TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
 
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
NEW! Try Stackie AI
Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage
Why WebAssembly won't replace Kubernetes but makes Helm more secure
Mar 21st 2026 8:45am, by B. Cameron Gain
Why the ‘glorified host’ for AI is exactly the Kubernetes we need
Mar 20th 2026 9:00am, by Danielle Cook
Linux kernel scale is swamping an already-flawed CVE system
Mar 20th 2026 4:30am, by Jed Salazar
Sampling: the philosopher's stone of distributed tracing
Mar 19th 2026 8:00am, by Michele Mancioppi
What is KubeVirt and why it’s growing
Mar 17th 2026 9:00am, by Tiago Castro
How to deploy Pi-Hole with Docker and stop ads on every device on your LAN
Mar 23rd 2026 7:44am, by Jack Wallen
Chainguard has a fix for the open source packages your AI agents keep grabbing
Mar 18th 2026 9:24am, by Darryl K. Taft
Chainguard thinks most DevOps teams are solving container security the hard way
Mar 17th 2026 1:04pm, by Steven J. Vaughan-Nichols
How to deploy an AI server on your Debian/Ubuntu server
Mar 10th 2026 11:00am, by Jack Wallen
NanoClaw can stuff each AI agent into its own Docker container to deal with OpenClaw's security mess
Mar 7th 2026 10:00am, by David Eastman
Scaling Btrfs to petabytes in production: a 74% cost reduction story
Mar 18th 2026 5:00am, by Motiejus Jakštys
The “files are all you need” debate misses what's actually happening in agent memory architecture
Mar 13th 2026 5:00am, by Mikiko Bazeley
With GridGain acquisition, MariaDB bets on in-memory computing and Apache Ignite
Mar 10th 2026 6:47am, by Paul Sawers
Moving AI apps from prototype to production requires enterprise-grade postgres infrastructure
Mar 9th 2026 7:00am, by Meredith Shubel
Why the "bible" of data systems is getting a massive rewrite for 2026
Mar 4th 2026 5:00am, by Cynthia Dunlop
Developers are coding to a moving target, and nobody knows where AI lands next
Mar 3rd 2026 7:33am, by Adrian Bridgwater
Cloudflare’s new Markdown support shows how the web is evolving for AI agents
Mar 2nd 2026 4:30am, by David Eastman
React Server Components Vulnerability Found
Dec 6th 2025 7:00am, by Loraine Lawson
Kubernetes at the Edge: Lessons From GE HealthCare’s Edge Strategy
Nov 24th 2025 10:00am, by Vicki Walker
Building a Cloud-to-Edge Architecture Across 40K Global Locations
Nov 20th 2025 10:00am, by Vicki Walker
Why "automated" infrastructure might cost more than you think
Feb 24th 2026 4:00am, by Justyn Roberts
Why 40% of AI projects will be canceled by 2027 (and how to stay in the other 60%)
Feb 13th 2026 6:00am, by Alex Drag
Durable Execution: Build reliable software in an unreliable world
Feb 2nd 2026 3:23pm, by Charles Humble
Terraform challenger Formae expands to more clouds
Jan 28th 2026 6:00am, by Joab Jackson
IBM HashiCorp 'Sunsets' Terraform's External Language Support
Dec 12th 2025 2:00pm, by Joab Jackson
Linux kernel scale is swamping an already-flawed CVE system
Mar 20th 2026 4:30am, by Jed Salazar
Scaling Btrfs to petabytes in production: a 74% cost reduction story
Mar 18th 2026 5:00am, by Motiejus Jakštys
Chainguard thinks most DevOps teams are solving container security the hard way
Mar 17th 2026 1:04pm, by Steven J. Vaughan-Nichols
Tromjaro is a free-trade Linux distribution with plenty to offer
Mar 14th 2026 11:00am, by Jack Wallen
Google will soon bring Chrome to ARM64 Linux
Mar 12th 2026 1:00pm, by Frederic Lardinois
Tetrate launches open source marketplace to simplify Envoy adoption
Mar 11th 2026 10:52am, by Adrian Bridgwater
OpenTelemetry roadmap: Sampling rates and collector improvements ahead
Feb 24th 2026 11:00am, by B. Cameron Gain
Merging To Test Is Killing Your Microservices Velocity
Dec 16th 2025 7:00am, by Arjun Iyer
IBM’s Confluent Acquisition Is About Event-Driven AI
Dec 11th 2025 6:00am, by Joab Jackson
Deploy Agentic AI Workflows With Kubernetes and Terraform
Nov 26th 2025 9:00am, by Oladimeji Sowole
China is winning the open source AI race — but a US company still controls everything underneath
Mar 20th 2026 10:46am, by Paul Sawers
From pillars to platform: How open observability data is changing the industry
Mar 20th 2026 6:00am, by Ted Young
Chainguard has a fix for the open source packages your AI agents keep grabbing
Mar 18th 2026 9:24am, by Darryl K. Taft
Chainguard thinks most DevOps teams are solving container security the hard way
Mar 17th 2026 1:04pm, by Steven J. Vaughan-Nichols
GitHub Copilot's effect on collaboration has stunned researchers
Mar 17th 2026 11:42am, by Steven J. Vaughan-Nichols
How to deploy Pi-Hole with Docker and stop ads on every device on your LAN
Mar 23rd 2026 7:44am, by Jack Wallen
Why flat Kubernetes networks fail at scale
Mar 20th 2026 7:00am, by Reza Ramezanpour
GSMA Open Gateway offers developers one API for 300+ mobile networks
Mar 4th 2026 10:26am, by Adrian Bridgwater
How Homepage simplifies monitoring your self-hosted services
Feb 6th 2026 8:00am, by Jack Wallen
S3 is the new network: Rethinking data architecture for the cloud era
Feb 2nd 2026 4:00am, by Max Liu
Scaling Btrfs to petabytes in production: a 74% cost reduction story
Mar 18th 2026 5:00am, by Motiejus Jakštys
What is KubeVirt and why it’s growing
Mar 17th 2026 9:00am, by Tiago Castro
S3 is the new network: Rethinking data architecture for the cloud era
Feb 2nd 2026 4:00am, by Max Liu
Agoda’s secret to 50x scale: Getting the database basics right
Jan 28th 2026 7:00am, by Cynthia Dunlop
Chainguard EmeritOSS backs MinIO, other orphaned projects
Jan 27th 2026 6:15am, by Steven J. Vaughan-Nichols
AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly
China is winning the open source AI race — but a US company still controls everything underneath
Mar 20th 2026 10:46am, by
Cursor's Composer 2 beats Opus 4.6 on coding benchmarks at a fraction of the price
Mar 19th 2026 8:39am, by
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by
OpenAI's GPT-5.4 mini and nano are built for the subagent era
Mar 17th 2026 11:57am, by
GitHub Copilot's effect on collaboration has stunned researchers
Mar 17th 2026 11:42am, by
What a security audit of 22,511 AI coding skills found lurking in the code
Mar 22nd 2026 7:00am, by
Will AI force code to evolve or make it extinct?
Mar 22nd 2026 6:00am, by
AI can write your infrastructure code. There's a reason most teams won't let it.
Mar 20th 2026 1:18pm, by
Jellyfish AI development study: The real sting has yet to land
Mar 19th 2026 11:01am, by
Sauce Labs wants to solve an AI-created problem nobody wanted to work on
Mar 18th 2026 9:19am, by
MCP is everywhere, but don't panic. Here's why your existing APIs still matter.
Mar 23rd 2026 5:00am, by and
Before you let AI agents loose, you’d better know what they’re capable of
Mar 12th 2026 1:22pm, by
GSMA Open Gateway offers developers one API for 300+ mobile networks
Mar 4th 2026 10:26am, by
Your AI strategy is built on layers of API sediment
Feb 17th 2026 9:37am, by
Solving the Problems That Accompany API Sprawl With AI
Jan 15th 2026 1:00pm, by
Backend Development in 2026: What's Changed, What Matters, and What to Learn Next
Mar 19th 2026 11:37am, by
How To Get DNS Right: A Guide to Common Failure Modes
Dec 24th 2025 8:00am, by and
Combining Rust and Python for High-Performance AI Systems
Dec 3rd 2025 1:00pm, by
How MCP Uses Streamable HTTP for Real-Time AI Tool Interaction
Aug 18th 2025 10:34am, by
A Backend for Frontend: Watt for Node.js Simplifies Operations
Aug 14th 2025 6:00am, by
Ex-Snowflake engineers say there's a blind spot in data engineering — so they built Tower to fix it
Mar 15th 2026 7:00am, by
Why the "bible" of data systems is getting a massive rewrite for 2026
Mar 4th 2026 5:00am, by
How to clone a drive to an image with Clonezilla
Mar 3rd 2026 1:00pm, by
Databases weren’t built for agent sprawl – SurrealDB wants to fix it
Feb 24th 2026 2:07pm, by
How to ground AI agents in accurate, context-rich data
Feb 13th 2026 5:00am, by
WebMCP turns any Chrome web page into an MCP server for AI agents
Mar 17th 2026 11:50am, by
Confluent adds A2A support, anomaly detection, and Queues for Kafka in major platform update
Mar 3rd 2026 10:21am, by
Google's Chrome browser moves to a two-week release cycle
Mar 3rd 2026 9:00am, by
Meta gave React its own foundation. But it's not letting go just yet.
Mar 3rd 2026 4:00am, by
The shift left hangover: Why modern platforms are shifting down to cure developer fatigue
Jan 30th 2026 6:22pm, by
Andrej Karpathy's 630-line Python script ran 50 experiments overnight without any human input
Mar 14th 2026 5:00am, by
"Self-healing" IT? HPE research explores how AI-trained models can catch silent infrastructure failures
Mar 11th 2026 9:37am, by
How context rot drags down AI and LLM results for enterprises, and how to fix it
Mar 9th 2026 9:00am, by
Snowflake Cortex Code CLI adds dbt and Apache Airflow support for AI-powered data pipelines
Mar 8th 2026 6:00am, by
Prompting vs. RAG vs. fine-tuning: Why it’s not a ladder
Jan 29th 2026 10:00am, by
What a security audit of 22,511 AI coding skills found lurking in the code
Mar 22nd 2026 7:00am, by
Why WebAssembly won't replace Kubernetes but makes Helm more secure
Mar 21st 2026 8:45am, by
Why flat Kubernetes networks fail at scale
Mar 20th 2026 7:00am, by
Linux kernel scale is swamping an already-flawed CVE system
Mar 20th 2026 4:30am, by
Chainguard has a fix for the open source packages your AI agents keep grabbing
Mar 18th 2026 9:24am, by
Will AI force code to evolve or make it extinct?
Mar 22nd 2026 6:00am, by
Backend Development in 2026: What's Changed, What Matters, and What to Learn Next
Mar 19th 2026 11:37am, by
Jellyfish AI development study: The real sting has yet to land
Mar 19th 2026 11:01am, by
Sampling: the philosopher's stone of distributed tracing
Mar 19th 2026 8:00am, by
GitHub Copilot's effect on collaboration has stunned researchers
Mar 17th 2026 11:42am, by
How WebAssembly plugins simplify Kubernetes extensibility
Mar 3rd 2026 2:00pm, by
WebAssembly is everywhere. Here's how it works
Feb 25th 2026 11:00am, by
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by
How WebAssembly and Web Workers prevent UI freezes
Feb 7th 2026 9:00am, by
WebAssembly vs. JavaScript: Testing Side-by-Side Performance
Jan 20th 2026 9:00am, by
AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering
From pillars to platform: How open observability data is changing the industry
Mar 20th 2026 6:00am, by Ted Young
Building a Kubernetes-native pattern for AI infrastructure at scale
Mar 19th 2026 5:00am, by Sachi Desai
The AI blind spot debt: the hidden cost killing your innovation strategy
Mar 17th 2026 7:00am, by Yuval Fernbach
Why AI workloads are breaking traditional Kubernetes observability strategies
Mar 16th 2026 7:04am, by TNS Staff
A practical guide to the 6 categories of AI cloud infrastructure in 2026
Mar 15th 2026 5:00am, by Janakiram MSV
This simple infrastructure gap is holding back AI productivity
Feb 22nd 2026 8:00am, by Charlotte Fleming
Ramp’s Inspect shows closed-loop AI agents are software’s future
Jan 29th 2026 11:00am, by Arjun Iyer
QCon chat: Is agentic AI killing continuous integration?
Jan 27th 2026 6:00am, by Joab Jackson
Async Rust: Pinning demystified
Jan 26th 2026 11:00am, by Anshul Gupta
A security checklist for your React and Next.js apps
Jan 26th 2026 7:00am, by Crystal Morin
A practical guide to the 6 categories of AI cloud infrastructure in 2026
Mar 15th 2026 5:00am, by Janakiram MSV
Runpod report: Qwen has overtaken Meta's Llama as the most-deployed self-hosted LLM
Mar 12th 2026 6:00am, by Adrian Bridgwater
Snowflake Cortex Code CLI adds dbt and Apache Airflow support for AI-powered data pipelines
Mar 8th 2026 6:00am, by Jelani Harper
Databases weren’t built for agent sprawl – SurrealDB wants to fix it
Feb 24th 2026 2:07pm, by Paul Sawers
Rising identity complexity: How CISOs can prevent it from becoming an attacker’s roadmap
Feb 19th 2026 12:47pm, by Jay Reddy
One developer, team power: The future of AI-driven DevSecOps
Mar 5th 2026 2:29pm, by Bryan Ross
Observability platform migration guide: Prometheus, OpenTelemetry, and Fluent Bit
Feb 26th 2026 7:28am, by Katie Greenley
Most platform teams build products, but they don’t know it
Feb 24th 2026 9:00am, by Oleg Danilyuk
Why "automated" infrastructure might cost more than you think
Feb 24th 2026 4:00am, by Justyn Roberts
The essential shift every ITOps leader must make to survive an unrelenting stream of incidents
Feb 19th 2026 1:46pm, by Ariel Russo
Why WebAssembly won't replace Kubernetes but makes Helm more secure
Mar 21st 2026 8:45am, by B. Cameron Gain
Why the ‘glorified host’ for AI is exactly the Kubernetes we need
Mar 20th 2026 9:00am, by Danielle Cook
Why flat Kubernetes networks fail at scale
Mar 20th 2026 7:00am, by Reza Ramezanpour
Building a Kubernetes-native pattern for AI infrastructure at scale
Mar 19th 2026 5:00am, by Sachi Desai
What is KubeVirt and why it’s growing
Mar 17th 2026 9:00am, by Tiago Castro
From pillars to platform: How open observability data is changing the industry
Mar 20th 2026 6:00am, by Ted Young
Sampling: the philosopher's stone of distributed tracing
Mar 19th 2026 8:00am, by Michele Mancioppi
Why your observability bill keeps growing (and it's not your vendor's fault)
Mar 18th 2026 4:00am, by Juraci Paixão Kröhling
Why agentic AI stalls in production — and how a control plane fixes it
Mar 17th 2026 6:00am, by TNS Staff
Why AI workloads are breaking traditional Kubernetes observability strategies
Mar 16th 2026 7:04am, by TNS Staff
Cursor beats Opus at 10x less, Meta's agent goes rogue, and the 300-page Trump America AI Act
Mar 21st 2026 5:52am, by Matthew Burns
Jellyfish AI development study: The real sting has yet to land
Mar 19th 2026 11:01am, by Adrian Bridgwater
Managed OpenClaw bids to kill hidden token tax on AI agents
Mar 17th 2026 6:00am, by Adrian Bridgwater
Why AI systems are failing in familiar ways
Mar 14th 2026 1:00pm, by Steve Fenton
Andrej Karpathy's 630-line Python script ran 50 experiments overnight without any human input
Mar 14th 2026 5:00am, by Janakiram MSV
Capital One deprecated an AI tool it once championed. Its DevEx chief says that's the point.
Mar 18th 2026 8:02am, by Jennifer Riggins
From monolith to global mesh: How Uber standardized ML at scale
Mar 17th 2026 4:00am, by Eric Wang and Ying Zheng
Why enterprise software development needs air traffic control
Mar 4th 2026 2:35pm, by Emilio Salvador
Why traditional ITOps is failing to keep up with the unique nature of AI incidents
Mar 4th 2026 10:00am, by Kat Gaines
Cloud repatriation is hard. Here's how to build a self-service developer platform that works.
Mar 4th 2026 9:14am, by TNS Staff
C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript
Open source USearch library jumpstarts ScyllaDB vector search
Feb 5th 2026 12:00pm, by Jelani Harper
AWS WAF vs. Google Cloud Armor: A Multicloud Security Showdown
Nov 25th 2025 10:00am, by Advait Patel
Goodbye Dashboards: Agents Deliver Answers, Not Just Reports
Nov 23rd 2025 9:00am, by Ketan Karkhanis
Rust vs. C++: a Modern Take on Performance and Safety
Oct 22nd 2025 2:00pm, by Zziwa Raymond Ian
Building a Real-Time System Monitor in Rust Terminal
Oct 15th 2025 7:05am, by Tinega Onchari
OpenAI acquires Astral to bring open source Python developer tools to Codex — but details are still fuzzy
Mar 20th 2026 7:33am, by Meredith Shubel
Jellyfish AI development study: The real sting has yet to land
Mar 19th 2026 11:01am, by Adrian Bridgwater
Sauce Labs wants to solve an AI-created problem nobody wanted to work on
Mar 18th 2026 9:19am, by Frederic Lardinois
Capital One deprecated an AI tool it once championed. Its DevEx chief says that's the point.
Mar 18th 2026 8:02am, by Jennifer Riggins
Cursor built a fleet of security agents to solve a familiar frustration
Mar 16th 2026 11:17am, by Frederic Lardinois
Go Experts: 'I Don't Want to Maintain AI-Generated Code'
Sep 28th 2025 6:00am, by David Cassel
How To Run Kubernetes Commands in Go: Steps and Best Practices 
Jun 27th 2025 8:00am, by Sunny Yadav
Prepare Your Mac for Go Development
Apr 12th 2025 7:00am, by Damon M. Garn
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by Loraine Lawson
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by Darryl K. Taft
62% of enterprises now use Java to power AI apps
Feb 10th 2026 12:58pm, by Darryl K. Taft
BellSoft bets Java expertise can beat hardened container wave
Jan 26th 2026 3:00pm, by Darryl K. Taft
Java Developers Get Multiple Paths To Building AI Agents
Dec 26th 2025 7:02am, by Darryl K. Taft
Your Enterprise AI Strategy Must Start With Java, Not Python
Dec 22nd 2025 1:00pm, by Michael Coté
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
WebAssembly is everywhere. Here's how it works
Feb 25th 2026 11:00am, by Jessica Wachtel
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by Jessica Wachtel
Arcjet reaches v1.0, promises stable security for JavaScript apps
Feb 14th 2026 7:00am, by Darryl K. Taft
How WebAssembly and Web Workers prevent UI freezes
Feb 7th 2026 9:00am, by Jessica Wachtel
Will AI force code to evolve or make it extinct?
Mar 22nd 2026 6:00am, by David Cassel
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by Darryl K. Taft
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Nearly half of all companies now use Rust in production, survey finds
Mar 6th 2026 10:45am, by Darryl K. Taft
Statistical language R is making a comeback against Python
Feb 12th 2026 2:57pm, by Darryl K. Taft
OpenAI acquires Astral to bring open source Python developer tools to Codex — but details are still fuzzy
Mar 20th 2026 7:33am, by Meredith Shubel
Python virtual environments: isolation without the chaos
Feb 16th 2026 7:00am, by Jessica Wachtel
Statistical language R is making a comeback against Python
Feb 12th 2026 2:57pm, by Darryl K. Taft
Arcjet's Python SDK Embeds Security in Code
Jan 16th 2026 2:00pm, by Darryl K. Taft
2025: The Year of the Return of the Ada Programming Language?
Jan 14th 2026 4:00pm, by Darryl K. Taft
Nearly half of all companies now use Rust in production, survey finds
Mar 6th 2026 10:45am, by Darryl K. Taft
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by Jessica Wachtel
Open source USearch library jumpstarts ScyllaDB vector search
Feb 5th 2026 12:00pm, by Jelani Harper
The 'weird' things that happened when Clickhouse replaced C++ with Rust
Feb 4th 2026 7:26am, by B. Cameron Gain
Async Rust: Pinning demystified
Jan 26th 2026 11:00am, by Anshul Gupta
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Mastra empowers web devs to build AI agents in TypeScript
Jan 28th 2026 11:00am, by Loraine Lawson
Inferno Vet Creates Frontend Framework Built With AI in Mind
Dec 10th 2025 11:00am, by Loraine Lawson
JavaScript Utility Library Lodash Changing Governance Model
Nov 1st 2025 7:00am, by Loraine Lawson
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Cloud Native Ecosystem / Kubernetes / Security

Why WebAssembly won’t replace Kubernetes but makes Helm more secure

Helm 4 uses the Extism WebAssembly plugin to add sandboxed security and isolation to Kubernetes deployments without replacing the container orchestration platform.
Mar 21st, 2026 8:45am by
Featued image for: Why WebAssembly won’t replace Kubernetes but makes Helm more secure

My gut reaction has often been to compare WebAssembly to Kubernetes. Flash back to over four years ago: Then, I put this concept to the test by comparing WebAssembly to Kubernetes in an article.

Not long after the article’s publication, I attended a workshop generously hosted by Cosmonic to use the WebAssembly cloud and learn how to deploy applications with WasmCloud. I got my first hands-on experience with WebAssembly.

As Cosmonic CTO Bailey Hayes helped me play around with WasmCloud during the workshop, I really thought, “Wow, I can deploy things without having to change the underlying infrastructure, essentially anywhere I want, with just a CPU instruction set through a single endpoint.” I did that by setting up microservices with WebAssembly, in that case with WasmCloud, all simultaneously with just one command line. Boom — it was there everywhere. I thought, “Well, maybe that could be something. Isn’t that what Kubernetes is supposed to do? Plus, it’s simple.”

As I learned more about WebAssembly, I realized that wasn’t really the case — they are two different things. Still, I had that inkling in the back of my head. Then came Helm, supporting WebAssembly modules directly. I thought, “Oh, here we go again. We can run WebAssembly modules with Helm; maybe we won’t need Kubernetes.” Wrong again.

This has been part of my learning journey, but it helped me realize that now, with Helm 4 supporting direct WebAssembly modules thanks to the Extism WebAssembly plugin, the isolation previously missing in Helm 3 is provided. You can implement many policy considerations, multi-language elements, and other features in these modules and deploy them on Kubernetes.

So no, WebAssembly is not going to replace Kubernetes, and that is missing the point of the concept: WebAssembly is almost always an extender of existing systems. In this case, you use WebAssembly through Helm to deploy, manage, and distribute workloads to a theoretically infinite number of endpoints that can run a CPU instruction on Kubernetes.

That was the topic of the talk “Helm Meets WebAssembly: Secure Extensibility Without Replacing Kubernetes,” which I gave this week in Barcelona at the Wasm I/O conference as the co-presenter with Shivay Lamba. Lamba had to cancel his trip due to geopolitical issues that disrupted his flight from India, but delivered his part of the talk via video.

As Lamba said during his talk, the Existim plugin provides a lightweight framework for building WebAssembly-based systems. To lock these rules in place, instead of simply running the code, Helm 4 uses a built-in tool — with the help of Extism — to instantly build an invisible, isolated sandbox inside of its own system. Helm then drops the plugin’s code into this safe box. In this environment, the plugin is completely blind and disconnected from the actual computer, Lamba said.

“Helm takes the command you have typed, packages the data up safely, and slides it into the sandbox to be executed so the plugin can start working. Since the plugin is isolated, it cannot directly touch your computer’s hard drive or the internet,” Lamba said. “If the plugin needs to download a file to do its job, it must formally ask the host function standing outside of the sandbox. If the security rules specify that the plugin is allowed to download a file from github.com, then the host guard will go out.”

However, if the plugin tries to access something that it does not have permission to reach, the guard will immediately block it, Lamba said. “Once the plugin finishes its work, it packages up the final result and sends it back to Helm. As soon as Helm gets the result, it immediately destroys the sandbox — which is the WebAssembly module — and wipes out any temporary files that the plugin was using,” Lamba said. “In this way, with the help of Extism, Helm ensures that plugins only get what they need to do their jobs and absolutely nothing more.”

Little protection, big protection

My demo partially failed. I did manage to show with Helm 3, the WebAssembly plugin (Extism in this case) is not “sandboxed.” A simple script with my full permissions that lists my home directory and other info is listed. Obviously, you do not want that.

It’s an unbounded security risk:

The “executable not found” error is exactly why the Extism provided protection is so important. Helm 4 refuses to run the plugin because it can’t find the secure sandbox runner.

It would rather fail than run the code insecurely:

Once I restored the secure path, the “guard” went back up and protected the system:

There you have it. Our talk shows how and why the Extism Wasm plugin improves supply chain and runtime security through mandatory signing and verification, clearer provenance, while still keeping Helm “batteries included” for default behavior.

Again, no, it is not going to help WebAssembly replace Kubernetes, but it will help make Kubernetes through Helm more secure and computationally efficient.

TRENDING STORIES
Group Created with Sketch.
BC Gain is founder and principal analyst for ReveCom Media. His obsession with computers began when he hacked a Space Invaders console to play all day for 25 cents at the local video arcade in the early 1980s. He then...
Read more from B. Cameron Gain
SHARE THIS STORY
TRENDING STORIES
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.