Uninstall Cloud Service Mesh
This page explains how to uninstall Cloud Service Mesh.
Uninstall Cloud Service Mesh
Use the following commands to uninstall all Cloud Service Mesh components. These
commands also delete the istio-system
namespace and all custom resource
definitions (CRDs), including any CRDs that you applied.
To prevent interruption of application traffic:
- Downgrade any STRICT mTLS policies to PERMISSIVE.
- Remove any AuthorizationPolicy that may block traffic.
Disable Automatic Managed Cloud Service Mesh through the Fleet API, if it is enabled.
Disable sidecar auto-injection on your namespace(s), if it is enabled. Run the following command to display namespace labels:
kubectl get namespace YOUR_NAMESPACE --show-labels
The output is similar to the following:
NAME STATUS AGE LABELS demo Active 4d17h istio.io/rev=asm-181-5
If you see
istio.io/rev=
in the output under theLABELS
column, remove it:kubectl label namespace YOUR_NAMESPACE istio.io/rev-
If you see
istio-injection
in the output under theLABELS
column, remove it:kubectl label namespace YOUR_NAMESPACE istio-injection-
If you don't see either the
istio.io/rev
oristio-injection
labels, then auto-injection wasn't enabled on the namespace.Restart your workloads that have sidecars injected to remove the proxies.
If you're using managed Cloud Service Mesh, remove any
controlplanerevision
resources in the cluster:kubectl delete controlplanerevision RELEASE_CHANNEL -n istio-system
Where RELEASE_CHANNEL is the release channel you provisioned, such as
asm-managed
,asm-managed-rapid
, orasm-managed-stable
.Delete webhooks from your cluster, if they exist.
In-cluster Cloud Service Mesh
Delete the
validatingwebhooksconfiguration
andmutatingwebhookconfiguration
.kubectl delete validatingwebhookconfiguration,mutatingwebhookconfiguration -l operator.istio.io/component=Pilot
Managed Cloud Service Mesh
A. Delete the
validatingwebhooksconfiguration
.kubectl delete validatingwebhookconfiguration istiod-istio-system-mcp
B. Delete the
mutatingwebhookconfiguration
.kubectl delete mutatingwebhookconfiguration istiod-RELEASE_CHANNEL
Once all workloads come up and no proxies are observed, then you can safely delete the in-cluster control plane to stop billing. If you deployed a managed control plane, then it is automatically deleted with the previous step.
To remove the in-cluster control plane, run the command below:
istioctl x uninstall --purge
If there are no other control planes, you can delete the
istio-system
namespace to get rid of all Cloud Service Mesh resources. Otherwise, delete the services corresponding to the Cloud Service Mesh revisions. This avoids deleting shared resources, such as CRDs.Delete the
istio-system
andasm-system
namespaces:kubectl delete namespace istio-system asm-system --ignore-not-found=true
Check if the deletions were successful:
kubectl get ns
The output should indicate a
Terminating
state and return as shown, otherwise you might have to manually delete any remaining resources in the namespaces and try again.NAME STATUS AGE istio-system Terminating 71m asm-system Terminating 71m
Follow the steps to unregister each cluster from your fleet. This step is required even if you deleted the cluster, since deleted clusters may still be registered to your fleet.
If you're using managed Cloud Service Mesh, delete the
mdp-controller
deployment:kubectl delete deployment mdp-controller -n kube-system
Delete the
istio-cni-node
daemonset:kubectl delete daemonset istio-cni-node -n kube-system