Platform Overview
PEMOS runs anywhere — serverless containers, Kubernetes, or local Docker. No vendor lock-in. Same images on every platform.
Core Components
- Gangway — Web portal (Dashboard, Chat, Nava, Wiki, Governance, Tetraban)
- OpenClaw Runtime — Agent execution engine (workspaces, memory, tools)
- Agent Containers — One per agent (scale-to-zero on serverless)
- Secret Store — Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, or K8s secrets
- Persistent Storage — File Share, EFS, Cloud Storage, or local encrypted disk
Deployment Models
- Serverless — Azure ACA, AWS Fargate, GCP Cloud Run (recommended)
- Kubernetes — AKS, EKS, GKE, k3s, bare metal
- Local — Docker Compose with optional encrypted disk
- Hybrid — K8s for critical agents + serverless for burst
- Flux GitOps compatible on all K8s deployments
- Same OCI images, same configs, any platform
Multi-Cloud Architecture
```text
┌────────────────────────────────────────────────────────────────┐
│                          PEMOS Fleet                           │
│                                                                │
│ ┌──────────────────┐  ┌──────────────────┐  ┌──────────────┐   │
│ │    SERVERLESS    │  │    KUBERNETES    │  │    LOCAL     │   │
│ │                  │  │                  │  │              │   │
│ │  Azure ACA       │  │  AKS             │  │  Docker      │   │
│ │  AWS Fargate     │  │  EKS             │  │  Compose     │   │
│ │  GCP Cloud Run   │  │  GKE / k3s       │  │  + LUKS      │   │
│ │                  │  │                  │  │              │   │
│ │ Scale-to-zero ✅ │  │  Always-on       │  │  Always-on   │   │
│ │ ~$22/mo (10 ag.) │  │  ~$121+/mo       │  │  $0/mo       │   │
│ │  No cluster mgmt │  │  Full control    │  │ Full control │   │
│ └──────────────────┘  └──────────────────┘  └──────────────┘   │
│                                                                │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │                    Shared Abstractions                     │ │
│ │    Same OCI images · Same configs · Same security model    │ │
│ │           Same agent identities · Same portal UI           │ │
│ └────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────┘
```
Serverless Architecture (ACA Example)
```text
┌──────────────────────────────────────────────────────────┐
│  ACA Environment (Consumption Plan)                      │
│                                                          │
│   Portal (min:1) ── Dashboard API (min:1)                │
│         │                     │                          │
│         └──────────┬──────────┘                          │
│                    │                                     │
│ ┌──────────────────▼───────────────────────────────────┐ │
│ │                      Agent Pool                      │ │
│ │  Captain (min:1)   Officer (min:0)   Bosun (min:0)   │ │
│ │  Helmsman (min:0)  Signals (min:0)   Watchkeeper(0)  │ │
│ └──────────────────────────────────────────────────────┘ │
│                                                          │
│  Azure Key Vault ── File Share ── Table Storage          │
└──────────────────────────────────────────────────────────┘
```
Wake-on-demand: User clicks agent → HTTP request → ACA cold starts
container (5-8s) → Agent boots → WebSocket → User interacts →
5 min idle → Scale back to 0 replicas ($0)
Kubernetes Architecture
```text
┌──────────────────────────────────────────────────────────┐
│  Kubernetes Cluster (3+ nodes)                           │
│                                                          │
│  Namespace: pemos                                        │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐  │
│  │  Portal  │  │Dashboard │  │  Agents  │  │ Guardian │  │
│  │  nginx   │  │   API    │  │ OpenClaw │  │ PII vault│  │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘  │
│                                                          │
│  NetworkPolicy: default-deny-ingress                     │
│  PodSecurityStandard: restricted                         │
│  CSI Secrets Store ── PVC ── Flux CD                     │
└──────────────────────────────────────────────────────────┘
```
Local Architecture
```text
┌──────────────────────────────────────────────────────────┐
│  Host Machine (Linux / WSL2 / macOS)                     │
│                                                          │
│  Docker Compose:                                         │
│    Portal :8080 ── Dashboard API :3001 ── Agent(s)       │
│                                                          │
│  ═══════ Encrypted Disk (LUKS2 / APFS) ════════════════  │
│    /pemos/data ── /pemos/secrets ── /pemos/config        │
│  ══════════════════════════════════════════════════════  │
│                                                          │
│  Key: Azure KV / SOPS-age / TPM                          │
│  Destroy key = all data permanently unrecoverable        │
└──────────────────────────────────────────────────────────┘
```
Security Model
Zero-trust by default on every deployment model.
Isolation
- Serverless: Environment-level isolation, internal-only agent ingress
- Kubernetes: Namespace isolation + NetworkPolicy (default-deny)
- Local: Docker network isolation + encrypted disk
Secrets
- Serverless: Managed Key Vault / Secrets Manager
- Kubernetes: CSI Secrets Store or K8s secrets (encrypted at rest)
- Local: Encrypted disk + SOPS-age or Azure KV
Identity
- OIDC for user auth (Entra ID, Okta, Keycloak)
- Workload Identity for cloud services
- Managed Identity where available
- Non-root containers, read-only rootfs
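The Kubernetes controls named above (namespace isolation, a default-deny NetworkPolicy, the restricted Pod Security Standard, non-root containers with a read-only rootfs), written out as manifests. This is an added example, not the PEMOS project's own chart; the namespace `pemos` comes from the architecture diagram, while the Deployment name `agent-example`, the image reference and the scratch volume are placeholders.

```yaml
# Added example (not from the PEMOS project). Namespace "pemos" is taken from
# the architecture diagram; "agent-example" and the image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: pemos
  labels:
    # Pod Security Standard "restricted": privileged pods, host namespaces
    # and root users are rejected at admission time.
    pod-security.kubernetes.io/enforce: restricted
---
# Default-deny ingress: an empty podSelector matches every pod in the
# namespace, so nothing is reachable until an explicit allow policy exists.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: pemos
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-example            # placeholder name
  namespace: pemos
spec:
  replicas: 1
  selector:
    matchLabels: { app: agent-example }
  template:
    metadata:
      labels: { app: agent-example }
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile: { type: RuntimeDefault }   # required by "restricted"
      containers:
        - name: agent
          image: registry.example/pemos/agent:PLACEHOLDER_TAG
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - { name: scratch, mountPath: /tmp }   # the only writable path
      volumes:
        - { name: scratch, emptyDir: {} }
```

With `enforce: restricted` on the namespace, a Deployment that omits any of the container-level settings shown is rejected at admission rather than silently running with weaker settings.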
When to Use What
| Scenario | Deployment | Why |
|---|---|---|
| Personal / dev | Docker Compose | Free, fast, no cloud needed |
| Cheapest cloud | Serverless (ACA/Run/Fargate) | Scale-to-zero, ~$22/mo for 10 agents |
| Enterprise, bursty | Serverless | 75% cheaper than K8s for idle agents |
| Compliance-heavy | Kubernetes | Full NetworkPolicy, admission control |
| Air-gapped | Local + encrypted disk | Zero cloud dependency |
| Multi-cloud | Mix serverless + K8s | Best of both worlds |
Observability
Prometheus-format metrics, structured JSON logs, and pre-configured alerts work on all deployment models.
- Serverless: Azure Monitor / CloudWatch / Cloud Logging
- Kubernetes: Prometheus + Grafana (dashboards included in Helm chart)
- Local: Docker logs, optional Loki/Grafana
Master Control — Enterprise Pattern
Master Control extends PEMOS with dedicated principals and crews. Works on any deployment model — serverless (recommended) or Kubernetes.
Security Principal (CISO’s Bridge)
Officer 🎖️, Watchkeeper 🔭, Quartermaster 📋 — compliance, threat detection, audit.
Solutions Principal (CTO’s Bridge)
Captain ⚓, Bosun 🔧, Helmsman 🧭, Botwright 🤖 — engineering, ops, deployment.
Master Control managed service → pemos.ca/master-control