How to Implement Zero Trust Security for OpenClaw

# Configure OIDC authentication (openclaw-config.yaml):
auth:
  provider: oidc
  issuer: https://accounts.google.com
  client_id: ${OIDC_CLIENT_ID}
  client_secret: ${OIDC_CLIENT_SECRET}
  scopes:
    - openid
    - email
    - profile
  rbac:
    admin_group: openclaw-admins@company.com
    user_group: openclaw-users@company.com

# Define RBAC policies (rbac-policy.yaml):
roles:
  viewer:
    permissions:
      - read:skills
      - read:logs
  developer:
    permissions:
      - read:skills
      - write:skills
      - execute:safe_tools  # read_file, search, analyze
  admin:
    permissions:
      - "*"  # All permissions
    conditions:
      - require_mfa: true

# Map users to roles:
user_roles:
  - email: "alice@company.com"
    role: admin
  - email: "bob@company.com"
    role: developer

# Kubernetes NetworkPolicy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openclaw-isolation
spec:
  podSelector:
    matchLabels:
      app: openclaw
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
      - podSelector:
          matchLabels:
            app: gateway  # Only gateway can access
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
      - podSelector:
          matchLabels:
            app: database
      ports:
        - protocol: TCP
          port: 5432

# Generate service certificates with cert-manager:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openclaw-service
spec:
  secretName: openclaw-tls
  issuer:
    name: internal-ca
  dnsNames:
    - openclaw.default.svc.cluster.local
  usages:
    - server auth
    - client auth

# Configure mTLS in service mesh (Istio):
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT

# Configure continuous auth with BeyondCorp-style checks:
authentication:
  session_timeout: 8h
  require_reauth_for:
    - sensitive_operations
    - after_idle: 30m
  device_trust:
    require_managed_device: true
    require_disk_encryption: true
    require_os_version: ">=10.15"  # macOS example
    require_endpoint_protection: true

# Configure centralized logging:
logging:
  destination: elasticsearch
  endpoint: https://logs.company.com:9200
  index: openclaw-audit
  log_events:
    - authentication_attempts
    - authorization_decisions
    - tool_executions
    - data_access
    - configuration_changes
  include_metadata:
    - user_id
    - source_ip
    - device_id
    - session_id
    - request_id

# Kubernetes ServiceAccount with minimal permissions:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openclaw-worker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: openclaw-worker-role
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]  # Read-only
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]  # No list to prevent enumeration
    resourceNames: ["openclaw-secrets"]  # Explicit secret name

# Example Falco rules for access anomalies:
- rule: Access from Unusual Location
  condition: >
    openclaw_auth and
    user.location not in (known_office_ips) and
    user.role = admin
  output: "Admin access from unusual location"
  priority: WARNING

- rule: Privilege Escalation Attempt
  condition: >
    openclaw_request and
    user.role = viewer and
    requested_permission in (write, delete, admin)
  output: "Privilege escalation attempt detected"
  priority: CRITICAL