Cerbos v0.27.0

Highlights

Cerbos now supports returning user-defined output values from policy evaluation. Policy authors define an optional expression to evaluate if a rule is activated and Cerbos collects and returns the set of outputs as part of the API response. This enables developers to take specific actions in their applications based on the outcome of an authorization check. See the outputs documentation for more information.

The new overlay storage is a special driver that allows you to configure any two Cerbos storage drivers as base and fallback stores. If the base store becomes unavailable for some reason, Cerbos automatically switches to the fallback store until the base becomes available again. See the overlay documentation for more information.

The database storage drivers now perform a schema check on startup to make sure that the required tables exist. This behaviour can be switched off in the configuration.
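The two storage changes above fit together in one server configuration. The following is an added example, not a file from the Cerbos project or from these release notes: it wraps a PostgreSQL base store in the overlay driver with a read-only disk fallback, and shows where the startup schema check is controlled. The listen addresses, connection string, directory and the environment variable name are constructed placeholders, and the overlay field names (`baseDriver`, `fallbackDriver`, `fallbackErrorThreshold`, `fallbackErrorWindow`) and the `skipSchemaCheck` switch are assumed from the Cerbos configuration reference rather than taken from this page, so verify them against the documentation for your version.

```yaml
# Added example (not from the Cerbos release notes): overlay storage with a
# database base store and a disk fallback, plus the schema-check switch.
# Addresses, paths, the env var and the DB host are constructed placeholders.
server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"

storage:
  driver: "overlay"
  overlay:
    # Assumed field names: the store that is normally consulted, and the
    # store Cerbos reads from while the base is unavailable.
    baseDriver: "postgres"
    fallbackDriver: "disk"
    # Assumed fields: fail over once this many base-store errors are seen
    # inside the window; Cerbos returns to the base once it is healthy again.
    fallbackErrorThreshold: 5
    fallbackErrorWindow: "5m"

  postgres:
    # Placeholder DSN; the password comes from the environment, not the file.
    url: "postgres://cerbos:${CERBOS_DB_PASSWORD}@db.internal:5432/cerbos?sslmode=require"
    # Assumed switch for the new startup table check. Leaving it at false
    # means a missing or mis-migrated schema is reported at startup rather
    # than surfacing later as failed policy loads.
    skipSchemaCheck: false

  disk:
    # Fallback copy of the policy set, deployed with the container image so
    # it is available even when the database is not.
    directory: "/var/cerbos/policies-fallback"
    watchForChanges: false
```

Keep the fallback directory's contents in sync with what is in the database: while the base is down, authorization decisions are made from the fallback copy, so a stale fallback silently reintroduces permissions that were since revoked. Treat a failover event (visible in the Cerbos logs) as something to alert on for the same reason.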

Policy conditions can now make use of the new math.greatest and math.least functions to find the maximum and minimum values in a list of numbers.
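The output and math features above can be seen together in a single resource policy. The policy below is an added example written for this page, not one shipped with Cerbos or taken from its documentation: the `expense` resource, the `lineItems` and `status` attributes, the role names and the shape of the output values are all constructed for illustration. It uses the `output.expr` form introduced in this release to return a structured value when a rule is activated, and `math.greatest` to evaluate a condition over a list attribute.

```yaml
# Added example (not from the Cerbos release notes). Resource kind, attribute
# names, roles and output values are constructed for illustration.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  rules:
    # A manager may approve an expense only if its largest line item is
    # within the per-item limit. math.greatest (new in 0.27.0) returns the
    # maximum of the list; the output records the limit that applied so the
    # caller can explain the decision without re-deriving it.
    - name: approve-within-limit
      actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
      condition:
        match:
          expr: math.greatest(request.resource.attr.lineItems) <= 500
      output:
        expr: |-
          {"reason": "within_limit", "maxItem": math.greatest(request.resource.attr.lineItems)}

    # Frozen expenses are denied for everyone. Attaching an output to the
    # DENY rule gives the application a machine-readable reason instead of a
    # bare denial it would otherwise have to guess at.
    - name: deny-frozen
      actions: ["*"]
      effect: EFFECT_DENY
      roles: ["*"]
      condition:
        match:
          expr: request.resource.attr.status == "FROZEN"
      output:
        expr: |-
          {"reason": "frozen", "expense": request.resource.id}
```

Outputs are returned to whoever called the check API, so keep them to what the calling application needs for its decision; an output expression that echoes sensitive attributes of the principal or resource turns the policy decision point into a data source for those values.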

Common causes of errors, such as an incorrectly placed schemas directory or an invalid content structure in policies, now produce detailed error messages to help debug those issues.

The HorizontalPodAutoscaler resources created by the Cerbos Helm chart now use the v2 API, which requires Kubernetes 1.23.0 or higher.

Changelog

Bug Fixes

  • Mark /tmp as a container volume (#1546)

  • Return correct error code when store is invalid (#1592)

  • Use IncludeMetadata option on all gRPC requests (#1586)

Features

  • Storage overlay (#1560)

  • User-defined output from policy evaluation (#1594)

  • Validate policy and test files with JSON schema (#1526)

Enhancements

  • Add CEL math extension (#1569)

  • Allow LoadBalancerIP to be set (#1605)

  • Handle schemas folder being in wrong place with more verbose error (#1550)

  • Upgrade to HPA v2 API (#1548)

  • Verify required tables are present in the db (#1584)

  • Volume mounts for Cerbos Cloud (#1547)

Documentation

  • Add page with output example (#1622)

  • Clarify policy repository layout (#1551)

  • Fix typo in charAt example (#1606)

Chores

  • Add bundle driver info to telemetry (#1545)

  • Add paths to test schema files (#1564)

  • Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#1577)

  • Bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible in /tools (#1578)

  • Bump github.com/goreleaser/nfpm/v2 from 2.28.0 to 2.29.0 in /tools (#1599)

  • Bump github.com/sigstore/rekor from 1.0.1 to 1.1.1 in /tools (#1563)

  • Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#1600)

  • Bump version to 0.27.0

  • Change Cloud API version to api.cerbos.cloud/v1 (#1559)

  • Disable automatic label updates (#1544)

  • Fix data race in store test (#1537)

  • Fix referencing non-existent format flag (#1617)

  • Overlay e2e test (#1579)

  • Remove the cerbos prefix from output keys (#1614)

  • Update Antora to 3.1.2 (#1575)

  • Update Renovate labels (#1565)

  • Update bufbuild/buf-setup-action action to v1.18.0 (#1567)

  • Update github actions deps (#1597)

  • Update github actions deps (#1625)

  • Update go deps (#1553)

  • Update go deps (#1556)

  • Update go deps (#1568)

  • Update go deps (#1581)

  • Update go deps (#1596)

  • Update go deps (#1624)

  • Update google-github-actions/setup-gcloud action to v1.1.1 (#1582)

  • Update module github.com/envoyproxy/protoc-gen-validate to v1 (#1557)

  • Update to go 1.19 (#1543)