Running Serverless Wasm Functions on the Edge with k3s and SpinKube
Originally presented at SUSECON 25 by Matt Butcher, CEO of Fermyon Technologies. Watch the full presentation on YouTube.
The cloud computing landscape has evolved through distinct phases: from one-to-one hardware-OS relationships, to virtual machines enabling multiple operating systems per machine, to containers providing lightweight process isolation. Today, we’re witnessing the emergence of a fourth paradigm: WebAssembly (Wasm) in the cloud — and it’s perfectly suited for serverless workloads on Kubernetes.
Traditional Serverless
While containers revolutionized how we package and deploy long-running services like NGINX, PostgreSQL, and API servers, they fall short for serverless workloads. Both virtual machines and containers suffer from the same fundamental limitation: startup times of 12+ seconds, sometimes stretching into minutes.
This latency makes true serverless difficult to achieve. Current solutions like AWS Lambda and Azure Functions work around this by maintaining huge queues of pre-warmed virtual machines — hardly an efficient approach for handling event-driven workloads where requests should trigger handlers that start, execute, and shut down quickly.
Why WebAssembly is Perfect for Serverless
WebAssembly wasn’t originally designed for the cloud, but its browser-oriented features make it ideal for serverless functions:
-
Security First
Web browsers are arguably our most trusted software — we visit countless websites daily without worrying about system crashes. WebAssembly’s sandbox environment is even more secure than JavaScript’s, using a capability-based system where you can selectively enable or disable features. This is perfect for multi-tenant cloud environments where isolation is critical. -
Lightning-Fast Cold Starts
While Google’s research shows user attention begins to wane after 100 milliseconds of inactivity, WebAssembly was designed for instant execution. In our testing, we’ve achieved 0.5 millisecond cold start times — compared to AWS Lambda’s 100-500 millisecond cold starts. This enables running thousands of applications per node simultaneously. -
Write Once, Run Anywhere
Unlike Docker images that require separate builds for ARM and Intel architectures, WebAssembly binaries are truly portable. The same binary runs across any operating system and architecture — including GPUs for AI inferencing workloads. -
Language Agnostic
About 23 of the top 25 programming languages (according to RedMonk) support WebAssembly compilation. Whether you’re writing in Rust, JavaScript, Python, Ruby, or Go, everything compiles to the same binary format.
Introducing Spin and SpinKube
We’ve built two complementary tools to bring WebAssembly into Kubernetes:
- Spin: The developer framework for building serverless functions with built-in bindings for key-value storage, relational databases, AI inferencing, and more
- SpinKube: The Kubernetes operator that runs Spin applications natively in your cluster
Both Spin and SpinKube are now part of the Cloud Native Computing Foundation (CNCF), officially accepted in January 2025. This ensures long-term sustainability and community-driven development.
How SpinKube Integrates with Kubernetes
SpinKube isn’t just another container runtime — it’s fully integrated into the Kubernetes ecosystem. When you deploy a Spin application:
- The SpinKube operator listens for
SpinAppresources - Converts them to standard Kubernetes
Deployments - Creates
ReplicaSetsandPodsas usual - Integrates with containerd via a WebAssembly shim
- Executes Wasm binaries instead of containers
This means all your existing Kubernetes tools, volumes, secrets, config maps, and SSL certificates work seamlessly with WebAssembly workloads.
Getting Started with Rancher Desktop
The easiest way to try SpinKube is with Rancher Desktop, which includes built-in support:
- Enable containerd: In Preferences → Container Engine, select containerd and enable “WebAssembly (wasm) support”
- Install SpinKube: In Preferences → Kubernetes, check “Install Spin operator”
- Restart: Let Rancher Desktop restart to apply changes
Building Your First Spin Application
Here’s how to create and deploy a simple serverless function:
1. Create a New Project
spin new
# Select template: http-ts (TypeScript HTTP handler)
# Project name: hello-kubecon
# Description: Hello KubeCon demo
# HTTP path: /... (handles all routes under /)
2. Build the Application
cd hello-kubecon
spin build
This compiles your TypeScript into a WebAssembly binary ready for deployment.
3. Deploy to Kubernetes
# Push to OCI registry
spin registry push ttl.sh/hello-kubecon:1h
# Deploy to Kubernetes
spin kube deploy
4. Test Your Function
# Port forward to access locally
kubectl port-forward svc/hello-kubecon 8080:80
# Test the endpoint
curl localhost:8080
The Power of Integration
What makes this approach compelling is that SpinKube applications are first-class Kubernetes citizens:
# Standard Kubernetes commands work
kubectl get spinapp
kubectl get deployment
kubectl get pods
kubectl get services
# Delete the application
kubectl delete spinapp hello-kubecon
Performance Benefits
The performance characteristics of WebAssembly in Kubernetes are remarkable:
- 0.5ms cold start time vs. 100-500ms for traditional serverless
- Thousands of concurrent functions per node
- Efficient scaling up and down based on demand
- Better resource utilization on both small embedded devices and large clusters
Next Steps
Ready to explore serverless WebAssembly on Kubernetes? Here’s how to get started:
- Documentation: spinframework.dev
- Source Code: github.com/spinframework/spin
- Community: Join the CNCF Slack #spin and #spinkube channels
- Try It: Download Rancher Desktop and follow the setup guide above
You can watch the full presentation on YouTube.
