Troubleshoot cluster access issues from the console

Resolve API server exceptions, missing RBAC permissions, and missing RAM permissions when accessing a cluster from the Container Compute Service (ACS) console.

API server request exception

Symptoms

When you access cluster resources on the console, an error message such as "An API server request exception occurred for the current cluster" appears. The error code is ErrorQueryClusterNamespace or APIServer.500. An Error dialog box appears with the message "An error occurred while processing your request to the API server of the current cluster. Troubleshoot the issue that affects the Kubernetes control plane or try again later." The dialog box also shows the following details:

    • Detailed error message: failed to query access namespace for user (User ID) error is an error on the server ("Get \"https://192.168.*.*:10885/api/v1/namespaces?limit=300\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)") has prevented the request from succeeding (get namespaces)

    • Error code: ErrorQueryClusterNamespace

    • Request ID: 5D6A5DAF-0AB6-5EEB-***

Cause

The ACS control plane cannot connect to the cluster API server due to an invalid SLB configuration or abnormal SLB instance status.

Solution

  1. Log on to the ACS console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the target cluster.

  3. On the cluster details page, click the Cluster Resources tab. Then, click the link next to API server SLB to go to the Server Load Balancer (SLB) console.

    • If the page shows the message The specified SLB ID does not exist, the SLB instance for the API server was deleted or released. The cluster cannot be recovered. Create an ACS cluster to replace it.

    • Otherwise, proceed to the next step.

  4. Verify that the Status of the SLB instance is Running.

    • If not, the instance may be suspended for overdue payments (pay-as-you-go) or locked due to an expired subscription. Renew and re-enable the instance. For more information, see Overdue payments.

    • If it is, proceed to the next step.

  5. Verify that the SLB instance's TCP:6443 listener is configured for both the frontend and backend, its Status is Running, its Health Check Status is Normal, and its Access Control is set to whitelist.

    • If not, the listener for the API server SLB instance was modified.

      • If the listener exists but is in the Disable state, select the listener and click Enable.

      • If the listener does not exist, submit a ticket for assistance.

    • If it is, proceed to the next step.

  6. Check whether the Health Check Status of the preceding listener is Healthy.

    • If not, the backend servers of the API server's SLB instance are not healthy. Submit a ticket for assistance.

    • If it is, proceed to the next step.

  7. Check if access control is enabled for the listener.

    • If so, add the CIDR block 100.104.0.0/16 (ACS control plane source range) to the whitelist. For more information, see Access control.

    • If not, proceed to the next step.

  8. If the issue persists, submit a ticket for assistance.
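The whitelist check in step 7 can be done offline against an exported list of ACL entries. The following is an added example, not part of the original documentation or of any Alibaba Cloud tooling; the function name and the sample entries are hypothetical. It reports which parts of 100.104.0.0/16 a whitelist leaves uncovered, which catches entries that admit only part of the range.

```python
import ipaddress

# Source range of the ACS control plane, as given in step 7.
ACS_CONTROL_PLANE = ipaddress.ip_network("100.104.0.0/16")


def uncovered_ranges(whitelist, required=ACS_CONTROL_PLANE):
    """Return the sub-ranges of `required` that no whitelist entry covers.

    An empty result means every control-plane source address is admitted.
    """
    remaining = [required]
    for entry in whitelist:
        # strict=False accepts entries written with host bits set.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        still_open = []
        for block in remaining:
            if block.version != net.version or not block.overlaps(net):
                still_open.append(block)      # entry does not touch this block
            elif block.subnet_of(net):
                continue                      # block is fully covered
            else:
                # entry is a strict subnet of the block: keep the rest
                still_open.extend(block.address_exclude(net))
        remaining = still_open
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    # Constructed whitelist: a VPC range plus only half of the required block.
    sample = ["10.0.0.0/8", "100.104.0.0/17"]
    for gap in uncovered_ranges(sample):
        print("not whitelisted:", gap)
```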

API server exception for pod logs

If only pod log access fails while other cluster resources are accessible, follow these steps.

  1. Check whether the pod status is Running. If not, see Troubleshoot pod issues.

  2. Verify that inbound VPC traffic over TCP port 10250 is allowed in the security group rules. Add a security group rule if this traffic is blocked.

  3. If the issue persists, submit a ticket for assistance.

Missing cluster RBAC permissions

Symptoms

When you access the console, the error "The current account does not have the required cluster RBAC permissions to perform the operation. Contact the primary account or a permissions administrator to grant the permissions." appears. The error code is ForbiddenQueryClusterNamespace or APISERVER.403. The underlying error message is Forbidden query namespaces.

Cause

Your account lacks the required cluster RBAC permissions for the operation.

Solution

  1. Log on to the Container Compute Service console with an Alibaba Cloud account or an administrator account. In the left-side navigation pane, choose Authorizations.

  2. On the RAM Users tab, find the affected user and click Modify Permissions in the Actions column.

  3. On the Permission Management page, click Add Permissions, select the target cluster and namespace, choose a predefined role, and then click Submit.

Missing RAM permissions

Symptoms

When you access the console, the Error dialog box shows "The current account does not have the required RAM permissions to perform the operation. Contact the primary account or a permissions administrator to grant the permissions." The error code is StatusForbidden and the required permission is cs:DescribeKubernetesVersionMetadata.

Cause

Your account lacks the required RAM permissions for the operation.

Solution

  1. Log on to the RAM console using an Alibaba Cloud account or an account with RAM permissions.

  2. Grant the permission indicated in the error message, such as cs:DescribeKubernetesVersionMetadata. For more information, see Create a custom RAM policy.
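Before and after granting the permission, you can check whether a user's attached policies actually cover the action named in the error. The following is an added example, not part of the original documentation; the function names and sample policies are constructed. It is a simplified evaluator: it matches only the Action element with the "*" wildcard and ignores Resource and Condition.

```python
import re

# Permission named in the StatusForbidden error on this page.
REQUIRED_ACTION = "cs:DescribeKubernetesVersionMetadata"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # Assumption: only "*" is treated as a wildcard; matching is case-sensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def evaluate(policies, action=REQUIRED_ACTION):
    """Return "Deny", "Allow" or "ImplicitDeny" for `action`.

    An explicit Deny in any policy overrides every Allow.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            if not any(_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies (not taken from a real account).
GET_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cs:Get*"], "Resource": "*"}]}
CUSTOM_FIX = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED_ACTION, "Resource": "*"}]}
DENY_ALL_CS = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "cs:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate([GET_ONLY]))              # the state that produces the error
    print(evaluate([GET_ONLY, CUSTOM_FIX]))  # after attaching the custom policy
```

An "ImplicitDeny" result corresponds to the missing-permission case described above; a "Deny" result means attaching a narrowly scoped custom policy will not help until the denying statement is changed.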