OpenClaw Multi-Model Provider Setup on Kubernetes
Configure OpenClaw with multiple AI providers on Kubernetes. Anthropic, OpenAI, Gemini, OpenRouter with fallback chains and cost control.
π‘ Quick Answer: Store API keys for multiple providers (Anthropic, OpenAI, Gemini, OpenRouter) in a Kubernetes Secret, set a
defaultModelinopenclaw.json, and use/modelor per-session overrides to switch between providers. OpenRouter gives access to 100+ models through a single API key.
The Problem
Different AI tasks benefit from different models β Claude for complex reasoning, GPT-4o for fast responses, Gemini for long-context analysis, and open-source models via OpenRouter for cost-sensitive workloads. Managing multiple provider API keys, configuring fallbacks, and controlling costs across a Kubernetes deployment requires careful secret management and configuration.
The Solution
Step 1: Create Multi-Provider Secret
kubectl create secret generic openclaw-secrets \
-n openclaw \
--from-literal=OPENCLAW_GATEWAY_TOKEN="$(openssl rand -hex 32)" \
--from-literal=ANTHROPIC_API_KEY="sk-ant-api03-..." \
--from-literal=OPENAI_API_KEY="sk-proj-..." \
--from-literal=GEMINI_API_KEY="AIza..." \
--from-literal=OPENROUTER_API_KEY="sk-or-v1-..."Step 2: Configure Model Routing
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: openclaw-config
namespace: openclaw
data:
openclaw.json: |
{
"gateway": {
"bind": "loopback",
"port": 18789,
"auth": true
},
"defaultModel": "anthropic/claude-sonnet-4-20250514",
"models": {
"allowlist": [
"anthropic/claude-sonnet-4-20250514",
"anthropic/claude-opus-4",
"openai/gpt-4o",
"openai/o1",
"gemini/gemini-2.5-pro",
"openrouter/google/gemini-2.5-flash",
"openrouter/meta-llama/llama-3.3-70b-instruct",
"openrouter/deepseek/deepseek-chat-v3-0324"
]
}
}Step 3: Mount All Secrets as Environment Variables
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: openclaw
namespace: openclaw
spec:
template:
spec:
containers:
- name: openclaw
image: ghcr.io/openclaw/openclaw:latest
envFrom:
- secretRef:
name: openclaw-secrets
volumeMounts:
- name: config
mountPath: /home/node/.openclaw/openclaw.json
subPath: openclaw.json
- name: data
mountPath: /home/node/.openclawModel Selection Patterns
Per-session override β switch model for current conversation:
/model anthropic/claude-opus-4Cost-tiered approach:
| Use Case | Model | Cost/1M tokens |
|---|---|---|
| Quick Q&A | openrouter/google/gemini-2.5-flash | ~$0.10 |
| Code review | anthropic/claude-sonnet-4-20250514 | ~$3.00 |
| Complex reasoning | anthropic/claude-opus-4 | ~$15.00 |
| Long context (1M+) | gemini/gemini-2.5-pro | ~$1.25 |
OpenRouter as universal fallback:
OpenRouter proxies to 100+ models with a single API key. Useful for:
- Trying models before committing to direct API keys
- Accessing models without individual provider accounts
- Automatic fallback when primary providers have outages
graph TD
A[OpenClaw Agent] -->|Default| B[Claude Sonnet 4]
A -->|/model override| C[GPT-4o]
A -->|Long context| D[Gemini 2.5 Pro]
A -->|Cost-sensitive| E[OpenRouter]
E --> F[Llama 3.3 70B]
E --> G[DeepSeek V3]
E --> H[Gemini Flash]
B -->|Anthropic down?| ECommon Issues
βModel not foundβ Error
The model string must match exactly. Check available models:
# In OpenClaw session
/models
# Or via CLI
kubectl exec -n openclaw deploy/openclaw -- openclaw modelsAPI Key Not Picked Up After Secret Update
Kubernetes doesnβt auto-restart pods when secrets change:
kubectl rollout restart deployment/openclaw -n openclawRate Limiting from Provider
Spread traffic across providers or use OpenRouterβs automatic routing:
{
"defaultModel": "openrouter/anthropic/claude-sonnet-4-20250514"
}OpenRouter handles rate limiting and retries across multiple provider endpoints.
Cost Runaway
Monitor usage via /status in sessions. Set hard limits in OpenRouter dashboard:
- Monthly budget caps
- Per-request cost limits
- Model-level spending alerts
Best Practices
- Use allowlists β restrict which models agents can access to prevent surprise costs
- Default to mid-tier β Claude Sonnet or GPT-4o balances quality and cost
- OpenRouter for experimentation β test models before adding direct API keys
- Rotate API keys β use External Secrets Operator to auto-rotate from a vault
- Monitor per-session β use
/statusto track token usage and model distribution - Separate keys per environment β dev uses cheap models, production uses premium
Key Takeaways
- Store multiple provider API keys in a single Kubernetes Secret
- Set
defaultModelinopenclaw.jsonand use allowlists to control access - Use
/modelfor per-session overrides when different tasks need different models - OpenRouter provides access to 100+ models through one API key with automatic fallbacks
- Always restart pods after secret updates β Kubernetes doesnβt auto-reload them
Recommended
Kubernetes Recipes β The Complete Book100+ production-ready patterns with detailed explanations, best practices, and copy-paste YAML. Everything in one place.
Get the Book βLearn by Doing
CopyPasteLearn β Hands-on Cloud & DevOps CoursesMaster Kubernetes, Ansible, Terraform, and MLOps with interactive, copy-paste-run lessons. Start free.
Browse Courses β
π Deepen Your Skills β Hands-on Courses
Build and deploy AI agents with OpenClaw β hands-on course with real-world projects.
Start Learning βAutomate Kubernetes node configuration and cluster bootstrapping with Ansible.
Start Learning βCourses by CopyPasteLearn.com β Learn IT by Doing
Want More Kubernetes Recipes?
This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.