Kubernetes Deployment

Deploy Open WebUI on Kubernetes using kubectl, Kustomize, or Helm charts for production-ready, scalable deployments.

Prerequisites

Kubernetes cluster (1.19+)
kubectl configured to communicate with your cluster
Persistent volume provisioner (for data persistence)
Optional: Helm 3.x for Helm-based deployment

Quick Start with Kubectl

Basic Deployment

Create a deployment manifest open-webui-deployment.yaml:

open-webui-deployment.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: open-webui
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: open-webui-pvc
  namespace: open-webui
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: open-webui
  namespace: open-webui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: open-webui
  template:
    metadata:
      labels:
        app: open-webui
    spec:
      containers:
      - name: open-webui
        image: ghcr.io/open-webui/open-webui:main
        ports:
        - containerPort: 8080
          name: http
        env:
        - name: OLLAMA_BASE_URL
          value: "http://ollama:11434"
        - name: WEBUI_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: open-webui-secret
              key: secret-key
        volumeMounts:
        - name: data
          mountPath: /app/backend/data
        resources:
          requests:
            memory: "512Mi"
            cpu: "500m"
          limits:
            memory: "2Gi"
            cpu: "2000m"
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: open-webui-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: open-webui
  namespace: open-webui
spec:
  type: ClusterIP
  selector:
    app: open-webui
  ports:
  - port: 80
    targetPort: 8080
    name: http
---
apiVersion: v1
kind: Secret
metadata:
  name: open-webui-secret
  namespace: open-webui
type: Opaque
stringData:
  secret-key: "your-secret-key-here"

Deploy:

kubectl apply -f open-webui-deployment.yaml

Expose with Ingress

Create an Ingress resource:

ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: open-webui
  namespace: open-webui
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  ingressClassName: nginx
  rules:
  - host: open-webui.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: open-webui
            port:
              number: 80
  tls:
  - hosts:
    - open-webui.example.com
    secretName: open-webui-tls

Apply:

kubectl apply -f ingress.yaml

Deploying with Ollama

Combined Deployment

Deploy both Open WebUI and Ollama in the same namespace:

ollama-deployment.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ollama-pvc
  namespace: open-webui
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ollama
  namespace: open-webui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ollama
  template:
    metadata:
      labels:
        app: ollama
    spec:
      containers:
      - name: ollama
        image: ollama/ollama:latest
        ports:
        - containerPort: 11434
          name: http
        volumeMounts:
        - name: ollama-data
          mountPath: /root/.ollama
        resources:
          requests:
            memory: "4Gi"
            cpu: "2000m"
          limits:
            memory: "16Gi"
            cpu: "8000m"
      volumes:
      - name: ollama-data
        persistentVolumeClaim:
          claimName: ollama-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: ollama
  namespace: open-webui
spec:
  type: ClusterIP
  selector:
    app: ollama
  ports:
  - port: 11434
    targetPort: 11434
    name: http

Apply:

kubectl apply -f ollama-deployment.yaml

GPU Support

For GPU support, add node selectors and resource limits:

spec:
  template:
    spec:
      nodeSelector:
        nvidia.com/gpu: "true"
      containers:
      - name: ollama
        resources:
          limits:
            nvidia.com/gpu: 1

Horizontal Scaling

For multi-replica deployments, configure Redis for session management:

Deploy Redis

redis-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: open-webui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: redis:7-alpine
        ports:
        - containerPort: 6379
        resources:
          requests:
            memory: "256Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: open-webui
spec:
  type: ClusterIP
  selector:
    app: redis
  ports:
  - port: 6379
    targetPort: 6379

Configure Open WebUI for Redis

Update the Open WebUI deployment with Redis configuration:

env:
- name: REDIS_URL
  value: "redis://redis:6379"
- name: WEBSOCKET_MANAGER
  value: "redis"
- name: WEBSOCKET_REDIS_URL
  value: "redis://redis:6379"

Scale Replicas

kubectl scale deployment/open-webui -n open-webui --replicas=3

Database Configuration

PostgreSQL Backend

For production deployments, use PostgreSQL instead of SQLite:

postgres-deployment.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-pvc
  namespace: open-webui
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: open-webui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - name: postgres
        image: postgres:16-alpine
        env:
        - name: POSTGRES_DB
          value: "openwebui"
        - name: POSTGRES_USER
          value: "openwebui"
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-secret
              key: password
        ports:
        - containerPort: 5432
        volumeMounts:
        - name: postgres-data
          mountPath: /var/lib/postgresql/data
      volumes:
      - name: postgres-data
        persistentVolumeClaim:
          claimName: postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: open-webui
spec:
  type: ClusterIP
  selector:
    app: postgres
  ports:
  - port: 5432
    targetPort: 5432
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
  namespace: open-webui
type: Opaque
stringData:
  password: "your-secure-password"

Update Open WebUI deployment:

env:
- name: DATABASE_URL
  value: "postgresql://openwebui:your-secure-password@postgres:5432/openwebui"

ConfigMap for Environment Variables

Manage environment variables with ConfigMaps:

configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: open-webui-config
  namespace: open-webui
data:
  OLLAMA_BASE_URL: "http://ollama:11434"
  OPENAI_API_BASE_URL: ""
  WEBUI_NAME: "Open WebUI"
  ENV: "prod"
  ENABLE_SIGNUP: "true"
  DEFAULT_USER_ROLE: "pending"

Reference in deployment:

envFrom:
- configMapRef:
    name: open-webui-config

Monitoring and Observability

Prometheus Metrics

Enable OpenTelemetry metrics:

env:
- name: ENABLE_OTEL
  value: "true"
- name: ENABLE_OTEL_METRICS
  value: "true"
- name: OTEL_EXPORTER_OTLP_ENDPOINT
  value: "http://otel-collector:4317"
- name: OTEL_SERVICE_NAME
  value: "open-webui"

Using Helm (Community Charts)

While there isn’t an official Helm chart, you can create your own or use community charts. Basic Helm values structure:

values.yaml

image:
  repository: ghcr.io/open-webui/open-webui
  tag: main
  pullPolicy: IfNotPresent

replicaCount: 1

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: true
  className: nginx
  hosts:
    - host: open-webui.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: open-webui-tls
      hosts:
        - open-webui.example.com

persistence:
  enabled: true
  size: 10Gi
  storageClass: ""

env:
  OLLAMA_BASE_URL: "http://ollama:11434"
  WEBUI_NAME: "Open WebUI"

resources:
  requests:
    memory: 512Mi
    cpu: 500m
  limits:
    memory: 2Gi
    cpu: 2000m

redis:
  enabled: false
  url: ""

postgresql:
  enabled: false
  url: ""

Security Best Practices

Use Secrets

Store sensitive data in Kubernetes Secrets, not ConfigMaps:

kubectl create secret generic open-webui-secret \
  --from-literal=secret-key=$(openssl rand -base64 32) \
  --from-literal=openai-api-key=your-key \
  -n open-webui

Network Policies

Restrict network access between pods:

networkpolicy.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: open-webui-policy
  namespace: open-webui
spec:
  podSelector:
    matchLabels:
      app: open-webui
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: ollama
    ports:
    - protocol: TCP
      port: 11434

Pod Security Standards

Apply pod security standards:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
containers:
- name: open-webui
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: false

Troubleshooting

Check Pod Status

kubectl get pods -n open-webui
kubectl describe pod <pod-name> -n open-webui

View Logs

kubectl logs -f deployment/open-webui -n open-webui

Check PVC Status

kubectl get pvc -n open-webui

Shell into Container

kubectl exec -it deployment/open-webui -n open-webui -- /bin/bash

Next Steps

Environment Variables

Configure Open WebUI settings

Updating

Update your Kubernetes deployment

Docker Deployment

Alternative Docker deployment

Reverse Proxy

Configure ingress and reverse proxy

​Prerequisites

​Quick Start with Kubectl

​Basic Deployment

​Expose with Ingress

​Deploying with Ollama

​Combined Deployment

​GPU Support

​Horizontal Scaling

​Database Configuration

​PostgreSQL Backend

​ConfigMap for Environment Variables

​Monitoring and Observability

​Prometheus Metrics

​Using Helm (Community Charts)

​Security Best Practices

​Troubleshooting

​Check Pod Status

​View Logs

​Check PVC Status

​Shell into Container

​Next Steps