Stay organized with collections
Save and categorize content based on your preferences.
These steps are specific to the bundled version of Istio that is included by
default with the Knative serving "GKE add-on".
Since the bundled version of Istio is uninstalled when you performed the
process of uninstalling the Knative serving "GKE add-on",
the steps on this page install Cloud Service Mesh on your cluster and then
configures your ingress gateway.
The commands on this page use the environment variables and migration script
from the upgrade preparation step.
It is important that you perform each step of this process in the
specified order.
Overview
In general, the process for installing Cloud Service Mesh when migrating from the
bundled version of Istio, is the same process as performing a clean
Cloud Service Mesh installation. In this process Cloud Service Mesh version
1.18 is installed with the
In-cluster control plane.
Install Cloud Service Mesh version 1.18
You use the Cloud Service Mesh installation documentation to install Cloud Service Mesh.
Before you begin:
For the migration, the ingress gateway must be installed
separately during the subsequent configuration steps. The
installation script won't install the ingress gateway by default.
Optional: If you use Cloud Service Mesh certificate authority (Mesh CA), you must
also include the --ca mesh_ca flag with the Cloud Service Mesh installation
script.
In this section, the migration script is used to
create the Cloud Service Mesh ingress gateway within the gke-system namespace.
For the migration, the gke-system namespace is used so that the ingress
gateway is placed within the same namespace used by the recently removed
"bundled Istio". Therefore, the Cloud Service Mesh ingress pods can seamlessly
takeover traffic without any required configuration changes to the ingress
service. For example, you do not need to configure a new external IP address.
To create the ingress gateway within the gke-system namespace,
run the following command to start the migration script:
./migration-addon.sh--commandset-up-asm-ingress
The terminal output during the process looks similar to the following:
Setting up Cloud Service Mesh ingress. Note that the Cloud Service Mesh ingress is not
serving traffic at this step.
namespace/gke-system labeled
deployment.apps/istio-ingressgateway created
horizontalpodautoscaler.autoscaling/istio-ingressgateway created
role.rbac.authorization.k8s.io/istio-ingressgateway-sds created
rolebinding.rbac.authorization.k8s.io/istio-ingressgateway-sds created
Cloud Service Mesh ingress is successfully installed.
Verify that the istio-ingrerssgateway ingress gateway is running in the
gke-system namespace by running the following command:
The terminal output during the process looks similar to the following:
Deleting Cloud Service Mesh ingress
deployment.apps "istio-ingressgateway" deleted
horizontalpodautoscaler.autoscaling "istio-ingressgateway" deleted
role.rbac.authorization.k8s.io "istio-ingressgateway-sds" deleted
rolebinding.rbac.authorization.k8s.io "istio-ingressgateway-sds" deleted
Cloud Service Mesh ingress is successfully deleted.
To verify that the Cloud Service Mesh ingress gateway was removed, check that the
istio-ingressgateway service no longer exists in the gke-system
namespace:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Migrate the bundled Istio to Cloud Service Mesh\n\nThese steps are specific to the bundled version of Istio that is included by\ndefault with the Knative serving \"*GKE add-on*\".\n| **Important:** If the \"*Istio add-on* \" is installed on your cluster, you must instead perform the steps to [migrate the Istio add-on to Cloud Service Mesh](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/uninstall-istio-addon).\n\nSince the bundled version of Istio is uninstalled when you performed the\n[process of uninstalling the Knative serving \"*GKE add-on*\"](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/uninstall-addon),\nthe steps on this page install Cloud Service Mesh on your cluster and then\nconfigures your ingress gateway.\n\nBefore you begin\n----------------\n\n- You must first review and ensure that you meet the\n [requirements for upgrading](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade).\n\n- The commands on this page use the environment variables and migration script\n from the [upgrade preparation step](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/prepare).\n\n- It is important that you perform each step of this process in the\n [specified order](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade#upgrading).\n\nOverview\n--------\n\nIn general, the process for installing Cloud Service Mesh when migrating from the\nbundled version of Istio, is the same process as performing a clean\nCloud Service Mesh installation. In this process Cloud Service Mesh version\n1.18 is installed with the\n[In-cluster control plane](/service-mesh/v1.18/docs/supported-features).\n\nInstall Cloud Service Mesh version 1.18\n---------------------------------------\n\nYou use the Cloud Service Mesh installation documentation to install Cloud Service Mesh.\n\n**Before you begin**:\n\n- For the migration, the ingress gateway must be installed\n separately during the subsequent [configuration steps](#meshconfig). The\n installation script won't install the ingress gateway by default.\n\n- Optional: If you use Cloud Service Mesh certificate authority (Mesh CA), you must\n also include the `--ca mesh_ca` flag with the Cloud Service Mesh installation\n script.\n\n**To install Cloud Service Mesh**:\n\nFollow the steps in the Cloud Service Mesh documentation:\n[Install Cloud Service Mesh version 1.18](/service-mesh/v1.18/docs/unified-install/install-anthos-service-mesh)\n\nExample\n\n: The following is an example of the default command that includes the required\n flag:\n\n ./asmcli install \\\n --project_id ${PROJECT_ID} \\\n --cluster_name ${CLUSTER_NAME} \\\n --cluster_location ${CLUSTER_LOCATION} \\\n --ca mesh_ca \\\n --output_dir DIR_PATH \\\n --enable_all\n\n### Configure Cloud Service Mesh ingress\n\nIn this section, the [migration script](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/prepare) is used to\ncreate the Cloud Service Mesh ingress gateway within the `gke-system` namespace.\n\nFor the migration, the `gke-system` namespace is used so that the ingress\ngateway is placed within the same namespace used by the recently removed\n\"bundled Istio\". Therefore, the Cloud Service Mesh ingress pods can seamlessly\ntakeover traffic without any required configuration changes to the ingress\nservice. For example, you do not need to configure a new external IP address.\n\n1. To create the ingress gateway within the `gke-system` namespace,\n run the following command to start the migration script:\n\n ./migration-addon.sh --command set-up-asm-ingress\n\n The terminal output during the process looks similar to the following: \n\n Setting up Cloud Service Mesh ingress. Note that the Cloud Service Mesh ingress is not\n serving traffic at this step.\n namespace/gke-system labeled\n deployment.apps/istio-ingressgateway created\n horizontalpodautoscaler.autoscaling/istio-ingressgateway created\n role.rbac.authorization.k8s.io/istio-ingressgateway-sds created\n rolebinding.rbac.authorization.k8s.io/istio-ingressgateway-sds created\n Cloud Service Mesh ingress is successfully installed.\n\n2. Verify that the `istio-ingrerssgateway` ingress gateway is running in the\n `gke-system` namespace by running the following command:\n\n kubectl get deployment istio-ingressgateway -n gke-system\n\n Note that the number of `istio-ingressgateway` pods is intentionally `0`.\n After installing the Knative serving fleet component, there is a subsequent\n step to\n [migrate all traffic to the Cloud Service Mesh ingress](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/migrate-traffic).\n\nWhat's next\n-----------\n\n[Install the fleet component](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/fleet-install-script)\n\nRollback\n--------\n\nIf you need to rollback the changes that you made through the preceding steps,\nyou can use the migration script to:\n\n- Delete the Cloud Service Mesh ingress gateway.\n- Uninstall Cloud Service Mesh.\n\nTo rollback the Cloud Service Mesh configuration and installation:\n\n1. Run the following command to start the rollback.\n\n ./migration-addon.sh --command rollback-set-up-asm-ingress\n\n The terminal output during the process looks similar to the following: \n\n Deleting Cloud Service Mesh ingress\n deployment.apps \"istio-ingressgateway\" deleted\n horizontalpodautoscaler.autoscaling \"istio-ingressgateway\" deleted\n role.rbac.authorization.k8s.io \"istio-ingressgateway-sds\" deleted\n rolebinding.rbac.authorization.k8s.io \"istio-ingressgateway-sds\" deleted\n Cloud Service Mesh ingress is successfully deleted.\n\n2. To verify that the Cloud Service Mesh ingress gateway was removed, check that the\n `istio-ingressgateway` service no longer exists in the `gke-system`\n namespace:\n\n kubectl get deployment istio-ingressgateway -n gke-system\n\n3. [Uninstall Cloud Service Mesh](/service-mesh/v1.18/docs/uninstall)\n\n4. To continue rolling back all the changes to your installations original state,\n [rollback the Knative serving \"GKE add-on\"](/kubernetes-engine/enterprise/knative-serving/docs/install/on-gcp/upgrade/uninstall-addon#rollbackgkeaddon)."]]
