Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Uninstalling the enforcer

About uninstalling the enforcer

The method of uninstalling the enforcer varies according to how you originally installed it and what type of install it was. Refer to the procedure that matches your situation.

Uninstalling a host enforcer

PREREQUISITE: Local host with apoctl installed and configured.

  1. From your local host with apoctl installed, generate a short-lived Microsegmentation token that you can use to uninstall the enforcer.

    # Linux
    apoctl auth appcred --path ~/.apoctl/default.creds \
                        --restrict-role @auth:role=enforcer \
                        --restrict-role @auth:role=enforcer-installer \
                        --validity 60m
    
    # Windows (PowerShell)
    apoctl auth appcred --path '.apoctl/default.creds' `
                        --restrict-role @auth:role=enforcer `
                        --restrict-role @auth:role=enforcer-installer `
                        --validity 60m
    

  2. Retrieve the URL of your Microsegmentation Console API.

    # Linux
    echo $MICROSEG_API
    
    # Windows (PowerShell)
    echo $Env:MICROSEG_API
    

  3. Access the target host, such as via SSH or Remote Desktop.

  4. Set a TOKEN environment variable containing the token you just generated. We’ve truncated the example token value below for readability.

    # Linux
    export TOKEN=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6IkNlcnRpZmljYXRlIiwiZGF0YSI6eyJjb21tb25O....
    
    # Windows (PowerShell)
    $env:TOKEN="eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6IkNlcnRpZmljYXRlIiwiZGF0YSI6eyJjb21tb25O...."
    

  5. Set a MICROSEG_API environment variable on the target host containing the URL of the Microsegmentation Console API you just echoed on your local host.

    # Linux
    export MICROSEG_API=https://api.microsegmentation.acme.com
    
    # Windows (PowerShell)
    $env:MICROSEG_API="https://api.microsegmentation.acme.com"
    

  6. Set a TARGET_NS environment variable containing the Microsegmentation namespace of the enforcer.

    # Linux
    export TARGET_NS=/acme/aws-dev/vm1
    
    # Windows (PowerShell)
    $env:TARGET_NS="/acme/aws-dev/vm1"
    

  7. Install apoctl using the following command.

    # Linux
    sudo curl -o /usr/local/bin/apoctl \
          https://download.aporeto.com/releases/release-5.0.8/apoctl/linux/apoctl && \
    sudo chmod 755 /usr/local/bin/apoctl
    
    # Windows (PowerShell)
    curl https://download.aporeto.com/releases/release-5.0.8/apoctl/windows/apoctl.msi -o apoctl.msi; `
    if ($?) {. .\apoctl.msi /quiet}
    # Append with a leading separator so the new entry does not merge into the last PATH entry
    if ($?) {$env:PATH+=";C:\Program Files\Apoctl"}
    

  8. Use the following command to uninstall the enforcer.

    # Linux
    sudo apoctl enforcer uninstall linux --token $TOKEN \
                                         --enforcer-namespace $TARGET_NS \
                                         --api $MICROSEG_API
    
    # Windows (PowerShell)
    apoctl enforcer uninstall windows --token $($env:TOKEN) `
                                      --enforcer-namespace $($env:TARGET_NS) `
                                      --api $($env:MICROSEG_API)
    

    TIP

    We detail the apoctl enforcer uninstall command further in the reference documentation. You can also run apoctl enforcer uninstall -h to review its flags.

  9. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the enforcer’s namespace. The enforcer should be absent.

  10. Remove apoctl and clear TOKEN.

    # Linux
    sudo rm /usr/local/bin/apoctl
    export TOKEN=""
    
    # Windows (PowerShell)
    Start-Process msiexec.exe -ArgumentList '/x apoctl.msi /quiet' -Wait ; `
    if($?) {rm 'apoctl.msi'} ; `
    if($?) {$env:TOKEN=""} ; `
    if($?) {rm '.apoctl' -r -fo}
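
The values set in steps 4 to 6 can be checked on the target host before step 8, since the token is only valid for 60 minutes. The following bash functions are an added example, not part of the vendor documentation; they assume the token is a JWT with a standard `exp` claim, and `b64url_decode`, `token_seconds_left`, `preflight` and `sample_token` are hypothetical helper names.

```bash
# Added example, not vendor code: preflight for the values set in steps 4-6.
# Assumption: TOKEN is a JWT whose payload carries the standard "exp" claim.

# Decode one base64url JWT segment: restore the standard alphabet and padding.
b64url_decode() {
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the seconds of validity left. Returns 2 if malformed, 1 if expired.
token_seconds_left() {
  local tok now payload exp
  tok=$1
  now=${2:-$(date +%s)}
  # A JWT is exactly three non-empty base64url segments separated by dots.
  case $tok in
    *[!A-Za-z0-9_.-]*|*.*.*.*|.*|*.|*..*) return 2 ;;
    *.*.*) ;;
    *) return 2 ;;
  esac
  payload=$(b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)") || return 2
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || return 2
  [ "$exp" -gt "$now" ] || return 1
  echo $(( exp - now ))
}

# Check MICROSEG_API, TARGET_NS and TOKEN before running the uninstall command.
preflight() {
  local left
  case ${MICROSEG_API:-} in https://?*) ;; *)
    echo "MICROSEG_API must be an https:// URL" >&2; return 1 ;; esac
  case ${TARGET_NS:-} in /*) ;; *)
    echo "TARGET_NS must be a namespace path starting with /" >&2; return 1 ;; esac
  left=$(token_seconds_left "${TOKEN:-}") || {
    echo "TOKEN is malformed or expired; generate a new one" >&2; return 1; }
  echo "token valid for another ${left}s"
}

# Constructed, unsigned sample token for trying the checks offline.
sample_token() {
  local p
  p=$(printf '{"realm":"Certificate","exp":%s}' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  echo "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.$p.c2ln"
}
```

Source the functions on the target host and run `preflight` after step 6. The check only reads the expiry locally and does not verify the token's signature.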
    

Uninstalling a DaemonSet enforcer

PREREQUISITE: Local host with apoctl installed and configured.

  1. From your local host with apoctl installed, set a TARGET_NS environment variable containing the Microsegmentation namespace of the cluster.

    # Linux
    export TARGET_NS=/acme/aws-dev/k8s-cluster-01
    
    # Windows (PowerShell)
    $env:TARGET_NS="/acme/aws-dev/k8s-cluster-01"
    

  2. Use the following command to uninstall the DaemonSet enforcer.

    # Linux
    apoctl enforcer uninstall kubernetes --enforcer-namespace $TARGET_NS \
                                         --api $MICROSEG_API
    
    # Windows (PowerShell)
    apoctl enforcer uninstall kubernetes --enforcer-namespace $($env:TARGET_NS) `
                                         --api $($env:MICROSEG_API)
    

    TIP

    We detail the apoctl enforcer uninstall kubernetes command further in the reference documentation. You can also run apoctl enforcer uninstall kubernetes -h to review its flags.

  3. Open the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the enforcer’s namespace. The enforcer should be absent.