CNCF Rust Projects Analysis
Executive Summary
The CNCF ecosystem has embraced Rust for its performance, memory safety, and reliability characteristics. This report identifies 24 CNCF projects utilizing Rust, categorized by whether they are pure Rust implementations (>89% Rust) or projects with Rust components.
Pure Rust Projects (11):
- Graduated: TiKV (24.8M LOC)
- Incubating: wasmCloud (122 crates)
- Sandbox: Tremor (4.4M), KCL (3.8M), Hyperlight (1.7M), bootc (1.7M), Youki (1.6M), kube-rs (1.2M), bpfman (949k), Akri (944k), Kuasar (914k), Parsec (892k)
Projects with Rust Components (13):
- Graduated: Linkerd, containerd, Dragonfly, Istio, Falco, TUF, in-toto
- Incubating: OpenTelemetry, Chaos Mesh
- Sandbox: Keylime, Confidential Containers, Kubewarden, Drasi, Inspektor Gadget
Overview
This report analyzes Rust adoption within the Cloud Native Computing Foundation (CNCF) landscape. Data is sourced from the official @cncf/landscape repository, which serves as the single source of truth for CNCF projects. The analysis categorizes projects by their CNCF maturity level: Graduated, Incubating, and Sandbox.
All project data sourced from @cncf/landscape - landscape.yml (December 2025)
Key Findings
| Metric | Value | Notes |
|---|---|---|
| Total CNCF Rust Projects | 24 | Official CNCF projects only |
| Pure Rust Projects | 11 | >89% Rust in primary codebase |
| Rust Component Projects | 13 | Significant Rust components or SDKs |
| Graduated | 8 | 1 pure Rust, 7 with Rust components |
| Incubating | 3 | 1 pure Rust, 2 with Rust components |
| Sandbox | 16 | 10 pure Rust, 6 with Rust components |
| First Accepted | 2017-01-23 | Linkerd |
| Most Recent | 2025-04-15 | Hyperlight |
Rust Lines of Code Summary
| Project | Type | Rust LOC | Rust % |
|---|---|---|---|
| TiKV | Pure Rust | 24,814,809 | 100% |
| Tremor | Pure Rust | 4,387,511 | 97% |
| Dragonfly (nydus+client) | Components | 3,941,080 | - |
| KCL | Pure Rust | 3,757,632 | 98% |
| Hyperlight | Pure Rust | 1,720,988 | 94% |
| bootc | Pure Rust | 1,694,355 | 94% |
| Youki | Pure Rust | 1,608,007 | 97% |
| Linkerd (proxy) | Component | 1,485,071 | - |
| Istio (ztunnel) | Component | 1,318,825 | - |
| Keylime (rust-keylime) | Component | 1,273,869 | - |
| Confidential Containers | Component | 1,263,846 | - |
| containerd (3 repos) | Components | 1,207,012 | - |
| kube-rs | Pure Rust | 1,159,088 | 98% |
| bpfman | Pure Rust | 948,586 | 95% |
| Akri | Pure Rust | 944,186 | 95% |
| Kuasar | Pure Rust | 913,882 | 89% |
| Parsec | Pure Rust | 892,287 | 93% |
Graduated Projects
TiKV is the only graduated CNCF project written entirely in Rust (24.8M LOC).
TiKV ⭐ Pure Rust
- Status: Graduated (2020-09-02)
- Accepted: 2018-08-28
TiKV is a distributed transactional key-value database, originally created to complement TiDB. It is written entirely in Rust and represents one of the largest Rust codebases in production.
- Repository: tikv/tikv
- Languages: Rust (100% core)
- Rust LOC: 24,814
Why Rust? TiKV chose Rust for its memory safety guarantees without garbage collection, critical for a database where predictable latency and data integrity are paramount. The language's zero-cost abstractions allow high-level code without runtime overhead.
Known Adopters: TiKV powers TiDB, used by organizations including PingCAP, ByteDance, and numerous enterprises running distributed SQL workloads. TiKV is a core component of the TiDB ecosystem serving production workloads globally.
Linkerd (Rust Component)
- Status: Graduated (2021-07-28)
- Accepted: 2017-01-23
Linkerd is a service mesh providing security, observability, and reliability. The data plane proxy (linkerd2-proxy) is written in Rust.
- Repository: linkerd/linkerd2
- Languages: Go (control plane), Rust (data plane proxy)
- Rust LOC: 1,485,071 (linkerd2-proxy)
Why Rust? Linkerd's data plane proxy is written in Rust to achieve ultra-low overhead, memory safety without garbage collection, and blazing fast performance critical for service mesh operations.
Known Adopters (100+): Microsoft, Expedia, Nordstrom, HP Inc, AT&T, Adidas, M1 Finance, Docker, Buoyant, Giant Swarm. See full adopters list.
containerd (Rust Components)
- Status: Graduated (2019-02-28)
- Accepted: 2017-03-29
containerd is an industry-standard container runtime. While the core is Go, it maintains significant Rust components for WebAssembly support and low-level interfaces.
- Repository: containerd/containerd
- Languages: Go (core), Rust (Wasm/ttrpc components)
- Rust LOC: 1,207,012 (across 3 repos)
Rust Components: runwasi (335k), ttrpc-rust (400k), rust-extensions (471k)
Why Rust? containerd uses Rust for WebAssembly runtime support (runwasi) and low-level RPC protocols (ttrpc) where memory safety and performance are critical.
Dragonfly (Rust Components)
- Status: Graduated (2024-09-03)
- Accepted: 2018-10-25
Dragonfly is a P2P-based image and file distribution system. The project uses Rust extensively for its image service (nydus) and client.
- Repository: dragonflyoss/Dragonfly2
- Languages: Go (scheduler), Rust (nydus, client)
- Rust LOC: 3,941,080 (across 2 repos)
Rust Components: nydus (2.4M), client (1.5M)
Why Rust? Dragonfly chose Rust for nydus to achieve high-performance container image loading with memory safety.
Istio (Rust Component)
- Status: Graduated (2023-07-12)
- Accepted: 2020-03-03
Istio is a service mesh for microservices. The ztunnel component for ambient mesh is written entirely in Rust.
- Repository: istio/istio
- Languages: Go (control plane), Rust (ztunnel)
- Rust LOC: 1,318,825 (ztunnel)
Why Rust? Istio chose Rust for ztunnel to achieve the performance and security requirements of ambient mesh. The ztunnel proxy handles L4 traffic processing where Rust's memory safety and performance are critical.
Falco (Rust Component)
- Status: Graduated (2024-01-29)
- Accepted: 2018-10-10
Falco is a cloud-native runtime security project. The project provides Rust SDKs for plugin development.
- Repository: falcosecurity/falco
- Languages: C++ (core), Rust (plugin SDK)
- Rust LOC: 1,271,214 (plugin-sdk-rs)
Why Rust? Falco provides Rust SDK support to enable plugin development with memory safety guarantees, important for security tooling.
TUF (Rust Implementation)
- Status: Graduated (2023-02-09)
- Accepted: 2017-10-24
TUF is a framework for securing software update systems. The project maintains an official Rust implementation.
- Repository: theupdateframework/specification
- Languages: Python (reference), Go, Rust
- Rust LOC: 642,891 (rust-tuf)
Why Rust? TUF's Rust implementation provides memory-safe update verification critical for supply chain security.
in-toto (Rust Implementation)
- Status: Graduated (2023-07-12)
- Accepted: 2019-08-21
in-toto is a framework to secure the integrity of software supply chains. The project maintains a Rust implementation.
- Repository: in-toto/in-toto
- Languages: Python (reference), Go, Rust
- Rust LOC: 299,757 (in-toto-rs)
Why Rust? in-toto's Rust implementation ensures memory-safe handling of cryptographic attestations and supply chain metadata.
Incubating Projects
wasmCloud is the only incubating CNCF project written entirely in Rust (122 crates).
wasmCloud ⭐ Pure Rust
- Status: Incubating
- Accepted: 2021-07-13
wasmCloud is a platform for building distributed applications using WebAssembly components. The entire project is written in Rust.
- Repository: wasmCloud/wasmCloud
- Languages: Rust (100% core)
- Rust Crates: 122 Cargo.toml files
Pure Rust Components: Host runtime, CLI tools (wash), application deployment manager (wadm), Wasmtime integration.
Why Rust? wasmCloud chose Rust for its first-class WebAssembly support, memory safety, and performance.
Known Adopters: Cosmonic (Production), BMW AG, MachineMetrics, Orange, SigScale. See full adopters list.
OpenTelemetry (Rust Components)
- Status: Incubating
- Accepted: 2019-05-07
OpenTelemetry provides APIs, SDKs, and tools for telemetry data. The project maintains official Rust SDKs.
- Repository: open-telemetry/opentelemetry-rust
- Languages: Go (collector), Rust (SDK)
- Rust Crates: 143 Cargo.toml files
Rust Components: opentelemetry-rust (core SDK), opentelemetry-rust-contrib, weaver (pure Rust CLI), opentelemetry-ebpf-profiler, opentelemetry-network.
Why Rust? OpenTelemetry chose Rust for its SDK to provide zero-overhead instrumentation, memory safety without garbage collection pauses, and excellent async support.
Chaos Mesh (Rust Components)
- Status: Incubating
- Accepted: 2020-07-15
Chaos Mesh is a Chaos Engineering platform. The project uses Rust for chaos injection components.
- Repository: chaos-mesh/chaos-mesh
- Languages: Go (controller), Rust (chaos injection)
- Rust LOC: ~200,000 (across 4 repos)
Rust Components: toda (156k), chaos-tproxy (~20k), nsexec (~15k), iproute2-rs (~10k)
Why Rust? Chaos Mesh uses Rust for low-level system interactions where memory safety and performance are critical.
Known Adopters (40+): ByteDance, Tencent, PingCAP (TiDB), Microsoft Azure Chaos Studio, Percona, GreptimeDB. See full adopters list.
Sandbox Projects
10 sandbox projects are written primarily in Rust (>89%): Tremor, KCL, Hyperlight, bootc, Youki, kube-rs, bpfman, Akri, Kuasar, and Parsec.
Tremor ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2020-09-08
Tremor is an event processing system for unstructured data with rich support for structural pattern matching, filtering, and transformation.
- Repository: tremor-rs/tremor-runtime
- Languages: Rust (97%)
- Rust LOC: 4,387,511
Why Rust? Tremor chose Rust for high-throughput event processing with predictable latency. Memory safety without GC is critical for real-time data pipelines.
KCL ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2023-09-05
KCL is a constraint-based record & functional language for configuration and policy scenarios.
- Repository: kcl-lang/kcl
- Languages: Rust (98%)
- Rust LOC: 3,757,632
Why Rust? KCL uses Rust for its compiler and runtime to achieve fast configuration validation with strong type safety guarantees.
Hyperlight ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2025-04-15
Hyperlight is a lightweight Virtual Machine Manager (VMM) designed to execute untrusted code in micro-VMs with minimal overhead.
- Repository: hyperlight-dev/hyperlight
- Languages: Rust (94%)
- Rust LOC: 1,720,988
Why Rust? Hyperlight requires memory safety for VM isolation. Rust's zero-cost abstractions enable lightweight virtualization without compromising security.
bootc ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2025-01-21
bootc provides transactional OS updates using OCI container images. Written almost entirely in Rust.
- Repository: containers/bootc
- Languages: Rust (94%)
- Rust LOC: 1,694,355
Why Rust? bootc requires memory safety for OS update operations. Direct interaction with bootloaders, filesystems, and OS internals makes Rust ideal.
Youki ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2024-10-22
Youki is an OCI-compliant low-level container runtime written entirely in Rust.
- Repository: youki-dev/youki
- Languages: Rust (97%)
- Rust LOC: 1,608,007
Why Rust? Youki is 2x faster than runc in container creation due to Rust's performance and lack of garbage collection overhead.
Known Adopters: Azure Kubernetes Service (Wasm workloads), containerd/runwasi, Docker
kube-rs ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2021-11-16
kube-rs is the core Rust ecosystem for building Kubernetes applications. Written entirely in Rust.
- Repository: kube-rs/kube
- Languages: Rust (98%)
- Rust LOC: 1,159,088
Why Rust? kube-rs enables building Kubernetes controllers and operators with Rust's async ecosystem, providing memory safety and performance.
bpfman ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2024-04-03
bpfman is an eBPF manager for loading, unloading, and managing eBPF programs on Linux systems.
- Repository: bpfman/bpfman
- Languages: Rust (95%)
- Rust LOC: 948,586
Why Rust? bpfman uses Rust for safe interaction with eBPF subsystems, avoiding memory corruption risks in privileged kernel operations.
Akri ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2021-09-14
Akri is a Kubernetes Resource Interface for the Edge. Written entirely in Rust.
- Repository: project-akri/akri
- Languages: Rust (95%)
- Rust LOC: 944,186
Why Rust? Akri uses Rust for edge device discovery agents where memory efficiency and reliability are critical in constrained environments.
Kuasar ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2023-09-05
Multi-sandbox container runtime supporting multiple isolation technologies.
- Repository: kuasar-io/kuasar
- Languages: Rust (89%)
- Rust LOC: 913,882
Why Rust? Kuasar uses Rust for runtime shims and sandboxers where performance and safety are critical for container isolation.
Known Adopters: Menging Software, Huawei Cloud Native, iSulad
Parsec ⭐ Pure Rust
- Status: Sandbox
- Accepted: 2021-03-09
Parsec (Platform AbstRaction for SECurity) provides a common API to security services across hardware and software platforms.
- Repository: parallaxsecond/parsec
- Languages: Rust (93%)
- Rust LOC: 892,287
Why Rust? Parsec uses Rust for security-critical abstraction layers. Memory safety is essential when interfacing with TPMs, HSMs, and crypto providers.
Keylime (Rust Components)
- Status: Sandbox
- Accepted: 2020-09-22
Remote attestation for Edge, Cloud, and IoT devices. Has Rust agent component.
- Repository: keylime/keylime
- Languages: Python, Rust (agent)
- Rust LOC: 1,273,869 (rust-keylime)
Why Rust? The Rust agent provides memory-safe TPM interactions and cryptographic operations for attestation.
Confidential Containers (Rust Components)
- Status: Sandbox
- Accepted: 2022-03-08
Enables cloud native confidential computing by leveraging Trusted Execution Environments (TEEs).
- Repository: confidential-containers/confidential-containers
- Languages: Multiple, Rust (TEE components)
- Rust LOC: 1,263,846 (guest-components)
Why Rust? Security-critical guest components require memory safety when interfacing with TEE technologies.
Known Adopters: Alibaba Cloud, IBM LinuxONE, Red Hat, Intel, ByteDance, Edgeless Systems. See full adopters list.
Kubewarden (Rust Components)
- Status: Sandbox
- Accepted: 2022-06-17
Kubewarden is a WebAssembly-powered Kubernetes policy engine.
- Repository: kubewarden/kubewarden-controller
- Languages: Go (controller), Rust (policy-server)
- Rust LOC: 217,807 (policy-server)
Why Rust? The policy-server executes Wasm policies with Rust for performance and safety. Policies can be written in Rust.
Drasi (Rust Components)
- Status: Sandbox
- Accepted: 2024-09-10
Drasi is a data change processing platform that continuously monitors data sources for changes.
- Repository: drasi-project/drasi-platform
- Languages: Multiple (29% Rust)
- Rust LOC: 720,277
Why Rust? Drasi uses Rust for high-performance change detection and event processing components.
Inspektor Gadget (Rust Components)
- Status: Sandbox
- Accepted: 2022-08-03
Collection of eBPF-based tools for debugging and inspecting Kubernetes resources and applications.
- Repository: inspektor-gadget/inspektor-gadget
- Languages: C, Go, Rust (1%)
- Rust LOC: 94,583
Why Rust? Minor Rust components for eBPF tooling integration.
Analysis
Rust's adoption in CNCF projects centers on security-critical and performance-sensitive workloads, with eight graduated projects now using Rust components proving Rust's viability at the highest maturity level.
CNCF Rust Projects Summary
| Type | Project | Maturity | Rust LOC | Description |
|---|---|---|---|---|
| ⭐ Pure | TiKV | Graduated | 24,814,809 | Distributed database |
| ⭐ Pure | wasmCloud | Incubating | 122 crates | WebAssembly platform |
| ⭐ Pure | Youki | Sandbox | ~500,000 | OCI container runtime |
| ⭐ Pure | bootc | Sandbox | 1,694,355 | OS container updates |
| ⭐ Pure | Akri | Sandbox | - | Edge device discovery |
| ⭐ Pure | kube-rs | Sandbox | - | Kubernetes Rust SDK |
| ⭐ Pure | Kubewarden | Sandbox | - | Policy engine |
| Component | Linkerd | Graduated | 1,485,071 | Service mesh proxy |
| Component | containerd | Graduated | 1,207,012 | Container runtime Wasm |
| Component | Dragonfly | Graduated | 3,941,080 | Image distribution |
| Component | Istio | Graduated | 1,318,825 | Service mesh ztunnel |
| Component | Falco | Graduated | 1,271,214 | Security plugin SDK |
| Implementation | TUF | Graduated | 642,891 | Supply chain security |
| Implementation | in-toto | Graduated | 299,757 | Supply chain integrity |
| Component | OpenTelemetry | Incubating | 143 crates | Observability SDK |
| Component | Chaos Mesh | Incubating | ~200,000 | Chaos injection |
| Component | Confidential Containers | Sandbox | - | TEE security |
| Component | Keylime | Sandbox | - | Remote attestation |
| Component | Kuasar | Sandbox | - | Container sandboxer |
| Component | Paralus | Sandbox | - | Zero trust access |
Adoption Trends
- Service Mesh Leadership: Both Linkerd (Rust proxy) and Istio (ztunnel) use Rust for data plane components
- Database Leadership: TiKV proves Rust's viability for large-scale distributed databases with 16,000+ stars
- Container Runtime Innovation: containerd (runwasi), Youki, Kuasar, and bootc demonstrate Rust's dominance in container tech
- Supply Chain Security: TUF and in-toto both have official Rust implementations for secure software updates
- Image Distribution: Dragonfly's nydus (2.4M lines Rust) leads container image optimization
- Observability: OpenTelemetry's Rust SDK enables zero-overhead instrumentation
- WebAssembly Leadership: wasmCloud and containerd/runwasi drive Wasm adoption in cloud native
- Runtime Security: Falco provides Rust SDK for security plugin development
- Chaos Engineering: Chaos Mesh uses Rust for low-level chaos injection (IO, network, kernel)
- Security Focus: 10+ projects focus on security use cases
- Performance Critical: Projects choosing Rust cite performance, memory safety, and reliability as key factors
Why Rust for Cloud Native?
- Memory Safety: No garbage collection, preventing unpredictable latencies
- Performance: Near C/C++ performance without memory safety trade-offs
- Concurrency: Safe, efficient concurrent programming models
- WebAssembly: First-class Wasm support for portable, sandboxed execution
- Type Safety: Strong type system catches errors at compile time
- Zero-Cost Abstractions: High-level ergonomics with no runtime overhead
Growth Trajectory
2017: Linkerd, TUF, containerd accepted (first CNCF Rust projects)
2018: TiKV, Dragonfly, Falco accepted
2019: OpenTelemetry, in-toto accepted (with Rust implementations)
2020: Keylime, Chaos Mesh accepted; TiKV graduates; containerd graduates
2021: Akri, kube-rs, wasmCloud accepted; Linkerd graduates
2022: Confidential Containers, Kubewarden, Paralus accepted
2023: Kuasar accepted; TUF, in-toto, Istio graduate
2024: Youki accepted; Falco, Dragonfly graduate
2025: bootc accepted (1.7M lines pure Rust)
Project Health Summary
| Project | Commits (2025) | Contributors | Release Cadence | Health |
|---|---|---|---|---|
| Linkerd | High | Multi-org | Regular | ✅ Excellent |
| TiKV | High | Multi-org | Regular | ✅ Excellent |
| containerd | High | Multi-org | Regular | ✅ Excellent |
| Dragonfly | High | Multi-org | Regular | ✅ Excellent |
| Istio | High | Multi-org | Regular | ✅ Excellent |
| OpenTelemetry | High | Multi-org | Regular | ✅ Excellent |
| Chaos Mesh | High | Multi-org | Regular | ✅ Excellent |
| wasmCloud | High | Multi-org | Regular | ✅ Excellent |
| Youki | High | Multi-org | Regular | ✅ Excellent |
| bootc | High | Multi-org | Regular | ✅ Excellent |
| Falco | High | Multi-org | Regular | ✅ Good |
| TUF | Moderate | Multi-org | Regular | ✅ Good |
| in-toto | Moderate | Multi-org | Regular | ✅ Good |
| Kuasar | Moderate | Multi-org | Regular | ✅ Good |
| kube-rs | High | Multi-org | Regular | ✅ Good |
| Keylime | High | Multi-org | Regular | ✅ Good |
| Confidential Containers | Moderate | Multi-org | Regular | ✅ Good |
| Kubewarden | Moderate | SUSE-led | Regular | ✅ Good |
| Akri | Low | Microsoft-led | Infrequent | ⚠️ Moderate |
| Paralus | Low | Single-org | Infrequent | ⚠️ Needs attention |
Related Work
- CNCF Landscape - Official CNCF projects and landscape data
- CNCF Projects - Official CNCF project directory
- Linkerd - Graduated service mesh
- TiKV - Graduated distributed database
- Youki - Sandbox container runtime
- Rust Programming Language - Official Rust website
References
- CNCF Landscape Data - Source of truth for CNCF projects
- Linkerd Graduation Announcement
- TiKV Graduation Announcement
- CNCF Technical Oversight Committee
Changelog
| Date | Change |
|---|---|
| 2025-12-10 | Major update: Added 6 graduated projects with Rust (containerd, Dragonfly, Istio, Falco, TUF, in-toto); Added bootc (Sandbox); Total now 20 projects (8 graduated, 3 incubating, 9 sandbox) |
| 2025-12-10 | Added Chaos Mesh (Incubating) with 4 Rust repos (toda, chaos-tproxy, nsexec, iproute2-rs); project count now 13 incl. 3 incubating |
| 2025-12-10 | Added OpenTelemetry (Incubating) and Kuasar (Sandbox) as CNCF Rust projects; updated wasmCloud to Incubating status; comprehensive review of all incubating projects for Rust usage; project count now 12 |
| 2025-12-10 | Added Youki as newly accepted sandbox project; updated project count to 9; refreshed all activity data |
| 2025-12-10 | Updated with fresh project activity data; added TiKV as second graduated project; removed non-CNCF projects per scope requirements; added health summary table |
| 2025-10-12 | Initial report |
Report Generated: 2025-12-10
Data Source: CNCF Landscape (landscape.yml), GitHub API
Methodology: Analyzed the official CNCF landscape repository to identify all projects with Rust components or implementations. Projects were categorized by CNCF maturity level (Graduated, Incubating, Sandbox). Activity data collected from GitHub repository commits and releases.
Note on Data: This report focuses exclusively on official CNCF projects. Many additional cloud native projects use Rust but are not included unless they are part of the CNCF.