
shweshi/istio-upgrade-skill

Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.

84 · 1.18x

Quality: 97% (Does it follow best practices?)

Impact: 96%, 1.18x (Average score across 1 eval scenario)

Security by Snyk: Advisory (Suggest reviewing before use)


references/PROXY_COMPATIBILITY.md

Proxy Compatibility Reference

Version Skew Classification

| Skew | Classification |
|---|---|
| Same minor version | PASS |
| +1 minor version | GOOD |
| +2 minor versions | WARNING |
| +3 minor versions | HIGH RISK -- rolling restart required before cutover |
| > +3 minor versions | CRITICAL -- upgrade blocked; must stage through intermediate versions |

Rule: Istio supports N-1 proxy/control-plane skew officially. N-2 is tolerated but unsupported. Beyond N-2, proxies may fail to connect to istiod.

Commands

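```sh
# Proxy version and sync state as reported by istiod
istioctl proxy-status
# Image of the istio-proxy container in every pod that has one (pods without a sidecar print an empty image and are dropped)
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.containers[?(@.name=="istio-proxy")].image}{"\n"}{end}' | grep -v ': $'
```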

Decision Logic

  1. Extract oldest proxy version from istioctl proxy-status.
  2. Compute skew = target_minor - oldest_proxy_minor.
  3. Apply the classification table above.
  4. If skew >= 3: block upgrade -- require rolling restart of workloads first to bring proxies to N-1.
  5. If any proxy version predates the source control plane: classify as CRITICAL (stale proxy).
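
The decision steps above as an added Python example, not code from the skill itself. It assumes 1.x versions and sidecar images named `proxyv2` with the version as the tag; the function names and the sample lines are constructed for illustration, and step 5 is applied literally (any proxy older than the source control plane is CRITICAL).

```python
import re

# Version tag on the sidecar image, e.g. docker.io/istio/proxyv2:1.18.2-distroless
PROXY_TAG = re.compile(r"proxyv2:1\.(\d+)")
LEVELS = {0: "PASS", 1: "GOOD", 2: "WARNING", 3: "HIGH RISK"}  # above 3 is CRITICAL

def minor_of(version):
    """Minor number of a 1.x version string such as '1.21' or '1.21.3'."""
    major, minor = version.split(".")[:2]
    if major != "1":
        raise ValueError(f"only 1.x versions handled: {version}")
    return int(minor)

def proxy_minors(lines):
    """Map 'namespace/pod' -> proxy minor for every line naming a proxyv2 image."""
    found = {}
    for line in lines:
        pod, _, images = line.partition(": ")
        tag = PROXY_TAG.search(images)
        if tag:
            found[pod] = int(tag.group(1))
    return found

def assess(target, source, lines):
    """Apply decision steps 1-5 to one snapshot of the fleet."""
    proxies = proxy_minors(lines)
    if not proxies:
        raise ValueError("no istio-proxy sidecars found")
    oldest_pod = min(proxies, key=proxies.get)                 # step 1
    skew = minor_of(target) - proxies[oldest_pod]              # step 2
    if skew < 0:
        raise ValueError("proxy newer than target: not covered by the table")
    level = LEVELS.get(skew, "CRITICAL")                       # step 3
    stale = sorted(p for p, m in proxies.items() if m < minor_of(source))
    if stale:                                                  # step 5
        level = "CRITICAL"
    return {"oldest": oldest_pod, "skew": skew, "classification": level,
            "blocked": skew >= 3, "stale": stale}               # step 4

# Constructed sample in the 'namespace/pod: image' shape of the kubectl output.
SAMPLE = [
    "shop/cart-7d9f: docker.io/istio/proxyv2:1.20.3",
    "shop/pay-5c6b: docker.io/istio/proxyv2:1.19.5",
    "batch/nightly-28391: docker.io/istio/proxyv2:1.18.2-distroless",
    "kube-system/coredns-565d: registry.k8s.io/coredns/coredns:v1.11.1",
]

if __name__ == "__main__":
    print(assess(target="1.21", source="1.20", lines=SAMPLE))
```

The `stale` list names the pods to restart first; in the sample the Job pod left at 1.18 is what pushes the skew to 3 and blocks the upgrade.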

Risk Triggers

  • Pods with istio-proxy image from a revision that no longer has a live istiod -> proxy cannot reconnect after control plane upgrade.
  • DaemonSets (e.g. istio-cni) pinned to old node image -> node-level injection failure after upgrade.
  • Jobs/CronJobs with istio-proxy sidecars that are not restarted -> permanent skew after upgrade.
