What's New in Portworx Backup
What's new in 3.0.0?
Version 3.0.0 – Released on June 01, 2026
Features
Federated Mode Support
Portworx Backup now introduces Federated mode (also referred to as Managed Service Provider mode or Workload Identity mode), a secret-less, decentralized deployment model designed for large-scale and service provider environments. In this mode, the cloud credentials are never stored on the Portworx Backup server. Instead, each application cluster authenticates directly to the backup location using Workload Identity, and Stork handles all backup operations locally. Federated mode requires Stork 26.3.0 or later on each application cluster.
Portworx Backup 3.0.0 supports two modes of operation: Federated mode for Managed Service Providers and large-scale environments, and Classic mode for existing users and non-MSP deployments. You can choose the mode that fits your environment during installation or upgrade. For more information, see Install Portworx Backup in Federated Mode.
Federated Command & Control
In Federated mode, the Portworx Backup server sends instructions to application clusters but does not directly access backup locations or cloud credentials. Stork on each cluster performs all backup and restore tasks autonomously using Workload Identity. Azure Workload Identity for Stork is configured through the StorageCluster (STC) custom resource via the Portworx Operator. For setup instructions, see Install Portworx Backup in Federated Mode. This eliminates the need to deploy a separate Portworx Backup instance per cluster and removes the requirement to manage cloud credentials centrally.
Secret-less Authentication with Workload Identity
Portworx Backup Federated mode uses Azure Managed Identity as the Workload Identity mechanism, enabling secret-less authentication for backup operations on Azure. Instead of storing explicit cloud credentials such as access keys, Workload Identity binds a cloud identity to the Stork service account on each shoot cluster, enabling token-based authentication directly with Azure Blob Storage. Cloud credentials are never stored centrally on the Portworx Backup server. Azure Workload Identity for Stork is configured through the StorageCluster (STC) custom resource via the Portworx Operator. For setup instructions, see Install Portworx Backup in Federated Mode.
Gardener Integration on Azure
Portworx Backup Federated mode supports backup of workloads running on Garden Linux–based Kubernetes shoot clusters managed by Gardener on Azure. Garden Linux is a Debian-based Linux distribution used as the host operating system in Gardener-managed clusters. Portworx Backup connects to the Gardener API server to generate kubeconfigs for shoot cluster access and manage cluster registration without manual configuration. Portworx Backup 3.0.0 supports Gardener-managed Kubernetes clusters running version 1.30.x and later.
Backup Sync Using Stork
In Federated mode, backup sync is handled locally by Stork on each application cluster using Workload Identity. The initial sync runs when the sync option is enabled and a cluster is assigned to the backup location; subsequent syncs must be triggered manually. For more information, see Synchronize backups from a backup location.
Automatic Shoot Cluster Discovery
Portworx Backup Federated mode integrates with the Gardener API to automatically discover and onboard shoot clusters without requiring manual kubeconfig import or registration. You can also configure Portworx Backup to run periodic discovery cycles that detect new and deleted clusters and update the cluster inventory automatically, eliminating the need for manual onboarding as the Gardener shoot cluster fleet changes.
Automatic Gardener Kubeconfig Token Refresh
Portworx Backup automatically refreshes kubeconfig tokens generated by the Gardener API for shoot clusters. Because Gardener-issued kubeconfigs are valid only for a limited time, expired tokens can interrupt connectivity and backup operations.
To prevent this, Portworx Backup periodically renews the tokens before they expire, ensuring uninterrupted access to onboarded Gardener shoot clusters without requiring manual kubeconfig updates.
Cluster Connectivity Validation with Backup Location
In Federated mode, backup location connectivity is validated locally by Stork on each application cluster using Azure Managed Identity (Workload Identity), rather than centrally by the Portworx Backup server. For more information, see Validate cluster connectivity to a backup location.
Telemetry Support
Portworx Backup introduces integration with Pure1, a cloud-based management and support platform provided by Everpure. When enabled, Portworx Backup automatically registers with Pure1, then periodically uploads system health metrics, operational logs, and UUIDs of all onboarded application clusters to Pure1, enabling Everpure support teams to proactively monitor cluster health and assist with diagnostics. Telemetry is disabled by default and must be explicitly enabled. It can be enabled or disabled at any time by patching the px-backup-telemetry-config ConfigMap, without requiring a Helm upgrade.
Enhancements
Backup Deletion Status Metrics
Portworx Backup improves backup lifecycle observability by retaining Prometheus metrics after a backup is deleted. Previously, when a backup was deleted, either manually or through a retention policy, its Prometheus metrics were removed immediately, leaving no audit trail for monitoring or compliance workflows.
Starting with this release, backup information metrics such as pxbackup_backup_object_info are retained with status="Deleted" for the duration of the TTL window configured through the pxbackup.backupInfoMetricsBackfillHours Helm parameter. For a complete list of affected metrics, see Backup Information Metrics.
The original terminal status of the backup (for example, Success, Failed, or PartialSuccess) is preserved in the previous_status label, providing a complete audit trail of the backup lifecycle in Prometheus.
Deleted metrics expire automatically after the configured TTL window without additional storage or memory overhead.
Persistent UI Preferences
Portworx Backup now retains user interface preferences across pages and sessions, reducing the need to repeatedly apply the same selections while navigating the web console.
NS/VM tab preference
When you switch between the Namespace (NS) and Virtual Machine (VM) tabs on pages such as Applications, Backups, Restores, Schedules, and Dashboard, your selection is automatically applied across supported pages. The preference is retained across logins.
If no preference is available (for example, during first login or after clearing browser storage), the UI defaults to the NS tab.
Time bracket preference
The selected time bracket for backup and restore filters is now preserved while navigating across:
- Overview tab activity timeline
- Backups tab
- Restores tab
- All Backups page
- Both NS and VM subtabs
The selected time bracket remains available throughout the session and resets to the default value of Last 24 hours after logout.
What's new in 2.11.0?
Version 2.11.0 – Released on March 18, 2026
Features
Structured Kubernetes Resource Layout for Backups
Starting with Portworx Backup 2.11.0, backup resources are organized using a structured layout to improve scalability and reliability in large Kubernetes and VM environments.
This layout reduces memory consumption during backup operations, improves reliability during network interruptions, and enables support for partial backups and selective resource restores.
During upgrade, Portworx Backup also performs a one-time cleanup of stale backup artifacts that may have accumulated during mixed-version upgrades of Stork and earlier Portworx Backup releases.
Restore Specific Namespaces or Resources from a Namespace Backup
Portworx Backup now enables more granular restore operations from namespace backups. You can selectively restore specific namespaces or individual resources within a namespace, rather than performing a full restore.
This enhancement provides greater flexibility and control when restoring to the same or a different cluster, supports configurable source-to-destination mapping (namespaces, storage classes, and Rancher projects), and includes defined concurrency limits to optimize restore performance. The feature also supports large namespace backups with improved metadata handling for resource-level restores.
File and Folder Restore for Virtual Machines
Portworx Backup now supports restoring specific files or folders from a VM backup directly to the same VM. This capability enables granular recovery without performing a full VM restore.
The feature supports configurable restore paths (original or alternate location), partition-aware restores, and is compatible with supported Linux distributions, file systems, and SELinux modes. Restore operations are processed sequentially (one file/folder restore at a time) to ensure stability and consistency.
Volume Resource-Only (VRO) Policy configuration from Portworx Backup web console
Enhanced the Volume Resource-Only (VRO) policy to support configuration from the Portworx Backup web console. The VRO policy allows backing up only Kubernetes volume resource specifications (PVCs and PVs) without including the underlying volume data.
Editable Label Selectors for Backup Schedules
Portworx Backup now allows you to edit namespace and VM label selectors on both existing and new backup schedules using the UI, CLI, API, or Ansible. This enhancement enables dynamic adjustment of backup scope without requiring schedule recreation.
Enhancements
Portworx Backup now supports restoring an individual VM (including all associated VM resources) using either Default Restore (no mapping required) or Custom Restore (with namespace, StorageClass, and Rancher project mapping). It also supports file/folder restore from VM backups with configurable restore paths.
Portworx Backup web console Cloud Settings page is enhanced to provide a more streamlined and intuitive configuration experience for Cloud Accounts and Backup Locations. There are no functional changes to existing workflows.
Update Resource Filters for Existing Backup Schedules
Portworx Backup now enables you to modify resource label filters for existing backup schedules. Previously, you could configure resource filters only when creating a backup schedule and could not change them afterward.
With this enhancement, you can add resource label filters to schedules that were created without them, update existing filters to control which resources are included in future backups, or remove filters altogether to include all resources in the namespace.
These updates apply to subsequent scheduled backups and allow you to adjust backup scope without recreating the schedule.
Version 2.10.1 – Released on Dec 15, 2025
Features
Edit label selectors on backup schedules
Portworx Backup now allows you to modify label selectors on existing backup schedules without recreating them. Any backup schedule with resource, namespace, or VM label selectors can now be altered to change the associated resource, namespace, or VM label selectors, without the need to delete and recreate.
Enhanced Prometheus metrics for backup operations
Portworx Backup now provides comprehensive operational metrics via its metrics endpoint for consumption by external monitoring tools. These metrics expose detailed information regarding backup, enabling better observability and troubleshooting on external monitoring systems.
Version 2.10.0 – Released on Nov 24, 2025
Features
Integration with SUSE Rancher project-based access control
Portworx Backup now provides seamless integration with SUSE Rancher's project-based access control. Portworx Backup users can now view and access Kubernetes Namespaces mapped to their Rancher project(s) based on their LDAP/SAML group membership obtained via popular providers like OpenLDAP or Ping Identity. This feature extends your access control from SUSE Rancher into Portworx Backup, preventing unauthorized or unintended data exposure by enforcing Namespace-level filtering based on Rancher's Projects configuration.
Portworx Backup introduces flexible Namespace management capabilities that allow scheduled backups to gracefully handle missing Namespaces, alongside the ability to edit backup schedules to remove or add Namespaces. The system proceeds to perform a backup with the available Namespaces and marks the backup as Partial Success if some of the specified Namespaces are missing. This feature improves backup resilience when Namespace availability changes and provides greater usability by allowing users to remove or append Namespaces to the schedule.
Password customization for internal databases
Portworx Backup now provides an easier mechanism based on Kubernetes Secrets to provide and rotate credentials for its internal databases. You can also enable optional encryption of the internal database and specify encryption keys via a Kubernetes Secret, making Portworx Backup's security and protection capabilities more usable.
mTLS support for Portworx Backup
Portworx Backup can now run with mTLS when deployed into a customer‑managed service mesh, enabling encrypted, mutually authenticated traffic across Portworx Backup microservices. This adds Helm managed integration for Istio and Linkerd, allowing UI access with HTTPS protocol aligning with enterprise security policies thus preventing unauthorized access and man-in-the-middle attacks.
Batch alerting for backup schedules
Portworx Backup adds batch alerting for schedule operations, aggregating failures from pause, resume, and delete actions across multiple schedules into a single consolidated alert. Each alert lists the affected schedule objects with per-object error reasons captured during each update cycle, so you can quickly pinpoint what failed and why. Alerts are grouped and continuously updated to reflect the current state — new failures are added and resolved items are removed — reducing email noise while preserving real-time visibility.
Capture notes for backup schedule changes
Portworx Backup now lets you add a note when suspending, resuming, or editing schedules, including during bulk actions where a single note applies to all selected schedules. The latest note is shown when viewing schedule details, so you can understand why the backup schedule status was altered.
Portworx Backup now extends its existing functionality for sharing backup, by allowing the sharer to specify which backup can be used for restore only or with full access rights by user or group with access to Backup Location and its Cloud Credential.
Backup and Restore FADA Volumes
The FADA volumes backup and restore feature has graduated from early access to general availability. It allows Portworx Backup to support FADA volume types effectively by using native Portworx snapshots (PXD-based) for both block and file system PersistentVolumeClaim (PVC) modes.
Enhancements
Enhanced SSL/TLS Certificate Management for Ansible Module
The Portworx Backup Ansible collection now provides comprehensive SSL/TLS certificate management with support for custom CA certificates, mutual TLS authentication, and flexible certificate validation options. This enterprise-ready feature enables unified SSL configuration through inventory variables that automatically get applied across all modules, eliminating the need for per-module certificate setup while supporting self-signed certificates, private certificate authorities, and corporate PKI deployments for enhanced security in production environments.
Optional UUID for backup resources
Portworx Backup now supports optional UUID parameters across all interfaces (REST API, gRPC API, Ansible collection, and CLI), allowing users to reference backup resources using either human-readable names or UUIDs. This enhancement simplifies resource management by enabling users to work with user-defined names instead of complex UUID strings, while still maintaining UUID support for programmatic integrations that require guaranteed unique identifiers. The flexible approach improves user experience and scriptability while preserving backward compatibility with existing UUID-based workflows.
Generic backup repositories now leaner
Scheduled backup now uses split backup repositories for generic backups, creating smaller schedule-bound repositories per PVC. A new full backup is started in the new repository only when the incremental threshold is reached, keeping repositories small and stable and reducing maintenance time on large datasets. Portworx Backup also employs improved cleanup mechanisms, ensuring zero-size snapshots are removed and stale folders are periodically pruned, preserving active data and improving space reclamation in your backup locations. This enhancement is compatible with Portworx Backup 2.9.x or later and Stork 25.2.x or later. In such environments, schedules are migrated on Portworx Backup upgrade to enable the new capabilities, while existing backups continue to work in their current layout.
A few issues are also resolved. For more information, see Release Notes.
Version 2.9.1 – Released on August 26, 2025
A few issues are resolved. For more information, see Release Notes.
Version 2.9.0 – Released on July 08, 2025
Features
-
Retry backups at VM level: you can now retry only failed VMs in VM backups without reprocessing successful ones, reducing load on the backup server. This feature helps maintain efficient backup operations, provides granular control on VM backups and ensures better adherence to RPO targets.
-
Portworx Backup deployment on proxy-enabled clusters: you can deploy Portworx Backup in proxy-enabled Kubernetes cluster environments across all supported platforms, except IKS. It supports proxy configuration with Helm values or Kubernetes Secrets passed as Helm parameters during Portworx Backup installation or upgrade.
-
Bulk schedule operations: you can now suspend, resume, or delete multiple backup schedules in bulk, simplifying backup management across large environments. In addition, you can filter schedules by their names, schedule policies, or a combination of both to precisely target the desired schedules.
-
Back up volume resources: you can now back up only the Kubernetes PersistentVolume (PV) and PersistentVolumeClaim (PVC) specifications without including the actual volume data. This optimizes backup jobs by reducing data footprint, improving performance, and avoiding redundancy when the volume data is protected through other mechanisms like external snapshots or NFS backups.
Enhancements
- Enhanced web console:
- The Portworx Backup web console is enhanced with detailed insights, offering clearer status indicators and granular VM backup information for effective monitoring and management.
- Web console features a new, intuitive left navigation pane designed for easier access to key functions and a smoother user experience.
- You can sort a few columns in the Backup, Restore, and All Backups pages in ascending or descending order by clicking the arrows at the end or beginning of the column name. When the data is not sorted, the page always displays the latest record first.
Fixes
Version 2.8.4 – Released on April 14, 2025
Features
-
Advanced filtering: Portworx Backup allows you to filter VMs and namespaces based on the labels assigned to them and their associated resources. This helps you narrow down the list of virtual machines (VMs) and namespaces for backup operations. You can enter specific namespace or VM labels to view only the resources that match those criteria. This is especially useful in large environments where you need to focus on a subset of resources. By filtering based on labels, you can streamline management, improve performance, and reduce the risk of backing up unnecessary data. The feature enhances precision and efficiency in your backup workflows.
-
Partial success of VM backups: The Partial Success for VM Backup feature improves backup reliability by executing
PreExecandPostExecrules on a per-VM basis, instead of applying them to all VMs at once. This granular handling ensures that if one VM fails during execution rule processing, only that VM is marked as failed, and the backup continues with the remaining VMs. Volume failures are now tracked and reported per VM, enabling accurate success/failure status and reducing unnecessary backup failures.
Enhancements
-
Backup Retry: you can now re-initiate a backup job if some volumes have failed in your multi-VM or multi-namespace backups. If your VM or namespace backup has partially succeeded or completely failed, you can re-initiate the backup job with the Retry option.
-
VMs with static IPs: Portworx Backup has introduced two new annotations to provide enhanced control over static IPs and MAC addresses of VMs:
px-backup/skip-vm-start: stops the VM until users start the VM manually after restore with this annotation, giving them the opportunity to configure a new static IP and avoid conflicts.px-backup/skip-mac-masking: this annotation allows users to retain the original MAC address, which is beneficial for preserving network identity.
Fixes
Version 2.8.3 – Released on Feb 12, 2025
Features
-
Health Check: the health check feature enhances pre-installation and upgrade validations, including Kubernetes version checks, storage class validation, and blocking unsupported upgrade paths. It simplifies debugging with detailed reports, user-friendly error messages, and Helm enhancements to ensure smoother deployments. In addition, health check enhances user experience in installation and upgrade scenarios.
-
Parallel Backup Schedule: this feature ensures that scheduled backups occur at every scheduled interval, even if the previous backup is still in progress. Subsequent backups can start as long as all Portworx volume snapshots are complete and the user has opted for parallel backup schedules.
Enhancements
-
Email Alerts with SMTP TLS: this enhancement improves email security by enabling encrypted connections using
STARTTLSand custom certificates. With this improvement, users can ensure compliance with organizational security standards by uploading their own certificates, including CA certificates. It supports secure communication over commonly used SMTP ports (25, 465, and 587) and ensures robust encryption for email validation and transmission. -
KubeVirt enhancements: Portworx Backup now enables you to back up and restore
VirtualMachineInstancetype,VirtualMachinePreferenceandNetworkAttachmentDefinitionKubeVirt VM resources in your VM backup environment. -
Argo CD Mode of Deployment: you can now install Portworx Backup with Argo CD in simple steps by setting few parameters during deployment. This enhancement brings a GitOps-driven approach to manage data protection and ensures that backup policies, schedules, and configurations are applied consistently across environments.
Fixes
Version 2.8.2 – Released on January 24, 2024
Fix
Version 2.8.1 – Released on Dec 13, 2024
Enhancements
-
Azure Kubelogin: Portworx Backup now supports Azure kubelogin, enabling secure, token-based authentication for AKS clusters via Azure AD.
-
Ansible Collection: the Portworx Backup Ansible collection automates Portworx Backup tasks like scheduling, credential setup, and cluster management.
-
Backup API: Portworx Backup adds API enhancements for resource type retrieval and exclusion in backups and schedules.
Fixes
Version 2.8.0 – Released on Nov 22, 2024
New Features
-
Share Clusters: you can now securely share and manage clusters for seamless collaboration and data protection.
-
Super Administrator: a new role in Portworx Backup to enable centralized control for unified management of clusters, users, RBAC, and non-RBAC Portworx Backup resources.
Enhancements
-
Concurrent Deletion of Backups: accelerate backup delete management with parallel deletion, optimizing efficiency and effective handling of dependencies.
-
Azure Proxy Parameters: streamline Azure proxy configurations with Portworx Backup's new inclusion and exclusion parameters, offering precise control over service-specific and proxy settings.
Fixes
Portworx Backup is a Kubernetes backup solution that allows you to back up and restore applications and their data across multiple clusters.