This information was originally presented at SUSECON 25 by Matt Butcher, CEO of Fermyon Technologies. Watch the full presentation on YouTube.
The cloud computing landscape has evolved through distinct phases: from one-to-one hardware-OS relationships, to virtual machines enabling multiple operating systems per machine, to containers providing lightweight process isolation. Today, we're witnessing the emergence of a fourth paradigm, WebAssembly (Wasm) in the cloud, which is perfectly suited for serverless workloads on Kubernetes.
Traditional serverless
While containers revolutionized how we package and deploy long-running services like NGINX, PostgreSQL, and API servers, they fall short for serverless workloads. Both virtual machines and containers suffer from the same fundamental limitation: startup times of 12+ seconds, sometimes stretching into minutes.
This latency makes true serverless difficult to achieve. Current solutions like AWS Lambda and Azure Functions work around this by maintaining huge queues of pre-warmed virtual machines. This is hardly an efficient approach for handling event-driven workloads where requests should trigger handlers that start, execute, and shut down quickly.
Why WebAssembly is perfect for serverless
WebAssembly wasn't originally designed for the cloud, but its browser-oriented features make it ideal for serverless functions:
- Security-first environment: Web browsers are arguably our most trusted software. WebAssembly's sandbox environment is even more secure than JavaScript's, using a capability-based system where you can selectively enable or disable features. This is perfect for multi-tenant cloud environments where isolation is critical.
- Lightning-fast cold starts: WebAssembly was designed for instant execution. In our testing, we've achieved 0.5 millisecond cold start times, compared to AWS Lambda's 100–500 millisecond cold starts. This enables running thousands of applications per node simultaneously.
- Write once, run anywhere: Unlike Docker images that require separate builds for ARM and Intel architectures, WebAssembly binaries are truly portable. The same binary runs across any operating system and architecture.
- Language-agnostic: Approximately 23 of the top 25 programming languages support WebAssembly compilation.
Introducing Spin and SpinKube
We've built two complementary tools to bring WebAssembly into Kubernetes:
- Spin: The developer framework for building serverless functions with built-in bindings for key-value storage, relational databases, AI inferencing, and more
- SpinKube: The Kubernetes operator that runs Spin applications natively in your cluster
Both Spin and SpinKube are now part of the Cloud Native Computing Foundation (CNCF), officially accepted in January 2025.
How SpinKube integrates with Kubernetes
SpinKube isn't just another container runtime — it's fully integrated into the Kubernetes ecosystem. When you deploy a Spin application, the SpinKube operator:
- Listens for SpinApp resources
- Converts them to standard Kubernetes Deployments
- Creates ReplicaSets and Pods as usual
- Integrates with containerd via a WebAssembly shim
- Executes Wasm binaries instead of containers
This means all your existing Kubernetes tools, volumes, secrets, ConfigMaps, and SSL certificates work seamlessly with WebAssembly workloads.
Getting started with Rancher Desktop
The easiest way to try SpinKube is with Rancher Desktop, which includes built-in support:
- Enable containerd: In Preferences, select containerd and enable "WebAssembly (wasm) support"
- Install SpinKube: In Preferences, check "Install Spin operator"
- Restart: Let Rancher Desktop restart to apply changes
Building your first Spin application
1. Create a new project
spin new
# Select template: http-ts (TypeScript HTTP handler)
# Project name: hello-kubecon
# Description: Hello KubeCon demo
# HTTP path: /...2. Build the application
cd hello-kubecon
spin buildThis compiles your TypeScript into a WebAssembly binary ready for deployment.
3. Deploy to Kubernetes
# Push to OCI registry
spin registry push ttl.sh/hello-kubecon:1h
# Deploy to Kubernetes
spin kube deploy4. Test your function
# Port forward to access locally
kubectl port-forward svc/hello-kubecon 8080:80
# Test the endpoint
curl localhost:8080The power of integration
What makes this approach compelling is that SpinKube applications are first-class Kubernetes citizens.
# Standard Kubernetes commands work
kubectl get spinapp
kubectl get deployment
kubectl get pods
kubectl get services
# Delete the application
kubectl delete spinapp hello-kubeconPerformance benefits
The performance characteristics of WebAssembly in Kubernetes are remarkable:
- 0.5 ms cold start time vs. 100-500 ms for traditional serverless
- Thousands of concurrent functions per node
- Efficient scaling up and down based on demand
- Better resource utilization on both small embedded devices and large clusters
Next steps
Ready to explore serverless WebAssembly on Kubernetes? Here's how to get started:
- Documentation: spinframework.dev
- Source code: github.com/spinframework/spin
- Community: Join the CNCF Slack #spin and #spinkube channels
- Try it: Download Rancher Desktop and follow the setup guide above
Tags
