Skip to content

After Rancher 2.6.x upgrade, HTTP 403 Errors in Rancher UI

Article Number: 000020710

Environment

Several features of Rancher UI don't work and return HTTP 403 for some users after Rancher upgrade from 2.6.x :
- Shell execution
- Yaml editing

Situation

For some users, several Rancher features are not working and returning HTTP 403 (Forbidden)

Rancher Trace log:

User-system-serviceaccount-cattle-impersonation-system-cattle-impersonation-u-vnds56pccy-cannot-impersonate-resource-users-in-API-group-at-the-cluster-scope-due-to-missing-clusterrolebinding

Resolution

1. Check RBAC Clusterroles and Clusterrolebindings of the affected user 

## Clusterroles of the user
$ kubectl get clusterrole | grep u-b3l74guter

## Clusterrolebindings of the  user
$ kubectl get clusterrolebinding | grep u-b3l74guter

2. From the previous output, the expected Clusterrole cattle-impersonation-u-xxxxxxxx is present, but the Clusterrolebinding is absent.

3. Delete the cattle-impersonation-user-xxxx Clusterrole of the user

$ kubectl delete clusterrole cattle-impersonation-u-b3l74guter

4. Trigger the recreation of the Clusterrole and Clusterrolebinding by browsing to a Rancher feature.

e.g: open a Monitoring link in the cluster
    This action triggered the recreation of the Clusterrole and Clusterrolebinding