Backup and restore with Rancher Backup Operator
The rancher-backup operator can be used to back up and restore Rancher on any
Kubernetes cluster.
Since version v9.0.0, rancher-backup has support for SUSE Security Admission Controller. This
includes:
- The default Rancher Namespace cattle-kubewarden-system (or cattle-kubewarden-*), and the default Admission Controller Namespace kubewarden.
- Admission Controller needed resources are installed via the Helm charts.
- Admission Controller CRDs, which get reconciled after restore by the Admission Controller controller.
- The policy-reporter subchart of the kubewarden-controller chart, for their default values. This doesn’t include the Grafana integration nor other plugins.
User Secrets
The backup process doesn’t include user-created Secrets such as those used to configure PolicyServers for private registries, unless they are correctly labeled. For that, label the secrets in one of the following ways. Either:
kubectl label secret secret-ghcr-docker app.kubernetes.io/part-of=kubewarden
Or:
kubectl label secret secret-ghcr-docker resources.cattle.io/backup=true
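A pre-backup check for the labeling rule above, as an added example that is not part of rancher-backup or the Admission Controller charts. It reads the PolicyServer spec.imagePullSecret field from parsed `kubectl get policyservers -o json` and `kubectl get secrets -n kubewarden -o json` output; the kubewarden Namespace default, the helper names and the sample data are assumptions constructed for illustration.

```python
# Added example: flag PolicyServer pull Secrets the backup would skip.
# Labels that, per this page, put a user-created Secret into the backup.
BACKUP_LABELS = {
    "app.kubernetes.io/part-of": "kubewarden",
    "resources.cattle.io/backup": "true",
}

def is_backed_up(secret):
    """True if the Secret carries at least one of the two backup labels."""
    labels = secret["metadata"].get("labels") or {}
    return any(labels.get(k) == v for k, v in BACKUP_LABELS.items())

def unlabeled_pull_secrets(policyservers, secrets, namespace="kubewarden"):
    """Map each referenced Secret that is absent or unlabeled to the
    PolicyServers that use it. Inputs are parsed `kubectl get ... -o json`
    lists. Assumption: pull Secrets live in `namespace`."""
    by_name = {s["metadata"]["name"]: s for s in secrets["items"]
               if s["metadata"].get("namespace") == namespace}
    at_risk = {}
    for ps in policyservers["items"]:
        ref = ps.get("spec", {}).get("imagePullSecret")
        if ref and (ref not in by_name or not is_backed_up(by_name[ref])):
            at_risk.setdefault(ref, []).append(ps["metadata"]["name"])
    return at_risk

def make_secret(name, labels=None):
    return {"metadata": {"name": name, "namespace": "kubewarden", "labels": labels}}

def make_ps(name, pull_secret=None):
    spec = {"imagePullSecret": pull_secret} if pull_secret else {}
    return {"metadata": {"name": name}, "spec": spec}

# Constructed sample data standing in for kubectl output.
SAMPLE_POLICYSERVERS = {"items": [
    make_ps("default"),
    make_ps("private-a", "secret-ghcr-docker"),
    make_ps("private-b", "secret-ghcr-docker"),
    make_ps("private-c", "secret-quay"),
]}
SAMPLE_SECRETS = {"items": [
    make_secret("secret-ghcr-docker"),
    make_secret("secret-quay", {"resources.cattle.io/backup": "true"}),
]}

if __name__ == "__main__":
    for name, users in unlabeled_pull_secrets(SAMPLE_POLICYSERVERS, SAMPLE_SECRETS).items():
        print(f"kubectl label secret {name} resources.cattle.io/backup=true"
              f"  # used by {', '.join(users)}")
```

Run it before creating the Backup resource; any Secret it reports would be missing after a restore, leaving the affected PolicyServers unable to pull from their private registry.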
Installing Rancher Backup Operator
Follow the Rancher Manager documentation. For a Minikube install, you can use
the PersistentVolumes of type hostPath named standard that Minikube supports
out of the box.
You need to instruct the Backup Operator to also back up Admission Controller
user-defined CRs by setting the value optionalResources.kubewarden.enabled to
true.
The installation would be as follows:
helm repo add rancher-charts https://charts.rancher.io
helm repo update
helm install --wait --create-namespace -n cattle-resources-system \
  rancher-backup-crd rancher-charts/rancher-backup-crd
helm install --wait -n cattle-resources-system \
  rancher-backup rancher-charts/rancher-backup \
  --set persistence.enabled=true --set persistence.storageClass=standard \
  --set optionalResources.kubewarden.enabled=true
Backup
Use the rancher-resource-set-full to back up the Admission Controller Secrets.
These include the TLS Secrets that get created on Helm installation.
If you prefer to use rancher-resource-basic, please remember to back up or
manually create the needed TLS Secrets.
Here is an example of performing an unencrypted backup to the default location
with the rancher-resource-set-full:
kubectl apply -f - <<EOF
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
  name: default-location-backup
spec:
  resourceSetName: rancher-resource-set-full
EOF
backup.resources.cattle.io/default-location-backup created
The rancher-backup logs, or the Backup resource itself, show the creation of the backup file:
kubectl logs -n cattle-resources-system -l app.kubernetes.io/name=rancher-backup -f
...
INFO[2025/06/26 10:07:48] Processing backup default-location-backup
INFO[2025/06/26 10:07:48] For backup CR default-location-backup, filename: default-location-backup-32d64f39-d3c7-4331-9101-8ca493bd9d2e-2025-06-26T10-07-48Z
...
INFO[2025/06/26 10:07:49] Done with backup
You can also see its status by describing the resource:
kubectl get backups
NAME LOCATION TYPE LATEST-BACKUP RESOURCESET AGE STATUS
default-location-backup PV One-time default-location-backup-43f3ccb7-5624-4eed-9c3b-1c15d287080e-2025-06-26T15-53-27Z.tar.gz rancher-resource-set-full 111s Completed
See the Rancher documentation for more backup examples.
Restore
To restore the unencrypted backup from the default location, create a Restore resource using the filename shown in the LATEST-BACKUP column when displaying the backup resource:
kubectl apply -f - <<EOF
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
  name: restore-default
spec:
  backupFilename: default-location-backup-32d64f39-d3c7-4331-9101-8ca493bd9d2e-2025-06-26T10-07-48Z.tar.gz
EOF
restore.resources.cattle.io/restore-default created
kubectl get restores
NAME BACKUP-SOURCE BACKUP-FILE AGE STATUS
restore-default PV default-location-backup-43f3ccb7-5624-4eed-9c3b-1c15d287080e-2025-06-26T15-53-27Z.tar.gz 6s Completed
See the Rancher documentation for more restore examples.