Bootstrap workload identity with tcloud. GitHub, GitLab, and Kubernetes

security iam
2026-03-24
By Thalassa Cloud

We want to eliminate static secrets wherever it is practical. Long-lived tokens in Git variables, copied into Terraform backends, or baked into cluster manifests rot slowly, leak easily, and rarely map cleanly to who actually called the API. Workload identity federation is a better default: a platform OIDC identity proves this pipeline or this service account ran the job, and Thalassa issues short-lived access in exchange. The tcloud iam workload-identity-federation bootstrap command is one piece of that puzzle.

Latest Posts

IaaS controller: Manage Thalassa Cloud Infrastructure from Kubernetes

We’re launching the Thalassa Cloud IaaS Controller in beta. It is a Kubernetes controller that extends the Kubernetes API with Custom Resource Definitions (CRDs) for Thalassa Cloud Infrastructure as a Service. You define VPCs, subnets, NAT gateways, route tables and routes, security groups, target groups, and VPC peering connections as Kubernetes resources; the controller reconciles them against the Thalassa IaaS API so cloud state matches what you commit. kubectl, standard RBAC, and GitOps (Argo CD, Flux, and similar) all apply.

Running WASM on Thalassa Kubernetes Service with RuntimeClass

We’ve added WebAssembly (WASM) support to our Kubernetes service. A RuntimeClass for WASM is automatically provisioned on every cluster, so you can run WASM workloads alongside your containers without any extra setup. This post explains how it works and how to use it. Why run WASM on Kubernetes? WebAssembly gives you a portable, sandboxed execution environment. WASM modules are typically much smaller than container images, start very quickly, and run with strong isolation.

Kubernetes v1.35 Available on Thalassa Kubernetes Service

We’re announcing two new Kubernetes releases in Thalassa Cloud: v1.35.1-0 and v1.34.3-0. These releases include various patches and upgrades of the container runtime, Kubernetes, Cilium and more. Available Versions: v1.35.1-0 release notes; v1.34.3-0 documentation; tcloud kubernetes upgrade. The tcloud kubernetes versions command lists all available Kubernetes versions in Thalassa Cloud, along with their component versions and release information. Refer to this table to select a version for new deployments or to confirm that runc 1.

Quickly launching Kubernetes clusters

As we continue launching and introducing new cloud services, we have recently been receiving feedback that it can be overwhelming to quickly try out our platform. You need familiarity with other cloud platforms such as AWS or Azure to fully understand the services we are offering. This makes sense, as we are building an alternative to the hyperscaler clouds, so we focus on building blocks, APIs and tight service integrations. But because we also love to make things easy to just try out and see what we have, without having to set up a Terraform project or do a lot of clickops work, we are happy to introduce a new feature that allows people to quickly launch a preconfigured environment with a Kubernetes cluster and other infrastructure.

Kubernetes v1.34.2-0 and v1.33.6-0: Security Fixes and Component Updates

We’re announcing two new Kubernetes releases in Thalassa Cloud: v1.34.2-0 and v1.33.6-0. These releases include security fixes that address high-severity vulnerabilities in runc, along with important component updates and stability improvements. Critical Security Fixes: both releases include runc 1.3.3, which fixes three high-severity security vulnerabilities: CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881. These vulnerabilities could allow full container breakouts by bypassing runc’s restrictions for writing to arbitrary /proc files. We recommend upgrading your clusters to these versions as soon as possible to mitigate these security risks.

Why Node Pool Autoscaling Matters for Your Infrastructure

Running Kubernetes clusters often means balancing two competing priorities: ensuring your workloads have enough resources to perform well, and not overspending on idle infrastructure. Node Pool Autoscaling solves this by automatically adjusting your node pool size based on actual demand. What it solves: autoscaling directly addresses two key challenges, both related to how efficiently you use your infrastructure resources. 1. The Cost Problem: without autoscaling, you typically size your node pools for peak demand.