Authorization management FAQs

ForbiddenQueryClusterNamespace: Forbidden query namespaces

The RAM user or RAM role lacks RBAC permissions on the cluster's namespaces. Go to Authorizations in the ACK console and assign an RBAC role to the RAM user or RAM role.

APISERVER_403

The RAM user or RAM role lacks the required RBAC permissions on the cluster. Go to Authorizations in the ACK console and grant the required RBAC role. See Using RBAC Authorization.

The current RAM user does not have management permissions

The RAM user or RAM role cannot grant RBAC permissions to others. By default, only the Alibaba Cloud account owner or a RAM user with explicit delegation can do this.

To delegate RBAC management to a RAM user or RAM role (referred to as User A below), grant both of the following:

RBAC administrator permissions: In the ACK console under Authorizations, assign the predefined administrator role or cluster-admin role to User A for the target clusters and namespaces.

RAM permissions: In the RAM console, attach a custom policy to User A. The policy must allow User A to query other RAM users and roles in the same account, attach specified policies, and manage RBAC permissions. Use the following template:

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:GetUserPermissions",
                "cs:GetSubUsers",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicyToRole"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}

Replace xxxxxx with the policy name User A can attach. To allow any policy, replace xxxxxx with *.

See Create a custom RAM policy and Grant RBAC permissions to RAM users or RAM roles.

How do I tell whether an error is caused by RAM or RBAC?

Look at the error message:

RAM policy errors contain RAM policy Forbidden or STSToken policy Forbidden:

RAM policy Forbidden for action cs:DescribeEvents
STSToken policy Forbidden for action cs:DescribeClusterNodes

The RAM policy attached to the user or role does not include the listed action. Add the missing action. See Create a custom RAM policy.

RBAC permission errors contain APISERVER_403, User "xxx" cannot xx resource, or ForbiddenQueryClusterNamespace:

events is forbidden: User "<uid>" cannot list resource "events" in API group "" at the cluster scope
ForbiddenQueryClusterNamespace, Forbidden query namespaces

This means the RAM user <uid> lacks the required Kubernetes RBAC permissions. Grant the required RBAC permissions.

I attached AdministratorAccess or AliyunCSFullAccess to a RAM user, but it still cannot access clusters

ACK requires both RAM authorization and RBAC authorization. Attaching AdministratorAccess or AliyunCSFullAccess in the RAM console only covers the RAM layer. Go to Authorizations in the ACK console and assign RBAC roles to the RAM user as well. See Authorization overview and Grant RBAC permissions to RAM users or RAM roles.

ForbiddenCheckControlPlaneLog

The RAM user or RAM role is not assigned the predefined administrator or O&M engineer RBAC role. Go to Authorizations in the ACK console and assign the administrator or O&M engineer role.

ForbiddenHelmUsage

The RAM user or RAM role is not assigned the predefined administrator RBAC role. Go to Authorizations in the ACK console and assign the administrator role.

ForbiddenRotateCert

The RAM user or RAM role is not assigned the predefined administrator RBAC role. Go to Authorizations in the ACK console and assign the administrator role.

ForbiddenAttachInstance

The RAM user or RAM role is not assigned the predefined administrator or O&M engineer RBAC role. Go to Authorizations in the ACK console and assign the administrator or O&M engineer role.

ForbiddenUpdateKMSState

The RAM user or RAM role is not assigned the predefined administrator or O&M engineer RBAC role. Go to Authorizations in the ACK console and assign the administrator or O&M engineer role.

Forbidden get trigger

The RAM user or RAM role is not assigned the predefined administrator, O&M engineer, or developer RBAC role. Go to Authorizations in the ACK console and assign one of those roles.

Can I grant permissions on specific applications rather than all resources?

Yes. Create a custom ClusterRole that uses the resourceNames field to scope permissions to specific applications, then bind it to the RAM user or RAM role.

1. Log on to the ACK console.

2. In the left-side navigation pane, click Authorizations.

3. On the RAM Users tab, find the target RAM user and click Modify Permissions.

   Note

   The account you use to make this change must have at least read-only permissions on the cluster and must be assigned the cluster-admin or administrator role. See Create a custom RAM policy.

4. Click Add Permissions, select the cluster, namespace, and authorization type, then click Submit. The following table lists predefined RBAC role permissions. For subsequent steps, see Grant RBAC permissions to RAM users or RAM roles.

   Note

   • Permissions can also be granted across all clusters for a RAM user.

   • A RAM user or RAM role can hold one predefined RBAC role and one or more custom RBAC roles for a given cluster or namespace.

   Role	RBAC permissions on cluster resources
   Administrator	Read/write access to all namespace resources and cluster-level nodes, volumes, namespaces, and quotas.
   O&M engineer	Read/write access to console-visible resources across all namespaces; read-only access to nodes, volumes, namespaces, and quotas.
   Developer	Read/write access to console-visible resources in all or specified namespaces.
   Restricted user	Read-only access to console-visible resources in all or specified namespaces.
   Custom role	Determined by the selected ClusterRole. Review its rules before assignment to prevent unintended permissions. See Create a custom RAM policy.

   

A RAM user assigned the cs:admin role cannot create CustomResourceDefinition (CRD) objects

This affects clusters created before May 2019. The default cs:admin ClusterRole in those clusters lacks permissions for some Kubernetes resources, including CRD creation. Two options:

• Assign the cluster-admin role to the RAM user or RAM role.

• Delete the existing cs:admin ClusterRole and recreate it with the following definition:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

How do I use a RAM user or RAM role to assign RBAC roles to other users?

See The current RAM user does not have management permissions for the required RAM permissions and RBAC role assignments.

How do I find the RAM user or RAM role associated with a ClusterRoleBinding or RoleBinding?

Check the subjects field. If kind is User and name consists of digits or digits and hyphens, it is the RAM user or RAM role ID.

The following example shows a ClusterRoleBinding for RAM user 1*** and a RoleBinding for RAM user 2***:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: 1***-cluster-admin-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: 1***-1673419473

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: 2***-default-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'cs:ns:dev'
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: '2***'

Why can't I modify or revoke the RBAC permissions of a cluster creator?

ACK blocks requests to modify or revoke the cluster creator's RBAC permissions, ensuring the creator always retains cluster access.

To revoke a cluster creator's permissions, delete the ClusterRoleBinding directly:

1. Find the ClusterRoleBinding for the creator. Replace <uid> with the Alibaba Cloud account UID.

   kubectl get clusterrolebinding | grep <uid>

2. Back up and delete the ClusterRoleBinding. Replace <name> with the name returned in the previous step.

   kubectl get clusterrolebinding <name> -o yaml > <name>.yaml
   kubectl delete clusterrolebinding <name>

What permissions are required to use the terminal feature?

Assign the predefined administrator, O&M engineer, or developer RBAC role to the RAM user or RAM role. Also grant the RAM permission to call cs:DescribeClusterUserKubeconfig. See Grant RBAC permissions to RAM users or RAM roles and Create a custom RAM policy.

How do I grant RBAC permissions to a user who logs on through CloudSSO?

CloudSSO users log on as RAM roles, not as individual RAM users. To grant RBAC permissions, grant them to the RAM role, not to the individual user account.

For example, if the user logs on as AliyunReservedSSO-Policy-foo-bar-admin/foo.bar, grant the RBAC permissions to the RAM role AliyunReservedSSO-Policy-foo-bar-admin.

A RAM user with read-only permissions on all clusters can no longer see some clusters

The most common cause is a wrong account or a non-default resource group filter—not a permission change. Check the following:

1. Log on to the ACK console using the correct RAM user or RAM role.

2. In the top navigation bar, set the resource scope to All Resources > All Resources.

   

3. Hover over the avatar in the upper-right corner to verify the logon identity.

If a resource group filter is active, clusters outside that group are hidden even if permissions are correct.

How do I grant a RAM user or RAM role permission to create clusters?

Two steps are required:

1. Assign system roles to ACK using your Alibaba Cloud account. System roles only need to be assigned once. If unsure, log on with your Alibaba Cloud account, click Cloud Resource Access Authorization, and complete the authorization. See ACK default roles.

2. Attach a custom RAM policy to the RAM user or RAM role that includes the cs:CreateCluster permission:

   Note

   • Cluster creation associates cloud resources such as VPCs with the cluster. Ensure the RAM user or RAM role can access those resources.

   • Attach the AliyunVPCReadOnlyAccess policy to allow VPC listing.

   • For other resource types, see RAM authorization.

   {
    "Statement": [{
        "Action": [
            "cs:CreateCluster"
        ],
        "Effect": "Allow",
        "Resource": [
            "*"
        ]
    }],
    "Version": "1"
   }

   See Create a custom RAM policy.

What error codes mean the Alibaba Cloud account is missing required ACK service roles?

These error codes indicate missing ACK service roles. Log on with an Alibaba Cloud account or a RAM user with AdministratorAccess, then click the link in the error message to complete assignment.

How do I navigate to the system role assignment page for ACK?

If ACK system roles have been revoked, reassign them following the steps in Quickly create an ACK managed cluster.

Only an Alibaba Cloud account (not a RAM user) can reassign system roles.

A RAM role was revoked from an ECS instance — what should I do?

When an application on an ECS instance calls metadata api 100 and the RAM role has been removed, the request returns a 404 error or a message such as Message:Node condition RAMRoleError is now: True, reason: NodeHasNoRAMRole.

Reassign the RAM role to the ECS instance:

• Master node (ACK dedicated clusters only): On the Cluster Information page, go to the Basic Information tab and assign the Master RAM Role.

• Worker node: On the Cluster Information page, go to the Basic Information tab and assign the Worker RAM Role.

See Replace an instance RAM role.

If you modified the policy attached to the RAM role, verify it still contains the required permissions. If the modification preceded the error, try rolling back.

How do I assign a custom RAM role to an ACK cluster?

Use a custom Worker RAM role.

Will online workloads be affected after I delete a RAM user for a resigned employee?

Deleting a RAM user does not affect cluster management by other RAM users. However, you must use an Alibaba Cloud account to revoke the kubeconfig file issued to the deleted RAM user.