Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.
84
97%
Does it follow best practices?
Impact
96%
1.18xAverage score across 1 eval scenario
Advisory
Suggest reviewing before use
kubectl get crd -o json | jq '.items[] | select(.metadata.name | contains("istio.io")) | {name: .metadata.name, stored: .spec.versions[] | select(.storage == true) | .name, served: [.spec.versions[] | select(.served == true) | .name]}'| CRD | Risk Area |
|---|---|
virtualservices.networking.istio.io | HTTP routing behaviour changes |
destinationrules.networking.istio.io | Load balancing / circuit breaker changes |
envoyfilters.networking.istio.io | xDS API breakage -- highest risk |
gateways.networking.istio.io | Ingress/egress config changes |
serviceentries.networking.istio.io | External service discovery |
peerauthentications.security.istio.io | mTLS mode enforcement changes |
authorizationpolicies.security.istio.io | Access control breakage |
requestauthentications.security.istio.io | JWT validation changes |
telemetries.telemetry.istio.io | Observability pipeline changes |
wasmplugins.extensions.istio.io | Wasm runtime compatibility |
sidecars.networking.istio.io | Proxy scope changes |
workloadentries.networking.istio.io | VM workload registration |
proxyconfigs.networking.istio.io | Per-proxy overrides |
spec.versions[*].storage: true between source and target Istio release.v1alpha3 -> v1beta1): existing stored objects must be migrated -- classify as HIGH RISK if a conversion webhook is not in place.kubectl apply -- classify as WARNING.| Scenario | Severity |
|---|---|
| Stored API version removed | CRITICAL |
| Served version removed, version still in use by controllers | CRITICAL |
| Storage version changed, conversion webhook absent | HIGH RISK |
| New validation rules added that existing resources violate | HIGH RISK |
| New required fields added (with defaults) | WARNING |
| Cosmetic schema changes, all versions still served | PASS |