shweshi/istio-upgrade-skill

Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.

Security by Snyk: Advisory. Suggest reviewing before use.

references/CRD_ANALYSIS.md

CRD Compatibility Reference

Commands

kubectl get crd -o json | jq '.items[] | select(.metadata.name | contains("istio.io")) | {name: .metadata.name, stored: .spec.versions[] | select(.storage == true) | .name, served: [.spec.versions[] | select(.served == true) | .name]}'

CRD Inventory Checklist

| CRD | Risk Area |
| --- | --- |
| virtualservices.networking.istio.io | HTTP routing behaviour changes |
| destinationrules.networking.istio.io | Load balancing / circuit breaker changes |
| envoyfilters.networking.istio.io | xDS API breakage -- highest risk |
| gateways.networking.istio.io | Ingress/egress config changes |
| serviceentries.networking.istio.io | External service discovery |
| peerauthentications.security.istio.io | mTLS mode enforcement changes |
| authorizationpolicies.security.istio.io | Access control breakage |
| requestauthentications.security.istio.io | JWT validation changes |
| telemetries.telemetry.istio.io | Observability pipeline changes |
| wasmplugins.extensions.istio.io | Wasm runtime compatibility |
| sidecars.networking.istio.io | Proxy scope changes |
| workloadentries.networking.istio.io | VM workload registration |
| proxyconfigs.networking.istio.io | Per-proxy overrides |

Decision Logic

  1. For each CRD, compare spec.versions[*].storage: true between source and target Istio release.
  2. If stored version changes (e.g. v1alpha3 -> v1beta1): existing stored objects must be migrated -- classify as HIGH RISK if a conversion webhook is not in place.
  3. If a served version is removed in the target (check upgrade notes): any in-flight controllers or GitOps tools using that version will break -- classify as CRITICAL.
  4. Validation rule additions in target may reject previously-valid resources on first kubectl apply -- classify as WARNING.

Risk Classification

| Scenario | Severity |
| --- | --- |
| Stored API version removed | CRITICAL |
| Served version removed, version still in use by controllers | CRITICAL |
| Storage version changed, conversion webhook absent | HIGH RISK |
| New validation rules added that existing resources violate | HIGH RISK |
| New required fields added (with defaults) | WARNING |
| Cosmetic schema changes, all versions still served | PASS |
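
The version-level rules from the Decision Logic and Risk Classification above, as an added Python example that is not part of the skill's own files. It covers only the stored/served version checks, not validation-rule or required-field changes; the `crd`, `summarize` and `classify` helpers, the `in_use` input and every version layout are constructed for illustration and do not describe any real Istio release.

```python
# Constructed sample data throughout: version layouts are illustrative, not real Istio releases.
def crd(name, versions, strategy="None"):
    """Minimal CRD object shaped like `kubectl get crd -o json`; versions = {ver: (served, storage)}."""
    return {"metadata": {"name": name},
            "spec": {"conversion": {"strategy": strategy},
                     "versions": [{"name": v, "served": s, "storage": st}
                                  for v, (s, st) in versions.items()]}}

def summarize(crd_list):
    """Map each istio.io CRD to (storage version, served versions, webhook conversion?)."""
    out = {}
    for item in crd_list["items"]:
        name, spec = item["metadata"]["name"], item["spec"]
        if "istio.io" in name:
            stored = next((v["name"] for v in spec["versions"] if v["storage"]), None)
            served = {v["name"] for v in spec["versions"] if v["served"]}
            out[name] = (stored, served, spec.get("conversion", {}).get("strategy") == "Webhook")
    return out

def classify(source, target, in_use):
    """Return {crd: severity}; in_use (hypothetical input) = versions controllers/GitOps still send."""
    src, tgt = summarize(source), summarize(target)
    report = {}
    for name, (s_stored, s_served, _) in src.items():
        t_stored, t_served, t_webhook = tgt.get(name, (None, set(), False))  # absent CRD = no versions (assumption)
        if s_stored not in t_served:
            report[name] = "CRITICAL"   # stored API version removed
        elif (s_served - t_served) & in_use.get(name, set()):
            report[name] = "CRITICAL"   # removed served version still in use
        elif s_stored != t_stored and not t_webhook:
            report[name] = "HIGH RISK"  # storage version changed, no conversion webhook
        else:
            report[name] = "PASS"       # no version-level finding; schema checks are separate
    return report

SOURCE = {"items": [
    crd("virtualservices.networking.istio.io", {"v1alpha3": (True, True), "v1beta1": (True, False)}),
    crd("telemetries.telemetry.istio.io", {"v1alpha1": (True, True), "v1": (True, False)}),
    crd("authorizationpolicies.security.istio.io", {"v1beta1": (True, False), "v1": (True, True)}),
    crd("envoyfilters.networking.istio.io", {"v1alpha3": (True, True)})]}
TARGET = {"items": [
    crd("virtualservices.networking.istio.io", {"v1alpha3": (True, False), "v1beta1": (True, True)}),
    crd("telemetries.telemetry.istio.io", {"v1alpha1": (False, False), "v1": (True, True)}),
    crd("authorizationpolicies.security.istio.io", {"v1": (True, True)}),
    crd("envoyfilters.networking.istio.io", {"v1alpha3": (True, True)})]}
IN_USE = {"authorizationpolicies.security.istio.io": {"v1beta1"}}

if __name__ == "__main__":
    print("\n".join(f"{s:9}  {n}" for n, s in classify(SOURCE, TARGET, IN_USE).items()))
```

In practice `source` would be the live cluster's `kubectl get crd -o json` output and `target` the CRD manifests of the target release converted to the same JSON shape.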
