Run from container

This documentation is for a previous version of Cerbos. Choose 0.40.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version.

docker run --rm --name cerbos -p 3592:3592 ghcr.io/cerbos/cerbos:0.37.0

Cerbos images can be verified using sigstore tools as follows:

cosign verify \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity="https://github.com/cerbos/cerbos/.github/workflows/release.yaml@refs/tags/v0.37.0" \
  ghcr.io/cerbos/cerbos:0.37.0

By default, the container is configured to listen on ports 3592 (HTTP) and 3593 (gRPC) and watch for policy files on the volume mounted at /policies. You can override these by creating a new configuration file.

Create a directory to hold the config file and policies.

mkdir -p cerbos-quickstart/policies

Create a config file.

cat > cerbos-quickstart/.cerbos.yaml <<EOF
server:
  httpListenAddr: ":3592"

storage:
  driver: "disk"
  disk:
    directory: /quickstart/policies
    watchForChanges: true
EOF

Launch the container with the new config file.

docker run --rm --name cerbos -d -v $(pwd)/cerbos-quickstart:/quickstart -p 3592:3592 ghcr.io/cerbos/cerbos:0.37.0 server --config=/quickstart/.cerbos.yaml

Cerbos container images are mirrored to Docker Hub and the latest version is available at docker.io/cerbos/cerbos:0.37.0 as well.