Deploying Confidential Containers and OpenClaw Instances
- Deploy cc-operator-controller-manager.
wget https://raw.gitcode.com/openeuler/virtCCA_sdk/raw/master/kata-v3.15.0/conf/cc-operator.yaml kubectl apply -f cc-operator.yaml
- Deploy CcRuntime.
- Obtain the YAML configuration file for the virtCCA CcRuntime deployment.
wget https://raw.gitcode.com/openeuler/virtCCA_sdk/raw/master/kata-v3.15.0/conf/virtcca-kata-deploy.yaml
- Modify the label in the YAML configuration file.
You can check the matchLabels field using the kubectl get nodes --show-labels command, and then update the matchLabels field to match the corresponding label. For example, in the following figure, node-role.kubernetes.io/worker represents the key and worker represents the value. Ensure the key-value pairs under the matchLabels field are consistent with this format.

The payloadImage field specifies the path to the kata-deploy image. You can retain the default image: swr.cn-north-4.myhuaweicloud.com/kunpeng-ai/virtcca-kata-deploy:latest.

- Change the image pull mode to host pull.
sed -i '/- name: kata-qemu-virtcca/{n;s/pulltype: .*/pulltype: ""/;n;s/snapshotter: .*/snapshotter: ""/}' virtcca-kata-deploy.yaml - Start the deployment.
kubectl apply -f virtcca-kata-deploy.yaml
After successful creation, the confidential-containers-system namespace includes one cc-operator-controller Pod and two DaemonSet-managed Pods.
kubectl get pod -n confidential-containers-system -owide

If the deployment of confidential-container-operator fails, and the critical error in the operator Pod logs shows "Get "https://x.x.x.x:443/api/v1": dial tcp x.x.x.x:443: i/o timeout", follow this troubleshooting workflow:
- Verify the status of the components and iptables. Since the network component is a DaemonSet, verify which iptables backend variant is currently used by the system as the default.
kubectl -n kube-system get ds -o wide
- Explicitly configure Calico to use the nft backend.
kubectl -n kube-system set env daemonset/calico-node FELIX_IPTABLESBACKEND=NFT kubectl -n kube-system rollout status daemonset/calico-node --timeout=180s
- Clear residual rules from the legacy tables. Set the default policy of the legacy filter table to ACCEPT and verify the legacy cleanup status.
- Rebuild the cc-operator Pod and verify its recovery.
kubectl delete pod -n confidential-containers-system -l control-plane=controller-manager kubectl -n confidential-containers-system wait --for=condition=Ready pod -l control-plane=controller-manager --timeout=180s kubectl -n confidential-containers-system get pod -o wide
- Verify the status of the components and iptables. Since the network component is a DaemonSet, verify which iptables backend variant is currently used by the system as the default.
- Obtain the YAML configuration file for the virtCCA CcRuntime deployment.
- Verify that the RuntimeClass corresponding to virtCCA has been registered in the Kubernetes cluster.
kubectl get runtimeclass

- Modify the /opt/kata/share/defaults/kata-containers/configuration-qemu-virtcca.toml configuration file. Change the shared filesystem protocol to virtio-fs, change the default number of vCPUs to 2, and change the default memory size to 3072M. You can dynamically adjust these settings based on your actual requirements. It is advised to increase the memory size to 4096M or above.
sed -i 's/shared_fs = "none"/shared_fs = "virtio-fs"/; s/default_vcpus = 1/default_vcpus = 2/; s/default_memory = 2048/default_memory = 4096/' /opt/kata/share/defaults/kata-containers/configuration-qemu-virtcca.toml

- Restart containerd.
systemctl restart containerd
- Currently, building OpenClaw applications via container templates is supported. Native confidential container images for OpenClaw are still under construction.
- Create the openclaw.yaml file.
vi ./openclaw.yaml
- Press i to enter insert mode and input the contents into the created YAML file based on the OpenClaw configuration file.
- Similarly, based on openFuyao's deployment guide and openclaw-configmap.yaml, input the model-related configurations from openclaw.json into the corresponding sections of the file.
vi ./openclaw.yaml
- Create the one-click deployment script quick-start-single.sh.
vi ./quick-start-single.sh
- Deploy the ConfigMap.
./quick-start-single.sh COMPONENT=openclaw-configmap \ OPENCLAW_LLM_BASE_URL=<LLM_Base_URL> \ OPENCLAW_LLM_API_KEY=<LLM_API_Key> \ OPENCLAW_LLM_MODEL=<model_name> \ OPENCLAW_GATEWAY_TOKEN=<any_non_empty_value> \ OPENVIKING_ROOT_API_KEY=<any_non_empty_value>
- Deploy the OpenClaw instance.
./quick-start-single.sh COMPONENT=openclaw \ OPENCLAW_LLM_BASE_URL=<LLM_Base_URL> \ OPENCLAW_LLM_API_KEY=<LLM_API_Key> \ OPENCLAW_LLM_MODEL=<model_name> \ OPENCLAW_GATEWAY_TOKEN=<any_non_empty_value> \ OPENVIKING_ROOT_API_KEY=<any_non_empty_value>
- The following configurations are currently enabled on the OpenClaw gateway for deployment and joint debugging scenarios.
"allowInsecureAuth": true, "dangerouslyDisableDeviceAuth": true
The current configuration lowers the authentication security of the gateway to allow direct access to the control Web UI within the container platform. If more stringent device authentication is required for a production environment, ensure these options are disabled in openclaw-configmap.yaml and adjust your network access methods accordingly.
- For manual deployment or multi-instance deployment, see the OpenClaw openFuyao Integration Guide and its corresponding script code.
- By default, the OpenClaw working directory is mapped via a persistent bind mount to the host's /home/openclaw-data directory. This path can be customized using the OPENCLAW_DATA_ROOT_DIR parameter in the deployment script.
- Create the openclaw.yaml file.
- Access the OpenClaw Web UI at http://<cluster_node_ip>:30000 and verify the deployment.
