1 of 100

2024.2

Immuta Documentation - 2024.2

Your guide to discovering, securing, and monitoring your data with Immuta.

What is Immuta?

Immuta helps you achieve the following outcomes in your data platform:

How does Immuta do it?

Immuta provides three modules to create a full data security platform suite.

Discover sensitive data from millions of fields without manual effort. With over 60 pre-built and domain-specific identifiers, you can tailor data classification to your unique business needs based on your desired confidence level.

Leverage timely insights into data access and user activity with anomaly indicators for faster analysis and proactive actions.

Immuta’s attribute-based access control (ABAC) delivers scalable data access without role explosion, and dynamic data masking ensures the right users can access the right data.

How to get started

Self-Managed Deployment

This section illustrates how to install Immuta on Kubernetes using the Immuta Enterprise Helm chart.

This how-to guide includes instructions and links for installing Immuta in any Kubernetes environment.

Requirements

This reference guide provides an overview of the Immuta Enterprise Helm chart version requirements and infrastructure recommendations.

Install

- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)

The guides in this section illustrate how to configure your Immuta Enterprise Helm chart for various scenarios, including optimizing your deployment for production environments.

Upgrade

The guides in this section illustrate how to upgrade the Immuta Enterprise Helm chart:

This guide provides links to additional resources for disaster recovery strategies.

This page provides troubleshooting guidance and outlines frequently asked questions for the Immuta installation.

This guide outlines the updates and bug fixes to the Immuta Enterprise Helm chart.

Getting Started

Prerequisites and requirements

Use a supported version of Kubernetes.
Use Helm 3.2.0 or newer (When using a Helm version older than 3.8.0, enable OCI experimental mode by exporting environment variable HELM_EXPERIMENTAL_OCI=1.)

Pull the Helm chart

ocir.immuta.com

Helm chart availability

The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.

Copy the snippet below and replace the placeholder text with the credentials provided to you by your Immuta support professional:

Install Immuta

- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)

Configure Ingress

Additional recommendations

Deployment Requirements

Immuta comprises three core services (Secure, Discover, and Detect) that rely on PostgreSQL and Elasticsearch to store their states. The illustration below shows the relationships among these services.

The Immuta Enterprise Helm chart (IEHC) (represented by the yellow box above) does not deploy PostgreSQL or Elasticsearch, so you must deploy and manage them separately.

Although Immuta recommends using Elasticsearch because it supports several new Immuta features and services, you can deploy Immuta without Elasticsearch. The table below outlines the Immuta features supported with and without Elasticsearch and the dependencies you must deploy and manage yourself.

Immuta with Elasticsearch

Immuta without Elasticsearch

Dependencies

Immuta Detect

Audit of Immuta and data platform events

Legacy audit

Immuta Monitors

Sensitive data discovery

For guidance on how to configure the IEHC to deploy Immuta with or without Elasticsearch, see one of the guides below:

Version requirements

Kubernetes versions

Kubernetes 1.29 to 1.32

Metadata database (PostgreSQL)

PostgreSQL incompatibilities

Immuta is not compatible with PostgreSQL abstraction layers, such as Amazon Aurora.

PostgreSQL 15.0 or newer
The pgcrypto extension must be enabled

Elasticsearch

Elasticsearch v7 API or newer
OpenSearch compatible with Elasticsearch v7 API or newer

OpenSearch user

cluster:monitor/health
indices:data/write/bulk*
indices:data/write/bulk
indices:data/read/search
indices:admin/exists
indices:admin/create
indices:admin/delete
indices:admin/settings/update
indices:admin/get
indices:data/write/delete/byquery
indices:data/write/index
indices:admin/mapping/put
indices:data/write/bulk
indices:data/write/bulk*

Cache (Redis/Memcached)

Built-in cache

The IEHC manages its own Memcached deployment inside the cluster. The key-value cache can optionally be externalized post installation.

Redis 7.0 or newer
Memcached 1.6 or newer

Infrastructure recommendations

Kubernetes distribution

Ingress

External metadata database

External Elasticsearch

Amazon Elastic Kubernetes Service (EKS)

AWS Load Balancer Controller

Azure Kubernetes Service (AKS)

Azure Application Gateway Ingress Controller

Google Kubernetes Engine (GKE)

GKE Ingress Controller

Red Hat OpenShift

OpenShift Ingress Operator

SUSE Rancher Government (RKE2)

Ingress NGINX Controller

SUSE K3s - For evaluation purposes only

Traefik

Legacy features and services

Some legacy services and features are no longer enabled in the recommended configuration of the IEHC. The table below lists these features and provides links to documentation that outlines how to enable them in Immuta.

Feature

Immuta Enterprise Helm chart configuration

Legacy audit

Set each of the following secure.extraEnvVars in your immuta-values.yaml file to false:

FeatureFlag_AuditService
FeatureFlag_detect
FeatureFlag_auditLegacyViewHide

Legacy sensitive data discovery

Data platforms

Amazon Redshift
Azure Synapse Analytics
Google BigQuery

Policies

Masking with format preserving masking (unless using the Snowflake integration)
Masking with k-anonymization
Masking using randomized response (unless using the Snowflake integration)

Next step

Install

- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)

Managed Public Cloud

This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:

Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)

Prerequisites

The following cloud-managed services must be provisioned before proceeding:

Validation

PostgreSQL

Elasticsearch

Authenticate with OCI registry

Helm chart availability

The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Setup

Create a Kubernetes namespace named immuta for Immuta.
```
kubectl create namespace immuta
```

Switch to namespace immuta.

kubectl config set-context --current --namespace=immuta

kubectl create secret docker-registry immuta-oci-registry \
    --docker-server=https://ocir.immuta.com \
    --docker-username="<username>" \
    --docker-password="<token>" \
    --docker-email=support@immuta.com

PostgreSQL

Connecting to the database

There are numerous ways to connect to a PostgreSQL database. This step demonstrates how to connect by creating an ephemeral Kubernetes pod.

Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.
```
kubectl run pgclient \
    --stdin \
    --tty \
    --rm \
    --image docker.io/bitnami/postgresql -- \
    psql --host <postgres-fqdn> --username postgres --port 5432 --password
```

Create an immuta role and database.

CREATE ROLE immuta with login encrypted password '<postgres-password>';

GRANT immuta TO CURRENT_USER;

CREATE DATABASE immuta OWNER immuta;

GRANT all ON DATABASE immuta TO immuta;
ALTER ROLE immuta SET search_path TO bometadata,public;

Revoke privileges from CURRENT_USER as they're no longer required.
```
REVOKE immuta FROM CURRENT_USER;
```
Enable the pgcrypto extension.
```
\c immuta
CREATE EXTENSION pgcrypto;
```
Type \q, and then press Enter to exit.

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

Create a Helm values file named immuta-values.yaml with the following content:

global:
  imageRegistry: ocir.immuta.com
  imagePullSecrets:
    - name: immuta-oci-registry
  imageRepositoryMap:
    immuta/immuta-service: stable/immuta-service
    immuta/immuta-db: stable/immuta-db
    immuta/immuta-fingerprint: stable/immuta-fingerprint
    immuta/audit-service: stable/audit-service
    immuta/audit-export-cronjob: stable/audit-export-cronjob
    immuta/classify-service: stable/classify-service
    immuta/cache: stable/cache

audit:
  config:
    databaseConnectionString: postgres://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit
    elasticsearchEndpoint: <elasticsearch-endpoint>
    elasticsearchUsername: <elasticsearch-username>
    elasticsearchPassword: <elasticsearch-password>

secure:
  ingress:
    enabled: false
    tls: false
  extraEnvVars:
    - name: FeatureFlag_AuditService
      value: "true"
    - name: FeatureFlag_detect
      value: "true"
    - name: FeatureFlag_auditLegacyViewHide
      value: "true"

  postgresql:
    host: <postgres-fqdn>
    port: 5432
    database: immuta
    username: immuta
    password: <postgres-password>
    ssl: true

Deploy Immuta.

helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \
    --values immuta-values.yaml \
    --version 2024.2.16

Validation

Wait for all pods in the namespace to become ready.
```
kubectl wait --for=condition=Ready pods --all
```

Determine the name of the Secure service.

kubectl get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'

Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.
```
kubectl port-forward service/<name> 8080:http
```

Next steps

Immuta in an Air-Gapped Environment

This page provides one possible way to download and package Immuta artifacts for consumption on a separate network with no Internet access.

Install Skopeo

Authenticate Skopeo to the Immuta registry

Copy the snippet below and replace the placeholder text with the credentials provided by your Immuta representative:

Copy images from the Immuta registry

Pull the Immuta Enterprise Helm chart (IEHC)

Copy the snippet below and replace the placeholder text with the credentials provided by your Immuta representative:
Download the IEHC for the current Immuta release:

Push images to the private registry

After transferring the Immuta container images and IEHC to your air-gapped network, load them into the container registry there after authenticating.

Install from IEHC tarball

Override the image registry in the Helm chart values overrides:

The IEHC can be referenced via filename if there is no Helm chart repository on the destination network:

Deploy Immuta without Elasticsearch

Feature availability

The guides below outline how to deploy Immuta without Elasticsearch.

Configure

Introduced in 2024.2, the Immuta Enterprise Helm chart (IEHC) is an entirely new Helm chart used to deploy Immuta. This section guides you through configuring the IEHC to finish and prepare your installation for a production environment.

Verify artifacts hosted on the ocir.immuta.com OCI registry.

Configure TLS termination for an Ingress resource.

Follow these best practices when deploying Immuta in your production environment.

Configure an external key-value cache (such as Redis or Memcached) with the Immuta Enterprise Helm chart.

Update the credentials referenced in the Immuta Enterprise Helm chart.

Enable these legacy services for your deployment if they are required for your business use case:

If you are using any of the data platforms below, you must enable the query engine:
- Amazon Redshift
- Azure Synapse Analytics
- Google BigQuery
If you are using the legacy sensitive data discovery (SDD) feature, you must enable the query engine and fingerprint services.

Ingress Configuration

Kubernetes namespace

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace immuta and that the current namespace is immuta.

The Immuta web service listens on the following ports:

Ingress hostname

This is the fully qualified domain name (FQDN) as defined by RFC 3986 used to access the Immuta UI. If a FQDN has yet to be determined set Secure's ingress hostname to immuta.local.

Edit the immuta-values.yaml file to include the following Helm values.

Edit immuta-values.yaml to include the following Helm values.
Create a file named frontendconfig.yaml with the following content.
Apply the FrontendConfig CRD.

Edit immuta-values.yaml to include the following Helm values.

Edit immuta-values.yaml to include the following Helm values.

Edit immuta-values.yaml to include the following Helm values.
Create a file named middleware.yaml with the following content.
Apply the Middleware CRD.

Edit immuta-values.yaml to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, ingress is set to false below.
Get the service name for Secure.
Apply the Route CRD.

Cosign Verification

Cosign installation

Verify

Create a file named immuta-cosign.pub with the following content:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIGUDdu5dgqxQTlbNt0bCIl+zCN65
JC/PmmaC08Eb/UbpkSDmcn/t9Jh+w6Chwkkcp1olcOS1BqCaWrbtViu6Xg==
-----END PUBLIC KEY-----

Verify artifact signature.

cosign verify \
    --key ./immuta-cosign.pub \
    ocir.immuta.com/stable/<artifact-name>:2024.2.16

Frequently asked question

How can I list all container images referenced in the IEHC?

Yq installation

List all container images by rendering the chart templates locally.

helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
    --values immuta-values.yaml \
    --version 2024.2.16 \
| yq '..|.image? | select(.)' | sort -u

TLS Configuration

Kubernetes namespace

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace immuta and that the current namespace is immuta.