Updated on 2025-04-03 GMT+08:00

Before Your Upgrade

  • Calculate the cluster resources using the following formulas:

    CPU: Total number of istiod, istio-ingressgateway, and istio-egressgateway instances × Requested CPU

    Memory: Total number of istiod, istio-ingressgateway, and istio-egressgateway instances × Requested memory

  • Check the cluster version.
  • Check the cluster status. If the cluster is unavailable, do not perform the upgrade.
  • Check the service mesh status. If the service mesh is unavailable, do not perform the upgrade.
  • Check CRDs to be discarded. (This check is not required for 1.8 and later versions.)

    Some CRDs used in 1.3 and 1.6 will be unavailable in 1.8. Before the upgrade to 1.8, discard ClusterRbacConfigs, ServiceRoles, ServiceRoleBindings, and policies.

  • Check Istio gateway labels. (This check is not required for 1.8 and later versions.)

    Istio gateway labels specified by matchLabels must be in {app: istio-ingressgateway, istio: ingressgateway} format.

  • Check the format of VirtualService. (This check is not required for 1.8 and later versions.)

    In 1.8 and later versions, only VirtualService in delegate format can be displayed on the ASM console.. This check will not affect the upgrade.

  • Check the gateway settings. (This check is not required for 1.8 and later versions.)

    In 1.8 and later versions, the gateway listening port number must be greater than 1024. If your gateway uses a port number smaller than 1024, change the port number.

  • Check component affinity.

    During canary upgrades, the control plane and gateway instances of the new version will be deployed in the cluster. Before the upgrade, ensure that at least one of the following conditions is met:

    1. There are at least twice as many nodes labeled with istio:master as there are istiod instances, and at least twice as many schedulable nodes as there are istio-ingressgateway or istio-egressgateway instances (depending on which one is larger).
    2. The anti-affinity of istiod, istio-ingressgateway, and istio-egressgateway is changed from Required to Preferred.
  • Check add-ons. (This check is not required for 1.8 and later versions.)

    The add-ons supported in 1.3 and 1.6 are no longer supported in 1.8 and later versions. Before the upgrade, uninstall the add-ons.

  • Check automatic namespace injection.

    Namespace injection is used in the Basic service mesh. If there is no injection label for the namespace where the pod is located, you need to add one before the upgrade.

  • Check the service selector.

    If there is sidecarVersion, delete the selector.