Uninstall Cloud Service Mesh

This page explains how to uninstall Cloud Service Mesh.

Warning: Following these instructions to uninstall Cloud Service Mesh removes allconfigurations regardless of control plane type (in-cluster or managed).

Uninstall Cloud Service Mesh

Use the following commands to uninstall all Cloud Service Mesh components. Thesecommands also delete theistio-system namespace and all custom resourcedefinitions (CRDs), including any CRDs that you applied.

Warning: If you created CRDs, make sure you have copies of them before proceedingthrough the following steps.

  1. To prevent interruption of application traffic:

    • Downgrade any STRICT mTLS policies to PERMISSIVE.
    • Remove any AuthorizationPolicy that may block traffic.

  2. Disable Automatic Management on this cluster (whether you applied it directly or using the fleet-default configuration):

      gcloud container fleet mesh update --management manual

  3. Disable sidecar auto-injection on your namespace(s), if it is enabled. Run the following command to display namespace labels:

    kubectlgetnamespaceYOUR_NAMESPACE--show-labels

    The output is similar to the following:

    NAMESTATUSAGELABELSdemoActive4d17histio.io/rev=asm-181-5

    If you seeistio.io/rev= in the output under theLABELS column, remove it:

    kubectllabelnamespaceYOUR_NAMESPACEistio.io/rev-

    If you seeistio-injection in the output under theLABELS column, remove it:

    kubectllabelnamespaceYOUR_NAMESPACEistio-injection-

    If you don't see either theistio.io/rev oristio-injection labels, then auto-injection wasn't enabled on the namespace.

  4. Restart your workloads that have sidecars injected to remove the proxies.

  5. If you're using managed Cloud Service Mesh, remove anycontrolplanerevisionresources in the cluster:

    kubectl delete controlplanerevisionRELEASE_CHANNEL -n istio-system

    WhereRELEASE_CHANNEL is therelease channelyou provisioned, such asasm-managed,asm-managed-rapid, orasm-managed-stable.

  6. Delete webhooks from your cluster, if they exist.

    In-cluster Cloud Service Mesh

    Delete thevalidatingwebhooksconfiguration andmutatingwebhookconfiguration.

    kubectl delete validatingwebhookconfiguration,mutatingwebhookconfiguration -l operator.istio.io/component=Pilot

    Managed Cloud Service Mesh

    A. Delete thevalidatingwebhooksconfiguration.

    kubectl delete validatingwebhookconfiguration istiod-istio-system-mcp

    B. Delete themutatingwebhookconfiguration.

    Note: Use theRELEASE_CHANNEL according to therelease channel you provisioned.For example, Regular(istiod-asm-managed), Rapid(istiod-asm-managed-rapid), and Stable (istiod-asm-managed-stable).
    kubectl delete mutatingwebhookconfiguration istiod-RELEASE_CHANNEL

  7. Once all workloads come up and no proxies are observed, then you can safelydelete the in-cluster control plane to stop billing. If you deployed amanaged control plane, then it is automatically deleted with the previousstep.

    To remove the in-cluster control plane, run the command below:

    istioctlxuninstall--purge

    If there are no other control planes, you can delete theistio-systemnamespace to get rid of all Cloud Service Mesh resources. Otherwise, delete theservices corresponding to the Cloud Service Mesh revisions. This avoids deletingshared resources, such as CRDs.

  8. Delete theistio-system andasm-system namespaces:

    kubectldeletenamespaceistio-systemasm-system--ignore-not-found=true

  9. Check if the deletions were successful:

    kubectlgetns

    The output should indicate aTerminating state and return as shown, otherwise you might have to manually delete any remaining resources in the namespaces and try again.

    NAMESTATUSAGEistio-systemTerminating71masm-systemTerminating71m
    1. If you will delete your clusters, or have already deleted them, ensurethat each cluster isunregistered from your fleet.

  10. If you have enabled managed Cloud Service Mesh fleet-default configuration andwant to disable it for future clusters, disable it. You can skip this stepif you're only uninstalling from a single cluster.

    gcloudcontainerhubmeshdisable--fleet-default-member-config--projectFLEET_PROJECT_ID

    WhereFLEET_PROJECT_ID is the ID of your Fleet Host project.

  11. If you're using managed Cloud Service Mesh, delete themdp-controller deployment:

    kubectldeletedeploymentmdp-controller-nkube-system

  12. Check to see if theistio-cni-plugin-config configmap is present:

    kubectlgetconfigmapistio-cni-plugin-config-nkube-system

    If present, delete theistio-cni-plugin-config configmap:

    kubectldeleteconfigmapistio-cni-plugin-config-nkube-system
    Warning: The network reliability of your GKE cluster may be impacted if youdon't delete this configmap.

  13. Delete theistio-cni-node daemonset:

    kubectldeletedaemonsetistio-cni-node-nkube-system

Upon completion of these steps, all Cloud Service Mesh components, including proxies,in-cluster certificate authorities, and RBAC roles and bindings, aresystematically removed from the cluster. During the installation process, aGoogle-owned service account is granted the necessary permissions to establishthe service mesh resources within the cluster. These uninstall instructionsdon't revoke these permissions, allowing for a seamless re-activation ofCloud Service Mesh in the future.

Note: Theistio-system namespace and config maps may also continue to berecreated. If you require all of these artifacts to get removed,contact support.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.