Disabling or uninstalling Istio on GKE

This guide shows you how to either disable, or completely uninstall the Istio on GKE add-on from a cluster.

Disabling the Istio on GKE add-on disables the add-on management of Istio on the cluster, but preserves the Istio installation and configurations on the cluster. When you disable the Istio on GKE add-on, Google no longer manages your Istio installation on the cluster. You are responsible for managing the configuration and lifecycle of Istio on the cluster. To disable the Istio on GKE add-on, follow the instructions in the Disabling Istio on GKE add-on section.

Instead of disabling the add-on, you can uninstall the Istio on GKE add-on completely. Uninstalling the Istio on GKE add-on completely removes Istio and all associated configurations from the cluster. To uninstall the Istio on GKE add-on, follow the instructions in the Uninstalling Istio from a cluster section.

Disabling Istio on GKE add-on

You can disable the Istio on GKE add-on if you no longer want Google to manage your Istio installation. Your Istio installation and configurations are preserved. To do this, ensure that you are running GKE versions 1.17.17-gke.3100+, 1.18.16-gke.1600+, or 1.19.8-gke.1600+ and above. Disabling the Istio on GKE add-on on earlier GKE versions completely uninstalls Istio (the Istio installation and configurations), which might result in downtime for your services.

  1. Disable Istio on GKE by running the following command:

    gcloud beta container clusters update my-cluster --project=$PROJECT_ID \
      --update-addons=Istio=DISABLED
    

Uninstalling Istio from a cluster

The simplest way to remove the Istio on GKE add-on is to delete the cluster. However, if the cluster has an existing application that must be preserved, disabling Istio requires the following steps:

  1. Ensure your default mTLS mode is set to Permissive mTLS.
  2. Shift traffic away from the Istio ingress gateway.
  3. Turn off sidecar auto-injection, if enabled.
    kubectl label namespace your-namespace istio-injection=disabled
    
  4. Restart application pods (for example using rolling restart) to remove the Envoy sidecars.
  5. Remove the Istio control plane with gcloud:
    gcloud beta container clusters update my-cluster --project=$PROJECT_ID \
      --update-addons=Istio=DISABLED
    
  6. Delete the IstioOperator CustomResource:

    kubectl delete istiooperator -n istio-system istio-1-6-11-gke-0
    

    Depending on your cluster version, you might need to replace istio-1-6-11-gke-0 with the name of the CustomResource installed in your cluster. You can obtain the name by running:

    kubectl get istiooperator -n istio-system\
    
  7. Wait a few minutes for the Istio operator to delete any resources it installed.

  8. Delete the istio-system namespace if it exists:

    kubectl delete ns istio-system

  9. Delete the remaining Istio cluster resources:

    for i in $(kubectl get clusterrole,clusterrolebinding,crd | grep istio | cut -f1 -d' '); do kubectl delete $i; done