This topic provides answers to some frequently asked questions about authorization management.

Authorization failures


What do I do if the console prompts the following error message: ForbiddenQueryClusterNamespace Forbidden query namespaces?

Symptom

The console prompts the error message ForbiddenQueryClusterNamespace Forbidden query namespaces.

Cause and solution

The Resource Access Management (RAM) user or RAM role that you use does not have role-based access control (RBAC) permissions on namespaces in the cluster. You must go to the Authorizations page of the console to assign an RBAC role to the RAM user or RAM role. For more information, see Assign RBAC roles to RAM users or RAM roles.

What do I do if the console prompts the APISERVER_403 error?

Symptom

The console prompts the error message APISERVER_403.

Cause and solution

The RAM user or RAM role that you use is not assigned the required RBAC role on your cluster. You must go to the Authorizations page of the console to assign the required RBAC role to the RAM user or RAM role. For more information, see Assign RBAC roles to RAM users or RAM roles. For more information about RBAC authorization, see Documentation.

What do I do if the console prompts the following error message: The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.

Symptom

The console prompts the error message The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.

Cause

The RAM user or RAM role that you use does not have the required RAM permissions or the RBAC administrator permissions on your cluster. By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. The following example shows how to grant RBAC permissions to other RAM users or RAM roles.

Solution
Note To allow a RAM user or RAM role, for example, RAM User or RAM Role A, to grant RBAC permissions to other RAM users or RAM roles, you must perform both of the following operations.
  • RBAC administrator permissions: Assign the predefined RBAC administrator role or the cluster-admin role to RAM User or RAM Role A and specify the cluster and namespace within which the role is applied.
  • RAM permissions: Attach a RAM policy to RAM User or RAM Role A. The policy must contain the following permissions:

  • Query other RAM users or RAM roles that belong to the Alibaba Cloud account.
  • Attach RAM policies to a specified RAM user or RAM role.
  • Query the RBAC permissions of a RAM user or RAM role.
  • Perform RBAC authorization.

Use the following method to assign the RAM permissions:

Log on to the RAM console and attach a custom RAM policy to the RAM user or RAM role. For more information, see Create a custom RAM policy. Use the following template to create a custom RAM policy:

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:GetUserPermissions",
                "cs:GetSubUsers",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicyToRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}
Note Replace xxxxxx with the name of the RAM policy that you want to allow the RAM user or RAM role to attach to other RAM users or RAM roles. If you replace xxxxxx with an asterisk (*), it indicates that the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles.

After you attach the preceding RAM policy to RAM User or RAM Role A, RAM User or RAM Role A is authorized to attach specified RAM policies and assign RBAC roles to other RAM users or RAM roles. For more information about how to use RAM User or RAM Role A to assign RBAC roles to other RAM users or RAM roles, see Assign RBAC roles to RAM users or RAM roles.
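The note above is the point a reviewer most often misses: the policy/xxxxxx resource is what keeps RAM User or RAM Role A from handing out AdministratorAccess to other users. The following added example (not code from the ACK documentation) builds the delegation policy from the template with the placeholder filled in, then lints it for the two things this FAQ asks for: every required action is allowed, and the attach scope names one policy rather than a wildcard. The concrete action names in REQUIRED_ACTIONS and the made-up policy name k8s-dev-readonly are assumptions; Deny statements are ignored, so this is a lint, not a full RAM policy evaluator.

```python
import fnmatch
import json

# Added example; not part of the ACK documentation. It builds the delegation
# policy from the FAQ template and lints it before it is attached.


def delegation_policy(attachable_policy_name):
    """Build the FAQ's delegation policy, scoping ram:AttachPolicyTo* to one policy name.

    `attachable_policy_name` replaces the xxxxxx placeholder from the template.
    """
    return {
        "Statement": [
            {
                "Action": ["ram:Get*", "ram:List*", "cs:GetUserPermissions",
                           "cs:GetSubUsers", "cs:GrantPermission"],
                "Resource": "*",
                "Effect": "Allow",
            },
            {
                "Action": ["ram:AttachPolicyToUser", "ram:AttachPolicyToRole"],
                "Effect": "Allow",
                "Resource": [f"acs:ram:*:*:policy/{attachable_policy_name}",
                             "acs:*:*:*:user/*"],
            },
        ],
        "Version": "1",
    }


# Concrete actions behind the four capabilities the FAQ lists. Assumption:
# these names are the minimum worth checking for.
REQUIRED_ACTIONS = (
    "ram:GetUser", "ram:ListUsers",                 # query other RAM users/roles
    "cs:GetSubUsers", "cs:GetUserPermissions",      # query RBAC permissions
    "cs:GrantPermission",                           # perform RBAC authorization
    "ram:AttachPolicyToUser", "ram:AttachPolicyToRole",
)
ATTACH_ACTIONS = ("ram:AttachPolicyToUser", "ram:AttachPolicyToRole")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allow_pairs(policy):
    """(action pattern, resource) pairs from every Allow statement; Deny is ignored here."""
    pairs = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                pairs.append((action, resource))
    return pairs


def matches(pattern, action):
    """Case-insensitive wildcard match, as RAM action patterns behave (ram:Get* matches ram:GetUser)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def attachable_policy_scopes(policy):
    """Policy-name patterns that ram:AttachPolicyTo* is allowed to attach."""
    scopes = set()
    for pattern, resource in allow_pairs(policy):
        if any(matches(pattern, a) for a in ATTACH_ACTIONS):
            if resource == "*":
                scopes.add("*")
            elif ":policy/" in resource:
                scopes.add(resource.split(":policy/", 1)[1])
    return scopes


def check_delegation_policy(policy):
    """Return findings; an empty list means the policy passes both checks."""
    findings = []
    pairs = allow_pairs(policy)
    for action in REQUIRED_ACTIONS:
        if not any(matches(pattern, action) for pattern, _ in pairs):
            findings.append(f"missing required action: {action}")
    for scope in sorted(attachable_policy_scopes(policy)):
        if "*" in scope or "?" in scope:
            findings.append(
                f"attach scope policy/{scope} lets the delegate attach any matching policy "
                "(AdministratorAccess included); name the specific policy instead")
    return findings


if __name__ == "__main__":
    print(json.dumps(delegation_policy("k8s-dev-readonly"), indent=4))
    print(check_delegation_policy(delegation_policy("k8s-dev-readonly")))   # []
    print(check_delegation_policy(delegation_policy("*")))                  # one wildcard finding
```

Run the check against the policy document you are about to attach in the RAM console; a wildcard finding means RAM User or RAM Role A could escalate any other user to whatever the broadest policy in the account grants.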

How do I identify whether an authorization error is caused by RAM policies or RBAC roles?

You can identify whether an authorization error is caused by RAM policies or RBAC roles based on the error message returned by the API or the console.
  • Caused by RAM policies

    Symptom

    The API or console returns an error message similar to one of the following:
    RAM policy Forbidden for action cs:DescribeEvents
    STSToken policy Forbidden for action cs:DescribeClusterNodes

    Cause

    The error message indicates that the RAM policy attached to the RAM user or RAM role does not contain the cs:DescribeEvents action (or, in the second message, the cs:DescribeClusterNodes action).

    Solution

    If the error message returned by the API or the console contains RAM policy Forbidden or STSToken policy Forbidden, the RAM policy that is attached to the RAM user or RAM role does not contain required actions. Add the required actions to the RAM policy attached to the RAM user or RAM role. For more information, see Create a custom RAM policy.

  • Caused by RBAC roles

    Symptom

    The API or console returns an error message similar to one of the following:
    events is forbidden: User "<uid>" cannot list resource "events" in API group "" at the cluster scope
    ForbiddenQueryClusterNamespace, Forbidden query namespaces

    Cause

    The error message indicates that the RBAC role assigned to the RAM user or RAM role <uid> does not have the permissions to list resource events.

    Solution

    If the error message returned by the API or the console contains APISERVER_403, User "xxx" cannot xx resource "xx" in API group, or ForbiddenQueryClusterNamespace, the RBAC role that is assigned to the RAM user or RAM role does not have the required permissions. Add the required permissions to the RBAC role that is assigned to the RAM user or RAM role. For more information, see Assign RBAC roles to RAM users or RAM roles.
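The two symptom lists above are a mechanical decision: a message containing RAM policy Forbidden or STSToken policy Forbidden is a RAM denial, while APISERVER_403, ForbiddenQueryClusterNamespace, or the kube-apiserver's User "..." cannot <verb> resource "..." in API group "..." form is an RBAC denial. The following added example (not from the ACK documentation) encodes that triage so a batch of console or API errors can be sorted by the layer that has to be fixed, and for an RBAC denial it derives the smallest PolicyRule that would satisfy it. The sample messages are constructed from the patterns quoted in this FAQ; the user ID, the pod message and the connection error are made up.

```python
import re
from collections import Counter

# Constructed sample messages, modelled on the ones quoted in this FAQ; the
# user ID is a made-up value.
SAMPLE_ERRORS = [
    "RAM policy Forbidden for action cs:DescribeEvents",
    "STSToken policy Forbidden for action cs:DescribeClusterNodes",
    'events is forbidden: User "201234567890123456" cannot list resource "events" '
    'in API group "" at the cluster scope',
    'pods is forbidden: User "201234567890123456" cannot create resource "pods" '
    'in API group "" in the namespace "default"',
    "ForbiddenQueryClusterNamespace, Forbidden query namespaces",
    "APISERVER_403",
    "dial tcp 10.0.0.1:6443: connection refused",
]

RAM_RE = re.compile(r"(?:RAM|STSToken) policy Forbidden for action (\S+)")
# kube-apiserver's RBAC denial: verb, resource, API group and (optionally) namespace.
RBAC_RE = re.compile(r'User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)"'
                     r'(?: in the namespace "([^"]+)")?')
RBAC_MARKERS = ("APISERVER_403", "ForbiddenQueryClusterNamespace")


def classify_auth_error(message):
    """Decide which layer denied the request: 'RAM', 'RBAC', or None if it is not an authz error."""
    m = RAM_RE.search(message)
    if m:
        return {"layer": "RAM", "action": m.group(1)}
    m = RBAC_RE.search(message)
    if m:
        uid, verb, resource, group, namespace = m.groups()
        return {"layer": "RBAC", "uid": uid, "verb": verb, "resource": resource,
                "api_group": group, "namespace": namespace}
    if any(marker in message for marker in RBAC_MARKERS):
        return {"layer": "RBAC"}
    return None


def suggested_fix(finding):
    """Remediation text that follows the FAQ's advice for each layer."""
    if finding is None:
        return "not an authorization error"
    if finding["layer"] == "RAM":
        return f"add {finding['action']} to the RAM policy attached to the RAM user or RAM role"
    if "verb" in finding:
        scope = f"namespace {finding['namespace']}" if finding["namespace"] else "the cluster scope"
        return (f"assign an RBAC role that allows '{finding['verb']}' on "
                f"'{finding['resource']}' (API group '{finding['api_group']}') in {scope}")
    return "assign the required RBAC role on the Authorizations page"


def minimal_rbac_rule(finding):
    """The smallest PolicyRule that would satisfy an RBAC denial parsed by classify_auth_error."""
    return {"apiGroups": [finding["api_group"]],
            "resources": [finding["resource"]],
            "verbs": [finding["verb"]]}


def triage(messages):
    """Count denials per layer so you know whether to open the RAM console or the Authorizations page first."""
    counts = Counter()
    for msg in messages:
        finding = classify_auth_error(msg)
        counts["other" if finding is None else finding["layer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for msg in SAMPLE_ERRORS:
        print(f"{msg!r}\n  -> {suggested_fix(classify_auth_error(msg))}")
    print(triage(SAMPLE_ERRORS))
```

An empty API group in the kube-apiserver message is the core group, which is why minimal_rbac_rule keeps it as "" rather than renaming it; the rule it returns is what you would add to the ClusterRole assigned to the RAM user or RAM role, nothing broader.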

What do I do if I cannot access clusters by using a RAM user or RAM role that is attached with the AdministratorAccess or AliyunCSFullAccess policy?

The authorization mechanism of Container Service for Kubernetes (ACK) consists of RAM authorization and RBAC authorization. For more information, see Authorization overview. After you attach the AdministratorAccess or AliyunCSFullAccess policy to a RAM user or RAM role in the RAM console, you must go to the Authorizations page and assign RBAC roles to the RAM user or RAM role to grant permissions on clusters. For more information about how to assign RBAC roles, see Assign RBAC roles to RAM users or RAM roles.

Can I grant permissions on applications?

Yes. You can create a custom ClusterRole and define a rule to grant permissions on individual applications. You can use the resourceNames field to specify the applications.

  1. Log on to the ACK console.
  2. In the left-side navigation pane, click Authorizations.
  3. On the Authorizations page, select the RAM user or RAM role that you want to manage on the Select RAM User wizard page and click Modify Permissions.
    Note If you log on to the ACK console as a RAM user or RAM role, make sure that the RAM user or RAM role has at least read-only permissions on the cluster that you want to manage. In addition, the RAM user or RAM role must be assigned the cluster-admin role or administrator role of the cluster. For more information, see Create a custom RAM policy.
  4. On the Configure Role-Based Access Control (RBAC) wizard page, click Add Permissions. Select the cluster and namespace, and then select Custom. Select the ClusterRole that you want to manage from the Custom drop-down list and click Next Step.
    Note You can assign one predefined RBAC role and one or more custom RBAC roles in the specified cluster and namespace to a RAM user or RAM role.
    The following table describes the permissions that the predefined and custom RBAC roles have on clusters and namespaces.
    Table 1. Roles and permissions
    Role            | Permission on cluster resources
    Administrator   | Read and write permissions on resources in all namespaces.
    O&M engineer    | Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.
    Developer       | Read and write permissions on visible resources in the console in all or specified namespaces.
    Restricted user | Read-only permissions on visible resources in the console in all or specified namespaces.
    Custom          | The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. For more information, see Create a custom RAM policy.

    For more information about the subsequent steps, see Assign RBAC roles to RAM users or RAM roles.
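The answer above rests on the resourceNames field of a ClusterRole rule, and on the Custom row of Table 1 telling you to check a ClusterRole's permissions before selecting it. The following added example (not from the ACK documentation) builds such an application-scoped ClusterRole and audits an existing one for rules that are not limited by name. It also enforces a Kubernetes RBAC caveat: resourceNames cannot restrict create or deletecollection, because the object name is not known when a create is authorized and a collection delete has none, so a rule that combines them with resourceNames is broader than it looks. The names app-readonly, web and api are constructed for the example.

```python
import json

# Added example (not from the ACK documentation): build a ClusterRole that is
# limited to named applications via resourceNames, and audit one before you
# pick it from the Custom drop-down list.

# Kubernetes cannot apply resourceNames to these verbs. list and watch are only
# checked by name when the request carries a metadata.name field selector.
UNRESTRICTABLE_VERBS = {"create", "deletecollection"}


def app_scoped_cluster_role(name, api_group, resource, app_names, verbs):
    """Return a ClusterRole dict whose single rule is limited to `app_names`.

    Raises ValueError for verbs that resourceNames cannot restrict, so the
    caller does not end up with a rule that is silently broader than intended.
    """
    bad = UNRESTRICTABLE_VERBS & set(verbs)
    if bad:
        raise ValueError(f"resourceNames cannot restrict {sorted(bad)}; put those verbs in a "
                         "rule without resourceNames, or drop them")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [{
            "apiGroups": [api_group],
            "resources": [resource],
            "resourceNames": list(app_names),
            "verbs": list(verbs),
        }],
    }


def unrestricted_rules(cluster_role):
    """Rules that grant access to every object of their kind (no resourceNames).

    Run this on an existing ClusterRole before selecting it in the console;
    the Custom row of Table 1 asks you to check a custom role's permissions first.
    """
    return [rule for rule in cluster_role.get("rules", []) if not rule.get("resourceNames")]


def to_manifest(obj):
    """JSON is a YAML subset, so the output can be saved and applied with kubectl apply -f."""
    return json.dumps(obj, indent=2)


# Constructed example: read-only (get) access to two named Deployments.
READONLY_APPS = app_scoped_cluster_role(
    "app-readonly", "apps", "deployments", ["web", "api"], ["get"])

if __name__ == "__main__":
    print(to_manifest(READONLY_APPS))
    print("unrestricted rules:", unrestricted_rules(READONLY_APPS))   # []
```

After the ClusterRole is applied to the cluster it appears in the Custom drop-down list described in step 4; unrestricted_rules is the check to run on any ClusterRole someone else authored before you bind it to a RAM user or RAM role.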

Why does a RAM user or RAM role that is assigned the cs:admin role fail to create CustomResourceDefinition (CRD) objects in ACK clusters?

If your cluster was created before May 2019, the default administrator role of the cluster does not have the permissions to access some Kubernetes resources. You can assign the cluster-admin role to the RAM user or RAM role. You can also delete the cs:admin ClusterRole and then recreate the ClusterRole.

The following YAML template is provided as an example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

How do I use a RAM user or RAM role to assign RBAC roles to other RAM users or RAM roles?

For more information, see What do I do if the console prompts the following error message: The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions.

Why does a RAM user or RAM role that has read-only permissions on all clusters fail to view some clusters?

Symptom

A RAM user is granted read-only permissions on all clusters by using the RAM console, and access permissions on specified namespaces of two clusters by using RBAC. Previously, the RAM user or RAM role could query all clusters in the console. However, the RAM user or RAM role can now query only some of the clusters. The permissions of the RAM user or RAM role were not modified recently.

Cause

You logged on to the ACK console by using another RAM user or RAM role or you selected a resource group. In this case, you must log on to the ACK console by using the RAM user or RAM role to which you have granted permissions and select All Resources at the top of the ACK console.

Solution

  1. Log on to the ACK console.
  2. In the top navigation bar, choose All Resources > All Resources.
  3. Move the pointer over the avatar in the upper-right corner and make sure that you are logged on as the RAM user or RAM role.

How do I grant a RAM user or RAM role the permissions to create clusters?

  1. Use your Alibaba Cloud account to assign the system roles to ACK.
    • You need only to grant permissions to the system roles once. If you are not sure whether the permissions are granted, log on by using your Alibaba Cloud account and visit ur.alipay.com/1paTcxSWdAEW70GVH5TZiO.
    • For more information about the default system roles for ACK, see ACK default roles.
  2. Use your Alibaba Cloud account to attach custom RAM policies to the RAM user or RAM role.

    Make sure that the RAM user or RAM role has the cs:CreateCluster permission. For more information, see Create a custom RAM policy.

    The following RAM policy is provided as an example:

    {
     "Statement": [{
         "Action": [
             "cs:CreateCluster"
         ],
         "Effect": "Allow",
         "Resource": [
             "*"
         ]
     }],
     "Version": "1"
    }
    Note
    • When a cluster is created, the system associates cloud resources with the cluster, such as virtual private clouds (VPCs). Make sure that the RAM user or RAM role is granted the required permissions to access cloud resources.
    • Make sure that the RAM user or RAM role has the List permission on VPCs. To grant this permission, you can attach the AliyunVPCReadOnlyAccess policy to the RAM user or RAM role.
    • If you want to grant permissions on other resources, check the documentation on the system policies and authorizations related to the corresponding cloud services. For more information, see RAM authorization.

How do I navigate to the page on which I can assign the system roles for ACK?

If you revoke system roles that are assigned to ACK, you must assign the system roles to ACK again.

For more information, see Step 2: Assign the default roles.
Note You must use an Alibaba Cloud account to reassign the system roles to ACK.

What do I do if a RAM role is revoked from an ECS instance?

When an application that runs on an ECS instance sends requests to metadata api 100, a 404 error or the error message Message:Node condition RAMRoleError is now: True, reason: NodeHasNoRAMRole is returned. You can reassign a RAM role to the ECS instance by using the following methods:

  • If a RAM role is revoked from an ECS instance, you must reassign the RAM role to the ECS instance. For more information, see Replace an instance RAM role.
    • If the ECS instance serves as a master node in your cluster, you must assign the master RAM role to the ECS instance. Go to the cluster details page and choose Cluster Information > Cluster Resources > Master RAM Role.
    • If the ECS instance serves as a worker node in your cluster, you must assign the worker RAM role to the ECS instance. Go to the cluster details page and choose Cluster Information > Cluster Resources > Worker RAM Role.
  • If you modified the policies of the RAM role, check whether the modified content contains the required permissions.
  • If you modified the policies of the RAM role before the error occurred, try to roll back the policies to the original version.

How do I assign a custom RAM role to an ACK cluster?

You cannot assign a custom RAM role to an ACK cluster. However, you can attach custom RAM policies to the worker RAM role that is automatically created and assigned to the cluster when you create worker nodes.

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. On the cluster details page, click the Cluster Resources tab.
  5. On the Cluster Resources tab, click the link to the right side of Worker RAM Role.
  6. On the RAM Roles page, click the policy name.
  7. On the details page of the policy, click Modify Policy Document. In the Modify Policy Document pane, copy the following content into the Policy Document code editor and click OK. In this example, the permissions to scale and delete clusters are added to the policy. For more information, see Create a custom RAM policy.
    {
        "Action": [
            "cs:ScaleCluster",
            "cs:DeleteCluster"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }