This guide shows you how to uninstall the Istio on GKE add-on from a cluster.
Removing Istio from a cluster
The simplest way to remove the Istio on GKE add-on is to delete the cluster. However, if the cluster has an existing application that must be preserved, disabling Istio requires the following steps:
- Ensure your default mTLS mode is set to Permissive mTLS.
- Shift traffic away from the Istio ingress gateway.
- Turn off sidecar auto-injection, if enabled.
kubectl label namespace your-namespace istio-injection=disabled
- Restart application pods (for example using rolling restart) to remove the Envoy sidecars.
- Remove the Istio control plane with
gcloud:gcloud beta container clusters update my-cluster --project=$PROJECT_ID \ --update-addons=Istio=DISABLED
- Some versions of the Istio on GKE add-on deliberately leave behind some
Istio resources to support non-disruptive migration workflows. To
completely remove all Istio resources:
- Wait a few minutes for the Istio operator to delete any resources it installed.
- Delete the
istio-systemnamespace if it exists:kubectl delete ns istio-system
- Delete the Istio
CustomResourceDefinitions:kubectl delete crd $(kc get crd | grep istio.io | cut -d " " -f 1)