Requirements

Immuta comprises three core services: Secure, Discover, and Detect. These services rely on PostgreSQL and Elasticsearch to store their states, a caching layer, and Temporal for job execution. The illustration below shows the relationships among these services.

The Immuta Enterprise Helm chart (IEHC) does not include the deployment of PostgreSQL or Elasticsearch, so you must deploy them separately.

Although Immuta recommends using Elasticsearch because it supports several new Immuta features and services, you can deploy Immuta without Elasticsearch. The table below outlines the Immuta features supported with and without Elasticsearch and the dependencies you must deploy and manage yourself.

Immuta with Elasticsearch
Immuta without Elasticsearch

Immuta Detect

Audit of Immuta and data platform events

Legacy audit

(Until October 2024)

Immuta Monitors

Sensitive data discovery

For more information about legacy features and services no longer enabled in the recommended deployment of Immuta, see the Legacy features and services section.

Version requirements

Kubernetes versions

  • Kubernetes 1.29 to 1.32

Metadata database (PostgreSQL)

  • PostgreSQL 15.0 or newer

  • The pgcrypto, btree_gin extensions must be enabled

Elasticsearch

  • Elasticsearch v7 API or newer

  • OpenSearch compatible with Elasticsearch v7 API or newer

OpenSearch user

The user provided during the install must have the following permissions:

  • cluster:monitor/health

  • indices:data/write/bulk*

  • indices:data/write/bulk

  • indices:data/read/search

  • indices:admin/exists

  • indices:admin/create

  • indices:admin/delete

  • indices:admin/settings/update

  • indices:admin/get

  • indices:data/write/delete/byquery

  • indices:data/write/index

  • indices:admin/mapping/put

  • indices:data/write/bulk

  • indices:data/write/bulk*

Follow OpenSearch documentation to create the user and add permissions, or see the Setting up OpenSearch permissions knowledge base article.

Cache (Redis/Memcached)

Built-in cache

The IEHC manages its own Memcached deployment inside the cluster. The key-value cache can optionally be externalized post installation.

  • Redis 7.0 or newer

  • Memcached 1.6 or newer

Temporal

Built-in Temporal server

The IEHC deploys a Temporal server and its requisite components. However, you may choose to use your own Temporal instance.

  • Temporal 1.24.2 or newer

Infrastructure recommendations

Kubernetes distribution
Ingress
External metadata database
External Elasticsearch

Amazon Elastic Kubernetes Service (EKS)

AWS Load Balancer Controller

Azure Kubernetes Service (AKS)

Azure Application Gateway Ingress Controller

Google Kubernetes Engine (GKE)

GKE Ingress Controller

Red Hat OpenShift

OpenShift Ingress Operator

Legacy features and services

Some legacy services and features are no longer enabled in the recommended configuration of the IEHC. The table below lists these features and provides links to documentation that outlines how to enable them in Immuta.

Feature
Immuta Enterprise Helm chart configuration

Legacy audit

Set each of the following global.featureFlags in your immuta-values.yaml file to false:

  • AuditService

  • detect

  • auditLegacyViewHide

Legacy conditional tags

Set the following global.featureFlags in your immuta-values.yaml file to false: DiscoverDeprecateLegacyTags

Data platforms

Policies

  • Masking with format preserving masking (unless using the Snowflake integration)

  • Masking with k-anonymization

  • Masking using randomized response (unless using the Snowflake integration)

Last updated

Was this helpful?