Every contribution helps!
French Version | English Version
- Complete Guide (FR)
- Complete Guide (EN)
- Architecture
- Quick Start
- Documentation
- Security Features
- Monitoring
- Contributing
- License
- Support
This complete guide walks you step by step through installing, securing and using OpenClaw on a Mac Studio M3 Ultra. The proposed architecture uses Kubernetes (k3s) for maximum isolation while keeping native access to the M3 GPU for local LLMs (Ollama, LM Studio).
- ✅ Secure deployment with complete network isolation
- ✅ Optimal use of the Apple Silicon GPU (M1/M2/M3)
- ✅ Zero-Trust architecture with NetworkPolicies
- ✅ Squid proxy with a strict whitelist
- ✅ Monitoring with Prometheus and Grafana
- ✅ Automated backups with a 3-2-1 strategy
- ✅ OWASP, CVE, GDPR, WCAG compliance
```
┌─────────────────────────────────────────────────────────────────────────────┐
│                             MAC STUDIO M3 ULTRA                             │
│                                                                             │
│  ┌─────────────────────────────────────────────────────────────────────┐    │
│  │                          KUBERNETES (k3s)                           │    │
│  │                                                                     │    │
│  │   ┌─────────────────┐      ┌─────────────────┐                      │    │
│  │   │    OpenClaw     │─────▶│   Squid Proxy   │─────▶ Internet       │    │
│  │   │     :18789      │      │      :3128      │       (whitelist)    │    │
│  │   │   (Isolated)    │      │   (Whitelist)   │                      │    │
│  │   └────────┬────────┘      └─────────────────┘                      │    │
│  │            │                                                        │    │
│  │            │ host.docker.internal                                   │    │
│  │            ▼                                                        │    │
│  └────────────┼────────────────────────────────────────────────────────┘    │
│               │                                                             │
│  ┌────────────┼─────────┐                                                   │
│  │        OLLAMA        │◀── GPU Metal (192GB Unified Memory)               │
│  │        :11434        │                                                   │
│  │    (Native macOS)    │    Models: Llama 3.1 70B, Qwen, Mistral...        │
│  └──────────────────────┘                                                   │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
```
| Component | Minimum Version | Recommended |
|---|---|---|
| macOS | 13.0 (Ventura) | 14.0+ (Sonoma) |
| RAM | 32 GB | 64-192 GB |
| Storage | 100 GB SSD | 500 GB+ NVMe |
| Docker Desktop | 4.25+ | Latest version |
| Homebrew | 4.0+ | Latest version |
```bash
git clone https://github.com/EthanThePhoenix38/Openclaw.git && cd Openclaw \
  && ./scripts/install-k3s.sh \
  && ./scripts/setup-ollama.sh \
  && ./scripts/deploy-openclaw.sh \
  && kubectl get pods -n openclaw
```
Open the interactive guide (GitBook-style viewer)
| Part | Chapters | Description |
|---|---|---|
| Part 1 | Chapters 1-5 | Foundations: Introduction, Prerequisites, Architecture |
| Part 2 | Chapters 6-10 | Kubernetes: k3s Installation, Namespaces, Pods |
| Part 3 | Chapters 11-15 | Security: NetworkPolicies, Secrets, Squid Proxy |
| Part 4 | Chapters 16-20 | Operations: Monitoring, Alerts, Backups |
| Part 5 | Chapters 21-24 | Advanced: HA, Scaling, Troubleshooting |
| Appendices | A-C | Glossary, Commands, Resources |
This comprehensive guide walks you through installing, securing, and using OpenClaw on a Mac Studio M3 Ultra. The proposed architecture uses Kubernetes (k3s) for maximum isolation while maintaining native M3 GPU access for local LLMs (Ollama, LM Studio).
- ✅ Secure deployment with complete network isolation
- ✅ Optimal use of Apple Silicon GPU (M1/M2/M3)
- ✅ Zero-Trust architecture with NetworkPolicies
- ✅ Squid proxy with strict whitelist
- ✅ Monitoring with Prometheus and Grafana
- ✅ Automated backups with 3-2-1 strategy
- ✅ OWASP, CVE, GDPR, WCAG compliance
```bash
git clone https://github.com/EthanThePhoenix38/Openclaw.git && cd Openclaw \
  && ./scripts/install-k3s.sh \
  && ./scripts/setup-ollama.sh \
  && ./scripts/deploy-openclaw.sh \
  && kubectl get pods -n openclaw
```
Open interactive guide (GitBook-style viewer)
| Part | Chapters | Description |
|---|---|---|
| Part 1 | Chapters 1-5 | Foundations: Introduction, Prerequisites, Architecture |
| Part 2 | Chapters 6-10 | Kubernetes: k3s Installation, Namespaces, Pods |
| Part 3 | Chapters 11-15 | Security: NetworkPolicies, Secrets, Squid Proxy |
| Part 4 | Chapters 16-20 | Operations: Monitoring, Alerts, Backups |
| Part 5 | Chapters 21-24 | Advanced: HA, Scaling, Troubleshooting |
```
┌─────────────────────────────────────────────────────────────────┐
│  LAYER 1: Network Isolation                                     │
│  NetworkPolicies (deny-all + whitelist)                         │
├─────────────────────────────────────────────────────────────────┤
│  LAYER 2: Proxy Control                                         │
│  Squid Proxy (domain whitelist)                                 │
├─────────────────────────────────────────────────────────────────┤
│  LAYER 3: Container Security                                    │
│  Non-root, read-only fs, no capabilities                        │
├─────────────────────────────────────────────────────────────────┤
│  LAYER 4: Secrets Management                                    │
│  K8s Secrets, no hardcoded credentials                          │
├─────────────────────────────────────────────────────────────────┤
│  LAYER 5: Monitoring & Audit                                    │
│  Prometheus, Grafana, audit logs                                │
└─────────────────────────────────────────────────────────────────┘
```
```
clawdbot-secure-k8s/
├── docs/
│   ├── fr/                     # French documentation (24 chapters)
│   └── en/                     # English documentation (24 chapters)
├── kubernetes/
│   ├── namespace.yaml          # Isolated namespace
│   ├── deployment.yaml         # Hardened deployment
│   ├── service.yaml            # ClusterIP services
│   ├── configmap.yaml          # Configuration
│   ├── secrets.yaml            # Secrets template
│   └── network-policy.yaml     # Zero-Trust policies
├── docker/
│   ├── Dockerfile              # Multi-stage build
│   ├── docker-compose.yml      # Full stack
│   ├── squid.conf              # Proxy config
│   └── .env.example            # Variables template
├── scripts/
│   ├── install-k3s.sh          # k3s installation
│   ├── deploy-openclaw.sh      # K8s deployment
│   ├── setup-ollama.sh         # Ollama config
│   └── backup.sh               # 3-2-1 backups
├── monitoring/
│   ├── prometheus.yml          # Metrics
│   └── grafana-dashboard.json  # Dashboards
├── README.md                   # This file
├── CITATION.cff                # Academic citation
├── LICENSE                     # MIT License
└── index.html                  # GitBook viewer
```
| Feature | Description |
|---|---|
| Zero-Trust Network | All traffic blocked by default |
| Proxy Whitelist | Only approved domains accessible |
| Non-root Containers | All containers run unprivileged |
| Read-only Filesystem | Read-only container filesystems |
| No Capabilities | All Linux capabilities dropped |
| Secret Management | Kubernetes Secrets, never hardcoded |
| Audit Logging | All actions logged |
| Resource Limits | CPU/Memory limits prevent exhaustion |
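The deny-all plus whitelist model from the Zero-Trust Network and Proxy Whitelist rows above, written out as Kubernetes manifests. This is an added example, not the repository's own network-policy.yaml; the pod labels (`app: openclaw`, `app: squid`), the kube-dns labels and the host address used for Ollama are assumptions.

```yaml
# Added example (not from the repository): default-deny for the openclaw
# namespace, then the minimal egress the architecture diagram needs.
# Labels and the host IP below are assumptions, not values from the project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: openclaw
spec:
  podSelector: {}                 # applies to every pod in the namespace
  policyTypes: [Ingress, Egress]  # no rules listed, so both directions are denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openclaw-egress
  namespace: openclaw
spec:
  podSelector:
    matchLabels:
      app: openclaw               # assumed label on the OpenClaw pods
  policyTypes: [Egress]
  egress:
  - to:                           # web access only through Squid, never direct
    - podSelector:
        matchLabels:
          app: squid              # assumed label on the proxy pod
    ports:
    - protocol: TCP
      port: 3128
  - to:                           # Ollama on the macOS host (host.docker.internal)
    - ipBlock:
        cidr: 192.0.2.10/32       # placeholder: replace with the real host address
    ports:
    - protocol: TCP
      port: 11434
  - to:                           # cluster DNS, otherwise the proxy name cannot resolve
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

k3s ships an embedded network policy controller, so these rules are enforced without installing another CNI; confirm with `kubectl describe networkpolicy -n openclaw` that only the three egress rules are present.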
```bash
# Access Prometheus
kubectl port-forward -n monitoring svc/prometheus 9090:9090
# Access Grafana
kubectl port-forward -n monitoring svc/grafana 3000:3000
```
If you use this guide, please cite it:
```bibtex
@misc{bernier2026openclaw,
  author    = {Bernier, Ethan},
  title     = {OpenClaw Secure K8s Guide},
  year      = {2026},
  publisher = {GitHub},
  url       = {https://github.com/EthanThePhoenix38/Openclaw}
}
```
See CITATION.cff for more details.
Contributions are welcome!
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
Ethan Bernier
- ORCID: 0009-0008-9839-5763
- GitHub: @EthanThePhoenix38
- Email: ethan.bernier.data@gmail.com
This guide is free and open source. If you find it useful:
| Platform | Link |
|---|---|
| Ko-fi | ko-fi.com/EthanThePhoenix |
| PayPal | paypal.me/VanessaBernier |
| GitHub | Star this repo! |
Made with ❤️ by Ethan Bernier
OpenClaw Secure Kubernetes Deployment - Version 1.0.0 - 2026