Uninstall Cloud Service Mesh

This page explains how to uninstall Cloud Service Mesh.

Uninstall Cloud Service Mesh

Use the following commands to uninstall all Cloud Service Mesh components. These commands also delete the istio-system namespace and all custom resource definitions (CRDs), including any CRDs that you applied.

  1. To prevent interruption of application traffic:

    • Downgrade any STRICT mTLS policies to PERMISSIVE.
    • Remove any AuthorizationPolicy that may block traffic.
  2. Disable Automatic Management on this cluster (whether you applied it directly or using the fleet-default configuration):

      gcloud container fleet mesh update --management manual
    
  3. Disable sidecar auto-injection on your namespace(s), if it is enabled. Run the following command to display namespace labels:

     kubectl get namespace YOUR_NAMESPACE --show-labels
    

    The output is similar to the following:

     NAME   STATUS   AGE     LABELS
     demo   Active   4d17h   istio.io/rev=asm-181-5

    If you see istio.io/rev= in the output under the LABELS column, remove it:

     kubectl label namespace YOUR_NAMESPACE istio.io/rev-
    

    If you see istio-injection in the output under the LABELS column, remove it:

     kubectl label namespace YOUR_NAMESPACE istio-injection-
    

    If you don't see either the istio.io/rev or istio-injection labels, then auto-injection wasn't enabled on the namespace.

  4. Restart your workloads that have sidecars injected to remove the proxies.

  5. If you're using managed Cloud Service Mesh, remove any controlplanerevision resources in the cluster:

    kubectl delete controlplanerevision RELEASE_CHANNEL -n istio-system
    

    Where RELEASE_CHANNEL is the release channel you provisioned, such as asm-managed, asm-managed-rapid, or asm-managed-stable.

  6. Delete webhooks from your cluster, if they exist.

    In-cluster Cloud Service Mesh

    Delete the validatingwebhooksconfiguration and mutatingwebhookconfiguration.

    kubectl delete validatingwebhookconfiguration,mutatingwebhookconfiguration -l operator.istio.io/component=Pilot
    

    Managed Cloud Service Mesh

    A. Delete the validatingwebhooksconfiguration.

    kubectl delete validatingwebhookconfiguration istiod-istio-system-mcp
    

    B. Delete the mutatingwebhookconfiguration.

    kubectl delete mutatingwebhookconfiguration istiod-RELEASE_CHANNEL
    
  7. Once all workloads come up and no proxies are observed, then you can safely delete the in-cluster control plane to stop billing. If you deployed a managed control plane, then it is automatically deleted with the previous step.

    To remove the in-cluster control plane, run the command below:

    istioctl x uninstall --purge
    

    If there are no other control planes, you can delete the istio-system namespace to get rid of all Cloud Service Mesh resources. Otherwise, delete the services corresponding to the Cloud Service Mesh revisions. This avoids deleting shared resources, such as CRDs.

  8. Delete the istio-system and asm-system namespaces:

     kubectl delete namespace istio-system asm-system --ignore-not-found=true
    
  9. Check if the deletions were successful:

     kubectl get ns
    

    The output should indicate a Terminating state and return as shown, otherwise you might have to manually delete any remaining resources in the namespaces and try again.

     NAME                 STATUS       AGE
     istio-system         Terminating  71m
     asm-system           Terminating  71m
    
    1. If you will delete your clusters, or have already deleted them, ensure that each cluster is unregistered from your fleet.
  10. If you have enabled managed Cloud Service Mesh fleet-default configuration and want to disable it for future clusters, disable it. You can skip this step if you're only uninstalling from a single cluster.

     gcloud container hub mesh disable --fleet-default-member-config --project FLEET_PROJECT_ID
    

    Where FLEET_PROJECT_ID is the ID of your Fleet Host project.

  11. If you're using managed Cloud Service Mesh, delete the mdp-controller deployment:

     kubectl delete deployment mdp-controller -n kube-system
    
  12. Check to see if the istio-cni-plugin-config configmap is present:

     kubectl get configmap istio-cni-plugin-config -n kube-system
    

    If present, delete the istio-cni-plugin-config configmap:

     kubectl delete configmap istio-cni-plugin-config -n kube-system
    
  13. Delete the istio-cni-node daemonset:

     kubectl delete daemonset istio-cni-node -n kube-system
    

Upon completion of these steps, all Cloud Service Mesh components, including proxies, in-cluster certificate authorities, and RBAC roles and bindings, are systematically removed from the cluster. During the installation process, a Google-owned service account is granted the necessary permissions to establish the service mesh resources within the cluster. These uninstall instructions don't revoke these permissions, allowing for a seamless re-activation of Cloud Service Mesh in the future.