K3s Deployment

This is a generic guide that demonstrates how to deploy Immuta into K3s without dependencies on any particular cloud provider. Advanced Kubernetes expertise is required; therefore, it is not suitable for beginners.

For the official Immuta self-managed deployment documentation, see Install Immuta.

Considerations

This guide deploys PostgreSQL and Elasticsearch in-cluster using enterprise-ready operators:

CloudNativePG (PostgreSQL)
Elastic Cloud on Kubernetes (ECK) (Elasticsearch)

Running stateful workloads in Kubernetes requires operational investment in backups, monitoring, and high availability. Where available, cloud-managed databases can reduce this overhead.

Prerequisites

Checklist

This checklist outlines the necessary prerequisites for successfully deploying Immuta.

Credentials

You have credentials (username and token) for the ocir.immuta.com OCI registry.

Setup

Helm

Authenticate with OCI registry

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Kubernetes

Creating a dedicated namespace ensures a logically isolated environment for your Immuta deployment, preventing resource conflicts with other applications.

Create namespace

Create a Kubernetes namespace named immuta.
```
kubectl create namespace immuta
```
Switch to namespace immuta. All subsequent kubectl commands will default to this namespace.
```
kubectl config set-context --current --namespace=immuta
```

Create registry secret

Create a container registry pull secret using your ocir.immuta.com credentials.

kubectl create secret docker-registry immuta-oci-registry \
    --docker-server=https://ocir.immuta.com \
    --docker-username="<username>" \
    --docker-password="<token>" \
    [email protected]

Elasticsearch

Elasticsearch & Audit

PostgreSQL

Configure databases

After the CNPG cluster is healthy, configure the temporal and temporal_visibility databases:

Grant schema permissions on the temporal database.

kubectl exec -n immuta immuta-postgresql-1 -- \
    psql -U postgres -d temporal -c "GRANT CREATE ON SCHEMA public TO immuta;"

Grant schema permissions and create the btree_gin extension on the temporal_visibility database.

kubectl exec -n immuta immuta-postgresql-1 -- \
    psql -U postgres -d temporal_visibility \
    -c "GRANT CREATE ON SCHEMA public TO immuta;" \
    -c "CREATE EXTENSION IF NOT EXISTS btree_gin;"

Retrieve database credentials

The immuta user password is auto-generated by CloudNativePG and stored in a Kubernetes secret.

PG_PASSWORD=$(kubectl get -n immuta secret immuta-postgresql-app \
    -o go-template='{{.data.password | base64decode}}')

Similarly, retrieve the Elasticsearch elastic user password:

ES_PASSWORD=$(kubectl get -n immuta secret immuta-elasticsearch-es-elastic-user \
    -o go-template='{{.data.elastic | base64decode}}')

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite services are configured.

immuta-values.yaml

global:
  imageRegistry: ocir.immuta.com
  imagePullSecrets:
    - name: immuta-oci-registry
  postgresql:
    host: immuta-postgresql-rw.immuta.svc.cluster.local
    port: 5432
    username: immuta
    password: <password-from-cnpg-secret>
    ssl: true

audit:
  enabled: true
  config:
    elasticsearchEndpoint: http://immuta-elasticsearch-es-http.immuta.svc.cluster.local:9200
    elasticsearchUsername: elastic
    elasticsearchPassword: <password-from-eck-secret>
  postgresql:
    database: immuta

secure:
  postgresql:
    database: immuta
  ingress:
    hostname: <your-hostname>
    annotations:
      traefik.ingress.kubernetes.io/router.tls: "true"
    tls: true
    # If left unset the TLS secret name defaults to <hostname>-tls
    secretName: <secret-name>

temporal:
  enabled: true
  schema:
    createDatabase:
      enabled: false
  server:
    config:
      persistence:
        default:
          sql:
            database: temporal
        visibility:
          sql:
            database: temporal_visibility

Create a file named immuta-values.yaml with the above content, replacing <password-from-cnpg-secret> and <password-from-eck-secret> with the values retrieved in the previous step.

Deploy Immuta.

helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \
    --values immuta-values.yaml \
    --version 2026.1.0 \
    --timeout 10m --wait

Wait for all pods to become ready.

kubectl wait --for=condition=Ready pods --all

Validation

This section helps you validate your Immuta installation by temporarily accessing the application locally. However, this access is limited to your own computer. To enable access for other devices, you must configure Ingress for your environment.

Determine the name of the Secure service.

kubectl get service --selector "app.kubernetes.io/component=secure" --output name

Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.
```
kubectl port-forward <service-name> 8080:http
```
In a web browser, navigate to localhost:8080, to ensure the Immuta application loads.
Press Control+C to stop port forwarding.

Next step

Configure TLS certificates for K3s.

PreviousAzure Deployment (AKS)NextSUSE Rancher (RKE2) Deployment

Last updated 26 days ago

hashtagConsiderations

hashtagPrerequisites

hashtagChecklist

hashtagCredentials

hashtagSetup

hashtagHelm

hashtagAuthenticate with OCI registry

hashtagKubernetes

hashtagCreate namespace

hashtagCreate registry secret

hashtagElasticsearch

hashtagElasticsearch & Audit

hashtagPostgreSQL

hashtagPostgreSQL

hashtagConfigure databases

hashtagRetrieve database credentials

hashtagInstall Immuta

hashtagValidation

hashtagNext step

Considerations

Prerequisites

Checklist

Credentials

Setup

Helm

Authenticate with OCI registry

Kubernetes

Create namespace

Create registry secret

Elasticsearch

Elasticsearch & Audit

PostgreSQL

PostgreSQL

Configure databases

Retrieve database credentials

Install Immuta

Validation

Next step