Hi, I'm trying to deploy cerbos to cloud run. Is e...
# help
b
Hi, I'm trying to deploy Cerbos to Cloud Run. Is exposing Cerbos with a public endpoint a security concern, or is there another way to secure Cerbos? Because Cloud Run doesn't support sidecar containers and doesn't make it easy to let Cloud Run services connect to each other privately.
c
Hi. There's nothing inherently insecure about exposing Cerbos publicly. It's stateless and has no access to any of your other services, so I would say its security surface area is quite small. We don't currently have a way to natively restrict access to the `Check` and `Plan` APIs. However, anyone who wants to access them needs to know about the policies in your system, so I don't see a big risk there either. Obviously, these are general observations. The decision is ultimately up to you. Do some risk assessment based on your architecture and use cases to figure out whether you feel comfortable about Cerbos being public. We are working on some improvements to make serverless workloads easier to manage. So stay tuned for that as well.