
shweshi/istio-upgrade-skill

Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.


EnvoyFilter Risk Analysis Reference

Commands

kubectl get envoyfilter -A -o yaml

High-Risk Patterns

xDS API Version References

Check each filter for the following patterns, several of which are deprecated or removed, and assign the risk level listed for each match:

| Pattern | Risk | Notes |
|---|---|---|
| envoy.filters.http.lua | WARNING | Lua filter stable but Envoy may rename configuration fields |
| typed_config with @type: type.googleapis.com/envoy.config.filter.*v2.* | CRITICAL | v2 xDS APIs removed; target version will reject |
| typed_config with @type: type.googleapis.com/envoy.extensions.*v3.* | PASS | v3 is stable |
| route.v3.RouteAction fields removed in target | HIGH RISK | Check Envoy changelog for target version |
| applyTo: HTTP_FILTER with name: envoy.router | WARNING | Renamed to envoy.filters.http.router in Envoy 1.14+ |
| applyTo: NETWORK_FILTER with custom Wasm plugin | HIGH RISK | Wasm ABI compatibility must be verified per target Envoy version |

Wasm-Specific Rules

  • If vm_config.runtime: envoy.wasm.runtime.v8 -- verify Wasm module was compiled for the target Envoy's V8 ABI version.
  • If Wasm module is pulled from OCI: confirm the tag resolves and the image is accessible at upgrade time.
  • ABI mismatch causes silent proxy crash on first request -- classify as CRITICAL.

Decision Logic

  1. For each EnvoyFilter: scan typed_config.@type for v2 proto paths -> CRITICAL.
  2. Check applyTo target and match.listener/routeConfiguration/cluster against Envoy changelog for target version.
  3. If filter uses name referencing a built-in filter: verify the name was not renamed in the target Envoy release.
  4. If any EnvoyFilter targets istio-proxy image and uses version-locked patch values: compare with target proxy config schema.
  5. Unknown / unverified -> default to HIGH RISK (never assume compatibility).

Risk Classification

| Scenario | Severity |
|---|---|
| v2 xDS proto reference | CRITICAL |
| Wasm ABI mismatch | CRITICAL |
| Deprecated filter name | HIGH RISK |
| Removed route action field | HIGH RISK |
| Unverified custom filter | HIGH RISK |
| Stable v3 API, field unchanged | PASS |
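
The decision logic above, sketched as an added Python example (not part of the skill's own files): it walks each EnvoyFilter's configPatches and applies step 1, the Wasm and filter-name rows, and the step 5 default. The severity ordering, the regexes, the `sample` helper and the sample objects are assumptions made for illustration; PASS here only means a v3 type URL was found, so field-level checks against the Envoy changelog still apply.

```python
import re

ORDER = ["PASS", "WARNING", "HIGH RISK", "CRITICAL"]       # assumed severity ordering
V2_TYPE = re.compile(r"/envoy\.[\w.]*\.v2\w*\.")           # v2 / v2alpha proto paths
V3_TYPE = re.compile(r"/envoy\.extensions\.[\w.]*\.v3\.")  # stable v3 extension APIs

def walk(node):  # yield every (key, value) pair found anywhere in a nested patch
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def classify(envoyfilter):
    """Return (worst severity, findings) for one EnvoyFilter object."""
    findings, saw_type = [], False
    for key, value in walk(envoyfilter.get("spec", {}).get("configPatches", [])):
        if key == "@type" and isinstance(value, str):
            saw_type = True
            if V2_TYPE.search(value):
                findings.append(("CRITICAL", f"v2 xDS proto: {value}"))
            elif V3_TYPE.search(value):
                findings.append(("PASS", f"v3 API, fields still unchecked: {value}"))
            else:
                findings.append(("HIGH RISK", f"unverified type: {value}"))
        elif key == "vm_config":
            findings.append(("HIGH RISK", "Wasm plugin: verify ABI for target Envoy"))
        elif key == "name" and value in ("envoy.filters.http.lua", "envoy.router"):
            findings.append(("WARNING", f"filter name to review: {value}"))
    if not saw_type:  # nothing to verify against: never assume compatibility
        findings.append(("HIGH RISK", "no typed_config; patch is unverified"))
    return max((sev for sev, _ in findings), key=ORDER.index), findings

def sample(name, proto, **extra):  # builds a constructed one-patch EnvoyFilter
    value = {"name": name, "typed_config": {"@type": "type.googleapis.com/envoy." + proto, **extra}}
    return {"spec": {"configPatches": [{"applyTo": "HTTP_FILTER", "patch": {"value": value}}]}}

SAMPLES = {  # constructed; real input is the items list of `kubectl get envoyfilter -A -o json`
    "legacy-hcm": sample("hcm", "config.filter.network.http_connection_manager.v2.HttpConnectionManager"),
    "lua": sample("envoy.filters.http.lua", "extensions.filters.http.lua.v3.Lua"),
    "wasm": sample("envoy.filters.http.wasm", "extensions.filters.http.wasm.v3.Wasm", config={"vm_config": {"runtime": "envoy.wasm.runtime.v8"}}),
    "cors": sample("envoy.filters.http.cors", "extensions.filters.http.cors.v3.Cors"),
    "merge-only": {"spec": {"configPatches": [{"applyTo": "CLUSTER", "patch": {"operation": "MERGE"}}]}},
}

if __name__ == "__main__":
    print({name: classify(ef)[0] for name, ef in SAMPLES.items()})
```
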
