The latest release of Cerbos - v0.24 - includes updates to audit logging filters, database connection improvements and more options when deploying via Helm.
We have been working closely with users of Cerbos such as Blockchain.com, Utility Warehouse, 9fin, Salesroom, and Doorfeed on this release and can’t wait to hear what you would like to see in future releases. Join our Slack community to take part in the conversation.
Cerbos audit log decision entries now include request metadata. Previously, request metadata was only logged with access log entries. Which metadata keys get logged is determined by the includeMetadataKeys and excludeMetadataKeys settings. The behaviour of these settings has changed slightly, and users are advised to test their Cerbos deployment with the new version to ensure that the audit logs are still produced in the way they expect. The new behaviour is as follows:
- If both includeMetadataKeys and excludeMetadataKeys are empty, no metadata is logged.
- If only includeMetadataKeys is defined, only those metadata keys are logged.
- If only excludeMetadataKeys is defined, all metadata keys not in the exclusion list are logged.
- If both includeMetadataKeys and excludeMetadataKeys are defined, only the included keys are logged, and only as long as they are not also in the exclusion list.
A new setting named decisionLogFilters has been introduced to allow users to reduce the number of audit log entries generated. With these filter settings, it's now possible to suppress decision log entries for:
- CheckResources calls where none of the actions were denied
- PlanResources calls that produce
See the audit documentation for more information.
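The configuration fragment below is an added example written for this page; it is not taken from the release notes or from the Cerbos repository. The key names follow the Cerbos audit configuration reference (check them against the reference for the version you deploy); the storage path, the header names and the filter choices are illustrative assumptions.

```yaml
# .cerbos.yaml (added example; values are illustrative)
audit:
  enabled: true
  accessLogsEnabled: true
  backend: local
  local:
    storagePath: /var/cerbos/audit   # assumed path
    retentionPeriod: 168h

  # Request metadata is now written to decision entries as well as
  # access entries, so the two lists below govern both.
  # Allow-list: only these keys are ever considered for logging.
  includeMetadataKeys:
    - x-request-id
    - x-forwarded-for
  # Deny-list applied on top of the allow-list. Kept even though the
  # allow-list already omits credentials, so that a later edit to
  # includeMetadataKeys cannot start writing bearer tokens to disk.
  excludeMetadataKeys:
    - authorization
    - cookie

  # New in v0.24: drop decision entries that carry no security signal.
  decisionLogFilters:
    checkResources:
      # Do not log CheckResources calls in which every action was allowed.
      ignoreAllowAll: true
    planResources:
      # Keep PlanResources entries except plans that allow everything.
      ignoreAll: false
      ignoreAllowAll: true
      ignoreDenyAll: false
```

With both lists set as above, the four rules resolve to: x-request-id and x-forwarded-for are logged, authorization and cookie never are, and any other header a client happens to send is dropped. An exclude-only configuration is allow-by-default, so every new header a client starts sending will appear in the audit log unless it is added to the exclusion list; prefer the allow-list form where the audit trail may be read by people without access to the original requests. Before upgrading, capture one decision entry from the old version and compare it with one from v0.24 under the same configuration. Note that ignoreAllowAll discards successful decisions entirely; if a compliance requirement is a complete record of every authorization decision, leave it at false.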
If a database store is configured as the policy repository and if the database is unavailable at the time Cerbos starts, Cerbos now attempts to reconnect to the database a few times before giving up. Previously, Cerbos exited immediately if the database was unavailable.
It's now possible to add custom annotations to the Service resources created by the Cerbos Helm chart. This is useful for integrating with Kubernetes operators and utilities that work with annotated resources.
If you have cert-manager installed in your cluster, the Cerbos Helm chart can be configured to request a certificate automatically from one of your cert-manager issuers. This removes the manual step of creating a Certificate resource for Cerbos before the chart is deployed.
The Cerbos engine used to operate on the assumption that a resource policy always existed as a fallback for principal policies. As a result, requests that referenced resource kinds with no resource policy were denied outright, even when a principal policy existed to provide decisions for some of the actions. This limitation has been removed in this release.
The policy testing framework can now detect tests that exercise the same (principal, resource, action) combination more than once. Previously, this led to confusing output when the duplicate tests produced conflicting results.
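An added example, not from the release notes or the Cerbos project, of the situation the testing framework now detects. It assumes a resource policy for a hypothetical album:object resource kind with a view action already exists in the policy directory; the suite name, principals and resources are constructed for illustration.

```yaml
# album_test.yaml (added example; assumes a resource policy for album:object)
name: AlbumDuplicateTestSuite
description: Two tests that both exercise (alicia, alicia_private_album, view)
principals:
  alicia:
    id: alicia
    roles:
      - user
  bradley:
    id: bradley
    roles:
      - user
resources:
  alicia_private_album:
    kind: album:object
    id: XX125
    attr:
      owner: alicia
      public: false
tests:
  - name: Owner can view their private album
    input:
      principals:
        - alicia
      resources:
        - alicia_private_album
      actions:
        - view
    expected:
      - principal: alicia
        resource: alicia_private_album
        actions:
          view: EFFECT_ALLOW
  - name: Private albums are hidden from everyone
    # Overlaps with the test above on (alicia, alicia_private_album, view)
    # and expects the opposite effect. Before v0.24 the conflicting
    # results produced confusing output; v0.24 detects the duplicate.
    input:
      principals:
        - alicia
        - bradley
      resources:
        - alicia_private_album
      actions:
        - view
    expected:
      - principal: alicia
        resource: alicia_private_album
        actions:
          view: EFFECT_DENY
      - principal: bradley
        resource: alicia_private_album
        actions:
          view: EFFECT_DENY
```

Run the suite with cerbos compile against the policy directory. The second test is the kind that creeps in when a broad "deny to everyone" case is added without removing the owner from its principal list; with the duplicate flagged, the fix is to drop alicia from the second test so each (principal, resource, action) triple has exactly one expectation.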
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team