.
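  • Scope to namespaces. Set a default namespace in your kubeconfig context so that commands which omit -n do not land in another namespace by accident. The default is only a convenience: an explicit -n or --all-namespaces still reaches other namespaces, so the enforced boundary is the namespaced Role and RoleBinding that the credentials are bound to.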
  • Review before applying. OpenClaw prompts for confirmation before destructive operations like deleting pods, scaling to zero, or draining nodes. Always review the proposed changes.
  • Use dry-run mode. For manifest generation and apply operations, the skill supports --dry-run=client to preview changes without affecting the cluster.
  • Rotate credentials regularly. If using service account tokens, set expiration policies. For managed clusters, rely on short-lived cloud provider credentials.
  • Enable audit logging. Configure Kubernetes audit logging to track all API calls made through the skill. Review the Safety Checklist for general OpenClaw security guidance.
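
The least-privilege and namespace guidance above, as an added example that is not part of the skill or its bundled scripts: a shell function that renders a read-only, single-namespace ServiceAccount, Role and RoleBinding, and a second one that checks the resulting scope with kubectl auth can-i. The ServiceAccount name openclaw-skill and the payments namespace are assumptions, and the resource list is chosen to cover the read commands in the usage examples.

```bash
# Added example (not part of the skill): namespaced read-only RBAC for the agent.
# Assumptions: ServiceAccount name "openclaw-skill", namespace "payments".

# Print a ServiceAccount, Role and RoleBinding confined to one namespace.
render_skill_rbac() {
  ns="$1"; sa="${2:-openclaw-skill}"
  # Reject anything that is not a DNS-1123 label before it reaches a manifest.
  for v in "$ns" "$sa"; do
    case "$v" in
      ''|-*|*-|*[!a-z0-9-]*) echo "invalid name: $v" >&2; return 1 ;;
    esac
    [ "${#v}" -le 63 ] || { echo "name too long: $v" >&2; return 1; }
  done
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${sa}, namespace: ${ns}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ${sa}-readonly, namespace: ${ns}}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "events", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ${sa}-readonly, namespace: ${ns}}
subjects:
  - {kind: ServiceAccount, name: ${sa}, namespace: ${ns}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ${sa}-readonly}
EOF
}

# Ask the API server what that ServiceAccount may do (caller needs impersonation rights).
check_skill_scope() {
  ns="$1"; as="system:serviceaccount:${ns}:${2:-openclaw-skill}"
  kubectl auth can-i list pods -n "$ns" --as="$as"         # read verb granted by the Role
  kubectl auth can-i delete pods -n "$ns" --as="$as"       # write verb, not granted
  kubectl auth can-i list pods -n kube-system --as="$as"   # other namespace, not granted
}

# Preview first: render_skill_rbac payments | kubectl apply --dry-run=client -f -
```

Write verbs such as patch on deployments or deployments/scale can be added to the Role later, per namespace, once the read-only setup behaves as expected.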

Troubleshooting Common Errors

"error: You must be logged in to the server (Unauthorized)"

Your kubeconfig credentials have expired or are invalid.

```bash
# For AWS EKS
aws eks update-kubeconfig --name my-cluster --region us-east-1

# For Azure AKS
az aks get-credentials --resource-group myRG --name my-cluster

# For Google GKE
gcloud container clusters get-credentials my-cluster --zone us-central1-a
```

"error: the server doesn't have a resource type 'deployments'"

The API server may be unreachable, or your RBAC permissions are insufficient.

  1. Run kubectl cluster-info to verify connectivity.
  2. Check that your role has get, list, and watch permissions on deployments in the apps API group (apps/v1).
  3. Ask your cluster admin to review your RoleBinding.

"pod has unbound immediate PersistentVolumeClaims"

The pod requires a PersistentVolume that does not exist or is not yet provisioned.

  1. Run kubectl get pvc -n <namespace> to check the claim status.
  2. Verify the StorageClass exists: kubectl get storageclass.
  3. For cloud providers, ensure the CSI driver is installed and the storage quota is not exceeded.

FAQ

Yes, when configured with proper RBAC scoping. The skill follows OpenClaw's confirmation model — destructive actions like pod deletion, node draining, and scaling to zero require your explicit approval. We recommend starting with read-only permissions and granting write access only to specific namespaces as needed. Review the [Safety Checklist](/skills#safety) before connecting production clusters.

The [Docker Essentials skill](/skills/docker-essentials) manages individual containers on a single host — building images, running containers, and managing volumes. The Kubernetes skill operates at the orchestration layer, managing pods, deployments, services, and cluster infrastructure across multiple nodes. For teams running containerized apps in production, both skills complement each other: Docker for local development, Kubernetes for deployment and scaling.

Yes. The skill uses your kubeconfig contexts to switch between clusters. If you have contexts for an EKS staging cluster, a GKE production cluster, and a local minikube instance, you can ask OpenClaw to target any of them by name. Run `kubectl config get-contexts` to see your available clusters, then tell the agent which context to use.

Related Skills

  • Docker Essentials (Recommended): Build, run, and manage Docker containers and images.
  • AWS Infra (Recommended): Manage AWS infrastructure (EC2, S3, Lambda, etc.).
  • Deploy Agent (Caution): Multi-step deployment automation for services/apps.
