G’day Cerbos team! I have one simple question, we ...
# help
g
G’day Cerbos team! I have one simple question, we are evaluating using Cerbos for a multi tenant use case where eventually we would allow each tenant to have its own set of policies that build upon our default base policies, this could be upwards of 1000+ tenants at this point in time, and grow from there. My question being:
Has Cerbos been load tested with a great number of Scoped Policies, but only say two levels deep, say `organization.member`?
If not, we’ll try to run load testing, but also it would be good to have your opinion on managing performance, is it running more pods in K8S, adding more shared memory etc. Thank you
c
Hi. We have tested Cerbos with large numbers of policies internally and haven't had any issues. However, I'd always recommend that you do some testing of your own because things like hardware, networking, policy complexity etc. are kind of unique to each site. You'll also gain some valuable insights into how Cerbos behaves, what to tune and how to scale and so on. Cerbos is mostly CPU-bound so if you're running on k8s, make sure it has plenty of CPU. Set resource `requests` for CPU but not `limits` because the latter causes throttling. Memory usage depends on the "live" policy set and the number of concurrent requests so you'll need to tune those based on what you observe from your typical usage. Because Cerbos is stateless, you can scale it horizontally. It's always good to have at least 2 replicas running for redundancy and scale it up and down on demand based on metrics.
g
Thank you @Charith (Cerbos), will pass on your comments to our SRE team.