Self-Host an OpenClaw WhatsApp AI Assistant on Kubernetes
Deploy OpenClaw on Kubernetes to run a personal WhatsApp AI assistant with QR code pairing, persistent sessions, media support, and allow-list security.
π‘ Quick Answer: Deploy OpenClaw on Kubernetes, then
kubectl exec -it deploy/openclaw -- openclaw channels loginto scan a QR code with WhatsApp. After pairing, OpenClaw bridges your WhatsApp messages to an AI agent. UseallowFromto restrict which numbers can interact with the bot.Key concept: OpenClaw uses the WhatsApp Web multi-device protocol β your phone doesnβt need to stay online. The session persists in a PVC.
Gotcha: WhatsApp pairing is interactive (QR code scan). You must use
kubectl exec -itfor the initial setup. After that, itβs hands-off.
The Problem
- WhatsApp has no official bot API for personal accounts
- Maintaining a persistent WhatsApp Web session requires careful state management
- You want an AI assistant in WhatsApp without sharing your data with third-party services
The Solution
OpenClaw connects to WhatsApp via the multi-device protocol, persists the session in a Kubernetes PVC, and routes messages to your AI agent.
Architecture Overview
flowchart LR
subgraph phone["π± WhatsApp"]
QR["QR Pairing<br/>(one-time)"]
MSG["Messages"]
end
subgraph k8s["βΈοΈ Kubernetes"]
GW["OpenClaw Pod"]
PVC["PVC<br/>WhatsApp Session<br/>+ History"]
end
subgraph ai["π€ AI"]
LLM["Claude / GPT"]
end
QR -->|"kubectl exec"| GW
MSG <--> GW
GW --> PVC
GW <--> LLMStep 1: Deploy
# openclaw-whatsapp.yaml
apiVersion: v1
kind: Secret
metadata:
name: openclaw-wa-secrets
namespace: openclaw
type: Opaque
stringData:
ANTHROPIC_API_KEY: "sk-ant-your-key"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: openclaw-wa-config
namespace: openclaw
data:
openclaw.json: |
{
"gateway": { "port": 18789 },
"channels": {
"whatsapp": {
"enabled": true,
"allowFrom": ["+15555550123", "+15555550456"]
}
}
}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: openclaw-wa-state
namespace: openclaw
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: openclaw-whatsapp
namespace: openclaw
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: openclaw-whatsapp
template:
metadata:
labels:
app: openclaw-whatsapp
spec:
containers:
- name: openclaw
image: node:22-slim
command: ["sh", "-c", "npm i -g openclaw@latest && openclaw gateway"]
ports: [{containerPort: 18789}]
envFrom:
- secretRef:
name: openclaw-wa-secrets
volumeMounts:
- name: state
mountPath: /home/node/.openclaw
- name: config
mountPath: /home/node/.openclaw/openclaw.json
subPath: openclaw.json
resources:
requests:
cpu: 250m
memory: 512Mi
limits:
cpu: "1"
memory: 1Gi
volumes:
- name: state
persistentVolumeClaim:
claimName: openclaw-wa-state
- name: config
configMap:
name: openclaw-wa-configStep 2: Pair WhatsApp
# Interactive pairing β displays QR code in terminal
kubectl exec -it -n openclaw deploy/openclaw-whatsapp -- openclaw channels login
# Scan the QR code with WhatsApp on your phone:
# WhatsApp β Settings β Linked Devices β Link a Device
# Verify connection
kubectl exec -n openclaw deploy/openclaw-whatsapp -- openclaw statusStep 3: Security β Allow List
{
"channels": {
"whatsapp": {
"allowFrom": ["+15555550123"],
"groups": {
"*": {
"requireMention": true,
"mentionPatterns": ["@ai", "@bot"]
}
}
}
}
}Common Issues
Issue 1: Session expires after pod restart
# Verify PVC is properly mounted
kubectl exec -n openclaw deploy/openclaw-whatsapp -- ls -la /home/node/.openclaw/
# If session files are missing, the PVC mount may be incorrect
# Re-pair if needed:
kubectl exec -it -n openclaw deploy/openclaw-whatsapp -- openclaw channels loginIssue 2: WhatsApp disconnects after a few days
# WhatsApp may disconnect linked devices after ~14 days of inactivity
# OpenClaw auto-reconnects, but if pairing is lost:
kubectl exec -it -n openclaw deploy/openclaw-whatsapp -- openclaw channels login
# Prevent disconnection by ensuring the pod stays running
# Set appropriate liveness/readiness probesBest Practices
- Always use allowFrom β Without it, anyone who messages you gets AI responses
- Use Recreate strategy β Only one WhatsApp Web session is allowed per number
- Backup the PVC β WhatsApp session data is irreplaceable without re-pairing
- Set group mention rules β Prevent bot from responding in every group chat
- Use a dedicated number β Consider a separate SIM/number for the AI assistant
Key Takeaways
- QR pairing is one-time β After initial
kubectl execsetup, sessions persist in PVC - Multi-device protocol means your phone can be offline
- allowFrom is essential for security β restricts who can interact with the AI
- Recreate strategy prevents dual-session conflicts
- Media support works out of the box β send images, voice notes, documents
Recommended
Kubernetes Recipes β The Complete Book100+ production-ready patterns with detailed explanations, best practices, and copy-paste YAML. Everything in one place.
Get the Book βLearn by Doing
CopyPasteLearn β Hands-on Cloud & DevOps CoursesMaster Kubernetes, Ansible, Terraform, and MLOps with interactive, copy-paste-run lessons. Start free.
Browse Courses β
π Deepen Your Skills β Hands-on Courses
Courses by CopyPasteLearn.com β Learn IT by Doing
Want More Kubernetes Recipes?
This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.