Problem description
The following error message may be returned when you log on to the Container Service for Kubernetes console as a Resource Access Management (RAM) user and access your Kubernetes cluster. The RAM user already has full permissions on Container Service for Kubernetes.
Note: AliyunCSFullAccess is used to grant the full permissions.
The error message returned because you are not authorized to perform the specified operation. If you are a RAM user, contact the owner of the Alibaba Cloud account to authorize the RAM user.
Causes
The role-based access control (RBAC) authorization is invalid for the RAM user. A RAM user is used in this example. If the following error message is returned, RBAC authorization is invalid. For more information, see Using RBAC Authorization.
Note: A RAM user can be granted the following permissions on Kubernetes clusters:
- RAM authorization: AliyunCSFullAccess includes all permissions on Container Service for Kubernetes. For example, this policy allows you to create Kubernetes clusters. The permissions specified by the policy are different from those granted to a specific cluster.
- RBAC authorization: Kubernetes RBAC authorization is used when a Kubernetes cluster requests internal resources. For example, ServiceAccount is used when a pod accesses the API server within a cluster.
Error from server (Forbidden): nodes is forbidden: User "XXX" cannot list nodes at the cluster scope
Solutions
You must grant the RBAC permissions on the cluster to the RAM user. For more information, see the Custom permissions section of the topic Configure RBAC permissions for RAM users.
Note: The topic Configure RBAC permissions for RAM users is divided into two parts. The first part describes RAM authorization, and the second part describes RBAC authorization.
Application scope
- Dedicated clusters of Container Service for Kubernetes
- Managed clusters of Container Service for Kubernetes