Install PX-Backup on-premises

You can install PX-Backup on any Kubernetes cluster using Helm charts, as long as you meet the prerequisites. This can be one of your application clusters or a dedicated cluster. Because PX-Backup is a multi-cluster backup solution, you do not need to install it on every cluster that you back up. Instead, you add other clusters through the PX-Backup user interface.


  • A Kubernetes cluster consisting of the following:

    • 3 worker nodes
    • 4 CPU cores
    • 8GB of memory
    • A minimum of 1 disk with 100 GB, ideally 2 disks on each node with at least 100 GB each
    • Kubernetes versions 1.22.x and below
    • If you wish to use Portworx for the PX-Backup installation and your Kubernetes cluster does not have Portworx installed, verify that you have at least 50GB of available disk space on the /root file system.
    • If you are using an external OIDC provider, you must use certificates signed by a trusted certificate authority.
    • Helm
  • If you want to install PX-Backup on OpenShift using the restricted SCC, then you must add the service accounts used by PX-Backup to the restricted SCC. Execute the following oc adm policy add-scc-to-user commands, replacing <YOUR_NAMESPACE> with your namespace:

    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:default
    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:pxcentral-apiserver
    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:px-keycloak-account
    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:px-backup-account

NOTE: PX-Backup does not support the PX-Security feature in Portworx.

Prerequisites to install PX-Backup on Tanzu

Tanzu Kubernetes Grid (TKG) administrators can create Deployments, StatefulSets, and DaemonSets (privileged pods) in the kube-system and default namespaces, but cannot create them in other namespaces. For example, a PX-Backup deployment in the central namespace fails because Tanzu Kubernetes clusters include the default PodSecurityPolicy.

Before you deploy PX-Backup in another namespace, for example central, you need to create a rolebinding for privileged and restricted workload deployment using the following commands:

    kubectl create ns central
    kubectl create rolebinding rolebinding-default-privileged-sa-ns_default --namespace=central --clusterrole=psp:vmware-system-privileged --group=system:serviceaccounts

Prepare air-gapped environments

If your cluster is internet-connected, skip this section. If your cluster is air-gapped, you must pull the following Docker images to either your Docker registry or your server:

  • portworx/kopiaexecutor:1.1.0

To pull the above Docker images and push them to an internal registry:

  1. Download the air-gapped bootstrap PX-Backup install script.

    curl -o -L ""

    You can also download the install script for a specific release by specifying a version query. For example:

    curl -o -L ""
  2. Pull the container images using the script.

    ./ pull
  3. Push the images to a local registry server, accessible by the air-gapped nodes. Replace <repo> with your registry location.

    ./ push <repo>

Add Kopia executor image path reference in config map

Before installing any PX-Backup 2.1.x version, update the following parameters in the kdmp-config ConfigMap in the kube-system namespace:

    KDMP_KOPIAEXECUTOR_IMAGE: <local repository where the Kopia image exists>
    KDMP_KOPIAEXECUTOR_IMAGE_SECRET: <secret to access the Kopia image, if any>

NOTE: The kdmp-config ConfigMap is available only on the application cluster where Stork is installed, and only starting with Stork version 2.8.x.

If you have your own custom registry, you must edit the px-backup-config ConfigMap to specify the registry path along with the following image secret:

    KDMP_KOPIAEXECUTOR_IMAGE_SECRET: <secret to access the Kopia image, if any>

Perform the following steps after editing the ConfigMap:

  1. Delete the following jobs from the namespace where PX-Backup is installed:

    • full-maintenance-repo-xxx
    • quick-maintenance-repo-xxx
  2. Restart the px-backup pod.
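
The air-gapped mirroring and ConfigMap steps above, sketched as an added example (not Portworx's install script or code from this page). It assumes the mirror keeps the upstream image path under the registry prefix, that the secret value is the name of an image pull secret, and that the px-backup pod belongs to a deployment named px-backup; the registry, secret and namespace values are constructed.

```shell
#!/bin/sh
# Added example, not Portworx code. Registry, secret and namespace values are constructed.
set -eu

UPSTREAM_IMAGE="portworx/kopiaexecutor:1.1.0"   # image named on this page

# Assumption: the mirror keeps the upstream path under the internal registry prefix.
mirror_ref() {  # $1 = internal registry, $2 = upstream image
    printf '%s/%s\n' "${1%/}" "$2"
}

# Build the merge patch for the ConfigMap; refuse characters that could break
# out of the JSON string or smuggle extra keys into the patch.
kopia_patch() {  # $1 = image reference, $2 = pull secret name (may be empty)
    [ -n "$1" ] || { echo "image reference is empty" >&2; return 1; }
    case "$1$2" in
        *[!A-Za-z0-9._:/@-]*) echo "unexpected character in image or secret" >&2; return 1 ;;
    esac
    printf '{"data":{"KDMP_KOPIAEXECUTOR_IMAGE":"%s","KDMP_KOPIAEXECUTOR_IMAGE_SECRET":"%s"}}\n' "$1" "$2"
}

# Filter `kubectl get jobs -o name` output (stdin) down to the two maintenance job families.
maintenance_jobs() {
    grep -E '^job\.batch/(full|quick)-maintenance-repo-' || true
}

# $1 = registry, $2 = pull secret, $3 = ConfigMap namespace, $4 = ConfigMap name,
# $5 = namespace where PX-Backup is installed
apply_all() {
    patch=$(kopia_patch "$(mirror_ref "$1" "$UPSTREAM_IMAGE")" "$2")
    kubectl -n "$3" patch configmap "$4" --type merge -p "$patch"
    kubectl -n "$5" get jobs -o name | maintenance_jobs |
        while read -r job; do kubectl -n "$5" delete "$job"; done
    # Assumption: the px-backup pod is managed by a deployment named px-backup.
    kubectl -n "$5" rollout restart deployment/px-backup
}

# Runs only when invoked as: script.sh apply <registry> <secret> <cm-ns> <cm-name> <px-backup-ns>
if [ "${1:-}" = "apply" ]; then
    apply_all "$2" "$3" "$4" "$5" "$6"
fi
```

Restricting the image and secret values to registry-safe characters keeps a mistyped or hostile value from adding other keys to the ConfigMap patch.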

Install PX-Backup

  1. If you are installing PX-Backup alone – without Portworx Enterprise – skip this step. If you want to install PX-Backup with Portworx Enterprise, you must first install Portworx, then create the following storage class on your Kubernetes cluster:

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: portworx-sc
    provisioner: kubernetes.io/portworx-volume
    parameters: {repl: "3"}
  2. Generate the install spec through the PX-Backup spec generator.

    If you are using Portworx for the PX-Backup installation, select the Use storage class checkbox under the Configuration section of the Spec Details tab of the spec generator and enter the name of the storageclass you created in step 1 above.

  3. Using Helm, add the Portworx Enterprise repo to your cluster and update it:

    helm repo add <repo-name> && helm repo update
  4. Install PX-Backup using either the helm set command or the values.yml file provided in the output of the Complete tab of the spec generator.

    You can find more information about the PX-Backup Helm chart in the reference article.

Configure external OIDC endpoints

If you enabled an external OIDC during the PX-Backup installation, you must manually configure the redirect URI in your OIDC provider.

Refer to the Set up login redirects section of the Portworx Enterprise documentation for instructions.

Last edited: Thursday, Sep 1, 2022