Uninstall Cloud Service Mesh

Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

This page explains how to uninstall Cloud Service Mesh if you are using the Istio APIs. If you are using Compute Engine APIs, no steps are necessary. See the Cloud Service Mesh overview to understand the differences.

Warning: Following these instructions to uninstall Cloud Service Mesh removes all configurations regardless of control plane type (in-cluster or managed).

Uninstall Cloud Service Mesh

Use the following commands to uninstall all Cloud Service Mesh components. These commands also delete the istio-system namespace and all custom resource definitions (CRDs), including any CRDs that you applied.

Warning: If you created CRDs, make sure you have copies of them before proceeding through the following steps.
  1. To prevent interruption of application traffic:

    • Downgrade any STRICT mTLS policies to PERMISSIVE.
    • Remove any AuthorizationPolicy that may block traffic.
  2. Disable Automatic Management on this cluster (whether you applied it directly or using the fleet-default configuration):

      gcloud container fleet mesh update \
        --management manual \
        --memberships MEMBERSHIP_NAME \
        --project FLEET_PROJECT_ID \
        --location MEMBERSHIP_LOCATION

    Replace the following:

    • MEMBERSHIP_NAME is the membership name listed when you verified that your cluster was registered to the fleet.
    • MEMBERSHIP_LOCATION is the location of your membership (either a region, or global).
  3. Disable sidecar auto-injection on your namespace(s), if it is enabled. Run the following command to display namespace labels:

    kubectl get namespace YOUR_NAMESPACE --show-labels

    The output is similar to the following:

    NAME   STATUS   AGE     LABELS
    demo   Active   4d17h   istio.io/rev=asm-181-5

    If you see istio.io/rev= in the output under the LABELS column, remove it:

    kubectl label namespace YOUR_NAMESPACE istio.io/rev-

    If you see istio-injection in the output under the LABELS column, remove it:

    kubectl label namespace YOUR_NAMESPACE istio-injection-

    If you don't see either the istio.io/rev or istio-injection labels, then auto-injection wasn't enabled on the namespace.

  4. Restart your workloads that have sidecars injected to remove the proxies.

  5. If you're using managed Cloud Service Mesh, check which control plane implementation you have in your cluster. This helps you delete the relevant resources in later steps.

  6. If you're using managed Cloud Service Mesh, remove all controlplanerevision resources in the cluster:

    kubectl delete controlplanerevision asm-managed asm-managed-rapid asm-managed-stable -n istio-system --ignore-not-found=true
  7. Delete webhooks from your cluster, if they exist.

    In-cluster Cloud Service Mesh

    Delete the validatingwebhookconfiguration and mutatingwebhookconfiguration.

    kubectl delete validatingwebhookconfiguration,mutatingwebhookconfiguration -l operator.istio.io/component=Pilot

    Managed Cloud Service Mesh

    A. Delete the validatingwebhookconfiguration.

    kubectl delete validatingwebhookconfiguration istiod-istio-system-mcp

    B. Delete all mutatingwebhookconfiguration.

    Note: Use the RELEASE_CHANNEL according to the release channel you provisioned. For example, Regular (istiod-asm-managed), Rapid (istiod-asm-managed-rapid), and Stable (istiod-asm-managed-stable).
    kubectl delete mutatingwebhookconfiguration istiod-RELEASE_CHANNEL
  8. Once all workloads come up and no proxies are observed, then you can safely delete the in-cluster control plane to stop billing.

    To remove the in-cluster control plane, run the following command:

    istioctl uninstall --purge

    If there are no other control planes, you can delete the istio-system namespace to get rid of all Cloud Service Mesh resources. Otherwise, delete the services corresponding to the Cloud Service Mesh revisions. This avoids deleting shared resources, such as CRDs.

  9. Delete the istio-system and asm-system namespaces:

    kubectl delete namespace istio-system asm-system --ignore-not-found=true
  10. Check if the deletions were successful:

    kubectl get ns

    The output should indicate a Terminating state and return as shown; otherwise, you might have to manually delete any remaining resources in the namespaces and try again.

    NAME           STATUS        AGE
    istio-system   Terminating   71m
    asm-system     Terminating   71m
  11. If you will delete your clusters, or have already deleted them, ensure that each cluster is unregistered from your fleet.

  12. If you enabled managed Cloud Service Mesh fleet-default configuration and want to disable it for future clusters, disable it. You can skip this step if you're only uninstalling from a single cluster.

    gcloud container hub mesh disable --fleet-default-member-config --project FLEET_PROJECT_ID

    Where FLEET_PROJECT_ID is the ID of your Fleet Host project.

  13. If you enabled managed Cloud Service Mesh, check for managed resources and delete them if they are present:

    Note: If your cluster is an Autopilot cluster, you cannot delete resources from the kube-system namespace. If you're uninstalling managed Cloud Service Mesh and you're keeping your cluster, contact Support to ensure that these resources are deleted.
    1. Delete the mdp-controller deployment:

      kubectl delete deployment mdp-controller -n kube-system
    2. If you have the TRAFFIC_DIRECTOR control plane implementation, clean up Transparent Health Check resources. Normally these are removed automatically, but you can make sure they are cleaned up by doing the following:

      1. Delete the snk daemonset.

        kubectl delete daemonset snk -n kube-system
      2. Delete the firewall rule.

        gcloud compute firewall-rules delete gke-csm-thc-FIRST_8_CHARS_OF_CLUSTER_ID

        Replace the following:

        • FIRST_8_CHARS_OF_CLUSTER_ID is the first 8 characters of the Cluster ID for your specific cluster.
    3. Check to see if the istio-cni-plugin-config configmap is present:

      kubectl get configmap istio-cni-plugin-config -n kube-system

      If present, delete the istio-cni-plugin-config configmap:

      kubectl delete configmap istio-cni-plugin-config -n kube-system
      Warning: The network reliability of your GKE cluster may be impacted if you don't delete this configmap.
    4. Delete the istio-cni-node daemonset:

      kubectl delete daemonset istio-cni-node -n kube-system
  14. If you're uninstalling managed Cloud Service Mesh and you're keeping your cluster, contact Support to ensure that all Google Cloud resources are cleaned up. The istio-system namespace and configmaps may also continue to be recreated if you don't follow this step.

Upon completion of these steps, all Cloud Service Mesh components, including proxies, in-cluster certificate authorities, and RBAC roles and bindings, are systematically removed from the cluster. During the installation process, a Google-owned service account is granted the necessary permissions to establish the service mesh resources within the cluster. These uninstall instructions don't revoke these permissions, allowing for a seamless re-activation of Cloud Service Mesh in the future.
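
The label check in step 3 and the firewall rule name in step 13 can be scripted when many namespaces are involved. The following is an added example, not part of the original documentation: the function names are hypothetical, and the namespace listing and cluster ID are constructed sample values. In a real cluster, pipe the output of kubectl get namespace --show-labels into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print "namespace label-key" for every namespace that still carries a
# sidecar injection label (istio.io/rev or istio-injection).
# Input on stdin: output of `kubectl get namespace --show-labels`.
injection_labels() {
  awk 'NR > 1 {
    n = split($4, labels, ",")
    for (i = 1; i <= n; i++) {
      split(labels[i], kv, "=")
      if (kv[1] == "istio.io/rev" || kv[1] == "istio-injection")
        print $1, kv[1]
    }
  }'
}

# Print the label-removal commands from step 3 for each match,
# so they can be reviewed before being run.
removal_commands() {
  injection_labels | while read -r ns key; do
    printf 'kubectl label namespace %s %s-\n' "$ns" "$key"
  done
}

# Build the Transparent Health Check firewall rule name from step 13:
# gke-csm-thc- followed by the first 8 characters of the cluster ID.
thc_firewall_rule() {
  printf 'gke-csm-thc-%s\n' "$(printf '%s' "$1" | cut -c1-8)"
}

# Constructed sample of `kubectl get namespace --show-labels` output.
SAMPLE_NS='NAME      STATUS   AGE     LABELS
demo      Active   4d17h   istio.io/rev=asm-181-5,kubernetes.io/metadata.name=demo
legacy    Active   9d      istio-injection=enabled
plain     Active   2d      <none>
default   Active   30d     kubernetes.io/metadata.name=default'

printf '%s\n' "$SAMPLE_NS" | removal_commands
# Constructed cluster ID, for illustration only.
thc_firewall_rule "0123456789abcdef0123456789abcdef"
```
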


Last updated 2026-02-19 UTC.