Version: 3.0

Rancher RBAC Integration with Namespace Filtering

warning

API and CLI automation is not supported with Rancher RBAC integration. Namespace filtering is enforced through the Portworx Backup web console only. API calls, CLI commands, and GitOps automation (such as Argo CD or Flux) bypass the Rancher RBAC namespace filtering entirely. Do not rely on this feature for access control enforcement in automated or non-UI workflows.

Applicable to Classic mode only

Starting with Portworx Backup 2.10.0, Portworx Backup integrates Rancher access control with its own RBAC, so that users who log in to Portworx Backup through Open LDAP or Ping Identity see only the Kubernetes namespaces that are mapped to their Rancher project(s) through their LDAP/SAML group membership.

This feature closes the visibility gap between Rancher's access control model and what Portworx Backup exposes. Previously, every user who logged in to Portworx Backup could view all namespaces in every connected cluster, regardless of the group membership and project access defined for them in Rancher, which could lead to unauthorized or unintended data exposure.

To close the gap, Portworx Backup filters the namespace list using the LDAP/SAML group associations defined on Rancher projects, so that a user sees only the namespaces Rancher's access control configuration explicitly permits. The filter is applied by the web console, so it governs what the console lists; API, CLI and GitOps access paths are not filtered (see the warning above).

For example, consider three users, user1, user2 and user3, who are members of the pxb-admin group. If pxb-admin is granted access in Rancher to namespace1 and namespace2 (through its project), every member of pxb-admin sees only namespace1 and namespace2 in the Portworx Backup web console. If user1 is also a member of the pxb-users group, which is mapped to namespace3 and namespace4 in Rancher, user1 additionally sees namespace3 and namespace4 in the Portworx Backup web console.

Prerequisites

  • Use the cluster kubeconfig provided by the Rancher management cluster. If the existing kubeconfig is not from the Rancher management cluster, replace it with the one Rancher provided.
  • AuthProvider (LDAP/Ping Identity) group mapping must be set up in Keycloak. For more information on configuration, see Open LDAP and Ping Identity.

Portworx Backup access control matrix

Component | Action | Effect on Portworx Backup
--- | --- | ---
Authorization Provider | User deleted | User can no longer log in to Portworx Backup
Authorization Provider | User removed from group | User cannot access the namespaces mapped to that group
Authorization Provider | User added to group | User gains access to the namespaces mapped to that group
Authorization Provider | Group deleted | Users lose access to the namespaces mapped to that group
Authorization Provider | New group added | No access until the group is mapped to a user in Portworx Backup
Rancher Web Console | Namespace deleted | Namespace automatically removed from Portworx Backup
Rancher Web Console | Namespace moved to a different project | Visible in the Portworx Backup web console only if the user's group is mapped to the new project in Rancher; otherwise the namespace is no longer visible
Rancher Web Console | New namespace created | Not visible in Portworx Backup until mapped to a user/group in Rancher
Rancher Web Console | Project deleted | Users cannot access the namespaces mapped to that project
Rancher Web Console | New project created | Namespaces not visible in Portworx Backup until the project is mapped to a user/group

What is supported

  • LDAP and Ping Identity SAML are supported as Authorization providers
  • Namespaces get filtered based on the Rancher project mapping in the Portworx Backup web console only. API, CLI, and GitOps-based access bypass this filtering — see the warning at the top of this article.

Portworx Backup with Rancher mapping matrix

The following table compares the behavior of existing features of Portworx Backup with and without Rancher mapping:

Feature | Without Rancher Access Control | With Rancher Access Control
--- | --- | ---
Cluster Share | Owner and Super Administrators can share the cluster with any user or group. During the share, they can share all backups with Restore-Only access. | Owner and Super Administrators can perform a cluster share, but cannot share all backups during the share.
Backup Share | Owner can share a backup with any user/group. Super-Admin can share any user's backup. | No user can perform a Backup Share.
Cluster Backup Share | Owner and Super-Admin can share all backups of a cluster. | No user can share all backups of a cluster.
Schedule for Future Namespaces | User/Super-Admin can create a schedule that includes future namespaces. | Only Super-Admin can create a schedule that includes future namespaces.
Schedule with Namespace Label | User/Super-Admin can create a schedule with a namespace label. | Only Super-Admin can create a schedule with a namespace label.

Role description

  • Owner: User who created the object
  • Collaborator: User with whom the object has been shared
  • Super-Admin: Super Administrator user

Rancher project mapping backup and restore behavior

  • If a cluster was added with a kubeconfig that was not downloaded from the Rancher web console, no namespaces are visible and an error appears. To fix this, replace it with the kubeconfig from the Rancher web console.
  • If you add a cluster using the kubeconfig from the Rancher web console and this feature is enabled, only namespaces within projects the user is allowed to access (based on their groups and username) are visible in Portworx Backup.
  • If a user takes a manual backup of a set of namespaces and one of those namespaces is later deleted in Rancher, the backup of that namespace still exists in Portworx Backup and the user can restore it.
  • If a user already has a running backup schedule that was created without the kubeconfig from the Rancher web console, the schedule continues to run.
  • A non-Super-Admin user cannot restore a backup to a different cluster, because project mapping is not allowed for non-Super-Admin users; if such a user tries to restore to a different cluster, the destination project dropdown is disabled. For more information, see the Project Mapping in Rancher Cluster topic.

warning

Revoking a user's Rancher access does not stop existing scheduled backups. If a user has a running backup schedule and their access to a namespace is later revoked, the schedule continues to capture data from that namespace. For example, if a user with access to five namespaces creates a scheduled backup for all five, and an admin later revokes access to one of them, the next scheduled backup still includes all five namespaces.
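The visibility rules described on this page (the pxb-admin/pxb-users example, the access control matrix, and the warning above about schedules) can be checked against a small model. The following is an added example written for this page; it is not Portworx Backup or Rancher code. The user, group, project and namespace names are constructed, and two modelling assumptions are labelled in the comments: a namespace belongs to exactly one project, and a namespace that no longer exists drops out of a schedule's next run.

```python
# Added example: a model of Rancher-project-based namespace filtering as this
# page describes it. Not Portworx Backup or Rancher code; all data is constructed.
from dataclasses import dataclass, field


@dataclass
class RancherAccessModel:
    # group -> projects the group is bound to (the project membership an admin
    # grants to an LDAP/SAML group in the Rancher web console)
    group_projects: dict[str, set[str]] = field(default_factory=dict)
    # namespace -> the single project it belongs to (assumption: one project per namespace)
    namespace_project: dict[str, str] = field(default_factory=dict)
    # user -> groups reported by the authorization provider (LDAP or Ping Identity SAML)
    user_groups: dict[str, set[str]] = field(default_factory=dict)

    def visible_namespaces(self, user: str) -> set[str]:
        """What the web console lists for `user`: the union, over every group the
        user belongs to, of the namespaces in projects bound to that group. A user
        with no groups, or whose groups are bound to no project, sees nothing."""
        projects: set[str] = set()
        for group in self.user_groups.get(user, set()):
            projects |= self.group_projects.get(group, set())
        return {ns for ns, proj in self.namespace_project.items() if proj in projects}

    # Events from the access control matrix on this page.
    def remove_user_from_group(self, user: str, group: str) -> None:
        self.user_groups.get(user, set()).discard(group)

    def move_namespace(self, ns: str, new_project: str) -> None:
        self.namespace_project[ns] = new_project

    def delete_namespace(self, ns: str) -> None:
        self.namespace_project.pop(ns, None)

    def delete_project(self, project: str) -> None:
        # Bindings to the project disappear, so its namespaces become unreachable.
        for bound in self.group_projects.values():
            bound.discard(project)


@dataclass(frozen=True)
class Schedule:
    owner: str
    namespaces: frozenset[str]  # fixed when the schedule is created, never re-filtered


def create_schedule(model: RancherAccessModel, user: str, namespaces: set[str]) -> Schedule:
    """The console only offers namespaces that are visible to the user at creation time."""
    hidden = set(namespaces) - model.visible_namespaces(user)
    if hidden:
        raise PermissionError(f"{user} cannot select {sorted(hidden)}")
    return Schedule(user, frozenset(namespaces))


def next_run_namespaces(schedule: Schedule, model: RancherAccessModel) -> set[str]:
    """Mirrors the warning above: revoking the owner's access does not shrink an
    existing schedule. Only a namespace that no longer exists drops out, because
    there is nothing left to capture (modelling assumption)."""
    return {ns for ns in schedule.namespaces if ns in model.namespace_project}


def example_model() -> RancherAccessModel:
    """The setup from the example on this page, plus namespace5 in a third
    project that no group is bound to (constructed data)."""
    m = RancherAccessModel()
    m.group_projects = {"pxb-admin": {"project-a"}, "pxb-users": {"project-b"}}
    m.namespace_project = {
        "namespace1": "project-a", "namespace2": "project-a",
        "namespace3": "project-b", "namespace4": "project-b",
        "namespace5": "project-c",
    }
    m.user_groups = {
        "user1": {"pxb-admin", "pxb-users"},
        "user2": {"pxb-admin"},
        "user3": {"pxb-admin"},
    }
    return m


def revocation_walkthrough() -> tuple[set[str], set[str]]:
    """user1 schedules every namespace visible to them, then is removed from
    pxb-users. Returns (what user1 sees now, what the next run still captures)."""
    m = example_model()
    sched = create_schedule(m, "user1", m.visible_namespaces("user1"))
    m.remove_user_from_group("user1", "pxb-users")
    return m.visible_namespaces("user1"), next_run_namespaces(sched, m)


if __name__ == "__main__":
    visible, still_captured = revocation_walkthrough()
    print("user1 now sees:", sorted(visible))
    print("next scheduled run still captures:", sorted(still_captured))
```

Running the walkthrough shows the point of the warning: after user1 loses pxb-users, the console lists only namespace1 and namespace2, while the schedule created earlier still captures namespace3 and namespace4 until someone edits or deletes it. The same model reproduces the matrix rows: moving namespace3 into project-a makes it visible to every pxb-admin member, and deleting project-a leaves pxb-admin members with no namespaces.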

How to enable this feature

Portworx Backup provides two ways to enable this feature for non-air-gapped and air-gapped installs and upgrades generated through the Portworx Central Spec Generator.

This feature is tested with the following versions of Rancher and Kubernetes:

  • Rancher: 2.11, 2.12
  • Kubernetes: v1.32.x

For the latest supported versions, see the requirements page.

To enable namespace filtering based on Rancher access control, configure the usePlatformRbac parameter during installation or upgrade:

Option 1: using Helm command

Add the following flag to your Helm install or upgrade command:

--set pxbackup.usePlatformRbac=true

Option 2: using values.yaml file

Set the following parameter in your values.yaml file:

pxbackup:
  usePlatformRbac: true

For detailed installation and upgrade procedures, see: