Browser OIDC login for tcloud CLI

cli security
2026-07-07
By Thalassa Cloud

Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop. With tcloud v0.20.0, browser-based OIDC login is the default.

Latest Posts

Browser OIDC login for tcloud CLI

2026-07-07
Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop. With tcloud v0.20.0, browser-based OIDC login is the default.

Expose workloads with Gateway API and kgateway on Thalassa Cloud Kubernetes

Ingress controllers have served Kubernetes well for years, but they bundle concerns that teams often want to separate: platform operators manage the edge, while application developers attach routes to their services. The Kubernetes Gateway API was designed for that approach, and kgateway implements it with Envoy as the data plane. On Thalassa Cloud Kubernetes, each Gateway you create provisions an Envoy proxy and a LoadBalancer Service backed by a VPC Load Balancer.

Working with Thalassa Container Registry from Kubernetes

You’ve pushed an image to Thalassa Cloud Container Registry. Now you want your Kubernetes cluster to pull it. Good news: there’s nothing exotic about this. It’s the same imagePullSecrets flow you’d use with any private registry - Docker Hub, ECR, whatever you’ve worked with before. This post walks you through it step by step, from credentials to a running pod. If you want the full reference, the Kubernetes guide has that covered.

Kubernetes Cluster provisioning, without hardcoded secrets

You can deploy a Kubernetes cluster in 5 minutes using GitLab CI and Terraform—without storing any secrets in your pipeline. This guide shows you how to use OIDC (OpenID Connect) for secure authentication and deploy a production-ready cluster. By the end, you’ll have a working pipeline that creates and manages your Kubernetes cluster automatically. Why Use OIDC? Usually, CI/CD pipelines need API tokens stored as secrets. This causes problems. You must manually rotate tokens, which is easy to forget.

CVE-2026-31431 (Copy Fail): patched Kubernetes images on Thalassa Cloud

CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation affecting a wide range of kernels from 2017 until distributors ship the fix. On Kubernetes Clusters that may execute potentially malicious workloads (i.g. third party container images), the vulnerability may facilitate container escape scenarios (from a pod to the host). Utilising microVMs or other isolated runtime classes may mitigate impact. Thalassa Cloud Kubernetes images v1.34.7-1 and v1.35.4-1 include kernel module updates that address CVE-2026-31431 by applying the recommended mitigation from Canonical for Ubuntu.

Bootstrap workload identity with tcloud. GitHub, GitLab, and Kubernetes

We want to eliminate static secrets wherever it is practical. Long-lived tokens in Git variables, copied into Terraform backends, or baked into cluster manifests rot slowly, leak easily, and rarely map cleanly to who actually called the API. Workload identity federation is a better default: a platform OIDC identity proves this pipeline or this service account ran the job, and Thalassa issues short-lived access in exchange. The tcloud iam workload-identity-federation bootstrap command is one piece of that puzzle.

IaaS controller: Manage Thalassa Cloud Infrastructure from Kubernetes

We’re launching the Thalassa Cloud IaaS Controller in beta. It is a Kubernetes controller that extends the API with Custom Resource Definitions (CRDs) for Thalassa Cloud Infrastructure as a Service. You define VPCs, subnets, NAT gateways, route tables and routes, security groups, target groups, and VPC peering connections as Kubernetes resources; the controller reconciles them against the Thalassa IaaS API so cloud state matches what you commit-kubectl, standard RBAC, and GitOps (Argo CD, Flux, and similar) all apply.