Uninstalling Anthos Service Mesh

This page is for platform administrators.

This page describes how to uninstall Anthos Service Mesh from a user cluster.

Steps:

  1. Ensure your default mTLS mode is set to Permissive mTLS.

  2. Shift traffic away from the Istio Ingress gateway.

  3. Turn off sidecar auto-injection on your namespaces, if it is enabled:

     KUBECONFIG=USER_KUBECONFIG kubectl get namespace NAMESPACE --show-labels
    

    The output is similar to the following:

     NAME   STATUS   AGE     LABELS
     demo   Active   4d17h   istio.io/rev=asm-196-1
    

    If you see istio.io/rev= in the output under the LABELS column, remove it:

     KUBECONFIG=USER_KUBECONFIG kubectl label namespace NAMESPACE istio.io/rev-
    

    If you don't see the istio.io/rev label, then auto-injection wasn't enabled on the namespace.

  4. Restart your application Pods to remove the Envoy sidecars. An example command to restart the Pods of all the deployments in a namespace:

    KUBECONFIG=USER_KUBECONFIG kubectl rollout restart deployment -n NAMESPACE
    
  5. Trigger the uninstallation of Anthos Service Mesh by using Management Center Console or the API:

    Console

    1. In the Management Center console, go to the Service Mesh menu.
    2. In the Versions column, click the link of the Anthos Service Mesh version.
    3. On the Edit Service Mesh page, click Remove Service Mesh.
    4. A pop-up dialog shows the result of a confidence check before deletion. The dialog lists all of the namespaces and Pods that still depend on the current Anthos Service Mesh installation by checking the istio.io/rev label on namespaces and Pods. If the check finds any of these dependencies, you cannot proceed until you migrate these namespaces or Pods.
    5. If the confidence check passes, click Remove to start uninstalling Anthos Service Mesh on the target cluster.

    After you submit the deletion request, the Service Mesh page opens and the previous installation of Anthos Service Mesh is no longer visible.The uninstallation of the Anthos Service Mesh resources might take several minutes to complete.

    API

    1. Before you uninstall Anthos Service Mesh, verify that there are no Pods or namespaces that depend on the current Anthos Service Mesh installation.

      1. Run the following command to verify any namespace dependencies.

        KUBECONFIG=USER_KUBECONFIG kubectl get namespace -l istio.io/rev=REVISION
        

        Replace REVISION with the revision label of the current Anthos Service Mesh version.

      2. Run the following command to verify any Pod dependencies.

        KUBECONFIG=USER_KUBECONFIG kubectl get pod -l istio.io/rev=REVISION --field-selector metadata.namespace!=istio-system --all-namespaces
        

      If the queries return empty results, proceed to the next step. Otherwise, migrate these namespaces or Pods first before proceeding.

    2. Find the ServiceMeshBinding resource related to the target cluster on the admin cluster .

        KUBECONFIG=ADMIN_KUBECONFIG kubectl get servicemeshbinding -n anthos-management-center  -o=custom-columns="NAME:.metadata.name,cluster:.spec.configs[*].placement.clusterIDs[*]"| grep  TARGET_CLUSTER_ID 
      

      Here's an example of the output:

        SERVICE_MESH_BINDING_NAME   TARGET_CLUSTER_ID,OTHER_CLUSTER_ID,...
      

      Then you can query the resource by its name:

        KUBECONFIG=ADMIN_KUBECONFIG kubectl get servicemeshbinding SERVICE_MESH_BINDING_NAME -n anthos-management-center -o yaml
      

      Here's an example of the output:

        apiVersion: managementcenter.anthos.cloud.google.com/v1alpha1
        kind: ServiceMeshBinding
        metadata:
         name: SERVICE_MESH_BINDING_NAME
         namespace: anthos-management-center
        spec:
         configs:
         - configRef:
             name: SERVICE_MESH_SPEC_NAME
             namespace: anthos-management-center
           placement:
             clusterIDs:
             -  TARGET_CLUSTER_ID
             - other_cluster_id
             -...
         ...
      
    3. Update the ServiceMeshBinding object on the admin cluster to unbind the target cluster from the existing feature spec. Here's an example of the ServiceMeshBinding object after removing the TARGET_CLUSTER_ID entry:

      apiVersion: managementcenter.anthos.cloud.google.com/v1alpha1
      kind: ServiceMeshBinding
      metadata:
       name: service-mesh-binding-sample
       namespace: anthos-management-center
      spec:
       configs:
       - configRef:
           name: SERVICE_MESH_SPEC_NAME
           namespace: anthos-management-center
         placement:
           clusterIDs:
             # the target cluster ID is removed from this list
             - other_cluster_id
             -...
         ...
      
    4. After the ServiceMeshBinding object is updated, the uninstallation of the Anthos Service Mesh starts. The uninstallation could take several minutes to complete. Run the following command on the user cluster to verify that Anthos Service Mesh is uninstalled.

      KUBECONFIG=USER_KUBECONFIG kubectl get deployment -n istio-system -l istio.io/rev=REVISION
      

      This command returns an empty result if the uninstallation is complete.