Deploy Cerbos on Kubernetes

Run the Cerbos PDP on Kubernetes as a standalone service or sidecar container alongside your application pods.

Flexible topology

Deploy as a centralized service, a sidecar, or a DaemonSet depending on your latency and isolation requirements

Horizontal scaling

Cerbos is stateless and scales horizontally: add replicas to match your traffic, with no coordination between instances.

Observable

Built-in Prometheus metrics, distributed tracing, and health check endpoints for liveness and readiness probes

What is Cerbos?

Cerbos is an open-source authorization layer that decouples access control from your application code. It runs as a stateless Policy Decision Point (PDP) that evaluates fine-grained policies at request time.

Authorization policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. They can be updated, tested, and deployed independently of your application.

Deploying Cerbos via Kubernetes gives you a production-ready authorization service that scales horizontally and fits naturally into your existing infrastructure and observability stack.

How to deploy Cerbos on Kubernetes

  1. Choose a deployment topology. Decide between a standalone Deployment with a Service, a sidecar container in each pod, or a DaemonSet.
  2. Deploy the Cerbos container. Use the official Cerbos container image or the Helm chart to deploy the PDP into your cluster.
  3. Configure policy loading. Point Cerbos at a ConfigMap, Git repository, or Cerbos Hub bundle for policy storage.
  4. Connect your services. Use a Cerbos SDK to send authorization checks from your application pods to the PDP.
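
The manifest below is an added example, not taken from the Cerbos documentation or Helm chart, showing steps 1 to 3 for the standalone topology with policies loaded from a ConfigMap. The resource names (`cerbos-config`, `cerbos-policies`), the replica count and the `<pinned-version>` tag are placeholders, it assumes the default Cerbos ports (3592 HTTP, 3593 gRPC) and the `/_cerbos/health` endpoint, and the Service that fronts the pods is left out.

```yaml
# Added example: names, replica count and <pinned-version> are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cerbos-config            # hypothetical name
data:
  config.yaml: |
    server:
      httpListenAddr: ":3592"
      grpcListenAddr: ":3593"
    storage:
      driver: disk               # read policies from a mounted directory
      disk:
        directory: /policies
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cerbos
spec:
  replicas: 2                    # stateless PDP: replicas need no coordination
  selector:
    matchLabels: {app: cerbos}
  template:
    metadata:
      labels: {app: cerbos}
    spec:
      containers:
        - name: cerbos
          image: ghcr.io/cerbos/cerbos:<pinned-version>   # pin a release, not "latest"
          args: ["server", "--config=/config/config.yaml"]
          ports:
            - {name: http, containerPort: 3592}
            - {name: grpc, containerPort: 3593}
          readinessProbe:          # keep pods out of rotation until the PDP is ready
            httpGet: {path: /_cerbos/health, port: http}
          livenessProbe:
            httpGet: {path: /_cerbos/health, port: http}
          securityContext:         # the PDP listens on high ports and needs no extra privileges
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
          volumeMounts:
            - {name: config, mountPath: /config, readOnly: true}
            - {name: policies, mountPath: /policies, readOnly: true}
      volumes:
        - name: config
          configMap: {name: cerbos-config}
        - name: policies
          configMap: {name: cerbos-policies}   # hypothetical; one key per policy YAML file
```

Because the PDP decides every access request, restrict who can edit the policy ConfigMap with Kubernetes RBAC and limit ingress to the PDP ports to the namespaces that need authorization checks.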

FAQ

Should I deploy Cerbos as a service or a sidecar?

A standalone Deployment with a Service is the simplest approach and works well for most setups. Sidecar deployments eliminate network hops and are useful when you need the lowest possible latency or want to isolate authorization per pod.

Does Cerbos require any external dependencies?

No. Cerbos is fully stateless and requires no database or message queue. Policies can be loaded from a ConfigMap, a Git repository, or Cerbos Hub.

How do I update policies without restarting Cerbos?

Configure Cerbos to load policies from a Git repository or Cerbos Hub. Policy changes are picked up automatically without restarting the PDP.

Cerbos + Kubernetes

  • Cerbos runs alongside your workloads in Kubernetes
  • No external databases or message queues required
  • Built-in metrics, distributed tracing, and structured logging
  • Stateless PDP instances scale horizontally

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.