Skip to main content
VESSL Cloud manages a layered software stack for Container Compute Services (Workspaces and Jobs). This page describes which components VESSL Cloud is responsible for, which components Customer is responsible for, and how security patching is handled.

Components VESSL Cloud manages

LayerComponent
ClusterKubernetes control plane and worker nodes
Node OSCloud provider’s GPU-optimized image (patched by the underlying cloud provider)
Container runtimecontainerd, provided through the node OS
GPU stackNVIDIA driver, CUDA libraries, and the NVIDIA GPU Operator
PlatformVESSL Cloud control plane, agents, and monitoring components
The Region(s) in which these components run are determined by the Cluster selected when launching a workload.

VESSL Cloud-provided base images

VESSL Cloud publishes prebuilt container images you can use as a starting point for your Workspaces and Jobs.
Image familyDescriptionExample tag
Python (CPU)Slim Python base for CPU workloadsquay.io/vessl-ai/python:3.13-slim
CUDA + PythonCUDA toolkit and Python, no ML frameworkquay.io/vessl-ai/cuda:13.0.1-py3.13-slim
PyTorchPyTorch on CUDA, ready for training and inferencequay.io/vessl-ai/torch:2.9.1-cuda13.0.1-py3.13-slim
Each family ships in multiple CUDA × Python version combinations. The available variants are shown in the image selector when you create a Workspace or Job. Updates to these images are announced in the changelog. You can also bring your own container images. Responsibility for Customer-supplied images is governed by the Container Compute service terms.

Shared responsibility for security patching

ComponentPatched by
Kubernetes control planeVESSL Cloud (with the underlying cloud provider)
Worker node OSCloud provider, applied by VESSL Cloud
Container runtime (containerd)VESSL Cloud
NVIDIA driver and CUDA librariesVESSL Cloud
VESSL Cloud platform componentsVESSL Cloud
Customer-supplied container imagesCustomer
Application code, libraries, and dependencies inside Customer ImagesCustomer
User-installed packages inside a running containerCustomer
If your workload uses a Customer-supplied container image, you are responsible for keeping that image up to date. VESSL Cloud does not modify Customer Images.

Security patching

VESSL Cloud applies security patches to the components listed above. Severity-based response times, advance notice for disruptive patches, and notification procedures are set forth in the SLA. Notable stack updates, including new VESSL Cloud-provided base images, are announced in the changelog.