Install PX-Backup on-premises

You can install PX-Backup on any Kubernetes cluster using Helm charts, as long as you meet the pre-requisites. This can be one of your application clusters or a dedicated cluster. Since it is a multi-cluster backup solution, you need not install PX-Backup on every cluster that you back-up. Instead, other clusters are added through the PX-Backup user interface.


  • A Kubernetes cluster consisting of the following:

    • 3 worker nodes
    • 4 CPU cores
    • 8 GB of memory
    • Kubernetes versions 1.22.x and below
    • PX-Backup creates PVCs using the provided storage class to store its metadata. It requires minimum 300 GB of PVC storage. Plan your cluster’s storage capacity accordingly.
    • Ensure that there is at least 50 GB of free space on the /root file system nodes where Portworx will be installed. For more information, refer to Portworx Installation Prerequisites.
    • If you are using an external OIDC provider, you must use certificates signed by a trusted certificate authority.
    • Helm
  • If you want to install PX-Backup on OpenShift using the restricted SCC, then you must add the service accounts used by PX-Backup to the restricted SCC. Execute the following oc adm policy add-scc-to-user commands, replacing <YOUR_NAMESPACE> with your namespace:

    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:default
    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:pxcentral-apiserver
    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:px-keycloak-account
    oc adm policy add-scc-to-user restricted system:serviceaccount:<YOUR_NAMESPACE>:px-backup-account

Prerequisites to install PX-Backup on Tanzu

Tanzu Kubernetes Grid (TKG) administrators can create deployments, StatefulSets, and DaemonSet (privileged pods) in the kube-system and default namespace, but cannot create in other namespaces. For example, PX-Backup deployment in the central namespace fails, because Tanzu Kubernetes clusters include the default PodSecurityPolicy.

Before you deploy PX-Backup, for example in the central namespace, you need to create a rolebinding for privileged and restricted workload deployment using the following commands:

kubectl create ns central
kubectl create rolebinding rolebinding-default-privileged-sa-ns_default --namespace=central --clusterrole=psp:vmware-system-privileged --group=system:serviceaccounts

Install PX-Backup

  1. If you are installing PX-Backup alone – without Portworx Enterprise – skip this step. If you want to install PX-Backup with Portworx Enterprise , you must first install Portworx, then create the following storage class on your Kubernetes cluster:

    kind: StorageClass
        name: portworx-sc
        repl: "3"
  2. Generate the install spec through the PX-Backup spec generator.

    If you are using Portworx for the PX-Backup installation, select the Use storage class checkbox under the Configuration section of the Spec Details tab of the spec generator and enter the name of the storageclass you created in step 1 above.

  3. Using Helm, add the Portworx Enterprise repo to your cluster and update it:

    helm repo add <repo-name> && helm repo update
  4. Install PX-Backup using either the helm set command or the values.yml file provided in the output of the Complete tab of the spec generator.

    You can find more information about the PX-Backup Helm chart in the reference article.

Configure external OIDC endpoints

If you enabled an external OIDC during the PX-Backup installation, you must manually configure the redirect URI in your OIDC provider.

Refer to the Set up login redirects section of the Portworx Enterprise documentation for instructions.

Last edited: Monday, Jul 4, 2022