CtrlK
BlogDocsLog inGet started
Tessl Logo

shweshi/istio-upgrade-skill

Use when the user asks about upgrading Istio, checking Istio version compatibility, planning an Istio migration, performing pre-upgrade checks, preparing for a version bump, or creating an Istio upgrade plan. Checks CRD compatibility and storage version changes, validates sidecar proxy version skew against control-plane skew limits, reviews EnvoyFilter deprecated xDS API usage and Wasm ABI compatibility, analyzes east-west gateway upgrade ordering in multi-cluster environments, assesses federation controller compatibility and trust bundle exchange, identifies breaking changes across all intermediate Istio releases, and produces a scored upgrade readiness assessment with a go/no-go recommendation and rollback strategy.

84

1.18x
Quality

97%

Does it follow best practices?

Impact

96%

1.18x

Average score across 1 eval scenario

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

SECURITY_ANALYSIS.mdreferences/

Security Analysis Reference

Commands

kubectl get peerauthentication -A -o yaml
kubectl get authorizationpolicy -A -o yaml
kubectl get requestauthentication -A -o yaml

mTLS Compatibility Rules

ScenarioSeverity
Global STRICT mTLS + proxy skew >= N+2HIGH RISK -- old proxy cannot complete mTLS handshake with new istiod cert
PERMISSIVE mode across upgrade windowPASS -- plaintext fallback absorbs handshake failures
DISABLE on any namespace + cross-namespace AuthorizationPolicyWARNING -- policy enforcement may change with new proxy
Per-port STRICT mode with version-specific cipher changesHIGH RISK -- verify cipher suite compatibility in target Envoy changelog

Rule: If running STRICT mTLS, rolling restart of all proxies must complete within the N-1 skew window before removing the old revision.

AuthorizationPolicy Changes by Version

Known Breaking Patterns (check against target release notes)

  • Istio 1.22+: source.principal matching is case-sensitive by default -- policies using mixed-case SPIFFE URIs may silently stop matching.
  • Istio 1.23+: action: CUSTOM policies require explicit provider configuration in meshConfig; missing providers cause DENY by default.
  • Istio 1.24+: L7 policies on TCP ports are rejected at admission (previously silently ignored) -- may block kubectl apply in CI.

Decision Logic

  1. Identify global and per-namespace PeerAuthentication modes.
  2. If STRICT mode: verify proxy skew is <= N-1 before cutover or switch to PERMISSIVE for the upgrade window.
  3. Audit AuthorizationPolicy action types: flag any CUSTOM policies and verify provider config exists in meshConfig for target version.
  4. Check for source.principal patterns containing uppercase SPIFFE URIs if upgrading to 1.22+.
  5. Check for L7 policies applied to TCP ports if upgrading to 1.24+.
  6. Run istioctl analyze -A against target CRDs to surface validation failures before applying.

JWT / RequestAuthentication Rules

  • OIDC issuer URL must remain reachable from all sidecars during upgrade -- not an Istio concern but commonly overlooked during cluster-level changes.
  • If JWKs cache TTL is short and OIDC endpoint is unavailable during upgrade: requests fail with 401 -> WARNING.
  • forwardOriginalToken: true behaviour is unchanged across versions -- PASS.

Risk Classification

ScenarioSeverity
STRICT mTLS + proxy skew > N-1HIGH RISK
CUSTOM action policy, no provider configCRITICAL
Mixed-case SPIFFE URIs, upgrading to 1.22+HIGH RISK
L7 policy on TCP port, upgrading to 1.24+HIGH RISK
PERMISSIVE mode across all namespacesLOW
No AuthorizationPolicies deployedPASS

SKILL.md

tile.json