Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.
```bash
kubectl get envoyfilter -A -o yaml
```

Classify as HIGH RISK if the filter references any of the following deprecated/removed patterns:

| Pattern | Risk | Notes |
|---|---|---|
| `envoy.filters.http.lua` | WARNING | Lua filter stable but Envoy may rename configuration fields |
| `typed_config` with `@type: type.googleapis.com/envoy.config.filter.*v2.*` | CRITICAL | v2 xDS APIs removed; target version will reject |
| `typed_config` with `@type: type.googleapis.com/envoy.extensions.*v3.*` | PASS | v3 is stable |
| `route.v3.RouteAction` fields removed in target | HIGH RISK | Check Envoy changelog for target version |
| `applyTo: HTTP_FILTER` with `name: envoy.router` | WARNING | Renamed to `envoy.filters.http.router` in Envoy 1.14+ |
| `applyTo: NETWORK_FILTER` with custom Wasm plugin | HIGH RISK | Wasm ABI compatibility must be verified per target Envoy version |

- `vm_config.runtime: envoy.wasm.runtime.v8` -- verify Wasm module was compiled for the target Envoy's V8 ABI version.
- `typed_config.@type` for v2 proto paths -> CRITICAL.
- `applyTo` target and `match.listener/routeConfiguration/cluster` against Envoy changelog for target version.
- `name` referencing a built-in filter: verify the name was not renamed in the target Envoy release.
- `istio-proxy` image and uses version-locked patch values: compare with target proxy config schema.

| Scenario | Severity |
|---|---|
| v2 xDS proto reference | CRITICAL |
| Wasm ABI mismatch | CRITICAL |
| Deprecated filter name | HIGH RISK |
| Removed route action field | HIGH RISK |
| Unverified custom filter | HIGH RISK |
| Stable v3 API, field unchanged | PASS |
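
The pattern table above can be applied mechanically to the rows that are decidable from the manifest alone. The following is an added example, not part of the original skill: the function names, the severity ordering and the sample objects are constructed here, and it assumes the EnvoyFilters were exported as JSON (`kubectl get envoyfilter -A -o json`) rather than YAML. Removed `RouteAction` fields and the actual Wasm ABI check still need the target Envoy changelog.

```python
import re

ORDER = ["PASS", "WARNING", "HIGH RISK", "CRITICAL"]  # the page's labels, low to high
V2_TYPE = re.compile(r"type\.googleapis\.com/envoy\.config\.filter\..*v2")

def scalars(node, path=""):
    """Yield (path, key, value) for every scalar field in nested dicts/lists."""
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, val in items:
        if isinstance(val, (dict, list)):
            yield from scalars(val, f"{path}.{key}")
        else:
            yield path, key, val

def classify(envoyfilter):
    """Return (worst severity, findings) for one EnvoyFilter object."""
    findings = []
    for n, patch in enumerate(envoyfilter.get("spec", {}).get("configPatches", [])):
        apply_to = patch.get("applyTo", "")
        for path, key, val in scalars(patch):
            where = f"configPatches[{n}]{path}.{key}"
            if key == "@type" and V2_TYPE.search(str(val)):
                findings.append(("CRITICAL", where, "v2 xDS proto reference"))
            elif key == "name" and val == "envoy.router" and apply_to == "HTTP_FILTER":
                findings.append(("WARNING", where, "renamed to envoy.filters.http.router"))
            elif key == "name" and val == "envoy.filters.http.lua":
                findings.append(("WARNING", where, "Lua filter config fields may be renamed"))
            elif key == "runtime" and path.endswith(".vm_config") and apply_to == "NETWORK_FILTER":
                findings.append(("HIGH RISK", where, f"verify Wasm ABI for {val}"))
    worst = max((f[0] for f in findings), key=ORDER.index, default="PASS")
    return worst, findings

SAMPLE = [  # constructed, shaped like items of `kubectl get envoyfilter -A -o json`
    {"metadata": {"name": "legacy-lua"}, "spec": {"configPatches": [{
        "applyTo": "HTTP_FILTER",
        "match": {"listener": {"filterChain": {"filter": {"subFilter": {"name": "envoy.router"}}}}},
        "patch": {"value": {"name": "envoy.lua", "typed_config": {
            "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"}}}}]}},
    {"metadata": {"name": "tcp-wasm"}, "spec": {"configPatches": [{
        "applyTo": "NETWORK_FILTER", "patch": {"value": {"typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm",
            "config": {"vm_config": {"runtime": "envoy.wasm.runtime.v8"}}}}}}]}},
    {"metadata": {"name": "cors-v3"}, "spec": {"configPatches": [{
        "applyTo": "HTTP_FILTER", "patch": {"value": {"typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors"}}}}]}},
]

for item in SAMPLE:
    print(item["metadata"]["name"], *classify(item))
```

Each finding carries the field path inside `configPatches`, so a reviewer can go straight to the patch that blocks the upgrade.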