Uninstall istio (all components) completely from kubernetes cluster

Question

I installed istio using these commands:

VERSION = 1.0.5
GCP = gcloud
K8S = kubectl

@$(K8S) apply -f istio-$(VERSION)/install/kubernetes/helm/istio/templates/crds.yaml
@$(K8S) apply -f istio-$(VERSION)/install/kubernetes/istio-demo-auth.yaml
@$(K8S) get pods -n istio-system
@$(K8S) label namespace default istio-injection=enabled
@$(K8S) get svc istio-ingressgateway -n istio-system

Now, how do I completely uninstall it including all containers/ingress/egress etc (everthing installed by istio-demo-auth.yaml?

Thanks.

Answer 1

If you used istioctl, it's pretty easy:

istioctl x uninstall --purge

Of course, it would be easier if that command were listed in istioctl --help...

Reference: https://istio.io/latest/docs/setup/install/istioctl/#uninstall-istio

Answer 2

Based on their documentation here, you can generate all specs as yml file then pipe it to simple kubectl's delete operation

istioctl manifest generate <your original installation options> | kubectl delete -f -

here's an example:

istioctl manifest generate --set profile=default | kubectl delete -f -

A drawback of this approach though is to remember all options you have used when you installed istio which might be quite hard to remember especially if you enabled specific components.

If you have installed istio using helm's chart, you can uninstall it easily

First, list all installed charts:

helm list -n istio-system
NAME    NAMESPACE   REVISION    UPDATED                                 STATUS   
istiod  istio-system    1       2020-03-07 15:01:56.141094 -0500 EST    deployed   

and then delete/uninstall the chart using the following syntax:

helm delete -n istio-system --purge istio-system
helm delete -n istio-system --purge istio-init
...

Check their website for more information on how to do this.

If you already installed istio using istioctl or helm in its own separate namespace, you can easily delete completely that namespace which will in turn delete all resources created inside it.

kubectl delete namespace istio-system 

Answer 3

Just run kubectl delete for the files you applied.

kubectl delete -f istio-$(VERSION)/install/kubernetes/istio-demo-auth.yaml

You can find this in docs as well.

Answer 4

If you have installed it as described, then you will need to delete it in the same way.

kubectl delete -f istio-$(VERSION)/install/kubernetes/helm/istio/templates/crds.yaml
kubectl delete -f istio-$(VERSION)/install/kubernetes/istio-demo-auth.yaml

Then you would manually delete the folder, and istioctl, if you moved to anywhere.

IMPORTANT: Deleting a namespace is super comfortable to clean up, but you can't do it for all scenarios. In this situation, if you delete the namespace only, you are leaving all the permissions and credentials intact. Now, say you want to update Istio, and Istio team has made some security changes in their RBAC rules, but has not changed the name of the object. You would deploy the new yaml file, and it will throw an error saying the object (for example clusterrolebinding) already exists. If you don't pay attention to what that error was, you can end up with the worse type of errors (when there are no error, but something goes wrong).

Answer 5

Cleaning up Istio is a bit tricky, because of all the things it adds: CustomResourceDefinitions, ConfigMaps, MutatingWebhookConfigurations, etc. Just deleting the istio-system namespace is not sufficient. The safest bet is to use the uninstall instructions from istio.io for the method you used to install.

Kubectl: https://istio.io/docs/setup/kubernetes/install/kubernetes/#uninstall

Helm: https://istio.io/docs/setup/kubernetes/install/helm/#uninstall

When performing these steps, use the version of Istio you are attempting to remove. So if you are trying to remove Istio 1.0.2, grab that release from istio.io.

Answer 6

After normal istio uninstall (depending on the way istio was installed by helm or istioctl) following steps can be performed

• Check if anything still exists in the istio-system namespace, if exists then delete manually, also remove the istio-system namespace
• Check if there is a sidecar associated with any pod (sometimes sidecars not get cleaned up in case of failed uninstallation)

kubectl get pods -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.namespace}{"\t"}{..image}{"\n\n"}{end}' -A | grep 'istio/proxyv' | grep -v istio-system

• Get the CRD that is still in use and remove associated resources

kubectl get crds | grep 'istio.io' | cut -f1-1 -d "." |     xargs -n1 -I{} bash -c "  echo {} && kubectl get --all-namespaces  {} -o wide  && echo -e '---'"

• Delete all the CRD

kubectl get crds | grep 'istio.io' |   xargs -n1 -I{} sh -c "kubectl delete crd {}"

• Edit the labels back (optional)

kubectl label default <namespace name> istio-injection=disabled

Answer 7

Don't forget to disable the injection:

kubectl delete -f istio-$(VERSION)/install/kubernetes/helm/istio/templates/crds.yaml
kubectl delete -f istio-$(VERSION)/install/kubernetes/istio-demo-auth.yaml
kubectl label default your-namespace istio-injection=disabled

Answer 8

Using the profile you used in installation, demo for example, run the following command istioctl manifest generate --set profile=demo | kubectl delete -f -

Answer 9

Just delete the ns

k delete ns istio-system

Answer 10

Deleting CRDs without needing to find the helm charts:

kubectl delete crd -l chart=istio

Answer 11

Hi if you installated via helm-template you can use these commands :

For CRD's:

$ helm template ${ISTIO_BASE_DIR}/install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl delete -f -

$ kubectl delete crd $(kubectl get crd |grep istio)

For Deployment/NS..etc other resources:

$     helm template install/kubernetes/helm/istio --name istio --namespace istio-system\
    --values install/kubernetes/helm/istio/values-istio-demo.yaml \
    --set global.controlPlaneSecurityEnabled=true \
    --set global.mtls.enabled=true | kubectl delete -f -