Uninstall Cloud Service Mesh
This page explains how to uninstall Cloud Service Mesh if you are using the Istio APIs. If you are using Compute Engine APIs, no steps are necessary. See the Cloud Service Mesh overview to understand the differences.
Uninstall Cloud Service Mesh
Use the following commands to uninstall all Cloud Service Mesh components. These
commands also delete the istio-system namespace and all custom resource
definitions (CRDs), including any CRDs that you applied.
To prevent interruption of application traffic:
- Downgrade any STRICT mTLS policies to PERMISSIVE.
- Remove any AuthorizationPolicy that may block traffic.
Disable Automatic Management on this cluster (whether you applied it directly or using the fleet-default configuration):
    gcloud container fleet mesh update \
      --management manual \
      --memberships MEMBERSHIP_NAME \
      --project FLEET_PROJECT_ID \
      --location MEMBERSHIP_LOCATION
Replace the following:
- MEMBERSHIP_NAME is the membership name listed when you verified that your cluster was registered to the fleet.
- MEMBERSHIP_LOCATION is the location of your membership (either a region, or global).
Disable sidecar auto-injection on your namespace(s), if it is enabled. Run the following command to display namespace labels:
    kubectl get namespace YOUR_NAMESPACE --show-labels
The output is similar to the following:
    NAME   STATUS   AGE     LABELS
    demo   Active   4d17h   istio.io/rev=asm-181-5
If you see istio.io/rev= in the output under the LABELS column, remove it:
    kubectl label namespace YOUR_NAMESPACE istio.io/rev-
If you see istio-injection in the output under the LABELS column, remove it:
    kubectl label namespace YOUR_NAMESPACE istio-injection-
If you don't see either the istio.io/rev or istio-injection labels, then auto-injection wasn't enabled on the namespace.
Restart your workloads that have sidecars injected to remove the proxies.
If you're using managed Cloud Service Mesh, check which control plane implementation you have in your cluster. This helps you delete the relevant resources in later steps.
If you're using managed Cloud Service Mesh, remove all controlplanerevision resources in the cluster:
    kubectl delete controlplanerevision asm-managed asm-managed-rapid asm-managed-stable -n istio-system --ignore-not-found=true
Delete webhooks from your cluster, if they exist.
In-cluster Cloud Service Mesh
Delete the validatingwebhookconfiguration and mutatingwebhookconfiguration.
    kubectl delete validatingwebhookconfiguration,mutatingwebhookconfiguration -l operator.istio.io/component=Pilot
Managed Cloud Service Mesh
A. Delete the validatingwebhookconfiguration.
    kubectl delete validatingwebhookconfiguration istiod-istio-system-mcp
B. Delete all mutatingwebhookconfiguration.
    kubectl delete mutatingwebhookconfiguration istiod-RELEASE_CHANNEL
Once all workloads come up and no proxies are observed, you can safely delete the in-cluster control plane to stop billing.
To remove the in-cluster control plane, run the following command:
    istioctl uninstall --purge
If there are no other control planes, you can delete the istio-system namespace to get rid of all Cloud Service Mesh resources. Otherwise, delete the services corresponding to the Cloud Service Mesh revisions. This avoids deleting shared resources, such as CRDs.
Delete the istio-system and asm-system namespaces:
    kubectl delete namespace istio-system asm-system --ignore-not-found=true
Check if the deletions were successful:
    kubectl get ns
The output should indicate a Terminating state and return as shown; otherwise, you might have to manually delete any remaining resources in the namespaces and try again.
    NAME           STATUS        AGE
    istio-system   Terminating   71m
    asm-system     Terminating   71m
If you will delete your clusters, or have already deleted them, ensure that each cluster is unregistered from your fleet.
If you enabled managed Cloud Service Mesh fleet-default configuration and want to disable it for future clusters, disable it. You can skip this step if you're only uninstalling from a single cluster.
    gcloud container hub mesh disable --fleet-default-member-config --project FLEET_PROJECT_ID
Where FLEET_PROJECT_ID is the ID of your Fleet Host project.
If you enabled managed Cloud Service Mesh, check and delete managed resources if they are present:
Delete the mdp-controller deployment:
    kubectl delete deployment mdp-controller -n kube-system
If you have the TRAFFIC_DIRECTOR control plane implementation, clean up Transparent Health Check resources. Normally these are removed automatically, but you can make sure they are cleaned up by doing the following:
Delete the snk daemonset.
    kubectl delete daemonset snk -n kube-system
Delete the firewall rule.
    gcloud compute firewall-rules delete gke-csm-thc-FIRST_8_CHARS_OF_CLUSTER_ID
Replace the following:
- FIRST_8_CHARS_OF_CLUSTER_ID is the first 8 characters of the Cluster ID for your specific cluster.
Check to see if the istio-cni-plugin-config configmap is present:
    kubectl get configmap istio-cni-plugin-config -n kube-system
If present, delete the istio-cni-plugin-config configmap:
    kubectl delete configmap istio-cni-plugin-config -n kube-system
Delete the istio-cni-node daemonset:
    kubectl delete daemonset istio-cni-node -n kube-system
If you're uninstalling managed Cloud Service Mesh and you're keeping your cluster, contact Support to ensure that all Google Cloud resources are cleaned up. The istio-system namespace and config maps may also continue to be recreated if you don't follow this step.
Upon completion of these steps, all Cloud Service Mesh components, including proxies, in-cluster certificate authorities, and RBAC roles and bindings, are systematically removed from the cluster. During the installation process, a Google-owned service account is granted the necessary permissions to establish the service mesh resources within the cluster. These uninstall instructions don't revoke these permissions, allowing for a seamless re-activation of Cloud Service Mesh in the future.
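The steps above say to remove injection labels, restart workloads, and delete the control plane only once no proxies are observed, but they don't show how to check that. The following shell helpers are an added example, not part of the original page or of Cloud Service Mesh tooling: they read captured kubectl output and report namespaces that are still labelled for injection and pods that still run a sidecar. The sample output is constructed, and the function names and the istio-proxy container name (Istio's default sidecar name) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-uninstall checks over captured kubectl output.

# Constructed sample of: kubectl get namespace --show-labels
SAMPLE_NS='NAME     STATUS   AGE     LABELS
demo     Active   4d17h   istio.io/rev=asm-181-5,kubernetes.io/metadata.name=demo
legacy   Active   9d      istio-injection=enabled,kubernetes.io/metadata.name=legacy
batch    Active   2d      kubernetes.io/metadata.name=batch'

# Constructed sample of one "namespace/pod container..." line per pod, e.g. from:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" "}{.spec.containers[*].name}{" "}{.spec.initContainers[*].name}{"\n"}{end}'
SAMPLE_PODS='demo/web-7d9f app istio-proxy
legacy/api-5c4b api
batch/job-1 worker'

# Emit the label-removal command for each namespace still labelled for injection.
injection_label_cmds() {
  awk 'NR > 1 {
    n = split($4, labels, ",")
    for (i = 1; i <= n; i++) {
      split(labels[i], kv, "=")
      if (kv[1] == "istio.io/rev" || kv[1] == "istio-injection")
        printf "kubectl label namespace %s %s-\n", $1, kv[1]
    }
  }'
}

# List pods that still have a container named istio-proxy (assumed sidecar name).
pods_with_sidecar() {
  awk '{ for (i = 2; i <= NF; i++) if ($i == "istio-proxy") { print $1; break } }'
}

# Succeed only when no pod on stdin still runs a sidecar.
safe_to_delete_control_plane() {
  [ -z "$(pods_with_sidecar)" ]
}

echo "Namespaces to unlabel:"
printf '%s\n' "$SAMPLE_NS" | injection_label_cmds
echo "Pods still running a sidecar (restart these):"
printf '%s\n' "$SAMPLE_PODS" | pods_with_sidecar
if printf '%s\n' "$SAMPLE_PODS" | safe_to_delete_control_plane; then
  echo "No proxies observed: control plane can be removed."
else
  echo "Proxies still present: do not run istioctl uninstall --purge yet."
fi
```

Against a live cluster, pipe the real kubectl output into the same functions in place of the constructed samples.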