Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.
84
97%
Does it follow best practices?
Impact
96%
1.18xAverage score across 1 eval scenario
Advisory
Suggest reviewing before use
Assess whether Istio can be safely upgraded from <SOURCE_ISTIO_VERSION> to <TARGET_ISTIO_VERSION>.
Produce: risk matrix, readiness score, confidence score, and a go/no-go recommendation.
Classify issues by severity: CRITICAL (blocked), HIGH RISK (mitigate before upgrade), or WARNING (verify/remediate).
For each issue, report:
Separate findings into: Verified | Probable | Possible | Unknown (unknowns reduce confidence score).
kubectl version && kubectl get nodes -o wide
istioctl version && istioctl x precheck
kubectl get ns --show-labels
istioctl proxy-statusCapture: Kubernetes version, Istio control plane version, all installed revisions, oldest/newest proxy version, version skew.
kubectl get ns --show-labels | grep 'istio.io/rev'
kubectl get mutatingwebhookconfigurations | grep istioSee references/PROXY_COMPATIBILITY.md for classification thresholds and decision logic.
Key rule: skew >= N+2 minor versions -> HIGH RISK; skew > N+3 -> CRITICAL (upgrade blocked).
kubectl get crd | grep istio.io
kubectl get crd -o json | jq '.items[] | select(.metadata.name | contains("istio.io")) | {name: .metadata.name, storedVersion: .spec.versions[] | select(.storage==true) | .name}'See references/CRD_ANALYSIS.md for inventory checklist and risk classification.
Key rule: stored API version removed in target -> CRITICAL; new validation rules breaking existing resources -> HIGH RISK.
kubectl get envoyfilter -A -o yamlSee references/ENVOYFILTER_ANALYSIS.md for xDS pattern detection and Wasm ABI rules.
Key rule: any v2 proto reference -> CRITICAL; Wasm ABI mismatch -> CRITICAL; unverified filter -> HIGH RISK.
kubectl get deploy -A | grep -E "east-west|eastwest"
kubectl get secret -A | grep -E "remote-secret|multiCluster"
istioctl remote-clustersSee references/EAST_WEST_GATEWAY.md for upgrade ordering rules and decision logic.
Key rule: upgrade EW gateways before control plane; missing remote secret -> CRITICAL.
kubectl get crd | grep -iE "federation|serviceexport|serviceimport"
kubectl get serviceexport,serviceimport -ASee references/FEDERATION_ANALYSIS.md for controller compatibility matrix and trust bundle rules.
Key rule: no published federation controller compatibility with target Istio -> CRITICAL; CA change -> CRITICAL.
kubectl get peerauthentication,authorizationpolicy,requestauthentication -A -o yamlSee references/SECURITY_ANALYSIS.md for mTLS, AuthorizationPolicy version-specific breaking changes, and JWT rules.
Key rule: STRICT mTLS + proxy skew > N-1 -> HIGH RISK; CUSTOM action policy with missing provider -> CRITICAL.
kubectl get virtualservice,destinationrule,serviceentry -A
istioctl analyze -Aistioctl analyze against target CRD schema to surface invalid resources before upgrade.For each release between source and target, review:
Do not skip intermediate releases.
Evaluate in this order:
istioctl proxy-status)See references/SCORING_AND_RISK.md for the evaluation template. Assess and complete the matrix for all 12 operational areas (Control Plane, Data Plane / Proxy Skew, Revisions/Webhooks, Sidecar Injection, CRDs, EnvoyFilters, East-West Gateways, Federation, Service Discovery, Security, Telemetry, and Kubernetes Compatibility).
See references/SCORING_AND_RISK.md for the scoring rubric and deduction values. Calculate the Readiness Score (0-100) and Confidence Score (0-100%) to determine the final upgrade decision.
UPGRADE DECISION: APPROVED / CONDITIONAL / NOT RECOMMENDED
SOURCE VERSION: <SOURCE_ISTIO_VERSION>
TARGET VERSION: <TARGET_ISTIO_VERSION>
READINESS SCORE: XX/100
CONFIDENCE: XX%
CRITICAL ISSUES: (list)
HIGH RISKS: (list)
WARNINGS: (list)
REQUIRED ACTIONS BEFORE UPGRADE:
1.
2.
FINAL RECOMMENDATION:
<production-grade go/no-go with rollback strategy>