Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.
```bash
kubectl get crd | grep -iE "federation|serviceexport|serviceimport"
kubectl get serviceexport -A -o wide
kubectl get serviceimport -A -o wide
kubectl get all -A | grep -i federation
# If using Sail Operator or Admiral federation:
kubectl get admiral -A 2>/dev/null || true
kubectl get federatedservice -A 2>/dev/null || true
```

| Federation Mechanism | Istio Dependency | Risk on Upgrade |
|---|---|---|
| MCS (Multi-Cluster Services API) | Kubernetes Gateway API; Istio >= 1.17 | LOW if Kubernetes >= 1.24 |
| Admiral | Istio control plane xDS hooks | HIGH RISK -- verify Admiral release supports target Istio minor version |
| Sail Operator federation | Istio operator CRDs | HIGH RISK -- Sail must be upgraded in sync |
| Custom federation controllers | Unknown | CRITICAL until verified |
| Istio native ServiceEntry-based federation | No external controller | LOW -- verify ServiceEntry CRD schema unchanged |
ServiceEntry and imported services still resolve after control plane restart: `istioctl proxy-config endpoints <federation-gateway-pod> | grep <exported-service>` before and after upgrade.

`cacerts` Secret is unchanged: trust bundle exchange is unaffected -> PASS.

| Scenario | Severity |
|---|---|
| Federation controller has no published compatibility with target Istio | CRITICAL |
| Root CA changes during upgrade | CRITICAL |
| Federation controller supports target but requires its own upgrade | HIGH RISK |
| ServiceEntry-based federation with no external controller | WARNING |
| MCS with compatible Kubernetes version | LOW |
| All compatibility verified through release notes | PASS |
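
The two post-upgrade checks above (exported-service endpoints still resolve, `cacerts` root unchanged) can be run offline against saved snapshots. This is an added example, not part of the original skill; the function names, file names, the `istio-system` namespace and the `root-cert.pem` key in the capture comment are assumptions, and the sample snapshots are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function and file names are assumptions.
# On a cluster, capture each snapshot before and after the upgrade with:
#   istioctl proxy-config endpoints <federation-gateway-pod> | grep <exported-service>
#   kubectl get secret cacerts -n istio-system -o jsonpath='{.data.root-cert\.pem}'
# (istio-system is assumed; use the namespace that holds your cacerts Secret)

# lost_endpoints BEFORE AFTER: print "endpoint cluster" pairs that were HEALTHY
# before the upgrade and are missing or not HEALTHY afterwards (distinct file paths).
lost_endpoints() {
  awk '
    FILENAME == ARGV[1] { if ($2 == "HEALTHY") seen[$1 " " $NF] = 1; next }
    $2 == "HEALTHY"     { delete seen[$1 " " $NF] }
    END                 { for (k in seen) print k }
  ' "$1" "$2" | sort
}

# federation_gate EP_BEFORE EP_AFTER CA_BEFORE CA_AFTER
# Returns 0 on PASS, 1 on lost endpoints, 2 when the root CA changed (CRITICAL in the table).
federation_gate() {
  rc=0
  if ! cmp -s "$3" "$4"; then
    echo "CRITICAL: root CA changed during upgrade"
    rc=2
  fi
  lost=$(lost_endpoints "$1" "$2")
  if [ -n "$lost" ]; then
    echo "FAIL: endpoints no longer HEALTHY after upgrade:"
    echo "$lost"
    [ "$rc" -ne 0 ] || rc=1
  fi
  [ "$rc" -ne 0 ] || echo "PASS: endpoints resolve and trust bundle is unchanged"
  return "$rc"
}

# Constructed sample snapshots (not real cluster output).
d=$(mktemp -d)
cat > "$d/ep-before" <<'EOF'
10.20.1.5:8080   HEALTHY    OK      outbound|8080||reviews.shop.svc.cluster.local
10.30.7.9:15443  HEALTHY    OK      outbound|8080||reviews.shop.svc.cluster.local
EOF
cat > "$d/ep-after" <<'EOF'
10.20.1.5:8080   HEALTHY    OK      outbound|8080||reviews.shop.svc.cluster.local
10.30.7.9:15443  UNHEALTHY  FAILED  outbound|8080||reviews.shop.svc.cluster.local
EOF
echo "constructed-root-cert-base64" > "$d/ca-before"
cp "$d/ca-before" "$d/ca-after"
federation_gate "$d/ep-before" "$d/ep-after" "$d/ca-before" "$d/ca-after" || echo "exit code: $?"
```

Comparing the base64 value of the root certificate is enough to detect a change; it does not validate the certificate itself.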