Tomáš Hanus

07/31/2023, 1:47 PM
Hello everyone 👋 I'm now evaluating Cerbos as a candidate for a POC. Can someone please explain to me, or point me to some article where I could find more information about, how Cerbos manages multiple sidecar instances and data ownership/synchronization? I'd like to use dynamic storage to be able to CRUD my policies. Do I need to configure the same database instance from all sidecar Cerbos instances? What instance do I send my Admin API CRUD requests against? How does the synchronization of policies work? If it's a single database indeed, doesn't it become a potential bottleneck? I'm sorry if this was already discussed here. I couldn't find any mention of it, neither in Slack channels nor in the docs 🙂

Charith (Cerbos)

07/31/2023, 2:23 PM
Hi. Cerbos was built for GitOps and that's our recommended approach, but you can certainly use a database for dynamic storage as well. You can share a single database with all your sidecars -- the load on the DB is quite small for Cerbos, so I wouldn't worry about it becoming a bottleneck unless you have other heavy workloads sharing the DB as well. Unlike Git, when using DB storage with multiple Cerbos instances, those instances don't have a way to detect when things change in the database. So if you make a change to an existing policy, you need to notify the other Cerbos instances to refresh their internal caches using the `store/reload` admin API call. Alternatively, if you're OK with a little bit of staleness, you can configure the compile cache expiry time to a value that suits you (it never expires by default). There are a couple of threads on this on #help, such as this one: