CtrlK
BlogDocsLog inGet started
Tessl Logo

shweshi/istio-upgrade-skill

Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.

84

1.18x
Quality

97%

Does it follow best practices?

Impact

96%

1.18x

Average score across 1 eval scenario

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

FEDERATION_ANALYSIS.mdreferences/

Federation Analysis Reference

Commands

kubectl get crd | grep -iE "federation|serviceexport|serviceimport"
kubectl get serviceexport -A -o wide
kubectl get serviceimport -A -o wide
kubectl get all -A | grep -i federation
# If using Sail Operator or Admiral federation:
kubectl get admiral -A 2>/dev/null || true
kubectl get federatedservice -A 2>/dev/null || true

Federation Controller Compatibility

Known Compatibility Matrix

Federation MechanismIstio DependencyRisk on Upgrade
MCS (Multi-Cluster Services API)Kubernetes Gateway API; Istio >= 1.17LOW if Kubernetes >= 1.24
AdmiralIstio control plane xDS hooksHIGH RISK -- verify Admiral release supports target Istio minor version
Sail Operator federationIstio operator CRDsHIGH RISK -- Sail must be upgraded in sync
Custom federation controllersUnknownCRITICAL until verified
Istio native ServiceEntry-based federationNo external controllerLOW -- verify ServiceEntry CRD schema unchanged

Decision Logic

  1. Identify federation mechanism from installed CRDs.
  2. Check federation controller's release notes for Istio compatibility of the target version.
  3. If no official compatibility statement exists -> classify as HIGH RISK.
  4. Verify exported ServiceEntry and imported services still resolve after control plane restart:
    • Run istioctl proxy-config endpoints <federation-gateway-pod> | grep <exported-service> before and after upgrade.
  5. Check trust bundle exchange: if the root CA changes during upgrade, cross-mesh mTLS will fail until both sides re-exchange certs.

Trust Bundle Rules

  • If upgrading from self-signed Citadel CA to external CA (or vice versa): CRITICAL -- cross-mesh trust breaks immediately.
  • If CA stays the same but intermediate cert rotates: verify federation peers are configured to accept new intermediate -> HIGH RISK without explicit validation.
  • If cacerts Secret is unchanged: trust bundle exchange is unaffected -> PASS.

Risk Classification

ScenarioSeverity
Federation controller has no published compatibility with target IstioCRITICAL
Root CA changes during upgradeCRITICAL
Federation controller supports target but requires its own upgradeHIGH RISK
ServiceEntry-based federation with no external controllerWARNING
MCS with compatible Kubernetes versionLOW
All compatibility verified through release notesPASS

SKILL.md

tile.json