Documentation Index Fetch the complete documentation index at: https://mintlify.com/cerbos/cerbos/llms.txt
Use this file to discover all available pages before exploring further.
Cerbos provides official Docker images for easy deployment in containerized environments.
Docker Images Official Cerbos images are available on GitHub Container Registry:
Image : ghcr.io/cerbos/cerbosTags : Version tags (e.g., 0.52.0), latest, devArchitecture : AMD64 and ARM64
Quick Start Basic Container Run Cerbos with default configuration:
docker run -d \ --name cerbos \ -p 3592:3592 \ -p 3593:3593 \ ghcr.io/cerbos/cerbos:latest
With Custom Policies Mount a local policies directory:
docker run -d \ --name cerbos \ -p 3592:3592 \ -p 3593:3593 \ -v $( pwd ) /policies:/policies \ -e CERBOS_CONFIG=__default__ \ ghcr.io/cerbos/cerbos:latest
With Custom Configuration Mount a configuration file:
docker run -d \ --name cerbos \ -p 3592:3592 \ -p 3593:3593 \ -v $( pwd ) /config/.cerbos.yaml:/config/.cerbos.yaml \ ghcr.io/cerbos/cerbos:latest server --config=/config/.cerbos.yaml
Dockerfile Details The official Cerbos Dockerfile:
FROM alpine:3.16 AS base RUN apk add -U --no-cache ca-certificates && update-ca-certificates FROM scratch ARG TARGETPLATFORM EXPOSE 3592 3593 ENV CERBOS_CONFIG= "__default__" VOLUME [ "/policies" , "/tmp" , "/.cache" ] ENTRYpoint [ "/cerbos" ] CMD [ "server" ] HEALTHCHECK --interval=10s --timeout=2s --retries=2 CMD [ "/cerbos" , "healthcheck" ] COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY ${TARGETPLATFORM}/cerbos /cerbos
Key features:
Minimal scratch-based image for security
Multi-architecture support (AMD64, ARM64)
Built-in health check every 10 seconds
Exposed ports: 3592 (HTTP), 3593 (gRPC)
Default volumes for policies, temp, and cache
Ports and Volumes Exposed Ports
3592 : HTTP API (REST endpoints, health checks, metrics)3593 : gRPC API (recommended for production)
Volumes
/policies: Policy files directory/tmp: Temporary files and caches/.cache: Bundle cache directory (for Hub/remote bundles)
Environment Variables Default Configuration When CERBOS_CONFIG=__default__, Cerbos uses:
server : httpListenAddr : ":3592" grpcListenAddr : ":3593" storage : driver : "disk" disk : directory : /policies watchForChanges : false
Common Variables Configuration
Storage
Audit
Schema
CERBOS_CONFIG = __default__ # Use default config CERBOS_LOG_LEVEL = info # Log level: debug, info, warn, error
Docker Compose Basic Setup Create docker-compose.yml:
services : cerbos : image : ghcr.io/cerbos/cerbos:latest container_name : cerbos restart : unless-stopped ports : - "3592:3592" - "3593:3593" volumes : - ./policies:/policies - ./config/.cerbos.yaml:/config/.cerbos.yaml command : [ "server" , "--config=/config/.cerbos.yaml" ] healthcheck : test : [ "/cerbos" , "healthcheck" ] interval : 10s timeout : 2s retries : 3
Start the service:
Production Setup A production-ready configuration with monitoring:
services : cerbos : image : ghcr.io/cerbos/cerbos:0.52.0 container_name : cerbos restart : always ports : - "3592:3592" - "3593:3593" volumes : - ./config:/conf:ro - ./policies:/policies:ro - ./audit:/audit - cerbos-cache:/.cache command : - "server" - "--config=/conf/.cerbos.yaml" - "--log-level=info" environment : - AUDIT_ENABLED=true - SCHEMA_ENFORCEMENT=reject deploy : resources : limits : cpus : '2.0' memory : 512M reservations : cpus : '0.5' memory : 128M healthcheck : test : [ "/cerbos" , "healthcheck" ] interval : 10s timeout : 2s retries : 3 start_period : 5s networks : - cerbos-network prometheus : image : prom/prometheus:latest container_name : prometheus ports : - "9090:9090" volumes : - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro - prometheus-data:/prometheus command : - '--config.file=/etc/prometheus/prometheus.yml' - '--storage.tsdb.path=/prometheus' networks : - cerbos-network depends_on : - cerbos grafana : image : grafana/grafana:latest container_name : grafana ports : - "3000:3000" volumes : - ./grafana/dashboards.yaml:/etc/grafana/provisioning/dashboards/dashboards.yaml:ro - ./grafana/datasources.yaml:/etc/grafana/provisioning/datasources/datasources.yaml:ro - ./grafana/dashboards:/var/lib/grafana/dashboards:ro - grafana-data:/var/lib/grafana environment : - GF_SECURITY_ADMIN_PASSWORD=admin networks : - cerbos-network depends_on : - prometheus volumes : cerbos-cache : prometheus-data : grafana-data : networks : cerbos-network : driver : bridge
Prometheus configuration (prometheus/prometheus.yml):
global : scrape_interval : 15s evaluation_interval : 15s scrape_configs : - job_name : 'cerbos' static_configs : - targets : [ 'cerbos:3592' ] metrics_path : '/_cerbos/metrics'
With Database Storage Using PostgreSQL for policy storage:
services : cerbos : image : ghcr.io/cerbos/cerbos:latest container_name : cerbos restart : always ports : - "3592:3592" - "3593:3593" volumes : - ./config:/conf:ro command : [ "server" , "--config=/conf/.cerbos.yaml" ] environment : - DB_HOST=postgres - DB_PORT=5432 - DB_USER=cerbos - DB_PASSWORD=cerbos - DB_NAME=cerbos depends_on : postgres : condition : service_healthy networks : - cerbos-network postgres : image : postgres:14-alpine container_name : postgres restart : always environment : - POSTGRES_USER=cerbos - POSTGRES_PASSWORD=cerbos - POSTGRES_DB=cerbos volumes : - postgres-data:/var/lib/postgresql/data - ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro ports : - "5432:5432" healthcheck : test : [ "CMD-SHELL" , "pg_isready -U cerbos" ] interval : 10s timeout : 5s retries : 5 networks : - cerbos-network volumes : postgres-data : networks : cerbos-network : driver : bridge
Configuration file for PostgreSQL (config/.cerbos.yaml):
server : httpListenAddr : ":3592" grpcListenAddr : ":3593" storage : driver : "postgres" postgres : url : "postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=disable"
Configuration Storage Backends Disk Storage
Git Storage
Cerbos Hub
PostgreSQL
server : httpListenAddr : ":3592" grpcListenAddr : ":3593" storage : driver : "disk" disk : directory : /policies watchForChanges : true
TLS Configuration Enable TLS for secure communication:
server : httpListenAddr : ":3592" grpcListenAddr : ":3593" tls : cert : /certs/server.crt key : /certs/server.key caCert : /certs/ca.crt
Mount certificates:
docker run -d \ --name cerbos \ -p 3592:3592 \ -p 3593:3593 \ -v $( pwd ) /certs:/certs:ro \ -v $( pwd ) /config/.cerbos.yaml:/config/.cerbos.yaml:ro \ ghcr.io/cerbos/cerbos:latest server --config=/config/.cerbos.yaml
Audit Logging Enable audit logs:
audit : enabled : true backend : "file" file : path : /audit/audit.log retentionPeriod : 168h # 7 days
Mount audit directory:
docker run -d \ --name cerbos \ -p 3592:3592 \ -p 3593:3593 \ -v $( pwd ) /audit:/audit \ -v $( pwd ) /config/.cerbos.yaml:/config/.cerbos.yaml:ro \ ghcr.io/cerbos/cerbos:latest server --config=/config/.cerbos.yaml
Health Checks Built-in Health Check The Docker image includes a health check:
HEALTHCHECK --interval=10s --timeout=2s --retries=2 \ CMD [ "/cerbos" , "healthcheck" ]
Manual Health Check # Check container health docker inspect --format= '{{.State.Health.Status}}' cerbos # Using curl docker exec cerbos /cerbos healthcheck # HTTP endpoint curl http://localhost:3592/_cerbos/health
Expected response:
Resource Limits Using Docker Run docker run -d \ --name cerbos \ --memory= "512m" \ --cpus= "1.0" \ --pids-limit=100 \ -p 3592:3592 \ -p 3593:3593 \ ghcr.io/cerbos/cerbos:latest
Using Docker Compose services : cerbos : image : ghcr.io/cerbos/cerbos:latest deploy : resources : limits : cpus : '2.0' memory : 512M reservations : cpus : '0.5' memory : 128M
Networking Bridge Network (Default) docker network create cerbos-net docker run -d \ --name cerbos \ --network cerbos-net \ -p 3592:3592 \ -p 3593:3593 \ ghcr.io/cerbos/cerbos:latest
Host Network For maximum performance:
docker run -d \ --name cerbos \ --network host \ ghcr.io/cerbos/cerbos:latest
Host networking is only available on Linux and removes network isolation.
Security Best Practices Run as Non-Root User The Cerbos image runs as a non-root user by default (scratch-based image).
Read-Only Root Filesystem docker run -d \ --name cerbos \ --read-only \ --tmpfs /tmp:rw,noexec,nosuid,size=100m \ -p 3592:3592 \ -p 3593:3593 \ -v $( pwd ) /policies:/policies:ro \ ghcr.io/cerbos/cerbos:latest
Security Options docker run -d \ --name cerbos \ --cap-drop=ALL \ --security-opt=no-new-privileges:true \ --read-only \ -p 3592:3592 \ -p 3593:3593 \ ghcr.io/cerbos/cerbos:latest
Docker Compose Security services : cerbos : image : ghcr.io/cerbos/cerbos:latest read_only : true security_opt : - no-new-privileges:true cap_drop : - ALL tmpfs : - /tmp:rw,noexec,nosuid,size=100m volumes : - ./policies:/policies:ro
Monitoring Container Stats # Real-time stats docker stats cerbos # Logs docker logs -f cerbos # Specific time range docker logs --since 1h cerbos
Prometheus Metrics Metrics are exposed at http://localhost:3592/_cerbos/metrics:
curl http://localhost:3592/_cerbos/metrics
Key metrics:
cerbos_check_duration_seconds: Authorization check durationcerbos_check_total: Total authorization checkscerbos_policy_repo_load_duration_seconds: Policy load time
Troubleshooting Container Won’t Start # Check logs docker logs cerbos # Inspect container docker inspect cerbos # Run interactively docker run -it --rm \ -v $( pwd ) /config:/config \ ghcr.io/cerbos/cerbos:latest server --config=/config/.cerbos.yaml
Policy Errors # Validate policies before mounting docker run --rm \ -v $( pwd ) /policies:/policies \ ghcr.io/cerbos/cerbosctl:latest compile /policies # Check policy loading docker logs cerbos | grep -i policy
Permission Issues # Check volume permissions ls -la policies/ # Fix permissions chmod -R 755 policies/ chmod 644 policies/ * .yaml
Port Conflicts # Check if ports are in use lsof -i :3592 lsof -i :3593 # Use different ports docker run -d \ --name cerbos \ -p 13592:3592 \ -p 13593:3593 \ ghcr.io/cerbos/cerbos:latest
Complete Production Example A complete production setup with all best practices:
services : cerbos : image : ghcr.io/cerbos/cerbos:0.52.0 container_name : cerbos-prod restart : always hostname : cerbos # Ports ports : - "3592:3592" - "3593:3593" # Volumes volumes : - ./config/.cerbos.yaml:/config/.cerbos.yaml:ro - ./policies:/policies:ro - ./certs:/certs:ro - ./audit:/audit - cerbos-cache:/.cache # Command command : - "server" - "--config=/config/.cerbos.yaml" - "--log-level=info" # Environment environment : - AUDIT_ENABLED=true - SCHEMA_ENFORCEMENT=reject # Security read_only : true security_opt : - no-new-privileges:true cap_drop : - ALL tmpfs : - /tmp:rw,noexec,nosuid,size=100m # Resources deploy : resources : limits : cpus : '2.0' memory : 512M reservations : cpus : '0.5' memory : 128M restart_policy : condition : on-failure delay : 5s max_attempts : 3 window : 120s # Health check healthcheck : test : [ "/cerbos" , "healthcheck" ] interval : 10s timeout : 2s retries : 3 start_period : 5s # Logging logging : driver : "json-file" options : max-size : "10m" max-file : "3" # Network networks : - cerbos-network volumes : cerbos-cache : driver : local networks : cerbos-network : driver : bridge ipam : config : - subnet : 172.28.0.0/16
This configuration provides:
Automatic restarts and health checks
Resource limits and security hardening
Persistent cache and audit logs
Proper logging and monitoring
Network isolation