Resolve console cluster access issues, such as API server request errors, pod log access failures, and missing cluster RBAC permissions.
Cluster API server request errors: ErrorQueryClusterNamespace or APIServer.500
Symptom
When you access cluster resources in the console, the error message 'An exception occurred with the request to the cluster's API server' appears with error code ErrorQueryClusterNamespace or APIServer.500. The cluster management console shows an error dialog with message An exception occurred with the request to the cluster's API server, error code ErrorQueryClusterNamespace, details failed to query access namespace for user, request URL https://192.168.xxx:10885/api/v1/namespaces?limit=300, and error context deadline exceeded (Client.Timeout exceeded while awaiting headers).
Cause
Abnormal configuration or status of the API server load balancer breaks connectivity between the Container Service control plane and the cluster API server.
Solution
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
-
On the Basic Information tab, click the API server SLB instance ID to open the SLB console.
-
If the UI shows that the load balancer ID does not exist, the API server load balancer was deleted or released and the cluster cannot be recovered. See Create an ACK managed cluster to recreate it.
-
If the instance exists, continue to the next step.
-
-
Check whether the Status of the load balancer is Running.
-
If not, check whether the instance is overdue or expired. If so, renew and enable it. See Overdue payments for SLB billing details.
-
If yes, continue to the next step.
-
-
Click Listeners and verify that frontend and backend TCP:6443 listeners exist and Status is Running.
-
If not, the API server load balancer listener was modified.
-
If the listener is in the Disable state, select the listener and then click Enable.
-
If the listener does not exist:
-
For an ACK managed cluster: Submit a ticket.
-
For an ACK dedicated cluster: Add all cluster master nodes to the default server group, then add a TCP listener with frontend and backend set to TCP:6443. Set the backend to the Default Server Group and enable the listener.
-
-
-
If yes, continue to the next step.
-
-
Check whether the Health Check Status of the listener is Healthy.
-
If not, the API server load balancer backend is abnormal.
-
For an ACK managed cluster: Submit a ticket.
-
For an ACK dedicated cluster: Troubleshoot as described below. If the issue persists, submit a ticket.
-
In the ACK console, go to . For each master node, click its ECS instance ID to open the ECS console and verify Running status.
-
In the ECS console, remotely log on to each master node and verify that the API Server container is running.
-
To log on to a master node, see Connection methods.
-
Check API server container status based on the container runtime.
-
Docker runtime: Run
docker ps | grep kube-apiserver, then usedocker inspectto check container status from the output. -
containerd runtime: Run
crictl ps | grep kube-apiserver, then usecrictl inspectto check container status from the output.
-
-
-
-
-
If yes, continue to the next step.
-
-
Check whether access control is enabled for the listener.
-
If so, the access control whitelist for the API server load balancer listener is misconfigured. Add address block
100.104.0.0/16to the whitelist. This block is the source address range the ACK control plane uses to access the API server internally. -
If no, continue to the next step.
-
-
If none of the above apply, submit a ticket.
API server request errors when accessing pod logs
If other cluster resources are accessible but pod logs fail, follow these steps.
-
Check whether the status of the pod is Running. If not, see Troubleshoot pod issues.
-
On the page, find the node hosting the pod and click its ECS instance ID. In the ECS console, click Security Group.
-
Review security group rules and ensure inbound VPC access on TCP port 10250. If not, add a security group rule.
-
If the issue persists, submit a ticket.
Account lacks cluster RBAC permissions for the operation: ForbiddenQueryClusterNamespace or APISERVER.403
Symptom
When you access the console, the error message "The current account has not been granted the required cluster RBAC permissions for this operation" appears with error code ForbiddenQueryClusterNamespace or APISERVER.403. When you query namespaces, an Error dialog shows "The current account has not been granted the required cluster RBAC permissions for this operation. Please contact the primary account or a permissions administrator for authorization". The English error is Forbidden query namespaces with error code ForbiddenQueryClusterNamespace.
Cause
Your account lacks the required cluster RBAC permissions.
Solution
-
Log on to the ACK console as an Alibaba Cloud account or administrator. In the left navigation pane, choose Authorizations.
-
On the RAM Users tab, find the affected user and click Modify Permissions next to the username.
-
Click Add Permissions, select the cluster, namespace, and permissions, then click Submit.
Account lacks RAM permissions for the operation StatusForbidden
Symptom
When you access the console, the error "The current account is not granted the required RAM permissions for this operation" appears with error code StatusForbidden. In the ACK console, an Error dialog shows "The current account is not granted the required RAM permissions for this operation. Please contact the master account or a RAM administrator for authorization." The error message is RAM policy Forbidden for action cs:DescribeKubernetesVersionMetadata with error code StatusForbidden.
Cause
Your account lacks the required RAM permissions.
Solution
-
Log on to the RAM console as an Alibaba Cloud account or an account with RAM permissions.
-
Add the required permission, such as cs:DescribeKubernetesVersionMetadata, based on the CS information on the error page. See Grant permissions on clusters and cloud resources by using RAM.