# Requirements
Immuta comprises three core services: Secure, Discover, and Detect. These services rely on PostgreSQL and Elasticsearch to store their states, a caching layer, and Temporal for job execution. The illustration below shows the relationships among these services.
The Immuta Enterprise Helm chart (IEHC) does not include the deployment of PostgreSQL or Elasticsearch, so you must deploy them separately.
Although Immuta recommends using Elasticsearch because it supports all audit events, you can deploy Immuta without Elasticsearch. The table below outlines the Immuta features supported with and without Elasticsearch and the dependencies you must deploy and manage yourself.
| | Immuta with Elasticsearch | Immuta without Elasticsearch |
| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| Dependencies |
| [Externalized PostgreSQL](#metadata-database-postgresql) |
| Immuta Detect | :white\_check\_mark: | :x: |
| Audit of Immuta and data platform events | :white\_check\_mark: | :x: |
| Legacy audit | :white\_check\_mark: ([Disabled by default, but can be enabled](#legacy-features-and-services)) | :white\_check\_mark: (Until October 2024) |
| Immuta Monitors | :white\_check\_mark: | :x: |
| Sensitive data discovery | :white\_check\_mark: | :white\_check\_mark: |
For more information about legacy features and services no longer enabled in the recommended deployment of Immuta, see the [Legacy features and services section](#legacy-features-and-services).
## Version requirements
### Kubernetes versions
* Kubernetes 1.29 to 1.32
### Metadata database (PostgreSQL)
{% hint style="danger" %}
**PostgreSQL incompatibilities**
Immuta is not compatible with PostgreSQL abstraction layers, such as Amazon Aurora.
{% endhint %}
* PostgreSQL 15.0 or newer
* The `pgcrypto`, `btree_gin` extensions must be enabled
### Elasticsearch
* Elasticsearch v7 API or newer
* AWS OpenSearch Service compatible with Elasticsearch v7 API or newer
* AWS OpenSearch Serverless is not supported
#### OpenSearch user
The user provided during the install must have the following [permissions](https://opensearch.org/docs/latest/security/access-control/permissions/):
* cluster:monitor/health
* indices:data/write/bulk\*
* indices:data/write/bulk
* indices:data/read/search
* indices:admin/exists
* indices:admin/create
* indices:admin/delete
* indices:admin/settings/update
* indices:admin/get
* indices:data/write/delete/byquery
* indices:data/write/index
* indices:admin/mapping/put
* indices:data/write/bulk
* indices:data/write/bulk\*
Follow OpenSearch documentation to [create the user](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomains) and add permissions.
### Cache (Redis/Memcached)
{% hint style="info" %}
**Built-in cache**
The IEHC manages its own Memcached deployment inside the cluster. The key-value cache can optionally be externalized post installation.
{% endhint %}
* Redis 7.0 or newer
* Memcached 1.6 or newer
### Temporal
{% hint style="info" %}
Built-in Temporal server
The IEHC deploys a Temporal server and its requisite components. However, you may choose to use your own Temporal instance.
{% endhint %}
* Temporal 1.24.2 or newer
## Infrastructure recommendations
### Legacy features and services
Some legacy services and features are no longer enabled in the recommended configuration of the IEHC. The table below lists these features and provides links to documentation that outlines how to enable them in Immuta.
| Feature | Immuta Enterprise Helm chart configuration |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Legacy audit |
Set each of the following global.featureFlags in your immuta-values.yaml file to false:
AuditService
detect
auditLegacyViewHide
|
| Legacy conditional tags | Set the following `global.featureFlags` in your `immuta-values.yaml` file to `false`: `DiscoverDeprecateLegacyTags` |
| Legacy sensitive data discovery | [Enable the query engine and fingerprint services](https://documentation.immuta.com/2024.3/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint) |
|
| [Enable the query engine](https://documentation.immuta.com/2024.3/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint) |
|
Policies
Masking with format preserving masking (unless using the Snowflake integration)
Masking with k-anonymization
Masking using randomized response (unless using the Snowflake integration)
| [Enable the query engine and fingerprint services](https://documentation.immuta.com/2024.3/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint) |
[^1]: Cloud-managed PostgreSQL, such as Amazon RDS, Azure Database for PostgreSQL, or Google Cloud SQL for PostgreSQL, is recommended when running Kubernetes in cloud environments.
[^2]: Cloud-managed Elasticsearch, such as Amazon OpenSearch, or Elastic Cloud, is recommended when running Kubernetes in cloud environments.
[^3]: Cloud-managed Redis/Memcached, such as Amazon ElastiCache, Azure Cache, or Google Cloud Memorystore, is recommended when running Kubernetes in cloud environments.
