This topic describes the exceptions that can occur when you use the Container Compute Service (ACS) console to access clusters, the causes of the exceptions, and their solutions. It covers the following exceptions: an API server request exception occurs when you access a cluster resource, an API server request exception occurs when you access the log of a pod, the current account does not have the required role-based access control (RBAC) permissions to perform the operation, and the current account does not have the required RAM permissions to perform the operation.
An API server request exception occurs when you access a cluster resource
Issue
When you use the ACS console to access a cluster resource, the system returns the following error message: "An error occurred while processing your request to the API server of the current cluster." The error code is ErrorQueryClusterNamespace or APIServer.500.
Cause
The load balancing configuration of the API server is invalid or the status of the API server is abnormal. As a result, the ACS control planes fail to connect to the API server.
Solution
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the cluster that you want to manage.
On the cluster details page, click the Cluster Resources tab and then click the hyperlink to the right of API Server SLB to log on to the Server Load Balancer (SLB) console.
If the system displays the "The specified SLB ID does not exist." message, the SLB instance for the API server is deleted or released. You cannot restore the SLB instance. To resolve this issue, you must recreate the cluster. For more information, see Create an ACS cluster.
If the system does not display the preceding message, proceed to the next step.
Check whether the Status column of the SLB instance displays Running.
If the SLB instance is not in the Running state, the SLB instance may be suspended or locked. A pay-as-you-go SLB instance is suspended if the SLB instance is overdue. A subscription SLB instance is locked if the subscription of the SLB instance expires. You must settle the overdue payment or renew the subscription, and then restart the SLB instance. For more information about overdue payments related to SLB instances, see Overdue payments.
If the SLB instance is in the Running state, proceed to the next step.
Check whether the SLB instance has a listener whose Frontend Protocol/Port and Backend Protocol/Port settings are set to TCP:6443, and whether the Status column of the listener displays Running.
If the preceding listener does not exist, the configuration of the listener for the API server is modified. Submit a ticket.
If the preceding listener exists but the listener is in the Stopped state, select the listener and click Start.
If the preceding listener exists and runs as normal, proceed to the next step.
Check whether the Health Check Status column of the listener displays Normal.
If the health check status is not Normal, the backend servers of the SLB instance for the API server are abnormal. Submit a ticket.
If the health check status of the listener is Normal, proceed to the next step.
Check whether access control is enabled for the preceding listener.
If access control is enabled for the listener, this indicates that the whitelist of the listener is not correctly configured. To resolve this issue, add the CIDR block 100.104.0.0/16 to the whitelist. The CIDR block specifies the source IP addresses of the internal requests that are sent by the ACS control planes to the API server. For more information about access control, see Access control.
If access control is disabled for the listener, proceed to the next step.
If the exception is not caused by the preceding reasons, submit a ticket.
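The whitelist check from the access control step above, as an added example that is not part of the original documentation: given the entries of a listener's whitelist, it reports which parts of 100.104.0.0/16 are still not allowed, including the case where several smaller entries cover the range only partially. The function name, the input format, and the sample whitelists are assumptions constructed for illustration.

```python
import ipaddress

# Source range of ACS control-plane requests to the API server (from the step above).
CONTROL_PLANE_CIDR = ipaddress.ip_network("100.104.0.0/16")


def uncovered_ranges(whitelist_entries, required=CONTROL_PLANE_CIDR):
    """Return the sub-ranges of `required` that no whitelist entry allows.

    An empty result means the whitelist admits the whole control-plane range.
    Entries may be CIDR blocks or single IP addresses (assumed input format).
    """
    remaining = [required]
    for entry in whitelist_entries:
        allowed = ipaddress.ip_network(entry.strip(), strict=False)
        still_open = []
        for net in remaining:
            if allowed.version != net.version or not allowed.overlaps(net):
                still_open.append(net)      # entry does not touch this range
            elif net.subnet_of(allowed):
                continue                    # range fully allowed by this entry
            else:
                # Entry allows only a slice of the range; keep the rest.
                still_open.extend(net.address_exclude(allowed))
        remaining = still_open
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    # Constructed sample whitelists, not taken from a real listener.
    samples = {
        "wider block": ["100.64.0.0/10"],
        "half missing": ["10.0.0.0/8", "100.104.0.0/17", "192.168.1.10"],
        "unrelated only": ["172.16.0.0/12"],
    }
    for name, entries in samples.items():
        gaps = uncovered_ranges(entries)
        if gaps:
            print(f"{name}: add {', '.join(str(g) for g in gaps)} to the whitelist")
        else:
            print(f"{name}: control-plane range is fully allowed")
```

A non-empty result lists exactly the blocks that still have to be added; adding 100.104.0.0/16 itself, as the step instructs, always closes every gap.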
An API server request exception occurs when you access the log of a pod
If this exception occurs when you access the log of a pod but you can access other cluster resources as normal, perform the following operations to troubleshoot the issue:
Check whether the status of the pod is Running. If the pod is not in the Running state, see Pod troubleshooting.
Check all security group rules to make sure that inbound traffic destined for TCP port 10250 from VPCs is allowed. If the inbound traffic is denied, add a security group rule to allow the inbound traffic. For more information, see Add a security group rule.
If the exception is not caused by the preceding reasons, submit a ticket.
The current account does not have the required RBAC permissions to perform the operation
Issue
When you access the ACS console, the system returns the following error message: "The current account does not have the required RBAC permissions to perform the operation". The error code is ForbiddenQueryClusterNamespace or APISERVER.403.
Cause
The account that you use does not have the required RBAC permissions to perform the operation.
Solution
Use an Alibaba Cloud account or an account that has administrator permissions to log on to the ACS console. In the left-side navigation pane, click Authorizations.
On the RAM Users tab, find the Resource Access Management (RAM) user that causes the error and click Modify Permissions for the RAM user.
On the Permission Management page, click Add Permissions, select a cluster, a namespace, and a predefined RBAC role, and then click Submit.
The current account does not have the required RAM permissions to perform the operation
Issue
When you access the ACS console, the system returns the following error message: "The current account does not have the required RAM permissions to perform the operation". The error code is StatusForbidden.
Cause
The account that you use does not have the required RAM permissions to perform the operation.
Solution
Use an Alibaba Cloud account or an account that has RAM permissions to log on to the RAM console.
Grant your account the required permissions based on the CS information that is returned by the system, such as cs:DescribeKubernetesVersionMetadata. For more information, see Create a custom RAM policy.