Deploying PDP
After successfully deploying the Permit Platform on-premise, you can deploy additional Policy Decision Points (PDPs) to handle authorization decisions in your environment.
Prerequisites
- Permit Platform on-premise installation completed
- Access to the deployed permit-backend-v2 service
- PDP API key from your Permit workspace
- Helm 3.x installed
Installation
The PDP can be deployed using the official Helm chart from the Permit.io PDP repository.
Add the PDP Helm Repository
helm repo add pdp https://permitio.github.io/PDP/
helm repo update
Deploy PDP
- OpenShift/ROSA
- Standard Kubernetes
For OpenShift deployments, you need to enable OpenShift-specific configurations:
helm install pdp pdp/pdp \
--set openshift.enabled=true \
--set pdp.ApiKey="<YOUR_API_TOKEN>" \
--set "pdp.pdpEnvs[0].name=PDP_CONTROL_PLANE" \
--set "pdp.pdpEnvs[0].value=http://permit-backend-v2:8000" \
--namespace permit-platform
For standard Kubernetes deployments:
helm install pdp pdp/pdp \
--set pdp.ApiKey="<YOUR_API_TOKEN>" \
--set "pdp.pdpEnvs[0].name=PDP_CONTROL_PLANE" \
--set "pdp.pdpEnvs[0].value=http://permit-backend-v2:8000" \
--namespace permit-platform
Configuration Parameters
| Parameter | Description | Required |
|---|---|---|
| pdp.ApiKey | Your PDP API token from Permit.io | ✅ Yes |
| openshift.enabled | Enable OpenShift-specific configurations | ✅ Yes (for OpenShift) |
| pdp.pdpEnvs[0].name | Environment variable name for control plane | ✅ Yes |
| pdp.pdpEnvs[0].value | URL of your on-premise backend service | ✅ Yes |
Advanced Configuration
Custom Resource Allocation
You can customize resource requests and limits:
helm install pdp pdp/pdp \
--set openshift.enabled=true \
--set pdp.ApiKey="<YOUR_API_TOKEN>" \
--set "pdp.pdpEnvs[0].name=PDP_CONTROL_PLANE" \
--set "pdp.pdpEnvs[0].value=http://permit-backend-v2:8000" \
--set pdp.resources.requests.cpu="512m" \
--set pdp.resources.requests.memory="1Gi" \
--set pdp.resources.limits.memory="2Gi" \
--namespace permit-platform
Multiple Replicas
For high availability, deploy multiple PDP replicas:
helm install pdp pdp/pdp \
--set openshift.enabled=true \
--set pdp.ApiKey="<YOUR_API_TOKEN>" \
--set "pdp.pdpEnvs[0].name=PDP_CONTROL_PLANE" \
--set "pdp.pdpEnvs[0].value=http://permit-backend-v2:8000" \
--set pdp.replicaCount=3 \
--namespace permit-platform
Additional Environment Variables
You can add custom environment variables for logging or debugging:
helm install pdp pdp/pdp \
--set openshift.enabled=true \
--set pdp.ApiKey="<YOUR_API_TOKEN>" \
--set "pdp.pdpEnvs[0].name=PDP_CONTROL_PLANE" \
--set "pdp.pdpEnvs[0].value=http://permit-backend-v2:8000" \
--set "pdp.pdpEnvs[1].name=PDP_LOG_LEVEL" \
--set "pdp.pdpEnvs[1].value=DEBUG" \
--namespace permit-platform
Verification
After deployment, verify the PDP is running correctly:
Check Pod Status
kubectl get pods -n permit-platform | grep pdp
You should see output similar to:
permitio-pdp-7597689658-95ntd 1/1 Running 0 2m
Check PDP Health
kubectl port-forward svc/permitio-pdp 7766:7766 -n permit-platform
Then test the health endpoint:
curl http://localhost:7766/health
Check Logs
kubectl logs -f deployment/permitio-pdp -n permit-platform
Look for successful connection messages to the control plane.
Service Access
The PDP service is available within the cluster at:
- Service Name: permitio-pdp
- Port: 7766
- Namespace: permit-platform
Integration with Applications
Your applications can now make authorization requests to the PDP service:
# Example authorization request
curl -X POST http://permitio-pdp:7766/allowed \
-H "Content-Type: application/json" \
-d '{
"user": "user@example.com",
"action": "read",
"resource": "document:123"
}'
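The request above wrapped in a fail-closed client check, as an added example that is not part of the original page or of Permit's SDK: anything other than HTTP 200 with a JSON `allow` of `true` is treated as a deny, including an unreachable PDP. The `allow` response field and the function names are assumptions; the URL and request fields are taken from the curl command.

```python
import http.client
import json
import urllib.error
import urllib.request

# Service name, port and path are the ones used in the curl request on this page.
PDP_URL = "http://permitio-pdp:7766/allowed"


def parse_decision(status, body):
    """Allow only on HTTP 200 with a JSON object whose "allow" is exactly true.

    The "allow" response field is an assumption; the page does not show a response.
    """
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False  # empty, truncated or non-JSON body
    return isinstance(doc, dict) and doc.get("allow") is True


def http_post(url, payload, timeout):
    """POST JSON and return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def is_allowed(user, action, resource, post=http_post, url=PDP_URL, timeout=2.0):
    """Ask the PDP for a decision; any transport failure or odd reply is a deny."""
    payload = {"user": user, "action": action, "resource": resource}
    try:
        status, body = post(url, payload, timeout)
    except (OSError, ValueError, http.client.HTTPException):
        return False  # PDP unreachable, timed out, or reply not valid HTTP
    return parse_decision(status, body)
```

The `post` parameter exists so the transport can be replaced in unit tests; production callers use the default.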
Troubleshooting
PDP Cannot Connect to Backend
If the PDP fails to connect to the control plane:
- Verify backend service: Ensure permit-backend-v2 is running and accessible
  kubectl get svc permit-backend-v2 -n permit-platform
- Check network connectivity: Test connection from PDP pod
  kubectl exec -it deployment/permitio-pdp -n permit-platform -- curl http://permit-backend-v2:8000/health
- Verify API key: Ensure the API key is valid and has the correct permissions
OpenShift Security Context Issues
If you encounter security context constraints issues on OpenShift:
- Check SCC: Verify the Security Context Constraint is applied
  oc get scc restricted-v2
- Check service account: Ensure the service account has the correct permissions
  kubectl get serviceaccount permitio-pdp-sa -n permit-platform
Resource Constraints
If the PDP pod is pending or crashing due to resource constraints:
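- Check resource requests: Verify cluster has sufficient resources
  kubectl describe nodes
- Adjust resource limits: Reduce resource requests if necessary. Pass --reuse-values so the API key and control plane settings from the original install are kept; without it, helm upgrade with --set resets every other value to the chart defaults.
  helm upgrade pdp pdp/pdp \
  --reuse-values \
  --set pdp.resources.requests.memory="512Mi" \
  --namespace permit-platform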