<p>Security hardening for running OpenClaw on a K3s cluster. Six layers
of defense-in-depth applied to the deployment.</p>
<h2 id="security-layers">Security Layers</h2>
<ol>
<li><strong>Network Policies</strong>: restrict ingress/egress to required endpoints only</li>
<li><strong>RBAC</strong>: minimal service account permissions</li>
<li><strong>Seccomp profiles</strong>: syscall filtering</li>
<li><strong>Read-only root filesystem</strong>: tmpfs for writable paths only</li>
<li><strong>Resource limits</strong>: CPU and memory caps to prevent resource exhaustion</li>
<li><strong>Pod Security Standards</strong>: restricted PSS profile</li>
</ol>
<h2 id="challenges">Challenges</h2>
<ul>
<li>K3s uses Traefik by default, which complicates network policy enforcement</li>
<li>Seccomp profiles need to be deployed to each node</li>
<li>Read-only filesystem requires identifying all writable paths upfront</li>
</ul>
<h2 id="related-blog-posts">Related Blog Posts</h2>
<ul>
<li><a href="/openclaw-k8s.html">Trying to Secure OpenClaw using Kubernetes</a>:
full implementation walkthrough</li>
</ul>


Six-layer security hardening for OpenClaw on K3s: network policies, RBAC, seccomp, read-only filesystem, resource limits, and pod security standards.

Kyle Pericak

"It works in my environment"

OpenClaw Kubernetes Security

Security Layers

Challenges