We value your privacy

This website or its third-party tools process personal data. You can opt out of the sale of your personal information by clicking on the “Do Not Sell or Share My Personal Information” link.

Opt-out Preferences

We use third-party cookies that help us analyze how you use this website, store your preferences, and provide the content and advertisements that are relevant to you. However, you can opt out of these cookies by checking "Do Not Sell or Share My Personal Information" and clicking the "Save My Preferences" button. Once you opt out, you can opt in again at any time by unchecking "Do Not Sell or Share My Personal Information" and clicking the "Save My Preferences" button.

Do Not Sell or Share My Personal Information
Powered by Cookieyes logo

Cerbos deployment patterns

This documentation is for a previous version of Cerbos. Choose 0.42.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version.

Cerbos can be deployed as a service or as a sidecar. Which mode to choose depends on your requirements.

Service model

Service model

  • Central policy decision point shared by a group of applications.

  • Cerbos can be upgraded independently from the applications — reducing maintenance overhead.

  • In a busy environment, careful capacity planning would be required to ensure that the central Cerbos endpoint does not become a bottleneck.

Sidecar model

Sidecar model

  • Each application instance gets its own Cerbos instance — ensuring high performance and availability.

  • Upgrades to Cerbos would require a rolling update to all the application instances.

  • Policy updates could take slightly longer to propagate to all the individual application instances — resulting in a period where both the old and new policies are in effect at the same time.