This guide shows you how to either disable, or completely uninstall the Istio on GKE add-on from a cluster.
Disabling the Istio on GKE add-on disables the add-on management of Istio on the cluster, but preserves the Istio installation and configurations on the cluster. When you disable the Istio on GKE add-on, Google no longer manages your Istio installation on the cluster. You are responsible for managing the configuration and lifecycle of Istio on the cluster. To disable the Istio on GKE add-on, follow the instructions in the Disabling Istio on GKE add-on section.
Instead of disabling the add-on, you can uninstall the Istio on GKE add-on completely. Uninstalling the Istio on GKE add-on completely removes Istio and all associated configurations from the cluster. To uninstall the Istio on GKE add-on, follow the instructions in the Uninstalling Istio from a cluster section.
Disabling Istio on GKE add-on
You can disable the Istio on GKE add-on if you no longer want Google to manage your Istio installation. Your Istio installation and configurations are preserved. To do this, ensure that you are running GKE versions 1.17.17-gke.3100+, 1.18.16-gke.1600+, or 1.19.8-gke.1600+ and above. Disabling the Istio on GKE add-on on earlier GKE versions completely uninstalls Istio (the Istio installation and configurations), which might result in downtime for your services.
Disable Istio on GKE by running the following command:
gcloud beta container clusters update my-cluster --project=$PROJECT_ID \ --update-addons=Istio=DISABLED
Uninstalling Istio from a cluster
The simplest way to remove the Istio on GKE add-on is to delete the cluster. However, if the cluster has an existing application that must be preserved, disabling Istio requires the following steps:
- Ensure your default mTLS mode is set to Permissive mTLS.
- Shift traffic away from the Istio ingress gateway.
- Turn off sidecar auto-injection, if enabled.
kubectl label namespace your-namespace istio-injection=disabled
- Restart application pods (for example using rolling restart) to remove the Envoy sidecars.
- Remove the Istio control plane with
gcloud:gcloud beta container clusters update my-cluster --project=$PROJECT_ID \ --update-addons=Istio=DISABLED
Delete the
IstioOperatorCustomResource:kubectl delete istiooperator -n istio-system istio-1-6-11-gke-0
Depending on your cluster version, you might need to replace
istio-1-6-11-gke-0with the name of theCustomResourceinstalled in your cluster. You can obtain the name by running:kubectl get istiooperator -n istio-system\
Wait a few minutes for the Istio operator to delete any resources it installed.
Delete the
istio-systemnamespace if it exists:kubectl delete ns istio-system
Delete the remaining Istio cluster resources:
for i in
$(kubectl get clusterrole,clusterrolebinding,crd | grep istio | cut -f1 -d' '); do kubectl delete $i; doneAt this point, you have successfully uninstalled the Istio on GKE add-on. However, there are related resources that are purposefully labelled for safe migrations which you must manually deleted from the cluster:
kubectl delete mutatingwebhookconfiguration istio-sidecar-injector kubectl delete clusterrole istio-citadel-istio-system istio-galley-istio-system istio-mixer-istio-system istio-operator istio-pilot-istio-system istio-reader istio-security-post-install-istio-system istio-sidecar-injector-istio-system kubectl delete clusterrolebinding istio-citadel-istio-system istio-galley-admin-role-binding-istio-system istio-mixer-admin-role-binding-istio-system istio-multi istio-operator istio-pilot-istio-system istio-security-post-install-role-binding-istio-system istio-sidecar-injector-admin-role-binding-istio-system kubectl delete deployment istio-operator -n istio-operator kubectl delete service istio-operator -n istio-operator kubectl delete ns istio-operator