This topic provides answers to some frequently asked questions about authorization management.
Authorization failures
- What do I do if the console prompts the following error message: ForbiddenQueryClusterNamespace Forbidden query namespaces?
- What do I do if the console prompts the APISERVER_403 error?
- What do I do if the console prompts the following error message: The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.
- How do I identify whether an authorization error is caused by RAM policies or RBAC roles?
- What do I do if I cannot access clusters by using a RAM user or RAM role to which the AdministratorAccess or AliyunCSFullAccess policy is attached?
RBAC authorization
- Can I grant permissions on applications?
- Why does a RAM user or RAM role that is assigned the cs:admin role fail to create CustomResourceDefinition (CRD) objects in ACK clusters?
- How do I use a RAM user or RAM role to assign RBAC roles to other RAM users or RAM roles?
RAM authorization
- Why does a RAM user or RAM role that has read-only permissions on all clusters fail to view some clusters?
- How do I grant a RAM user or RAM role the permissions to create clusters?
- How do I navigate to the page on which I can assign the system roles for ACK?
- What do I do if a RAM role is revoked from an ECS instance?
- How do I assign a custom RAM role to an ACK cluster?
What do I do if the console prompts the following error message: ForbiddenQueryClusterNamespace Forbidden query namespaces?
Symptom
The console prompts the error message ForbiddenQueryClusterNamespace Forbidden query namespaces.
Cause and solution
The Resource Access Management (RAM) user or RAM role that you use does not have role-based access control (RBAC) permissions on namespaces in the cluster. You must go to the Authorizations page of the console to assign an RBAC role to the RAM user or RAM role. For more information, see Assign RBAC roles to RAM users or RAM roles.
What do I do if the console prompts the APISERVER_403 error?
Symptom
The console prompts the error message APISERVER_403.
Cause and solution
The RAM user or RAM role that you use is not assigned the required RBAC role on your cluster. You must go to the Authorizations page of the console to assign the required RBAC role to the RAM user or RAM role. For more information, see Assign RBAC roles to RAM users or RAM roles. For more information about RBAC authorization, see Documentation.
What do I do if the console prompts the following error message: The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.
Symptom
The console prompts the error message The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.
Cause
The RAM user or RAM role that you use does not have the required RAM permissions or the RBAC administrator permissions on your cluster. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles: it needs both an RBAC administrator role on the cluster and a RAM policy that allows it to manage the other identities.
Solution
To allow a RAM user or RAM role, for example, RAM User or RAM Role A, to grant RBAC permissions to other RAM users or RAM roles, you must grant A both of the following:
- RBAC administrator permissions: Assign the predefined RBAC administrator role or the cluster-admin role to RAM User or RAM Role A and specify the cluster and namespace within which the role is applied. For more information, see Assign RBAC roles to RAM users or RAM roles.
- RAM permissions: Attach a RAM policy to RAM User or RAM Role A that allows A to perform the following operations:
  - Query other RAM users or RAM roles that belong to the Alibaba Cloud account.
  - Attach RAM policies to a specified RAM user or RAM role.
  - Query the RBAC permissions of a RAM user or RAM role.
  - Perform RBAC authorization.
Use the following method to assign the RAM permissions:
Log on to the RAM console and attach a custom RAM policy to the RAM user or RAM role. For more information, see Create a custom RAM policy. Use the following template to create a custom RAM policy:
{
    "Statement": [
        {
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:GetUserPermissions",
                "cs:GetSubUsers",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicyToRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}
After you attach the preceding RAM policy to RAM User or RAM Role A, A can attach the specified RAM policies and assign RBAC roles to other RAM users or RAM roles. Replace xxxxxx with the name of each RAM policy that A is allowed to hand out, and keep that list to the policies A actually needs to delegate: with a wildcard in that position, A could attach AdministratorAccess to any RAM user, including itself, and so grant more than A holds. The Resource list in the template scopes policy attachment to RAM users; if A must also attach policies to RAM roles (ram:AttachPolicyToRole), add the corresponding RAM role resources as well. For more information about how to use RAM User or RAM Role A to assign RBAC roles to other RAM users or RAM roles, see Assign RBAC roles to RAM users or RAM roles.
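Before attaching a policy such as the one above, it is worth checking mechanically that it allows every action the delegation needs and nothing it should not. The following is an added example written for this FAQ; it is not part of the original page or of Alibaba Cloud's own tooling. It loads the page's template (with the constructed policy name AckReadOnlyForTeamX in place of the xxxxxx placeholder) and evaluates actions against it with the rules a practitioner has to keep in mind: Action and Resource entries may contain the wildcard *, an explicit Deny overrides any Allow, and a request that no statement matches is an implicit deny. Condition blocks are not modelled.

```python
"""Check whether a RAM policy document allows a set of required actions.

Added example for this FAQ, not part of the original page or of Alibaba
Cloud's own tooling. Action and Resource entries may contain the wildcard
'*', an explicit Deny statement overrides any Allow, and a request that no
statement matches is an implicit deny. Condition blocks are not modelled.
"""
import fnmatch
import json
from typing import Iterable, Optional

# The page's template, with an assumed policy name (AckReadOnlyForTeamX) in
# place of the xxxxxx placeholder. The name is constructed for this example.
ADMIN_DELEGATION_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["ram:Get*", "ram:List*", "cs:GetUserPermissions",
                 "cs:GetSubUsers", "cs:GrantPermission"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["ram:AttachPolicyToUser", "ram:AttachPolicyToRole"],
      "Effect": "Allow",
      "Resource": ["acs:ram:*:*:policy/AckReadOnlyForTeamX", "acs:*:*:*:user/*"]
    }
  ],
  "Version": "1"
}
""")

# Actions the FAQ says a delegating administrator (RAM User A) needs.
# ram:ListUsers and ram:GetUser stand for "query other RAM users".
REQUIRED_FOR_RBAC_DELEGATION = [
    "ram:ListUsers",
    "ram:GetUser",
    "ram:AttachPolicyToUser",
    "cs:GetUserPermissions",
    "cs:GetSubUsers",
    "cs:GrantPermission",
]


def _as_list(value) -> list:
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns: Iterable[str], candidate: str) -> bool:
    """Match RAM patterns ('*' wildcard) against a concrete action or ARN."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policy: dict, action: str, resource: Optional[str] = None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    When `resource` is given it is matched against each statement's Resource
    list; when it is None only the Action list is considered, which answers
    "does this policy mention the action at all".
    """
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _glob_match(_as_list(stmt.get("Action", [])), action):
            continue
        if resource is not None and not _glob_match(_as_list(stmt.get("Resource", "*")), resource):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny":
            return "Deny"          # explicit Deny wins regardless of statement order
        if effect == "Allow":
            decision = "Allow"     # keep scanning in case a later Deny applies
    return decision


def missing_actions(policy: dict, required: Iterable[str], resource: Optional[str] = None) -> list:
    """Return the required actions that `policy` does not allow."""
    return [a for a in required if evaluate(policy, a, resource) != "Allow"]


if __name__ == "__main__":
    print("missing:", missing_actions(ADMIN_DELEGATION_POLICY, REQUIRED_FOR_RBAC_DELEGATION))
    # A denial quoted by the console can be checked the same way:
    print("cs:DescribeEvents ->", evaluate(ADMIN_DELEGATION_POLICY, "cs:DescribeEvents"))
```

The resource-aware check is the one that matters for least privilege: ram:AttachPolicyToUser is allowed for the named policy only, so an attempt to hand out AdministratorAccess evaluates to an implicit deny.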
How do I identify whether an authorization error is caused by RAM policies or RBAC roles?
- Caused by RAM policies
Symptom
The API or console returns an error message similar to one of the following:
RAM policy Forbidden for action cs:DescribeEvents
STSToken policy Forbidden for action cs:DescribeClusterNodes
Cause
The error message indicates that the RAM policy attached to the RAM user or RAM role does not contain the named action, for example, cs:DescribeEvents. The STSToken policy variant is returned when the caller authenticates with an STS token, for example, a session obtained by assuming a RAM role; the permissions of that session are then what must be fixed.
Solution
If the error message returned by the API or the console contains RAM policy Forbidden or STSToken policy Forbidden, the RAM policy that is attached to the RAM user or RAM role does not contain the required actions. Add the required actions to the RAM policy attached to the RAM user or RAM role. For more information, see Create a custom RAM policy.
- Caused by RBAC roles
Symptom
The API or console returns an error message similar to one of the following:
events is forbidden: User "<uid>" cannot list resource "events" in API group "" at the cluster scope
ForbiddenQueryClusterNamespace, Forbidden query namespaces
Cause
The error message indicates that the RBAC role assigned to the RAM user or RAM role <uid> does not have the permissions to list the events resource in the core API group (printed as the empty string "") at the cluster scope.
Solution
If the error message returned by the API or the console contains APISERVER_403, User "xxx" cannot xx resource "xx" in API group, or ForbiddenQueryClusterNamespace, the RBAC role that is assigned to the RAM user or RAM role does not have the required permissions. Add the required permissions to the RBAC role that is assigned to the RAM user or RAM role. For more information, see Assign RBAC roles to RAM users or RAM roles.
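The two cases above can be told apart mechanically, which is useful when these denials arrive through log forwarding or alerting rather than on screen. The following triage helper is an added example written for this FAQ, not part of the original page; its patterns are written only against the message shapes quoted above (plus the namespaced form of the Kubernetes 403, which differs only in its suffix), and the sample messages at the bottom are constructed from them.

```python
"""Triage an ACK authorization error into the RAM layer or the RBAC layer.

Added example for this FAQ, not part of the original page. The patterns
cover the message shapes quoted in the FAQ; the sample messages are
constructed from them.
"""
import re

# RAM-layer denials: "RAM policy Forbidden for action cs:DescribeEvents",
# "STSToken policy Forbidden for action cs:DescribeClusterNodes".
_RAM_DENY = re.compile(
    r"(?P<source>RAM policy|STSToken policy) Forbidden for action (?P<action>[\w-]+:[\w*-]+)"
)

# RBAC-layer denials from the Kubernetes API server, e.g.
#   events is forbidden: User "<uid>" cannot list resource "events" in API group "" at the cluster scope
_RBAC_DENY = re.compile(
    r'User "(?P<uid>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)?'
)

# Console-side codes the FAQ attributes to a missing RBAC role.
_RBAC_CONSOLE_MARKERS = ("APISERVER_403", "ForbiddenQueryClusterNamespace")


def triage(message: str) -> dict:
    """Return a dict with 'layer' (RAM, RBAC or unknown) and a 'fix' hint."""
    m = _RAM_DENY.search(message)
    if m:
        via_sts = m.group("source").startswith("STSToken")
        return {
            "layer": "RAM",
            "action": m.group("action"),
            "via_sts": via_sts,
            "fix": f"Add {m.group('action')} to the RAM policy of the "
                   + ("assumed RAM role (STS session)" if via_sts else "RAM user or RAM role"),
        }
    m = _RBAC_DENY.search(message)
    if m:
        group = m.group("group") or "core"   # "" is how the core API group is printed
        scope = (f"namespace {m.group('namespace')}" if m.group("namespace")
                 else "cluster scope")
        return {
            "layer": "RBAC",
            "uid": m.group("uid"),
            "verb": m.group("verb"),
            "resource": m.group("resource"),
            "group": group,
            "scope": scope,
            "fix": (f"Grant verb '{m.group('verb')}' on '{m.group('resource')}' "
                    f"(API group {group}) at {scope} to the RBAC role bound to {m.group('uid')}"),
        }
    if any(marker in message for marker in _RBAC_CONSOLE_MARKERS):
        return {"layer": "RBAC",
                "fix": "Assign an RBAC role to the RAM user or RAM role on the Authorizations page"}
    return {"layer": "unknown", "fix": "Not a RAM or RBAC denial pattern covered by this FAQ"}


# Constructed sample messages modelled on the ones quoted in this FAQ.
SAMPLE_ERRORS = [
    "RAM policy Forbidden for action cs:DescribeEvents",
    "STSToken policy Forbidden for action cs:DescribeClusterNodes",
    'events is forbidden: User "<uid>" cannot list resource "events" in API group "" at the cluster scope',
    'deployments.apps is forbidden: User "<uid>" cannot create resource "deployments" in API group "apps" in the namespace "prod"',
    "ForbiddenQueryClusterNamespace, Forbidden query namespaces",
    "dial tcp: connection refused",
]

if __name__ == "__main__":
    for msg in SAMPLE_ERRORS:
        result = triage(msg)
        print(f"[{result['layer']:7}] {result['fix']}")
```

The Kubernetes message already names the verb, resource, API group and scope that the missing RBAC rule must grant, so the hint can be precise; a RAM denial only names the action, so the fix stays at the policy level.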
What do I do if I cannot access clusters by using a RAM user or RAM role to which the AdministratorAccess or AliyunCSFullAccess policy is attached?
The authorization mechanism of Container Service for Kubernetes (ACK) consists of two independent layers: RAM authorization, which controls calls to the ACK API, and RBAC authorization, which controls access to resources inside each cluster. For more information, see Authorization overview. A RAM policy, however broad, grants nothing inside a cluster. After you attach the AdministratorAccess or AliyunCSFullAccess policy to a RAM user or RAM role in the RAM console, you must also go to the Authorizations page and assign RBAC roles to the RAM user or RAM role to grant permissions on clusters. For more information about how to assign RBAC roles, see Assign RBAC roles to RAM users or RAM roles.
Can I grant permissions on applications?
Yes. You can create a custom ClusterRole and define a rule to grant permissions on individual applications. You can use the resourceNames field to specify the applications by object name. Note the Kubernetes limitation on this field: a rule that sets resourceNames cannot authorize create, because the name of a new object is not known when the request is authorized, and list or watch requests match only when the client also sends a metadata.name field selector for one of the listed names.
Why does a RAM user or RAM role that is assigned the cs:admin role fail to create CustomResourceDefinition (CRD) objects in ACK clusters?
If your cluster was created before May 2019, the default administrator role of the cluster does not have the permissions to access some Kubernetes resources, including CustomResourceDefinition objects. You can assign the cluster-admin role to the RAM user or RAM role. You can also delete the cs:admin ClusterRole and then recreate it with the following definition, which grants every verb on every resource and every non-resource URL, that is, the same scope as cluster-admin.
The following YAML template is provided as an example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
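The two RBAC answers above, permissions scoped to named applications with resourceNames and the cs:admin role's coverage of CustomResourceDefinition objects, both come down to how the API server matches a request against PolicyRule entries. The following is an added example written for this FAQ, not part of the original page or of ACK, that models that matching: apiGroups, resources, verbs, resourceNames and nonResourceURLs with * wildcards. Subresources (such as pods/log) and RoleBinding subjects are out of scope. The cs:admin rules mirror the YAML above; the legacy-administrator and application-scoped rule sets are constructed for illustration and are not the actual ACK roles.

```python
"""Evaluate Kubernetes RBAC PolicyRules the way the RBAC authorizer does.

Added example for this FAQ, not part of the original page or of ACK.
Only rule matching is modelled: apiGroups, resources, verbs, resourceNames
and nonResourceURLs with '*' wildcards. Subresources and bindings are out
of scope.
"""
from typing import Iterable, Optional

# The recreated cs:admin ClusterRole from the YAML above, as Python data.
CS_ADMIN_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]

# Constructed stand-in for an older administrator role that enumerates API
# groups and therefore lacks apiextensions.k8s.io; illustrative only, not
# the actual pre-May-2019 ACK role.
LEGACY_ADMIN_RULES = [
    {"apiGroups": ["", "apps", "extensions", "batch"], "resources": ["*"], "verbs": ["*"]},
]

# Constructed role scoped to two named applications with resourceNames.
APP_SCOPED_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "resourceNames": ["billing-api", "billing-worker"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
]


def _matches(patterns: Iterable[str], value) -> bool:
    """RBAC list fields match exactly, or match anything when they contain '*'."""
    return "*" in patterns or value in patterns


def rule_allows(rule: dict, verb: str, resource: Optional[str] = None, group: str = "",
                name: Optional[str] = None, non_resource_url: Optional[str] = None) -> bool:
    """Return True if one PolicyRule authorizes the request attributes."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if non_resource_url is not None:
        # Non-resource rules: exact match, or a trailing '*' prefix match ("/healthz/*").
        return any(u == "*" or u == non_resource_url
                   or (u.endswith("*") and non_resource_url.startswith(u[:-1]))
                   for u in rule.get("nonResourceURLs", []))
    if not _matches(rule.get("apiGroups", []), group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    if names:
        # A rule with resourceNames only matches requests that carry a name.
        # That is why it cannot authorize create: the new object's name is not
        # known (and may be generated) when the request is authorized.
        return name is not None and name in names
    return True


def role_allows(rules: Iterable[dict], **request) -> bool:
    """A role authorizes a request if any one of its rules does."""
    return any(rule_allows(r, **request) for r in rules)


if __name__ == "__main__":
    crd = dict(verb="create", resource="customresourcedefinitions", group="apiextensions.k8s.io")
    print("cs:admin can create CRDs:", role_allows(CS_ADMIN_RULES, **crd))
    print("legacy admin can create CRDs:", role_allows(LEGACY_ADMIN_RULES, **crd))
    print("app role can get billing-api:",
          role_allows(APP_SCOPED_RULES, verb="get", resource="deployments",
                      group="apps", name="billing-api"))
```

Running it shows the two points of the answers above together: the recreated cs:admin role matches a CRD create because both apiGroups and resources are *, while a role that enumerates groups does not, and the application-scoped role authorizes get on billing-api but refuses create outright, since no name accompanies that request.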
How do I use a RAM user or RAM role to assign RBAC roles to other RAM users or RAM roles?
For more information, see What do I do if the console prompts the following error message: The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.
Why does a RAM user or RAM role that has read-only permissions on all clusters fail to view some clusters?
Symptom
A RAM user or RAM role is granted read-only permissions on all clusters by using the RAM console, and access permissions on specified namespaces of two clusters by using RBAC. Previously, the RAM user or RAM role could query all clusters in the console. Now it can query only some of the clusters, although its permissions were not recently modified.
Cause
You logged on to the ACK console by using another RAM user or RAM role, or a resource group other than All Resources is selected, so the console lists only the clusters that are visible to that identity or resource group.
Solution
Log on to the ACK console by using the RAM user or RAM role to which you granted the permissions and select All Resources at the top of the ACK console.
How do I grant a RAM user or RAM role the permissions to create clusters?
How do I navigate to the page on which I can assign the system roles for ACK?
If you revoke system roles that are assigned to ACK, you must assign the system roles to ACK again.
What do I do if a RAM role is revoked from an ECS instance?
When an application that runs on the ECS instance requests credentials from the ECS instance metadata API, a 404 error is returned, or the node reports the error message Message:Node condition RAMRoleError is now: True, reason: NodeHasNoRAMRole. You can reassign a RAM role to the ECS instance by using the following methods:
- If a RAM role is revoked from an ECS instance, you must reassign the RAM role to the ECS instance. For more information, see Replace an instance RAM role.
- If the ECS instance serves as a master node in your cluster, you must assign the master RAM role of the cluster to the ECS instance. The master RAM role is shown on the cluster details page.
- If the ECS instance serves as a worker node in your cluster, you must assign the worker RAM role of the cluster to the ECS instance. The worker RAM role is shown on the cluster details page.
- If you modified the policies of the RAM role before the error occurred, check whether the modified policies still contain the required permissions, and roll back the policies to the original version if they do not.
How do I assign a custom RAM role to an ACK cluster?
You cannot assign a custom RAM role to an ACK cluster. However, you can attach custom RAM policies to the worker RAM role that is automatically created and assigned to the cluster when you create worker nodes. Keep such additions to the minimum the workloads need: any permission attached to the worker RAM role is obtainable by every pod that runs on those nodes and can reach the instance metadata service, not only by the application that needs it.