Hi, I have a few questions regarding Cerbos sideca...
# help
y
Hi, I have a few questions regarding Cerbos sidecar deployment (as presented in https://docs.cerbos.dev/cerbos/latest/deployment/k8s-sidecar.html) according to the requirements I have received:

1. I need the main app and Cerbos to communicate via IPC. Do I need a special config for that or is it automatically achieved by using "localhost" from the main app? Note that external apps (outside the sidecar) should not have access to Cerbos.
2. Which is the preferred way: to build a docker image with Cerbos or install Cerbos on docker build?
3. I have several apps that will be with Cerbos in sidecar deployment, meaning that there will be one sidecar deployment with app1 and Cerbos, another with app2 and Cerbos etc., and all of the Cerbos instances will communicate with the same DB. The question is how to run these different sidecars with different configs for Cerbos: for example, I want the Admin API enabled in one sidecar and disabled in the other.
4. Is there any way to test the sidecar deployment locally? (I am running a Windows machine). Prod environment is AWS (EKS).

Any other useful comments are appreciated. I understand that most of the questions can be easily answered by docker / k8s experts; unfortunately, I don't have much experience in that area. Thanks!
a
Hi Yehiel!

1. With a sidecar deployment, you have two options for the communication. You can either use a Unix domain socket (which is the option shown in the documentation you linked to) or you can do it via `localhost` within the pod. Both options keep Cerbos isolated from the external network; the UDS is a bit more efficient but getting the filesystem permissions correct can be fiddly sometimes.
2. We provide an official Docker image, I would recommend using that unless you have a good reason not to (https://docs.cerbos.dev/cerbos/latest/installation/container).
3. Generally with Kubernetes you would mount the Cerbos config into the container as a volume from a configmap or secret. You can therefore configure your different apps' pods with different configmaps/secrets to have different Cerbos setups. Alternatively, you can use the `--set` command line flag in the sidecar containers' `args` to change individual settings (https://docs.cerbos.dev/cerbos/latest/configuration/).
4. For local testing, you could use Minikube (https://github.com/kubernetes/minikube) which supports Windows (you can use it on its own with the `vm` driver, or run a cluster on Docker Desktop with the `docker` driver).
👍 1
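The following manifest is an added example that ties points 1 and 3 of the answer together; it is not from the thread or from the Cerbos project. It shows one app pod with a Cerbos sidecar, Cerbos listening only on Unix domain sockets in an `emptyDir` shared by the two containers, the Cerbos config mounted from a per-app ConfigMap with the Admin API disabled, and the policy database URL injected from a Secret. All names, the app image, the Secret, the `CERBOS_PG_URL` variable, the `runAsUser` value and the use of `${VAR}` expansion inside the Cerbos config file are assumptions for this example.

```yaml
# Added example, not the thread's or the Cerbos project's own manifest.
# Placeholders: app1 image, cerbos-db Secret, CERBOS_PG_URL, runAsUser 1000.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app1-cerbos-config
data:
  .cerbos.yaml: |
    server:
      # Unix domain sockets on a volume shared only with the app container:
      # nothing outside this pod can connect to them (answer, point 1).
      httpListenAddr: "unix:/sock/cerbos.http"
      grpcListenAddr: "unix:/sock/cerbos.grpc"
      adminAPI:
        enabled: false          # this app's sidecar: Admin API off (point 3)
    storage:
      driver: "postgres"
      postgres:
        # Assumption: Cerbos expands ${VAR} from the container environment,
        # so the DB URL never has to appear in the ConfigMap itself.
        url: "${CERBOS_PG_URL}"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1
  template:
    metadata:
      labels:
        app: app1
    spec:
      # Same UID for both containers so the app can open the socket files
      # Cerbos creates (the "fiddly" permissions part of the answer).
      securityContext:
        runAsUser: 1000
      containers:
        - name: app1
          image: example.com/app1:1.0.0      # placeholder application image
          env:
            - name: CERBOS_ADDRESS           # the app's Cerbos client reads this
              value: "unix:/sock/cerbos.grpc"
          volumeMounts:
            - name: cerbos-sock
              mountPath: /sock
        - name: cerbos
          image: ghcr.io/cerbos/cerbos:latest
          args:
            - server
            - --config=/config/.cerbos.yaml
            # A second app's pod can reuse the same ConfigMap and flip one
            # setting instead: - --set=server.adminAPI.enabled=true
          env:
            - name: CERBOS_PG_URL
              valueFrom:
                secretKeyRef:
                  name: cerbos-db            # placeholder Secret holding the DB URL
                  key: url
          volumeMounts:
            - name: cerbos-config
              mountPath: /config
              readOnly: true
            - name: cerbos-sock
              mountPath: /sock
      volumes:
        - name: cerbos-config
          configMap:
            name: app1-cerbos-config
        - name: cerbos-sock
          emptyDir: {}
```

If you prefer the `localhost` variant instead of sockets, set `grpcListenAddr: "127.0.0.1:3593"` (and the HTTP address likewise) rather than the default `":3593"`: a listener bound to all interfaces is reachable on the pod's IP from other pods in the cluster, even without a Service, which defeats the "no external access" requirement. With the socket variant, the only thing to check is that the socket files end up readable and writable by the app container's user, which is what the shared `runAsUser` above is for.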