Version 1.14

Stay organized with collections Save and categorize content based on your preferences.

Uninstall Anthos Service Mesh

This page explains how to uninstall Anthos Service Mesh.

Uninstall Anthos Service Mesh

Use the following commands to uninstall all Anthos Service Mesh components. These commands also delete the istio-system namespace and all custom resource definitions (CRDs), including any CRDs that you applied.

  1. To prevent interruption of application traffic:

    • Downgrade any STRICT mTLS policies to PERMISSIVE.
    • Remove any AuthorizationPolicy that may block traffic.
  2. Disable Automatic Managed Anthos Service Mesh through the Fleet API, if it is enabled.

  3. Disable sidecar auto-injection on your namespace(s), if it is enabled. Run the following command to display namespace labels:

     kubectl get namespace YOUR_NAMESPACE --show-labels

    The output is similar to the following:

     demo   Active   4d17h

    If you see in the output under the LABELS column, remove it:

     kubectl label namespace YOUR_NAMESPACE

    If you see istio-injection in the output under the LABELS column, remove it:

     kubectl label namespace YOUR_NAMESPACE istio-injection-

    If you don't see either the or istio-injection labels, then auto-injection wasn't enabled on the namespace.

  4. Restart your workloads that have sidecars injected to remove the proxies.

  5. Remove any ControlPlaneRevision resources in the cluster:

    kubectl delete controlplanerevision -n istio-system
  6. Delete webhooks from your cluster, if they exist.

    In-cluster Anthos Service Mesh

    Delete the validatingwebhooksconfiguration and mutatingwebhookconfiguration.

    kubectl delete validatingwebhookconfiguration,mutatingwebhookconfiguration -l

    Managed Anthos Service Mesh

    A. Delete the validatingwebhooksconfiguration.

    kubectl delete validatingwebhookconfiguration istiod-istio-system-mcp

    B. Delete the mutatingwebhookconfiguration.

    kubectl delete mutatingwebhookconfiguration RELEASE_CHANNEL
  7. Once all workloads come up and no proxies are observed, then you can safely delete the in-cluster control plane to stop billing. If you deployed a managed control plane, then it is automatically deleted with the previous step.

    To remove the in-cluster control plane, run the command below:

    istioctl x uninstall --purge

    If there are no other control planes, you can delete the istio-system namespace to get rid of all Anthos Service Mesh resources. Otherwise, delete the services corresponding to the Anthos Service Mesh revisions. This avoids deleting shared resources, such as CRDs.

  8. Delete the istio-system and asm-system namespaces:

     kubectl delete namespace istio-system asm-system --ignore-not-found=true
  9. Check if the deletions were successful:

     kubectl get ns

    The output should indicate a Terminating state and return as shown, otherwise you might have to manually delete any remaining resources in the namespaces and try again.

     NAME                 STATUS       AGE
     istio-system         Terminating  71m
     asm-system           Terminating  71m