Amazon Elastic Kubernetes Service (EKS)
Google Kubernetes Engine (GKE)
Microsoft Azure Kubernetes Service (AKS)
Your guide to discovering, securing, and monitoring your data with Immuta.
This section illustrates how to install Immuta on Kubernetes using the Immuta Enterprise Helm chart.
This how-to guide includes instructions and links for installing Immuta in any Kubernetes environment.
This reference guide provides an overview of the Immuta Enterprise Helm chart version requirements and infrastructure recommendations.
The guides in this section illustrate how to configure your Immuta Enterprise Helm chart for various scenarios, including optimizing your deployment for production environments.
The guides in this section illustrate how to upgrade the Immuta Enterprise Helm chart:
This guide provides links to additional resources for disaster recovery strategies.
This page provides troubleshooting guidance and outlines frequently asked questions for the Immuta installation.
This guide outlines the updates and bug fixes to the Immuta Enterprise Helm chart.
Immuta helps you achieve the following outcomes in your data platform:
Immuta provides three modules to create a full data security platform suite.
Discover sensitive data from millions of fields without manual effort. With over 60 pre-built and domain-specific identifiers, you can tailor data classification to your unique business needs based on your desired confidence level.
Leverage timely insights into data access and user activity with anomaly indicators for faster analysis and proactive actions.
Immuta’s attribute-based access control (ABAC) delivers scalable data access without role explosion, and dynamic data masking ensures the right users can access the right data.
The guides in this section illustrate how to install and deploy Immuta in your Kubernetes environment. If your distribution is not listed below (such as or ), follow the generic installation instructions.
: This guide includes instructions for
: Upgrade from Immuta v2024.1.x or older to Immuta v2024.2 LTS.
: Upgrade from Immuta v2024.2 LTS or newer.
Simplify Operations: Immuta’s dynamic access control and policy management require 93x fewer data policies to manage access control in your data platform according to the . It is simple and scalable, which improves change management and lowers the total cost of ownership of cloud data management.
Improve data security: Immuta helps prove compliance with rules and regulations, even when securing hundreds of thousands of tables. An Immuta customer, , migrated all critical analytics workloads to the cloud in less than 12 months, including over 100 terabytes from more than 2,500 sources.
Unlock data’s value: Immuta helps organizations get access to more data 100x faster, which translates to improved productivity. An Immuta customer, enabled faster access to data, resulting in a 60x increase in data usage and greater productivity.
After , begin with . This section will guide you through Immuta configuration and leverage the capabilities of Immuta Discover to provide insights into where you have gaps in security and a complete understanding of your data ecosystem.
From there, you can move on to to mitigate (and constantly mitigate) those findings from Immuta Detect. This section includes three separate use cases, which are common across customers and include recommendations for how to best solve those use cases. Consult the use cases to determine which path is best for you.
This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
The following cloud-managed services must be provisioned before proceeding:
Helm chart availability
The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.
Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:
Create a Kubernetes namespace named immuta for Immuta.
Switch to namespace immuta.
Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.
Create an immuta role and database.
Revoke privileges from CURRENT_USER as they're no longer required.
Enable the pgcrypto extension.
Type \q, and then press Enter to exit.
This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.
Create a Helm values file named immuta-values.yaml with the following content:
Deploy Immuta.
Wait for all pods in the namespace to become ready.
Determine the name of the Secure service.
Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.
Immuta comprises three core services (Secure, Discover, and Detect) that rely on PostgreSQL and Elasticsearch to store their states. The illustration below shows the relationships among these services.
The Immuta Enterprise Helm chart (IEHC) (represented by the yellow box above) does not deploy PostgreSQL or Elasticsearch, so you must deploy and manage them separately.
Although Immuta recommends using Elasticsearch because it supports several new Immuta features and services, you can deploy Immuta without Elasticsearch. The table below outlines the Immuta features supported with and without Elasticsearch and the dependencies you must deploy and manage yourself.
Dependencies
Immuta Detect
Audit of Immuta and data platform events
Legacy audit
Immuta Monitors
Sensitive data discovery
For guidance on how to configure the IEHC to deploy Immuta with or without Elasticsearch, see one of the guides below:
Kubernetes 1.29 to 1.32
PostgreSQL incompatibilities
Immuta is not compatible with PostgreSQL abstraction layers, such as Amazon Aurora.
PostgreSQL 15.0 or newer
The pgcrypto extension must be enabled
Elasticsearch v7 API or newer
OpenSearch compatible with Elasticsearch v7 API or newer
cluster:monitor/health
indices:data/write/bulk*
indices:data/write/bulk
indices:data/read/search
indices:admin/exists
indices:admin/create
indices:admin/delete
indices:admin/settings/update
indices:admin/get
indices:data/write/delete/byquery
indices:data/write/index
indices:admin/mapping/put
indices:data/write/bulk
indices:data/write/bulk*
Redis 7.0 or newer
Memcached 1.6 or newer
Amazon Elastic Kubernetes Service (EKS)
AWS Load Balancer Controller
Azure Kubernetes Service (AKS)
Azure Application Gateway Ingress Controller
Google Kubernetes Engine (GKE)
GKE Ingress Controller
Red Hat OpenShift
OpenShift Ingress Operator
SUSE Rancher Government (RKE2)
Ingress NGINX Controller
SUSE K3s - For evaluation purposes only
Traefik
Some legacy services and features are no longer enabled in the recommended configuration of the IEHC. The table below lists these features and provides links to documentation that outlines how to enable them in Immuta.
Legacy audit
Set each of the following secure.extraEnvVars in your immuta-values.yaml file to false:
FeatureFlag_AuditService
FeatureFlag_detect
FeatureFlag_auditLegacyViewHide
Legacy sensitive data discovery
Data platforms
Amazon Redshift
Azure Synapse Analytics
Google BigQuery
Policies
Masking with format preserving masking (unless using the Snowflake integration)
Masking with k-anonymization
Masking using randomized response (unless using the Snowflake integration)
Use a supported version of Kubernetes.
Use Helm 3.2.0 or newer. (When using a Helm version older than 3.8.0, enable OCI experimental mode by exporting environment variable HELM_EXPERIMENTAL_OCI=1.)
Copy the snippet below and replace the placeholder text with the credentials provided to you by your Immuta support professional:
This page provides one possible way to download and package Immuta artifacts for consumption on a separate network with no Internet access.
Copy the snippet below and replace the placeholder text with the credentials provided by your Immuta representative:
Download the IEHC for the current Immuta release:
After transferring the Immuta container images and IEHC to your air-gapped network, load them into the container registry there after authenticating.
Override the image registry in the Helm chart values overrides:
The IEHC can be referenced via filename if there is no Helm chart repository on the destination network:
The PostgreSQL instance's hostname/FQDN is .
The PostgreSQL instance is .
The Elasticsearch instance's hostname/FQDN is .
The Elasticsearch instance is .
The user must have the .
Create a container registry pull secret. Your credentials to authenticate with ocir.immuta.com can be viewed in your user profile at .
Update all in the immuta-values.yaml file.
to complete your installation and access your Immuta application.
to secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
.
(Until October 2024)
For more information about legacy features and services no longer enabled in the recommended deployment of Immuta, see the .
The user provided during the install must have the following :
Follow OpenSearch documentation to and add permissions, or see the .
Follow the to install Immuta.
The instructions and how-to guides on this page illustrate how to install Immuta in your Kubernetes environment. If you are upgrading Immuta, navigate to the instead.
Deploy the services listed on the Deployment requirements guide. See the for guidance for specific cloud providers.
Grant to create Kubernetes resources in the cluster.
Consult the if unsure which Helm chart to use.
Immuta can be installed on any Kubernetes cluster. Select a guide below that corresponds to your Kubernetes distribution to install Immuta. If your distribution is not listed below (such as or ), follow the generic installation instructions:
: This guide includes instructions for
To complete your installation and access the Immuta application, .
The includes guidance for various scenarios you may encounter during and post-deployment. Below are several guides from that section that most customers follow to complete their deployment of Immuta, but none of these is a requirement for the Immuta installation to work.
: Secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
: Follow these best practices for configuring your deployment for a production environment.
: The Immuta Enterprise Helm chart manages its own Memcached deployment inside the cluster. However, you can opt to externalize the key-value cache post-installation.
The commands on this page copy the Immuta images from the registry to the local host and export to tarball using skopeo. Install skopeo by following the instructions in the .
The IMMUTA_LEGACY_IMAGES noted below are only required if the deployment still requires the . If not, those legacy images can be omitted.
Introduced in 2024.2, the Immuta Enterprise Helm chart (IEHC) is an entirely new Helm chart used to deploy Immuta. This section guides you through configuring the IEHC to finish and prepare your installation for a production environment.
Verify artifacts hosted on the ocir.immuta.com OCI registry.
Configure TLS termination for an Ingress resource.
Follow these best practices when deploying Immuta in your production environment.
Configure an external key-value cache (such as Redis or Memcached) with the Immuta Enterprise Helm chart.
Update the credentials referenced in the Immuta Enterprise Helm chart.
Enable these legacy services for your deployment if they are required for your business use case:
If you are using any of the data platforms below, you must enable the query engine:
Amazon Redshift
Azure Synapse Analytics
Google BigQuery
If you are using the legacy sensitive data discovery (SDD) feature, you must enable the query engine and fingerprint services.
Feature availability
The guides below outline how to deploy Immuta without Elasticsearch.
Edit immuta-values.yaml to include the following Helm values.
The Immuta web service listens on the following ports:
Edit the immuta-values.yaml file to include the following Helm values.
Edit immuta-values.yaml to include the following Helm values.
Create a file named frontendconfig.yaml with the following content.
Apply the FrontendConfig CRD.
Edit immuta-values.yaml to include the following Helm values.
Create a file named middleware.yaml with the following content.
Apply the Middleware CRD.
Edit immuta-values.yaml to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, ingress is set to false below.
Get the service name for Secure.
Apply the Route CRD.
This guide demonstrates how to upgrade Immuta. The Immuta Enterprise Helm chart (IEHC) shares the same version with the Immuta product, so upgrading the Immuta version entails upgrading the IEHC. Failure to upgrade the underlying Helm chart will lead to an unsupported configuration.
Helm chart deprecation notice
As of Immuta version 2024.2, the Immuta Helm chart (IHC) has been deprecated in favor of the IEHC. The immuta-values.yaml Helm values files are not cross-compatible.
Upgrade Immuta.
Introduced in 2024.2, the Immuta Enterprise Helm chart (IEHC) is an entirely new Helm chart used to deploy Immuta. Unlike the previous Immuta Helm chart (IHC), the IEHC shares the same version as the Immuta product. Each version of the chart supports a singular version of Immuta. Upgrading the Immuta version now entails upgrading the underlying Helm chart. Failure to do so will lead to an unsupported configuration.
Helm chart deprecation notice
As of Immuta version 2024.2, the IHC has been deprecated in favor of the IEHC. The immuta-values.yaml Helm values files are not cross-compatible.
This section provides upgrade guides for two scenarios:
The query engine and fingerprint services are no longer installed by default. This guide demonstrates how to enable the query engine and fingerprint services using the Immuta Enterprise Helm chart (IEHC).
If you are using any of the data platforms below, you must enable the query engine:
Amazon Redshift
Azure Synapse Analytics
Google BigQuery
If you are using the legacy sensitive data discovery (SDD) feature, you must enable the query engine and fingerprint services.
Validate that secret immuta-secret exists in the current namespace.
Create a file named secret-data.env with the following content.
Create secret named immuta-legacy-secret from file secret-data.env.
Delete file secret-data.env, as it's no longer needed.
Edit the immuta-values.yaml file to include the following Helm values.
This guide highlights best practices when deploying Immuta in a production environment.
Back up or source control your immuta-values.yaml Helm values file.
Edit immuta-values.yaml to include the following recommended resource requests and limits for most Immuta deployments.
Create a file named secret-data.env with the following content.
Create secret named immuta-secret from file secret-data.env.
Delete file secret-data.env, as it's no longer needed.
Edit immuta-values.yaml to include the following Helm values.
Remove any sensitive key-value pairs from the immuta-values.yaml Helm values that were made redundant after the secret was created.