Rancher RBAC Integration with Namespace Filtering
Starting from Portworx Backup 2.10.0, Portworx Backup provides seamless integration between Rancher access control and Portworx Backup RBAC, ensuring that users logging into Portworx Backup via Open LDAP or Ping Identity only see Kubernetes namespaces that are mapped to their Rancher project(s) based on their LDAP/SAML group membership.
This feature addresses the visibility gap between Rancher's access control model and what is exposed in Portworx Backup, preventing unauthorized or unintended data exposure by enforcing namespace-level filtering based on Rancher's RBAC configuration.
Earlier, all users logging into Portworx Backup could view all available namespaces within connected clusters, regardless of the access controls or group membership defined in Rancher. This created a visibility gap that could lead to unauthorized or unintended data exposure.
To bridge this gap, Portworx Backup implements namespace filtering on LDAP group associations defined in Rancher projects, ensuring that users only see namespaces they are explicitly permitted to access according to Rancher's access control configuration.
For example, consider three users, user1, user2, and user3, who are members of the pxb-admin group. If the pxb-admin group has permission in Rancher for namespaces namespace1 and namespace2, then all users of the pxb-admin group will only be able to see namespace1 and namespace2 in the Portworx Backup web console. If user1 is also a member of the pxb-users group, which is mapped to namespace3 and namespace4 in Rancher, then user1 will be able to see namespace3 and namespace4 as well in the Portworx Backup web console.
Prerequisites
- Use the cluster `kubeconfig` provided by the Rancher management cluster. If the existing `kubeconfig` is not from the Rancher management cluster, replace it with the one Rancher provides.
- AuthProvider (LDAP/Ping Identity) group mapping must be set up in Keycloak. For configuration details, see the Open LDAP and Ping Identity guides.
Portworx Backup Access Control Matrix
| Component | Action | Effect on Portworx Backup |
|---|---|---|
| Authorization Provider | User deleted | User can no longer login to Portworx Backup |
| Authorization Provider | User removed from group | User cannot access the namespaces mapped to that group |
| Authorization Provider | User added to group | User gains access to namespaces mapped to that group |
| Authorization Provider | Group deleted | Users lose access to namespaces mapped to that group |
| Authorization Provider | New group added | No access until group is mapped to a user in Portworx Backup |
| Rancher Web Console | Namespace deleted | Namespace automatically removed from Portworx Backup |
| Rancher Web Console | Namespace moved to a different project | Visible in Portworx Backup web console provided the project belongs to the same cluster |
| Rancher Web Console | New namespace created | Not visible in Portworx Backup until mapped to user/group in Rancher |
| Rancher Web Console | Project deleted | Users cannot access the namespaces mapped to that project |
| Rancher Web Console | New project created | Namespaces not visible in Portworx Backup until project mapped to user/group |
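The pxb-admin/pxb-users example above and the matrix rows for "Namespace moved to a different project" and "Group deleted" describe one filtering rule: a user sees the union of namespaces across every project, in the selected cluster, that one of their auth-provider groups is bound to. The model below is an added illustration of that rule with constructed data; it is not Portworx Backup's own code, and the project names (proj-a, proj-b, proj-c), cluster names and namespace5 are assumptions.

```python
# Added illustration (not Portworx Backup's code) of the namespace filtering rule:
# users belong to auth-provider groups, groups are bound to Rancher projects, a
# project owns namespaces in one cluster, and a user sees the union of namespaces
# across every project in that cluster bound to one of their groups.
from dataclasses import dataclass, field


@dataclass
class Project:
    cluster: str
    groups: set = field(default_factory=set)      # LDAP/SAML groups bound in Rancher
    namespaces: set = field(default_factory=set)  # namespaces currently in the project


@dataclass
class RancherModel:
    projects: dict = field(default_factory=dict)  # project name -> Project
    groups: dict = field(default_factory=dict)    # group name -> set of user names

    def visible_namespaces(self, user, cluster):
        """Namespaces `user` may see on `cluster`: union over projects whose bound
        groups include one of the user's groups. No mapping means nothing is visible."""
        user_groups = {g for g, members in self.groups.items() if user in members}
        seen = set()
        for project in self.projects.values():
            if project.cluster == cluster and project.groups & user_groups:
                seen |= project.namespaces
        return seen

    def move_namespace(self, ns, src, dst):
        """'Namespace moved to a different project': visibility follows dst's bindings."""
        self.projects[src].namespaces.discard(ns)
        self.projects[dst].namespaces.add(ns)

    def delete_group(self, group):
        """'Group deleted': members lose the namespaces mapped through that group."""
        self.groups.pop(group, None)
        for project in self.projects.values():
            project.groups.discard(group)


def page_example():
    """Constructed data mirroring the pxb-admin / pxb-users example on this page;
    proj-c on cluster2 is an assumed extra project to show per-cluster scoping."""
    m = RancherModel()
    m.groups = {"pxb-admin": {"user1", "user2", "user3"}, "pxb-users": {"user1"}}
    m.projects = {
        "proj-a": Project("cluster1", {"pxb-admin"}, {"namespace1", "namespace2"}),
        "proj-b": Project("cluster1", {"pxb-users"}, {"namespace3", "namespace4"}),
        "proj-c": Project("cluster2", {"pxb-admin"}, {"namespace5"}),
    }
    return m
```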
What is Supported
- LDAP and Ping Identity SAML are supported as Authorization providers
- Namespaces are filtered based on the Rancher project mapping in the Portworx Backup web console only; API calls are not yet supported.
Portworx Backup with Rancher Mapping Matrix
The following table compares the behaviour of existing Portworx Backup features with and without Rancher mapping:
| Feature | Without Rancher Access Control | With Rancher Access Control |
|---|---|---|
| Cluster Share | Owner and Super Administrators can share the cluster to any user or group. During share, they can share all backups with Restore-Only access. | Owner and Super Administrators can perform cluster share, but cannot share all backups during share. |
| Backup Share | Owner can share backup with any user/group. Super-Admin can share any user's backup. | No user can perform Backup Share. |
| Cluster Backup Share | Owner and Super-Admin can share all backups of a cluster. | No user can share all backups for a cluster. |
| Schedule for Future Namespaces | User/Super-Admin can create a schedule to include future namespaces. | Only Super-Admin can create a schedule to include future namespaces. |
| Schedule with Namespace Label | User/Super-Admin can create a schedule with namespace label. | Only Super-Admin can create a schedule with namespace label. |
Role description
- Owner: User who created the object
- Collaborator: User to whom the object has been shared
- Super-Admin: Super Administrator user
Rancher Project Mapping Backup and Restore Behaviour
- If a user is not using the `kubeconfig` from the Rancher web console, no namespaces will be visible and an error will appear. To fix this, use only the `kubeconfig` from the Rancher web console.
- If you add a cluster using the `kubeconfig` taken from the Rancher web console and this feature is enabled, then only namespaces within projects that the user is allowed to access, based on their user groups and usernames, are visible in Portworx Backup.
- If a user has taken a manual backup of a set of namespaces and a namespace in that set is later deleted from Rancher, the backup of that namespace still exists in Portworx Backup and the user can restore it.
- If a user already has a running backup schedule that was created without using the `kubeconfig` from the Rancher web console, the schedule continues to run.
- A user can schedule backups of all namespaces to which they have access, and the system continues to back up all of them, even if access to one namespace is revoked after a few backups have already occurred. For example, if a user who has access to five namespaces initiates a scheduled backup for all five, and an admin later revokes access to one of them, the next scheduled backup still includes all five namespaces.
- A non-SuperAdmin user cannot restore a backup to a different cluster because project mapping is not allowed for non-SuperAdmin users. If a non-SuperAdmin user tries to restore to a different cluster, the destination project dropdown is disabled. For more information, refer to the Project Mapping in Rancher Cluster topic.
How to Enable this Feature
Portworx Backup provides two options to enable this feature for both non-air-gapped and air-gapped installs and upgrades through the Portworx Central Spec Generator.
This feature has been tested with the following versions of Rancher and Kubernetes:
- Rancher: 2.11, 2.12
- Kubernetes: v1.32.x
To enable namespace filtering based on Rancher access control, configure the usePlatformRbac parameter during installation or upgrade:
Option 1: Using Helm Command
Add the following flag to your Helm install or upgrade command:
```shell
--set pxbackup.usePlatformRbac=true
```
Option 2: Using values.yaml File
Set the following parameter in your values.yaml file:
```yaml
pxbackup:
  usePlatformRbac: true
```
For detailed installation and upgrade procedures, refer to: