Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.
```bash
kubectl get peerauthentication -A -o yaml
kubectl get authorizationpolicy -A -o yaml
kubectl get requestauthentication -A -o yaml
```

| Scenario | Severity |
|---|---|
| Global STRICT mTLS + proxy skew >= N+2 | HIGH RISK -- old proxy cannot complete mTLS handshake with new istiod cert |
| PERMISSIVE mode across upgrade window | PASS -- plaintext fallback absorbs handshake failures |
| DISABLE on any namespace + cross-namespace AuthorizationPolicy | WARNING -- policy enforcement may change with new proxy |
| Per-port STRICT mode with version-specific cipher changes | HIGH RISK -- verify cipher suite compatibility in target Envoy changelog |
Rule: If running STRICT mTLS, rolling restart of all proxies must complete within the N-1 skew window before removing the old revision.
- source.principal matching is case-sensitive by default -- policies using mixed-case SPIFFE URIs may silently stop matching.
- action: CUSTOM policies require explicit provider configuration in meshConfig; missing providers cause DENY by default.
- kubectl apply in CI.
- action types: flag any CUSTOM policies and verify provider config exists in meshConfig for target version.
- source.principal patterns containing uppercase SPIFFE URIs if upgrading to 1.22+.
- istioctl analyze -A against target CRDs to surface validation failures before applying.
- forwardOriginalToken: true behaviour is unchanged across versions -- PASS.

| Scenario | Severity |
|---|---|
| STRICT mTLS + proxy skew > N-1 | HIGH RISK |
| CUSTOM action policy, no provider config | CRITICAL |
| Mixed-case SPIFFE URIs, upgrading to 1.22+ | HIGH RISK |
| L7 policy on TCP port, upgrading to 1.24+ | HIGH RISK |
| PERMISSIVE mode across all namespaces | LOW |
| No AuthorizationPolicies deployed | PASS |
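The two scenario tables above can be turned into an automated pre-upgrade check. The following Python is an added example, not the skill's own code: it reads the JSON shape that `kubectl get peerauthentication -A -o json` and `kubectl get authorizationpolicy -A -o json` produce (sample objects are constructed inline), measures proxy skew against the target istiod minor version, and emits one finding per matching row. The meshConfig provider set (`MESH_PROVIDERS`), the per-port protocol map (`PORT_PROTOCOLS`), and the `assess`/`go_no_go` function names are assumptions for this example.

```python
"""Score Istio auth-policy upgrade risk from `kubectl get ... -o json` output.

Added example, not the skill's own code. It turns the two scenario tables
above into checks over PeerAuthentication and AuthorizationPolicy objects.
All inputs are constructed to look like `kubectl get <kind> -A -o json`.
"""
import json
import re

# Constructed sample of `kubectl get peerauthentication -A -o json`.
PEER_AUTH_JSON = json.dumps({"items": [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "legacy", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "DISABLE"}}},
]})

# Constructed sample of `kubectl get authorizationpolicy -A -o json`.
AUTHZ_JSON = json.dumps({"items": [
    {"metadata": {"name": "ext-authz", "namespace": "payments"},
     "spec": {"action": "CUSTOM", "provider": {"name": "my-ext-authz"},
              "rules": [{"to": [{"operation": {"paths": ["/*"]}}]}]}},
    {"metadata": {"name": "allow-frontend", "namespace": "payments"},
     "spec": {"action": "ALLOW", "rules": [{"from": [{"source": {
         "principals": ["cluster.local/ns/Frontend/sa/Web"]}}]}]}},
    {"metadata": {"name": "tcp-l7", "namespace": "db"},
     "spec": {"action": "ALLOW", "rules": [{"to": [{"operation": {
         "ports": ["5432"], "methods": ["GET"]}}]}]}},
]})

# Assumptions: extension providers declared in meshConfig, and the protocol
# of each (namespace, port) as declared on the Service (appProtocol/port name).
MESH_PROVIDERS = {"some-other-provider"}
PORT_PROTOCOLS = {("db", "5432"): "tcp"}

L7_FIELDS = ("methods", "paths", "hosts")  # operation fields that need HTTP
PRINCIPAL_NS = re.compile(r"^cluster\.local/ns/([^/]+)/sa/")


def minor(version):
    """'1.21.3' -> 21; Istio skew rules are stated in minor versions."""
    return int(version.split(".")[1])


def assess(peer_json, authz_json, proxy_versions, target_version,
           mesh_providers, port_protocols):
    """Return [(severity, message)] for the scenarios in the tables above."""
    peers = json.loads(peer_json)["items"]
    policies = json.loads(authz_json)["items"]
    target = minor(target_version)
    findings = []

    # One mode per namespace; a later workload-scoped object overrides here.
    modes = {p["metadata"]["namespace"]:
             p["spec"].get("mtls", {}).get("mode", "UNSET") for p in peers}
    mesh_strict = modes.get("istio-system") == "STRICT"
    # Skew is measured against the istiod the old proxies will talk to after
    # the control-plane bump, i.e. the target version.
    worst_skew = max((target - minor(v) for v in proxy_versions), default=0)
    if mesh_strict and worst_skew > 1:
        findings.append(("HIGH RISK", f"STRICT mTLS with proxy skew {worst_skew} "
                         "> N-1; restart all proxies before removing the old revision"))
    if modes and all(m == "PERMISSIVE" for m in modes.values()):
        findings.append(("LOW", "PERMISSIVE everywhere; plaintext fallback absorbs handshake failures"))

    if not policies:
        findings.append(("PASS", "no AuthorizationPolicies deployed"))
    cross_ns = False
    for pol in policies:
        ns, name = pol["metadata"]["namespace"], pol["metadata"]["name"]
        spec = pol.get("spec", {})
        if spec.get("action") == "CUSTOM" and \
                spec.get("provider", {}).get("name") not in mesh_providers:
            findings.append(("CRITICAL", f"{ns}/{name}: CUSTOM provider not in meshConfig (DENY by default)"))
        for rule in spec.get("rules", []):
            for src in (f.get("source", {}) for f in rule.get("from", [])):
                for principal in src.get("principals", []):
                    m = PRINCIPAL_NS.match(principal)
                    if m and m.group(1) != ns:
                        cross_ns = True  # policy references another namespace's identity
                    if target >= 22 and principal != principal.lower():
                        findings.append(("HIGH RISK", f"{ns}/{name}: mixed-case SPIFFE URI {principal}"))
            for op in (t.get("operation", {}) for t in rule.get("to", [])):
                if target >= 24 and any(k in op for k in L7_FIELDS):
                    for port in op.get("ports", []):
                        if port_protocols.get((ns, port)) == "tcp":
                            findings.append(("HIGH RISK", f"{ns}/{name}: L7 match on TCP port {port}"))
    if cross_ns and "DISABLE" in modes.values():
        findings.append(("WARNING", "DISABLE mTLS namespace plus cross-namespace AuthorizationPolicy"))
    return findings


def go_no_go(findings):
    """NO-GO on any CRITICAL or HIGH RISK finding, otherwise GO."""
    return "NO-GO" if any(s in ("CRITICAL", "HIGH RISK") for s, _ in findings) else "GO"


if __name__ == "__main__":
    result = assess(PEER_AUTH_JSON, AUTHZ_JSON, ["1.20.2", "1.21.3"], "1.22.1",
                    MESH_PROVIDERS, PORT_PROTOCOLS)
    for sev, msg in result:
        print(f"{sev:9} {msg}")
    print(go_no_go(result))
```

With the constructed inputs and a 1.22.1 target the run reports the STRICT skew, the CUSTOM policy with an undeclared provider, the mixed-case SPIFFE URI, and the DISABLE-plus-cross-namespace warning, so the recommendation is NO-GO; raising the target to 1.24 additionally flags the L7 match on the TCP port. Replace the embedded samples with real `kubectl ... -o json` output and the provider and port maps with values from your meshConfig and Services.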