Thalassa Cloud Thalassa Cloud
Sign in Sign up

CVE-2026-31431 (Copy Fail): patched Kubernetes images on Thalassa Cloud

kubernetes security
2026-05-01
By Thalassa Cloud

CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation affecting a wide range of kernels from 2017 until distributors ship the fix. On Kubernetes Clusters that may execute potentially malicious workloads (i.g. third party container images), the vulnerability may facilitate container escape scenarios (from a pod to the host). Utilising microVMs or other isolated runtime classes may mitigate impact. Thalassa Cloud Kubernetes images v1.34.7-1 and v1.35.4-1 include kernel module updates that address CVE-2026-31431 by applying the recommended mitigation from Canonical for Ubuntu.

Read article

Latest Posts

CVE-2026-31431 (Copy Fail): patched Kubernetes images on Thalassa Cloud

2026-05-01
CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation affecting a wide range of kernels from 2017 until distributors ship the fix. On Kubernetes Clusters that may execute potentially malicious workloads (i.g. third party container images), the vulnerability may facilitate container escape scenarios (from a pod to the host). Utilising microVMs or other isolated runtime classes may mitigate impact. Thalassa Cloud Kubernetes images v1.34.7-1 and v1.35.4-1 include kernel module updates that address CVE-2026-31431 by applying the recommended mitigation from Canonical for Ubuntu.

Bootstrap workload identity with tcloud. GitHub, GitLab, and Kubernetes

2026-03-24
We want to eliminate static secrets wherever it is practical. Long-lived tokens in Git variables, copied into Terraform backends, or baked into cluster manifests rot slowly, leak easily, and rarely map cleanly to who actually called the API. Workload identity federation is a better default: a platform OIDC identity proves this pipeline or this service account ran the job, and Thalassa issues short-lived access in exchange. The tcloud iam workload-identity-federation bootstrap command is one piece of that puzzle.

Kubernetes v1.34.2-0 and v1.33.6-0: Security Fixes and Component Updates

2025-11-17
We’re announcing two new Kubernetes releases in Thalassa Cloud: v1.34.2-0 and v1.33.6-0. These releases include security fixes that address high-severity vulnerabilities in runc, along with important component updates and stability improvements. Critical Security Fixes Both releases include runc 1.3.3, which fixes three high-severity security vulnerabilities: CVE-2025-31133 CVE-2025-52565 CVE-2025-52881 These vulnerabilities could allow full container breakouts by bypassing runc’s restrictions for writing to arbitrary /proc files. We recommend upgrading your clusters to these versions as soon as possible to mitigate these security risks.

Introducing VPC Peering on Thalassa Cloud

2025-11-08
We are excited to announce the availability of VPC Peering on Thalassa Cloud. This feature lets you connect Virtual Private Clouds (VPCs) securely though our private network, enabling private network communication between VPCs without using the public internet or Site-to-Sites. It works across organisation accounts. Private Network Connections VPC Peering creates a direct network connection between two VPCs. Traffic between peered VPCs stays on the private network and never touches the public internet, providing secure, low-latency communication between your VPCs.

Introducing Service Accounts in Thalassa Cloud

2025-10-10
Service accounts are non‑human identities designed for automated systems, applications, and integrations. In Thalassa Cloud, they are organisation‑level principals with their own roles and one or more access credentials. Use them for CI/CD pipelines, controllers, monitoring, provisioning, or any workload that needs programmatic access. Service accounts separate machine access from human users, enabling least‑privilege policies, independent credential rotation, and clean audit trails. Each service account can hold multiple credentials, so you can rotate keys with zero downtime.

Pod Security Standards: Practical Hardening for Kubernetes

2025-09-29
Pod Security Standards (PSS) are a low‑friction way to harden clusters by default. With Pod Security Admission (PSA), you can enforce least‑privilege at the namespace level and prevent risky pods from ever being created. It’s simple, auditable, and fits cleanly into GitOps. Improving your security posture Implementing Pod Security Standards is crucial as it helps reduce the blast radius by blocking privilege escalation and host-level access. It allows teams to catch misconfigurations early during the admission phase rather than after deployments, ensuring issues are addressed promptly.

VPC‑Only Access for Kubernetes Clusters

2025-09-20
We’ve added support for VPC‑only access to Kubernetes control planes. When enabled, the cluster’s public API endpoint is disabled and the Kubernetes API is reachable only from within your Virtual Private Cloud. This helps teams meet stricter security and compliance requirements without sacrificing operational access. VPC-only access is valuable for DevOps teams because it boosts security by removing the internet-facing API endpoint, which reduces the attack surface. It also makes network rules and identity limits clearer by using your VPC as the boundary.