Troubleshoot cluster access issues from the console

This topic describes the symptoms, causes, and solutions for issues that occur when you access a cluster from the console. For example, the API server of the current cluster may return request errors, an API server request error may occur when you access pod logs, or the current account is not granted the required cluster RBAC permissions.

Current cluster API server request exception: ErrorQueryClusterNamespace or APIServer.500

Symptom

When you access cluster resources in the console, an error dialog box appears with the message An exception occurred with the request to the cluster's API server and the error code ErrorQueryClusterNamespace or APIServer.500. In the example dialog box, the error code is ErrorQueryClusterNamespace, the error details are failed to query access namespace for user, the request URL is https://192.168.xxx:10885/api/v1/namespaces?limit=300, and the error context is deadline exceeded (Client.Timeout exceeded while awaiting headers).

Cause

The load balancing instance of the API server is misconfigured or in an abnormal state, so the Container Service control plane cannot connect to the cluster API server.

Solution

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.

  3. On the Basic Information tab, click the instance ID for the API server's SLB to go to the SLB console.

    • If the UI prompts that the load balancer ID does not exist, it means that the load balancing instance for the API server has been deleted or released and the cluster cannot be recovered. See Create an ACK managed cluster to recreate the cluster.

    • If the instance exists, continue to the next step.

  4. Check whether the Status of the load balancing instance is Running.

    • If not, check whether the instance has an overdue payment or has expired. If so, renew the instance and enable it. For more information about overdue payments for SLB, see Overdue payments.

    • If yes, continue to the next step.

  5. Click Listeners and verify that a TCP:6443 listener exists for both the frontend and backend and that the Status is Running.

    • If not, this indicates that the API server's load balancing listener has been modified.

      • If the listener is in the Disable state, select the listener and then click Enable.

      • If the listener does not exist, perform the following steps:

        • For an ACK managed cluster: Submit a ticket.

        • For an ACK dedicated cluster: Make sure that all cluster Master nodes are added to the default server group. Then, create a listener with both the frontend and backend set to TCP:6443. Set the backend of the listener to the Default Server Group and enable the listener. For more information, see Add a TCP listener.

    • If yes, continue to the next step.

  6. Check whether the Health Check Status of the listener is Healthy.

    • If not, this indicates that the load balancing backend of the API server is abnormal.

      • For an ACK managed cluster: Submit a ticket.

      • For an ACK dedicated cluster: Follow the steps below to troubleshoot. If the issue persists, submit a ticket.

        • In the ACK console, go to Nodes > Nodes. For each Master instance, click its corresponding ECS instance ID to go to the ECS console and check whether the instance is in the Running state.

        • In the ECS console, remotely log in to each Master node and check whether the API Server container is running properly.

          1. To log on to a master node, see Connection methods.

          2. Check the status of the API server container based on the container runtime.

            • Docker runtime: Run the docker ps | grep kube-apiserver command and use the docker inspect command to check the container status based on the output.

            • containerd runtime: Run the crictl ps | grep kube-apiserver command, and based on the output, use the crictl inspect command to check the container status.

    • If yes, continue to the next step.

  7. Check whether access control is enabled for the specified listener.

    • If yes, this indicates that the access control whitelist for the load balancing listener of the API server is not configured correctly. Add the address block 100.104.0.0/16 to the whitelist in the access control policy. The ACK control plane uses this source address block for its internal requests to the API server.

    • If no, continue to the next step.

  8. If none of the above apply, please submit a ticket for assistance.
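
The whitelist check in step 7 can be done offline on a copy of the listener's access control entries. The following is an added example, not part of the original documentation or of any ACK tool: it reports which parts of 100.104.0.0/16 no entry covers, including the case where several smaller entries together cover the block. The function name and the sample entries are constructed for illustration.

```python
from ipaddress import ip_network, collapse_addresses

# Source range of ACK control-plane requests, as stated in step 7.
ACK_CONTROL_PLANE = ip_network("100.104.0.0/16")


def missing_ranges(whitelist, required=ACK_CONTROL_PLANE):
    """Return the parts of `required` that no whitelist entry covers.

    `whitelist` is a list of CIDR strings or single IPs copied from the
    listener's access control policy. An empty result means the whole
    required block is allowed.
    """
    nets = [ip_network(entry.strip(), strict=False) for entry in whitelist]
    # Merge adjacent/overlapping entries; ignore entries of the other IP version.
    allowed = collapse_addresses(n for n in nets if n.version == required.version)

    remaining = [required]
    for net in allowed:
        next_remaining = []
        for gap in remaining:
            if gap.subnet_of(net):
                continue  # this gap is fully covered by the entry
            if net.subnet_of(gap):
                # entry covers part of the gap: keep what is left over
                next_remaining.extend(gap.address_exclude(net))
            else:
                next_remaining.append(gap)  # entry and gap do not overlap
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed sample policy: only half of the required block is listed.
    sample = ["10.0.0.0/8", "100.104.0.0/17"]
    gaps = missing_ranges(sample)
    if gaps:
        print("Add to the whitelist:", ", ".join(str(g) for g in gaps))
    else:
        print("100.104.0.0/16 is fully covered")
```
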

Abnormal API server request error when accessing pod logs

If you can access other cluster resources but encounter this issue only when viewing pod logs, follow these steps.

  1. Check whether the status of the pod is Running. If not, see Troubleshoot pod issues.

  2. On the Nodes > Nodes page, find the node where the pod is located in the node list and click the corresponding ECS instance ID. You are redirected to the ECS console. Click Security Group.

  3. Review all security group rules to ensure they allow inbound access from the VPC on TCP port 10250. If not, add the required rule. For more information, see Add a security group rule.

  4. If the issue persists, submit a ticket.
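
The rule review in step 3 can be expressed as a check over an exported rule list. The following is an added example, not part of the original documentation: it tests whether the inbound allow rules together admit TCP port 10250 from the entire VPC CIDR block. The rule dictionary keys, the "-1/-1" all-ports notation, and the sample values are constructed for illustration; deny rules and rule priorities are not evaluated.

```python
from ipaddress import ip_network, collapse_addresses

KUBELET_PORT = 10250  # port named in step 3


def allows_kubelet(rules, vpc_cidr, port=KUBELET_PORT):
    """True if inbound allow rules together admit TCP `port` from all of vpc_cidr.

    Each rule is a dict with constructed keys: direction, policy, protocol,
    port_range ("low/high") and source (CIDR or single IP).
    """
    vpc = ip_network(vpc_cidr)
    sources = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["policy"] != "accept":
            continue
        if rule["protocol"].lower() not in ("tcp", "all"):
            continue
        low, high = (int(p) for p in rule["port_range"].split("/"))
        # "-1/-1" stands for "all ports" in this constructed format.
        if (low, high) != (-1, -1) and not low <= port <= high:
            continue
        src = ip_network(rule["source"], strict=False)
        if src.version == vpc.version:
            sources.append(src)
    # Several narrower sources may add up to the VPC block, so merge first.
    return any(vpc.subnet_of(n) for n in collapse_addresses(sources))


# Constructed sample rules for a VPC that uses 192.168.0.0/16.
SAMPLE_RULES = [
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "port_range": "22/22", "source": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "port_range": "10250/10250", "source": "192.168.0.0/17"},
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "port_range": "10000/10300", "source": "192.168.128.0/17"},
]

if __name__ == "__main__":
    print(allows_kubelet(SAMPLE_RULES, "192.168.0.0/16"))
```
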

The current account is not granted the cluster RBAC permissions required for the operation: ForbiddenQueryClusterNamespace or APISERVER.403

Symptom

When you access the console, for example to query namespaces in the cluster management console, an Error dialog box appears with the message "The current account has not been granted the required cluster RBAC permissions for this operation. Please contact the primary account or a permissions administrator for authorization". The error code is ForbiddenQueryClusterNamespace or APISERVER.403. In the example dialog box, the English error message is Forbidden query namespaces, and the error code is ForbiddenQueryClusterNamespace.

Cause

Your account lacks the necessary cluster RBAC permissions for the operation.

Solution

  1. Log on to the ACK console with an Alibaba Cloud account or an account with administrator permissions. In the left-side navigation pane, choose Authorizations.

  2. On the RAM Users tab, find the user that has an error, and click Modify Permissions to the right of the username.

  3. Click Add Permissions, select the required cluster, namespace, and permissions, and then click Submit.

The current account does not have the required RAM permissions for the operation: StatusForbidden

Symptom

When you perform an operation in the ACK console, an Error dialog box appears with the message "The current account is not granted the required RAM permissions for this operation. Please contact the master account or a RAM administrator for authorization." The error code is StatusForbidden. In the example dialog box, the error message is RAM policy Forbidden for action cs:DescribeKubernetesVersionMetadata.

Cause

Your account lacks the necessary RAM permissions for the operation.

Solution

  1. Use an Alibaba Cloud account or an account with RAM permissions to log on to the RAM console.

  2. Add the required permission to your account. The error page names the missing cs: action, such as cs:DescribeKubernetesVersionMetadata. For more information, see Grant permissions on clusters and cloud resources by using RAM.