Run from container

This documentation is for a previous version of Cerbos. Choose 0.39.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version.
docker run --rm --name cerbos -p 3592:3592 ghcr.io/cerbos/cerbos:0.35.1

Cerbos images can be verified using sigstore tools as follows:

cosign verify \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity="https://github.com/cerbos/cerbos/.github/workflows/release.yaml@refs/tags/v0.35.1" \
  ghcr.io/cerbos/cerbos:0.35.1

By default, the container is configured to listen on ports 3592 (HTTP) and 3593 (gRPC) and watch for policy files on the volume mounted at /policies. You can override these by creating a new configuration file.

Create a directory to hold the config file and policies.
mkdir -p cerbos-quickstart/policies
Create a config file.
cat > cerbos-quickstart/.cerbos.yaml <<EOF
server:
  httpListenAddr: ":3592"

storage:
  driver: "disk"
  disk:
    directory: /quickstart/policies
    watchForChanges: true
EOF
Launch the container with the new config file.
docker run --rm --name cerbos -d -v $(pwd)/cerbos-quickstart:/quickstart -p 3592:3592 ghcr.io/cerbos/cerbos:0.35.1 server --config=/quickstart/.cerbos.yaml
Cerbos container images are mirrored to Docker Hub and the latest version is available at docker.io/cerbos/cerbos:0.35.1 as well.