Elasticsearch & Audit

It is possible to deploy Immuta without the use of cloud provided managed services by using enterprise-ready tools for Kubernetes.

This article describes deploying an Elasticsearch cluster in the Immuta installation namespace and pointing the Immuta application at this cluster for deployment.

Deploying ECK

This section relies heavily on the Elasticsearch official guides found at the link below

Install ECK using the YAML manifests | Elastic Docswww.elastic.co

Install CRDs and Operator

kubectl create -f https://download.elastic.co/downloads/eck/3.3.0/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/3.3.0/operator.yaml

If you are upgrading an existing ECK installation, use kubectl replace instead of kubectl create for the CRDs, as create will fail on resources that already exist:

kubectl replace -f https://download.elastic.co/downloads/eck/3.3.0/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/3.3.0/operator.yaml

Deploy an Elasticsearch cluster

Elasticsearch requires the kernel setting vm.max_map_count to be at least 262144. Most Kubernetes distributions (including AKS) default to 65530. The manifest below includes a privileged init container that sets this value before Elasticsearch starts. If your nodes already have this configured (e.g., via a DaemonSet or node pool setting), you can remove the podTemplate section.

cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: immuta-elasticsearch
  namespace: immuta
spec:
  version: 9.3.0
  volumeClaimDeletePolicy: DeleteOnScaledownOnly
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: default
    count: 1
    podTemplate:
      spec:
        initContainers:
        - name: sysctl
          securityContext:
            privileged: true
            runAsUser: 0
          command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 200Gi
EOF

Verifying cluster health

kubectl get -n immuta elasticsearch
NAME                   HEALTH   NODES   VERSION   PHASE   AGE
immuta-elasticsearch   green   1       9.3.0    Ready   18m

Validate Connectivity

PASSWORD=$(kubectl get -n immuta secret immuta-elasticsearch-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')

Forward the port in a separate terminal

kubectl port-forward -n immuta service/immuta-elasticsearch-es-http 9200

In the original terminal with the password set curl the endpoint

curl -u "elastic:$PASSWORD" -k "http://localhost:9200"
{
  "name" : "immuta-elasticsearch-es-default-0",
  "cluster_name" : "immuta-elasticsearch",
  "cluster_uuid" : "1shfTzp-SNG4QH5aZsme6g",
  "version" : {
    "number" : "9.3.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "17b451d8979a29e31935fe1eb901310350b30e62",
    "build_date" : "2026-01-29T10:05:46.708397977Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.2",
    "minimum_wire_compatibility_version" : "8.19.0",
    "minimum_index_compatibility_version" : "8.0.0"
  },
  "tagline" : "You Know, for Search"
}

Immuta Helm Values

Use the following audit configuration in your Immuta Helm values to connect to the in-cluster ECK deployment. The elastic user password is stored in the secret created automatically by ECK.

PASSWORD=$(kubectl get -n immuta secret immuta-elasticsearch-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
echo $PASSWORD

audit:
  config:
    elasticsearchEndpoint: http://immuta-elasticsearch-es-http.immuta.svc.cluster.local:9200
    elasticsearchUsername: elastic
    elasticsearchPassword: <password-from-secret-above>
  postgresql:
    database: immuta

PreviousTemporal with Amazon RDS NextOpenSearch User Permissions

Last updated 29 days ago

hashtagDeploying ECK

hashtagInstall CRDs and Operator

hashtagDeploy an Elasticsearch cluster

hashtagVerifying cluster health

hashtagValidate Connectivity