Browser OIDC login for tcloud CLI

cli security
2026-07-07
By Thalassa Cloud
Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop. With tcloud v0.20.0, browser-based OIDC login is the default.

Topics

Latest Posts

Introducing Node Pool Autoscaling on Thalassa Cloud

We are excited to announce the launch of Node Pool Autoscaling for our Managed Kubernetes service. This feature automatically adds or removes worker nodes in your node pools based on your workloads’ resource demands, ensuring optimal capacity while helping you control costs. Scale Automatically with Demand The Node Pool Autoscaler uses the upstream Kubernetes Cluster Autoscaler to monitor your cluster resource usage and make scaling decisions. Autoscaling is configured per node pool.

Future-Proof Your Private Cloud Platform Investment

Deploying private cloud infrastructure is just the beginning for organisations. The real challenge lies in keeping your investment valuable as technology rapidly changes. Thalassa Cloud Haven tackles this issue by offering a private cloud platform designed to adapt and expand alongside your evolving needs, ensuring continuous relevance and value. Thalassa Cloud Haven is a private cloud platform designed to offer the same cloud services you are used to from the big public clouds, right within your own data centers.

Infrastructure as Code on Thalassa Cloud: Terraform and Pulumi

2025-10-10
Infrastructure as Code (IaC) is a method that allows teams to implement infrastructure changes in a secure and consistent manner. By using IaC, you can easily maintain and manage your infrastructure just like application code, making it straightforward to implement changes and collaborate across teams. On Thalassa Cloud, you have two options to achieve this: the official Terraform provider and a community-maintained Pulumi provider. Both solutions enable you to version your infrastructure setup, review changes before applying them, and automate updates across various environments.

Introducing Service Accounts in Thalassa Cloud

Service accounts are non‑human identities designed for automated systems, applications, and integrations. In Thalassa Cloud, they are organisation‑level principals with their own roles and one or more access credentials. Use them for CI/CD pipelines, controllers, monitoring, provisioning, or any workload that needs programmatic access. Service accounts separate machine access from human users, enabling least‑privilege policies, independent credential rotation, and clean audit trails. Each service account can hold multiple credentials, so you can rotate keys with zero downtime.

Block Volume Snapshots and Snapshot Policies

2025-10-05
We recently introduced Block Volume Snapshots and Snapshot Policies in Thalassa Cloud. This adds simple, reliable data protection and recovery workflows for your IaaS workloads without disrupting running applications. Snapshots is one of the core building blocks for operating modern cloud services in a safe manner. I.g. quickly restoring or cloning a database, or for additional back up strategies. What are Block Volume Snapshots? Block Volume Snapshots are point‑in‑time, incremental copies of a Block Volume.

Pod Security Standards: Practical Hardening for Kubernetes

Pod Security Standards (PSS) are a low‑friction way to harden clusters by default. With Pod Security Admission (PSA), you can enforce least‑privilege at the namespace level and prevent risky pods from ever being created. It’s simple, auditable, and fits cleanly into GitOps. Improving your security posture Implementing Pod Security Standards is crucial as it helps reduce the blast radius by blocking privilege escalation and host-level access. It allows teams to catch misconfigurations early during the admission phase rather than after deployments, ensuring issues are addressed promptly.

VPC‑Only Access for Kubernetes Clusters

We’ve added support for VPC‑only access to Kubernetes control planes. When enabled, the cluster’s public API endpoint is disabled and the Kubernetes API is reachable only from within your Virtual Private Cloud. This helps teams meet stricter security and compliance requirements without sacrificing operational access. VPC-only access is valuable for DevOps teams because it boosts security by removing the internet-facing API endpoint, which reduces the attack surface. It also makes network rules and identity limits clearer by using your VPC as the boundary.